diff --git a/build/deploy.edex.awips2/esb/bin/setup.env b/build/deploy.edex.awips2/esb/bin/setup.env index 5cdcdf09c2..b49c6aa985 100644 --- a/build/deploy.edex.awips2/esb/bin/setup.env +++ b/build/deploy.edex.awips2/esb/bin/setup.env @@ -14,6 +14,8 @@ export DB_PORT=5432 # pypies hdf5 connection export PYPIES_SERVER=http://${EDEX_SERVER}:9582 + +# qpid connection export BROKER_ADDR=${EDEX_SERVER} # these values are returned to clients that contact the localization service diff --git a/edexOsgi/build.edex/opt/db/replication/README b/edexOsgi/build.edex/opt/db/replication/README index 8b5bc5a6e3..7e5b240cb1 100644 --- a/edexOsgi/build.edex/opt/db/replication/README +++ b/edexOsgi/build.edex/opt/db/replication/README @@ -11,9 +11,9 @@ SETUP - ALL SERVERS On each server you must add lines to pg_hba.conf to allow remote replication connections: - host replication replication 127.12.34.0/24 md5 + host replication replication 12.34.56.0/24 cert clientcert=1 -Replace "127.12.34.0/24" with the standby server IP address (or block). +Replace "12.34.56.0/24" with the standby server IP address (or block). Every server should have one line for every server in the replication setup, including itself--thus all servers should have the same lines. This enables quickly changing which server is the master without extra configuration. diff --git a/edexOsgi/build.edex/opt/db/replication/replication-config.sh b/edexOsgi/build.edex/opt/db/replication/replication-config.sh new file mode 100755 index 0000000000..1a04c98803 --- /dev/null +++ b/edexOsgi/build.edex/opt/db/replication/replication-config.sh 
@@ -0,0 +1,48 @@ +#!/bin/bash + +# This script configures a server to allow Postgres replication: +# - Creates replication user +# - Adds lines to pg_hba.conf to allow replication +# +# This must run on all servers that will replicate or be replicated. You +# only need to run this once per server. + +psql="/awips2/psql/bin/psql" +db_superuser=awips +postgres_data_dir=/awips2/data + +cleanup_exit () { + echo INFO: Cleaning up. + rm -f ${temp_hba_conf} + exit $1 +} + +temp_hba_conf=$(mktemp || cleanup_exit 1) + +if [[ "$(id -u)" -ne 0 ]]; then + echo ERROR: You need to be root. + cleanup_exit 1 +fi + +echo "INFO: Creating replication role" + +"${psql}" -v ON_ERROR_STOP=1 --user="${db_superuser}" --db=metadata << EOF || cleanup_exit 1 + begin transaction; + drop role if exists replication; + create role replication with replication login password 'replication'; + commit transaction; +EOF + +grep -Ev "replication" "${postgres_data_dir}/pg_hba.conf" > ${temp_hba_conf} +cat << EOF >> ${temp_hba_conf} || cleanup_exit 1 + +# replication connections +local replication replication trust +hostssl replication replication 162.0.0.0/8 cert clientcert=1 +hostssl replication replication ::1/128 cert clientcert=1 +EOF + +echo INFO: Updating pg_hba.conf +install -T -m 600 -o awips -g fxalpha ${temp_hba_conf} "${postgres_data_dir}/pg_hba.conf" || cleanup_exit 1 +echo "INFO: Finished. No errors reported." +cleanup_exit 0 diff --git a/edexOsgi/build.edex/opt/db/replication/setup-standby.sh b/edexOsgi/build.edex/opt/db/replication/setup-standby.sh index 32af317ffa..d9658207ca 100755 --- a/edexOsgi/build.edex/opt/db/replication/setup-standby.sh +++ b/edexOsgi/build.edex/opt/db/replication/setup-standby.sh 
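Review bot: The role is created with the fixed password `'replication'` even though the pg_hba.conf lines written further down authenticate remote replication by client certificate, so the password adds nothing on that path and stays usable wherever another pg_hba.conf rule (not visible here) accepts password logins. Creating the role without one, `create role replication with replication login;`, removes that credential. The `hostssl` rule also hard-codes `162.0.0.0/8`, far wider than the "standby server IP address (or block)" the README in this commit asks for; taking the block from a variable or argument would keep the rule as narrow as the site needs. Separately, `grep -Ev "replication"` drops every existing pg_hba.conf line that merely mentions the word and its exit status is not checked, and `$(mktemp || cleanup_exit 1)` exits only the subshell, so a failed mktemp leaves `temp_hba_conf` empty and the script carries on.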
@@ -22,9 +22,8 @@ # Configuration ############################################################### # Credentials -db_superuser=awips # awipsadmin on 16.4.1 and later +db_superuser=awips db_rep_user=replication # for connecting to master -db_rep_password=replication # Master server info master_hostname="$1" # from command line @@ -34,6 +33,13 @@ master_port=5432 this_host=$(hostname -s) local_port=5432 data_dir=/awips2/data +ssl_dir=/awips2/database/ssl + +# For logging the output of this script +log_dir=/awips2/database/replication/logs +# Keep this many logs, delete old ones +keep_logs=5 +log_file="${log_dir}/setup-standby.$(date +%Y%m%d.%H%M%S).log" # Location of PostgreSQL install pg_dir=/awips2/postgresql @@ -43,11 +49,15 @@ pg_basebackup=${pg_dir}/bin/pg_basebackup pg_ctl=${pg_dir}/bin/pg_ctl psql=/awips2/psql/bin/psql +log() { + echo $* | sudo -u awips tee -a "${log_file}" +} + ############################################################################### do_pg_ctl() { - "${pg_ctl}" -o \"--port=${local_port}\" -D "${data_dir}" $* >/dev/null 2>&1 + sudo -u awips "${pg_ctl}" -o \"--port=${local_port}\" -D "${data_dir}" $* >/dev/null 2>&1 return $? } 
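Review bot: `log()` expands `$*` unquoted, so every message is re-split on whitespace and any word containing `*` or `?` is glob-expanded against the current directory before it reaches the log file. `echo "$@" | sudo -u awips tee -a "${log_file}"` keeps the text intact and still passes through the `-n` that later callers use. The same unquoted `$*` sits in `do_pg_ctl`, where `"$@"` would forward the pg_ctl arguments unchanged. A one-line comment on `log` stating that it echoes to stdout and appends to `${log_file}` as awips would also help readers of the later hunks.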
@@ -61,21 +71,22 @@ stop_server() { cleanup_exit() { - echo "ERROR: There were one or more errors; see above." - echo "INFO: Cleaning up." + log "ERROR: There were one or more errors; see above." + log "INFO: Cleaning up." stop_server if [[ "$?" -eq 0 ]]; then - sleep 1 - rm -rf "${data_dir}"/* + if [[ -d "${data_dir}" ]]; then + rm -rf "${data_dir}"/* + fi else # I don't know if this is possible, but if it is, we don't want to # delete data dir while server is running - echo -n "WARNING: Postgres is still running. " - echo "See ${data_dir}/pg_log/postgresql-$(date +%A).log for possible errors." + log -n "WARNING: Postgres is still running. " + log "See ${data_dir}/pg_log/postgresql-$(date +%A).log for possible errors." fi if [[ -d "${config_tmpdir}" ]]; then if [[ -f "${config_tmpdir}/pg_hba.conf" ]]; then - mv "${config_tmpdir}/pg_hba.conf" ${data_dir} + sudo -u awips mv "${config_tmpdir}/pg_hba.conf" ${data_dir} fi if [[ -d "${config_tmpdir}/pg_log" ]]; then if [[ -d "${data_dir}/pg_log" ]]; then @@ -83,8 +94,8 @@ cleanup_exit() { else logdir="${data_dir}/pg_log" fi - echo "INFO: Moving old logs to ${logdir}" - mv "${config_tmpdir}/pg_log" "${logdir}" + log "INFO: Moving old logs to ${logdir}" + sudo -u awips mv "${config_tmpdir}/pg_log" "${logdir}" fi rm -rf "${config_tmpdir}" fi @@ -101,8 +112,8 @@ if [[ -z "${master_hostname}" ]]; then exit 1 fi -if [[ "$(id -u)" -ne "$(id -u awips)" ]]; then - echo "$(basename $0): Must run as user 'awips'." +if [[ "$(id -u)" -ne 0 ]]; then + echo "$(basename $0): Must run as root." exit 1 fi @@ -115,7 +126,6 @@ if [[ "${master_hostname}" == "${this_host}" || exit 1 fi - # Warning prompt echo "You are about to configure this server (${this_host}) as a PostgreSQL" echo "standby server." 
@@ -137,49 +147,83 @@ fi # Actually do it ############################################################## +# Make log file for script output +sudo -u awips mkdir -p "${log_dir}" || exit 1 +sudo -u awips touch "${log_file}" || exit 1 +# Purge old logs +sudo -u awips find "${log_dir}"/*.log -xdev \ + | sort \ + | head -n -${keep_logs} \ + | tr '\n' '\0' \ + | sudo xargs -0r rm + +log "INFO: Starting replication setup on ${this_host}:${local_port}" +log "INFO: Will replicate ${master_hostname}:${master_port}" + stop_server || exit 1 trap 'cleanup_exit' SIGINT -# Backup pg_hba.conf and old logs -config_tmpdir=$(mktemp -d --tmpdir=${data_dir} .tmp.XXXXXX || cleanup_exit) +# Get certificates from master +master_ssl_dir="${ssl_dir}/replication/${master_hostname}" +sudo -u awips mkdir -p "${master_ssl_dir}" +log "INFO: Downloading SSL certs and keyfile from ${master_hostname}" +# must ssh as root to skip password prompt +rsync --delete-before -av -e ssh \ + "${master_hostname}":"${master_ssl_dir}"/{replication.crt,replication.key,root.crt} \ + "${master_ssl_dir}" || exit 1 +chown -R awips:fxalpha "${ssl_dir}"/replication +find "${ssl_dir}"/replication -xdev -type f -exec chmod 600 {} \; +find "${ssl_dir}"/replication -xdev -type d -exec chmod 700 {} \; + +# Backup pg_hba.conf and old postgres logs +config_tmpdir=$(sudo -u awips mktemp -d --tmpdir=${data_dir} .tmp.XXXXXX || cleanup_exit) if [[ -f "${data_dir}/pg_hba.conf" ]]; then - cp -a "${data_dir}/pg_hba.conf" "${config_tmpdir}" || cleanup_exit + sudo -u awips cp -a "${data_dir}/pg_hba.conf" "${config_tmpdir}" || cleanup_exit fi if [[ -d "${data_dir}/pg_log" ]]; then - cp -a "${data_dir}/pg_log" "${config_tmpdir}" || cleanup_exit + sudo -u awips cp -a "${data_dir}/pg_log" "${config_tmpdir}" || cleanup_exit fi # Prepare data directory +log "INFO: Recreating ${data_dir}" if [[ -d "${data_dir}" ]]; then rm -rf "${data_dir}"/* else - mkdir -p "${data_dir}" || exit 1 - chmod 700 "${data_dir}" || exit 1 + sudo -u awips mkdir 
-p "${data_dir}" || exit 1 + sudo -u awips chmod 700 "${data_dir}" || exit 1 fi +# SSL connection string parts +# needed for basebackup and recovery.conf +sslmode_part="sslmode=verify-ca" +sslcert_part="sslcert=${master_ssl_dir}/replication.crt" +sslkey_part="sslkey=${master_ssl_dir}/replication.key" +sslrootcert_part="sslrootcert=${master_ssl_dir}/root.crt" +ssl_part="${sslmode_part} ${sslcert_part} ${sslkey_part} ${sslrootcert_part}" # pg_basebackup will not write to a non-empty directory # so we have to make a temporary one -data_tmpdir=$(mktemp -d --tmpdir=${data_dir} .tmp.XXXX || cleanup_exit) +data_tmpdir=$(sudo -u awips mktemp -d --tmpdir=${data_dir} .tmp.XXXX || cleanup_exit) # Fetch and install base backup -echo "INFO: Fetching base backup from ${master_hostname}" -echo "Enter the password for the '${db_rep_user}' role now, if prompted." -"${pg_basebackup}" \ +log "INFO: Fetching base backup from ${master_hostname}" +log "Enter the password for the '${db_rep_user}' role now, if prompted." +sudo -u awips "${pg_basebackup}" \ --host="${master_hostname}" \ --verbose --progress --xlog-method=fetch \ --username="${db_rep_user}" --format=tar --gzip \ --port=${master_port} \ + --db="${ssl_part}" \ -D "${data_tmpdir}" || cleanup_exit -mv "${data_tmpdir}"/*.tar.gz "${data_dir}" || cleanup_exit +sudo -u awips mv "${data_tmpdir}"/*.tar.gz "${data_dir}" || cleanup_exit -echo "INFO: Installing base backup to ${data_dir}" +log "INFO: Installing base backup to ${data_dir}" pushd "${data_dir}" > /dev/null || cleanup_exit -tar xzf "${data_dir}/base.tar.gz" || cleanup_exit +sudo -u awips tar xzf "${data_dir}/base.tar.gz" || cleanup_exit popd > /dev/null rm -f "${data_dir}/base.tar.gz" # Install tablespaces -echo INFO: Unpacking tablespaces +log INFO: Unpacking tablespaces # On Postgres 9.5 and later we need to read tablespace_map and create the # symlinks ourselves if [[ -f "${data_dir}/tablespace_map" ]]; then 
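Review bot: `sslmode=verify-ca` checks only that the master's certificate chains to `root.crt`, not that it was issued for `${master_hostname}`, so any host holding a certificate from the same CA would be accepted for both the base backup and `primary_conninfo`. If the server certificates carry the host names used to reach them, `sslmode_part="sslmode=verify-full"` closes that gap. The rsync step also lands `replication.key` with whatever mode and owner `-a` preserves and tightens it only afterwards with unchecked `chown`/`chmod`; adding `--chmod=F600,D700` to the rsync call and `|| exit 1` to the ownership fix would avoid leaving a readable key behind if either step fails. The message "Enter the password for the ... role now, if prompted" looks stale now that authentication is by certificate.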
@@ -188,7 +232,7 @@ if [[ -f "${data_dir}/tablespace_map" ]]; then ts_path="$(echo "$line" | cut -d' ' -f2-)" if [[ -n "${ts_num}" && -n "${ts_path}" ]]; then rm -f "${data_dir}/pg_tblspc/${ts_num}" - ln -sf "${ts_path}" "${data_dir}/pg_tblspc/${ts_num}" || cleanup_exit + sudo -u awips ln -sf "${ts_path}" "${data_dir}/pg_tblspc/${ts_num}" || cleanup_exit fi done < "${data_dir}/tablespace_map" rm -f "${data_dir}/tablespace_map" @@ -197,25 +241,33 @@ fi # Now unpack each tar in the right place for ts_link in "${data_dir}/pg_tblspc"/*; do this_ts=$(readlink "${ts_link}") - echo -n " ${this_ts}..." + log -n " ${this_ts}..." tar_name=$(basename "${ts_link}") if [[ -d "${this_ts}" ]]; then rm -rf "${this_ts}"/* else - mkdir -p "${this_ts}" || cleanup_exit + sudo -u awips mkdir -p "${this_ts}" || cleanup_exit fi pushd "${this_ts}" > /dev/null - tar xzf "${data_dir}/${tar_name}.tar.gz" || cleanup_exit + sudo -u awips tar xzf "${data_dir}/${tar_name}.tar.gz" || cleanup_exit popd > /dev/null rm -f "${data_dir}/${tar_name}.tar.gz" - echo done. + log done. done # Write recovery.conf -echo "INFO: Writing ${data_dir}/recovery.conf" -cat > "${data_dir}/recovery.conf" << EOF || cleanup_exit + +host_part="host=${master_hostname}" +port_part="port=${master_port}" +user_part="user=${db_rep_user}" +primary_conninfo="${host_part} ${port_part} ${user_part} ${ssl_part}" + +log "INFO: Writing ${data_dir}/recovery.conf" +rm -f "${data_dir}/recovery.conf" +sudo -u awips touch "${data_dir}"/recovery.conf +cat >> "${data_dir}/recovery.conf" << EOF || cleanup_exit standby_mode='on' -primary_conninfo='host=${master_hostname} port=${master_port} user=${db_rep_user} password=${db_rep_password}' +primary_conninfo='${primary_conninfo}' recovery_target_timeline='latest' trigger_file='${data_dir}/promote' EOF 
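Review bot: Now that the script must run as root, the context line `rm -rf "${this_ts}"/*` empties as root whatever directory the `pg_tblspc` symlink resolves to, and that target comes from the `tablespace_map` shipped in the master's base backup (the `ln -sf "${ts_path}"` in the previous hunk). Before this commit the same line could only remove what awips could remove. Running it under the same identity as the surrounding steps, `sudo -u awips rm -rf "${this_ts:?}"/*`, keeps a wrong or unexpected path in the map from wiping root-owned data; the `rm -f "${data_dir}/pg_tblspc/${ts_num}"` in the previous hunk could be treated the same way. `pushd "${this_ts}"` is also unchecked, so a failed directory change would unpack the tarball into whatever the current directory is.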
@@ -224,35 +276,35 @@ rm -f "${data_dir}/recovery.done" # Install pg_hba.conf if [[ -f "${config_tmpdir}/pg_hba.conf" ]]; then - echo "INFO: Installing ${data_dir}/pg_hba.conf" - mv "${config_tmpdir}/pg_hba.conf" "${data_dir}" + log "INFO: Installing ${data_dir}/pg_hba.conf" + sudo -u awips mv "${config_tmpdir}/pg_hba.conf" "${data_dir}" fi # Save old pg_logs if [[ -d "${config_tmpdir}/pg_log" ]]; then logdir_ts=$(date +%F_%H%M%S) - echo "INFO: Moving old logs to ${data_dir}/pg_log-${logdir_ts}" - mv "${config_tmpdir}/pg_log" "${data_dir}/pg_log-${logdir_ts}" + log "INFO: Moving old logs to ${data_dir}/pg_log-${logdir_ts}" + sudo -u awips mv "${config_tmpdir}/pg_log" "${data_dir}/pg_log-${logdir_ts}" fi # Start it up and run test query -echo "INFO: Starting PostgreSQL" +log "INFO: Starting PostgreSQL" do_pg_ctl start -w || cleanup_exit -echo "INFO: Testing read-only connection to standby" -is_recovery=$("${psql}" \ +log "INFO: Testing read-only connection to standby" +is_recovery=$(sudo -u awips "${psql}" \ -U "${db_superuser}" \ --port=${local_port} \ --db=metadata \ -Aqtc "select pg_is_in_recovery();") if [[ "${is_recovery}" != "t" ]]; then - echo "ERROR: It looks like this server failed to start up properly, or is" - echo "ERROR: not in recovery mode." + log "ERROR: It looks like this server failed to start up properly, or is" + log "ERROR: not in recovery mode." cleanup_exit fi rm -rf ${config_tmpdir} rm -rf ${data_tmpdir} -echo "INFO: Setup is complete. No errors reported." +log "INFO: Setup is complete. No errors reported." diff --git a/rpms/awips2.core/Installer.database-server-configuration/configuration/postgresql.conf.centralRegistry b/rpms/awips2.core/Installer.database-server-configuration/configuration/postgresql.conf.centralRegistry deleted file mode 100644 index a6f2045eb9..0000000000 --- a/rpms/awips2.core/Installer.database-server-configuration/configuration/postgresql.conf.centralRegistry +++ /dev/null 
@@ -1,572 +0,0 @@ -# ----------------------------- -# PostgreSQL configuration file -# ----------------------------- -# -# This file consists of lines of the form: -# -# name = value -# -# (The "=" is optional.) Whitespace may be used. Comments are introduced with -# "#" anywhere on a line. The complete list of parameter names and allowed -# values can be found in the PostgreSQL documentation. -# -# The commented-out settings shown in this file represent the default values. -# Re-commenting a setting is NOT sufficient to revert it to the default value; -# you need to reload the server. -# -# This file is read on server startup and when the server receives a SIGHUP -# signal. If you edit the file on a running system, you have to SIGHUP the -# server for the changes to take effect, or use "pg_ctl reload". Some -# parameters, which are marked below, require a server shutdown and restart to -# take effect. -# -# Any parameter can also be given as a command-line option to the server, e.g., -# "postgres -c log_connections=on". Some parameters can be changed at run time -# with the "SET" SQL command. -# -# Memory units: kB = kilobytes Time units: ms = milliseconds -# MB = megabytes s = seconds -# GB = gigabytes min = minutes -# h = hours -# d = days - - -#------------------------------------------------------------------------------ -# FILE LOCATIONS -#------------------------------------------------------------------------------ - -# The default values of these variables are driven from the -D command-line -# option or PGDATA environment variable, represented here as ConfigDir. - -#data_directory = 'ConfigDir' # use data in another directory - # (change requires restart) -#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file - # (change requires restart) -#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file - # (change requires restart) - -# If external_pid_file is not explicitly set, no extra PID file is written. 
-#external_pid_file = '' # write an extra PID file - # (change requires restart) - - -#------------------------------------------------------------------------------ -# CONNECTIONS AND AUTHENTICATION -#------------------------------------------------------------------------------ - -# - Connection Settings - - -listen_addresses = '*' # what IP address(es) to listen on; - # comma-separated list of addresses; - # defaults to 'localhost'; use '*' for all - # (change requires restart) -port = 5432 # (change requires restart) -max_connections = 400 # (change requires restart) -# Note: Increasing max_connections costs ~400 bytes of shared memory per -# connection slot, plus lock space (see max_locks_per_transaction). -#superuser_reserved_connections = 3 # (change requires restart) -#unix_socket_directory = '' # (change requires restart) -#unix_socket_group = '' # (change requires restart) -#unix_socket_permissions = 0777 # begin with 0 to use octal notation - # (change requires restart) -#bonjour = off # advertise server via Bonjour - # (change requires restart) -#bonjour_name = '' # defaults to the computer name - # (change requires restart) - -# - Security and Authentication - - -#authentication_timeout = 1min # 1s-600s -#ssl = off # (change requires restart) -#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers - # (change requires restart) -#ssl_renegotiation_limit = 512MB # amount of data between renegotiations -#ssl_cert_file = 'server.crt' # (change requires restart) -#ssl_key_file = 'server.key' # (change requires restart) -#ssl_ca_file = '' # (change requires restart) -#ssl_crl_file = '' # (change requires restart) -#password_encryption = on -#db_user_namespace = off - -# Kerberos and GSSAPI -#krb_server_keyfile = '' -#krb_srvname = 'postgres' # (Kerberos only) -#krb_caseins_users = off - -# - TCP Keepalives - -# see "man 7 tcp" for details - -#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; - # 0 selects the system default 
-#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; - # 0 selects the system default -#tcp_keepalives_count = 0 # TCP_KEEPCNT; - # 0 selects the system default - - -#------------------------------------------------------------------------------ -# RESOURCE USAGE (except WAL) -#------------------------------------------------------------------------------ - -# - Memory - - -shared_buffers = 128MB # min 128kB - # (change requires restart) -temp_buffers = 16MB # min 800kB -#max_prepared_transactions = 0 # zero disables the feature - # (change requires restart) -# Note: Increasing max_prepared_transactions costs ~600 bytes of shared memory -# per transaction slot, plus lock space (see max_locks_per_transaction). -# It is not advisable to set max_prepared_transactions nonzero unless you -# actively intend to use prepared transactions. -work_mem = 32MB # min 64kB -maintenance_work_mem = 32MB # min 1MB -#max_stack_depth = 2MB # min 100kB - -# - Disk - - -#temp_file_limit = -1 # limits per-session temp file space - # in kB, or -1 for no limit - -# - Kernel Resource Usage - - -#max_files_per_process = 1000 # min 25 - # (change requires restart) -#shared_preload_libraries = '' # (change requires restart) - -# - Cost-Based Vacuum Delay - - -#vacuum_cost_delay = 0ms # 0-100 milliseconds -#vacuum_cost_page_hit = 1 # 0-10000 credits -#vacuum_cost_page_miss = 10 # 0-10000 credits -#vacuum_cost_page_dirty = 20 # 0-10000 credits -#vacuum_cost_limit = 200 # 1-10000 credits - -# - Background Writer - - -#bgwriter_delay = 200ms # 10-10000ms between rounds -#bgwriter_lru_maxpages = 100 # 0-1000 max buffers written/round -#bgwriter_lru_multiplier = 2.0 # 0-10.0 multipler on buffers scanned/round - -# - Asynchronous Behavior - - -#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching - - -#------------------------------------------------------------------------------ -# WRITE AHEAD LOG -#------------------------------------------------------------------------------ - -# - 
Settings - - -wal_level = hot_standby # minimal, archive, or hot_standby - # (change requires restart) -fsync = off # turns forced synchronization on or off -#synchronous_commit = on # synchronization level; - # off, local, remote_write, or on -#wal_sync_method = fsync # the default is the first option - # supported by the operating system: - # open_datasync - # fdatasync (default on Linux) - # fsync - # fsync_writethrough - # open_sync -#full_page_writes = on # recover from partial page writes -#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers - # (change requires restart) -#wal_writer_delay = 200ms # 1-10000 milliseconds - -commit_delay = 50000 # range 0-100000, in microseconds -commit_siblings = 5 # range 1-1000 - -# - Checkpoints - - -checkpoint_segments = 10 # in logfile segments, min 1, 16MB each -#checkpoint_timeout = 5min # range 30s-1h -#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 -#checkpoint_warning = 30s # 0 disables - -# - Archiving - - -#archive_mode = off # allows archiving to be done - # (change requires restart) -#archive_command = '' # command to use to archive a logfile segment - # placeholders: %p = path of file to archive - # %f = file name only - # e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' -#archive_timeout = 0 # force a logfile segment switch after this - # number of seconds; 0 disables - -#------------------------------------------------------------------------------ -# REPLICATION -#------------------------------------------------------------------------------ - -# - Sending Server(s) - - -# Set these on the master and on any standby that will send replication data. - -max_wal_senders = 5 # max number of walsender processes - # (change requires restart) - -wal_keep_segments = 64 # in logfile segments, 16MB each; 0 disables -#replication_timeout = 60s # in milliseconds; 0 disables - -# - Master Server - - -# These settings are ignored on a standby server. 
- -#synchronous_standby_names = '' # standby servers that provide sync rep - # comma-separated list of application_name - # from standby(s); '*' = all -#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed - -# - Standby Servers - - -# These settings are ignored on a master server. - -hot_standby = on # "on" allows queries during recovery - # (change requires restart) -#max_standby_archive_delay = 30s # max delay before canceling queries - # when reading WAL from archive; - # -1 allows indefinite delay -#max_standby_streaming_delay = 30s # max delay before canceling queries - # when reading streaming WAL; - # -1 allows indefinite delay -#wal_receiver_status_interval = 10s # send replies at least this often - # 0 disables -#hot_standby_feedback = off # send info from standby to prevent - # query conflicts - - -#------------------------------------------------------------------------------ -# QUERY TUNING -#------------------------------------------------------------------------------ - -# - Planner Method Configuration - - -#enable_bitmapscan = on -#enable_hashagg = on -#enable_hashjoin = on -#enable_indexscan = on -#enable_indexonlyscan = on -#enable_material = on -#enable_mergejoin = on -#enable_nestloop = on -#enable_seqscan = on -#enable_sort = on -#enable_tidscan = on - -# - Planner Cost Constants - - -#seq_page_cost = 1.0 # measured on an arbitrary scale -#random_page_cost = 4.0 # same scale as above -#cpu_tuple_cost = 0.01 # same scale as above -#cpu_index_tuple_cost = 0.005 # same scale as above -#cpu_operator_cost = 0.0025 # same scale as above -effective_cache_size = 512MB - -# - Genetic Query Optimizer - - -#geqo = on -#geqo_threshold = 12 -#geqo_effort = 5 # range 1-10 -#geqo_pool_size = 0 # selects default based on effort -#geqo_generations = 0 # selects default based on effort -#geqo_selection_bias = 2.0 # range 1.5-2.0 -#geqo_seed = 0.0 # range 0.0-1.0 - -# - Other Planner Options - - -default_statistics_target = 100 # range 
1-10000 -#constraint_exclusion = partition # on, off, or partition -#cursor_tuple_fraction = 0.1 # range 0.0-1.0 -#from_collapse_limit = 8 -#join_collapse_limit = 8 # 1 disables collapsing of explicit - # JOIN clauses - - -#------------------------------------------------------------------------------ -# ERROR REPORTING AND LOGGING -#------------------------------------------------------------------------------ - -# - Where to Log - - -#log_destination = 'stderr' # Valid values are combinations of - # stderr, csvlog, syslog, and eventlog, - # depending on platform. csvlog - # requires logging_collector to be on. - -# This is used when logging to stderr: -logging_collector = on # Enable capturing of stderr and csvlog - # into log files. Required to be on for - # csvlogs. - # (change requires restart) - -# These are only used if logging_collector is on: -log_directory = 'pg_log' # directory where log files are written, - # can be absolute or relative to PGDATA -log_filename = 'postgresql-%A.log' # log file name pattern, - # can include strftime() escapes -#log_file_mode = 0600 # creation mode for log files, - # begin with 0 to use octal notation -log_truncate_on_rotation = on # If on, an existing log file with the - # same name as the new log file will be - # truncated rather than appended to. - # But such truncation only occurs on - # time-driven rotation, not on restarts - # or size-driven rotation. Default is - # off, meaning append to existing files - # in all cases. -log_rotation_age = 1d # Automatic rotation of logfiles will - # happen after that time. 0 disables. -log_rotation_size = 0 # Automatic rotation of logfiles will - # happen after that much log output. - # 0 disables. 
- -# These are relevant when logging to syslog: -#syslog_facility = 'LOCAL0' -#syslog_ident = 'postgres' - -# This is only relevant when logging to eventlog (win32): -#event_source = 'PostgreSQL' - -# - When to Log - - -#client_min_messages = notice # values in order of decreasing detail: - # debug5 - # debug4 - # debug3 - # debug2 - # debug1 - # log - # notice - # warning - # error - -#log_min_messages = warning # values in order of decreasing detail: - # debug5 - # debug4 - # debug3 - # debug2 - # debug1 - # info - # notice - # warning - # error - # log - # fatal - # panic - -#log_min_error_statement = error # values in order of decreasing detail: - # debug5 - # debug4 - # debug3 - # debug2 - # debug1 - # info - # notice - # warning - # error - # log - # fatal - # panic (effectively off) - -#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements - # and their durations, > 0 logs only - # statements running at least this number - # of milliseconds - - -# - What to Log - - -#debug_print_parse = off -#debug_print_rewritten = off -#debug_print_plan = off -#debug_pretty_print = on -#log_checkpoints = off -#log_connections = off -#log_disconnections = off -#log_duration = off -#log_error_verbosity = default # terse, default, or verbose messages -#log_hostname = off -log_line_prefix = '%t %x %d : %h : ' # special values: - # %a = application name - # %u = user name - # %d = database name - # %r = remote host and port - # %h = remote host - # %p = process ID - # %t = timestamp without milliseconds - # %m = timestamp with milliseconds - # %i = command tag - # %e = SQL state - # %c = session ID - # %l = session line number - # %s = session start timestamp - # %v = virtual transaction ID - # %x = transaction ID (0 if none) - # %q = stop here in non-session - # processes - # %% = '%' - # e.g. 
'<%u%%%d> ' -#log_lock_waits = off # log lock waits >= deadlock_timeout -#log_statement = 'none' # none, ddl, mod, all -#log_temp_files = -1 # log temporary files equal or larger - # than the specified size in kilobytes; - # -1 disables, 0 logs all temp files -log_timezone = 'UTC' - - -#------------------------------------------------------------------------------ -# RUNTIME STATISTICS -#------------------------------------------------------------------------------ - -# - Query/Index Statistics Collector - - -#track_activities = on -track_counts = on -#track_io_timing = off -#track_functions = none # none, pl, all -#track_activity_query_size = 1024 # (change requires restart) -#update_process_title = on -#stats_temp_directory = 'pg_stat_tmp' - - -# - Statistics Monitoring - - -#log_parser_stats = off -#log_planner_stats = off -#log_executor_stats = off -#log_statement_stats = off - - -#------------------------------------------------------------------------------ -# AUTOVACUUM PARAMETERS -#------------------------------------------------------------------------------ - -autovacuum = on # Enable autovacuum subprocess? 'on' - # requires track_counts to also be on. -log_autovacuum_min_duration = 120s # -1 disables, 0 logs all actions and - # their durations, > 0 logs only - # actions running at least this number - # of milliseconds. 
-autovacuum_max_workers = 6 # max number of autovacuum subprocesses - # (change requires restart) -autovacuum_naptime = 30s # time between autovacuum runs -autovacuum_vacuum_threshold = 500 # min number of row updates before - # vacuum -autovacuum_analyze_threshold = 250 # min number of row updates before - # analyze -autovacuum_vacuum_scale_factor = 0.15 # fraction of table size before vacuum -autovacuum_analyze_scale_factor = 0.075 # fraction of table size before analyze -#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum - # (change requires restart) -autovacuum_vacuum_cost_delay = 10ms # default vacuum cost delay for - # autovacuum, in milliseconds; - # -1 means use vacuum_cost_delay -autovacuum_vacuum_cost_limit = 1000 # default vacuum cost limit for - # autovacuum, -1 means use vacuum_cost_limit - - -#------------------------------------------------------------------------------ -# CLIENT CONNECTION DEFAULTS -#------------------------------------------------------------------------------ - -# - Statement Behavior - - -#search_path = '"$user",public' # schema names -#default_tablespace = '' # a tablespace name, '' uses the default -#temp_tablespaces = '' # a list of tablespace names, '' uses - # only default tablespace -#check_function_bodies = on -#default_transaction_isolation = 'read committed' -#default_transaction_read_only = off -#default_transaction_deferrable = off -#session_replication_role = 'origin' -statement_timeout = 1800000 # in milliseconds, 0 is disabled -#vacuum_freeze_min_age = 50000000 -#vacuum_freeze_table_age = 150000000 -bytea_output = 'escape' # hex, escape -#xmlbinary = 'base64' -#xmloption = 'content' - -# - Locale and Formatting - - -datestyle = 'iso, mdy' -#intervalstyle = 'postgres' -timezone = 'GMT' -#timezone_abbreviations = 'Default' # Select the set of available time zone - # abbreviations. 
Currently, there are - # Default - # Australia - # India - # You can create your own file in - # share/timezonesets/. -#extra_float_digits = 0 # min -15, max 3 -#client_encoding = sql_ascii # actually, defaults to database - # encoding - -# These settings are initialized by initdb, but they can be changed. -lc_messages = 'en_US.UTF-8' # locale for system error message - # strings -lc_monetary = 'en_US.UTF-8' # locale for monetary formatting -lc_numeric = 'en_US.UTF-8' # locale for number formatting -lc_time = 'en_US.UTF-8' # locale for time formatting - -# default configuration for text search -default_text_search_config = 'pg_catalog.english' - -# - Other Defaults - - -#dynamic_library_path = '$libdir' -#local_preload_libraries = '' - - -#------------------------------------------------------------------------------ -# LOCK MANAGEMENT -#------------------------------------------------------------------------------ - -#deadlock_timeout = 1s -#max_locks_per_transaction = 64 # min 10 - # (change requires restart) -# Note: Each lock table slot uses ~270 bytes of shared memory, and there are -# max_locks_per_transaction * (max_connections + max_prepared_transactions) -# lock table slots. 
-#max_pred_locks_per_transaction = 64 # min 10 - # (change requires restart) - - -#------------------------------------------------------------------------------ -# VERSION/PLATFORM COMPATIBILITY -#------------------------------------------------------------------------------ - -# - Previous PostgreSQL Versions - - -#array_nulls = on -#backslash_quote = safe_encoding # on, off, or safe_encoding -#default_with_oids = off -#escape_string_warning = on -#lo_compat_privileges = off -#quote_all_identifiers = off -#sql_inheritance = on -#standard_conforming_strings = on -#synchronize_seqscans = on - -# - Other Platforms and Clients - - -#transform_null_equals = off - - -#------------------------------------------------------------------------------ -# ERROR HANDLING -#------------------------------------------------------------------------------ - -#exit_on_error = off # terminate session on any error? -#restart_after_crash = on # reinitialize after backend crash? - - -#------------------------------------------------------------------------------ -# CUSTOMIZED OPTIONS -#------------------------------------------------------------------------------ - -# Add settings for extensions here diff --git a/rpms/awips2.core/Installer.database-server-configuration/configuration/root.crt b/rpms/awips2.core/Installer.database-server-configuration/configuration/root.crt deleted file mode 100644 index 21edc14354..0000000000 --- a/rpms/awips2.core/Installer.database-server-configuration/configuration/root.crt +++ /dev/null 
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDOTCCAiGgAwIBAgIJAIsJUossJEAhMA0GCSqGSIb3DQEBBQUAMDMxDjAMBgNV -BAoMBUFXSVBTMRAwDgYDVQQLDAdUZXN0aW5nMQ8wDQYDVQQDDAZjYXJvb3QwHhcN -MTYxMTIwMDAyNzQ0WhcNNDYxMTEzMDAyNzQ0WjAzMQ4wDAYDVQQKDAVBV0lQUzEQ -MA4GA1UECwwHVGVzdGluZzEPMA0GA1UEAwwGY2Fyb290MIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEA1aBCQLlOpbC7/ikudAmYdTgI16FecS8yItRzMMgX -Po589JRydYe+3Wv4gaVZAktoCFCuoik9DRnewzqPxGzAOrq+QfPKRQhY0AdDZP4v -c82r8C0ga/SZTImST/Y+WA7dJ6eRGfDiOIS/auQ0zcfrGFv4//I5+Sa+5dQNe0me -pyAKaYTzrZWKrSsZbjxs1nHd+0ahIzgwWGb3UDY9MNMtP9/EvhRZkxgjeTnVZD8X -aOLiwCIBALoGayId5wbXjyUIRzelPQPCXAADQcewlnlvbLadTXVCA3rP7TvNyx0W -blpluNBg0o6sjlo2bzInBswHsFHUOZPcJT6pLhGRC52eNwIDAQABo1AwTjAdBgNV -HQ4EFgQUjRTZ3Toe0L+XZodTnOTtpR39eJUwHwYDVR0jBBgwFoAUjRTZ3Toe0L+X -ZodTnOTtpR39eJUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAuvXD -Hm5cJxtP3phZYAOdrSxJkJg/gMmRBLsS2GksPks07pelSxPySRjVZCJSDd8zbSc5 -DGdFBMI0Xdk7+V5KxP6ATfyc37GoxGG7ygbUjLvmlzsg2i+a0wIDjILyzisicA0q -DyCLZGxNahFUrhci0mpKAr/RaGr4Hx4R+JMItP3sxysVbIhc4wdm4mRTA3n8Eru3 -hcPpLQlqLheVuCIECxMG+eVKVevZWN0gqiEA7C+pByMxASqeHc6SRCXHx8/GJPmw -ocaHpJ7Iib2kMLeBT24R+RNHEpPknf/PkgwvM0BLPqlk8cNqAR7TZ/OtX1ffmPbv -t+nP8jegKGo4lVr3Fg== ------END CERTIFICATE----- diff --git a/rpms/awips2.core/Installer.database-server-configuration/configuration/server.crt b/rpms/awips2.core/Installer.database-server-configuration/configuration/server.crt deleted file mode 100644 index 0a8345ee67..0000000000 --- a/rpms/awips2.core/Installer.database-server-configuration/configuration/server.crt +++ /dev/null 
@@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC5TCCAc0CCQDkIgVweT7S1zANBgkqhkiG9w0BAQUFADAzMQ4wDAYDVQQKDAVB -V0lQUzEQMA4GA1UECwwHVGVzdGluZzEPMA0GA1UEAwwGY2Fyb290MB4XDTE2MTEy -MDAwMjc0NVoXDTQ2MTExMzAwMjc0NVowNjEOMAwGA1UECgwFQVdJUFMxEDAOBgNV -BAsMB1Rlc3RpbmcxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAMWhdkvvIyM+onkzDIrewNHZrqDhNi69xG1fl7+Jr0vf -FQFJUXp5NzSBZvoRXRMXu+u2BVwlA0evuAOzQ7Ael+CA9/xfwc5C3hMp9go4V9TA -0wrdJdrdUvdat3zTZNw8pn7hQIQp5pJLTTXHDwxa/WTsDpdnd9AqLOQgLYfTtfDy -NYY+Q+BHUHaxT+VpB8Q4BvR0Kind1+L8MGv9D3dokB76+gSRMcLIwluCkSN/I6G4 -nWsPtgNNf38pmootuxoCjqzTjeRfTiTRJCOTM8iVdeWnidNyYn9j3tVNDazuKMB6 -wkKz/amuaPsmMex9LjQOYyt/3gKlMVQp1GHl7r/JXJ0CAwEAATANBgkqhkiG9w0B -AQUFAAOCAQEAjkABv9kOD6hAOyUUMCnMUbOHbW0blenW7aDClFJH7UlC8XVHpSW1 -ZJlAjrXjBXwyV0imyEBBu9l03ej2p4+eCyMyuSUiUzVzDC9y3lKQo5tkPcmv/hid -PsNWn2cKC4mRIoMzUypzZ2VdP4deaVGsTP9tclJOWb+osmvj4Fv/olXzz7/6WDdd -idnAvLdk6x3MKZZxSTtqSUXiVdGWdwBmj8MKQs+wTuehc90qVwcVu3yuJU8vjeDC -BqtptjGZBfN66FzV4sKOMLE7RVcdQvlMQ1UQrHvnQx2KHBUrZu3AEWNJQ8mvzADf -PXp0rzotjHX+QKsaEtj3MTKzegfo5PE7zQ== ------END CERTIFICATE----- diff --git a/rpms/awips2.core/Installer.database-server-configuration/configuration/server.key b/rpms/awips2.core/Installer.database-server-configuration/configuration/server.key deleted file mode 100644 index 76595ba62f..0000000000 --- a/rpms/awips2.core/Installer.database-server-configuration/configuration/server.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDFoXZL7yMjPqJ5 -MwyK3sDR2a6g4TYuvcRtX5e/ia9L3xUBSVF6eTc0gWb6EV0TF7vrtgVcJQNHr7gD -s0OwHpfggPf8X8HOQt4TKfYKOFfUwNMK3SXa3VL3Wrd802TcPKZ+4UCEKeaSS001 -xw8MWv1k7A6XZ3fQKizkIC2H07Xw8jWGPkPgR1B2sU/laQfEOAb0dCop3dfi/DBr -/Q93aJAe+voEkTHCyMJbgpEjfyOhuJ1rD7YDTX9/KZqKLbsaAo6s043kX04k0SQj -kzPIlXXlp4nTcmJ/Y97VTQ2s7ijAesJCs/2prmj7JjHsfS40DmMrf94CpTFUKdRh -5e6/yVydAgMBAAECggEBAK1v10soYGPL0fYfMMCmX/1J1hDl1BENBNcfbyLuh+JD -skFgwJqEykfP0DlhB5d72rUvFmEZMlm1Af5tUde74XlqdTcMKh8DW7ThvESX0ayq -VAtSrKf4V5kwCZsIQZltuIfc0iuqQejdILMzMCedqobpCp0gdms+uAqzmoF68E60 -FQ2UEyOaiJLXxAV5ZqB/nRFAGhRGAYUKMAfljzo0xtGgrAvrbQcyQ5IAkYNM+dbc -Mkdf9E8d5EQ0jIOoBhambX36IF6emSkVeLKqPOemE7MoxnGFdxdmZpAMziLPrMfq -WX8oGB+hNuhdhI/3SMW3s8SejIjGmunDi7NQyQmLdoECgYEA8pBg0OVt4uNiTWPU -M8BMMOl5rrZijjvqgJCiaxy8xBqaGjC/4CvWExcbPqRQR7ZD/jGG4nQQ8g8fhgNb -H9/oiEsMg1VirHIZ6nD4H3y2bfBqQAfsNCdVx9Z1aucdebg+vdEv8XnCsCaZitJW -T1T5vecgqXBHPpppYz1lx8PP160CgYEA0JPrEPfi6HbCARpfPtnQFwZjfIbOzxLn -Cm1g3BCoiMAcH84ECgNqUU/5z05TYS+lZp4gybxTPzRxziCWcAobksI1Jpja5LKE -XkIhp8wO6O/wxFLEN7SIfG8On690KAF2uJA9MseE2ts01B9ud7DQW/cQXxUpYdUC -FspfbSHJ9rECgYEA1tTAqsNIu7agDeLowp0B3iAqwW6Pg2HVo+B1uWBOX3EgIyoi -Bq1MgMPqQWTOJXVsaun6iP47M+fpB4xZXLW3AV9WycsKBalZAqbjWx/dgyl3MRbT -QK3F76QlgnUHShLAnuVzDO/GWrUVMDpybvjX6DWYW/kxYGTqChcK2g63OlECgYA3 -+bp4D06B/H0MNrug7mt+AmToonUV9Yizr67y4DWanZPupSdIWKpLsB7ml6qgxlyp -MX6zJStiJvzzyKMW5l+H/z6sYRE9lvsXIMBPe9/0e5At39hw6q5GVreh+0A9DEeE -OJFz8z+gTHvdAaJv1K/WPnPSUKeObc/lteHuM8czwQKBgQDf+aHu4kC0szBq80YB -mgw41kVMmlJRMlkPFaeldYUlAspoPfCY/10d0ch6nrd5SDnHB/TydndNeh6VHXqn -5t1iieZp+lQVy6GVLxeneW/9R6GgznULnZc0C76+gMhaUN7gE6tAceOg+sR46AhN -7kqJhJZZSGEYlySXi29d+RYQtQ== ------END PRIVATE KEY----- diff --git a/rpms/awips2.core/Installer.database/component.spec b/rpms/awips2.core/Installer.database/component.spec index 51bf9630b0..060de4455b 100644 --- a/rpms/awips2.core/Installer.database/component.spec 
+++ b/rpms/awips2.core/Installer.database/component.spec @@ -22,7 +22,7 @@ Packager: %{_build_site} AutoReq: no Provides: awips2-database Provides: awips2-static-user -Requires: libpng +Requires: libpng, awips2 Requires: awips2-postgresql Requires: awips2-psql Requires: netcdf = 4.1.2 @@ -50,18 +50,18 @@ if [ $? -ne 0 ]; then exit 1 fi -PROJECT_DIR="Installer.database" -CONFIGURATION_DIR="rpms/awips2.core/${PROJECT_DIR}/configuration" -CONF_FILE="postgresql.conf" - -cp %{_baseline_workspace}/${CONFIGURATION_DIR}/${CONF_FILE} \ - ${RPM_BUILD_ROOT}/awips2/data - - -mkdir -p ${RPM_BUILD_ROOT}/awips2/database +mkdir -p ${RPM_BUILD_ROOT}/awips2/database/ssl if [ $? -ne 0 ]; then exit 1 fi +CONFIGURATION_DIR="rpms/awips2.core/Installer.database/configuration" +CONF_FILE="postgresql.conf" + +cp -p %{_baseline_workspace}/${CONFIGURATION_DIR}/*.{key,crt} \ + ${RPM_BUILD_ROOT}/awips2/database/ssl + +cp %{_baseline_workspace}/${CONFIGURATION_DIR}/${CONF_FILE} \ + ${RPM_BUILD_ROOT}/awips2/data PATH_TO_DDL="build.edex/opt/db/ddl" PATH_TO_REPLICATION="build.edex/opt/db/replication" @@ -153,7 +153,6 @@ MAPS=${AWIPS2_DATA_DIRECTORY}/maps DAMCAT=${AWIPS2_DATA_DIRECTORY}/damcat HMDB=${AWIPS2_DATA_DIRECTORY}/hmdb EBXML=${AWIPS2_DATA_DIRECTORY}/ebxml - # Add The PostgreSQL Libraries And The PSQL Libraries To LD_LIBRARY_PATH. export LD_LIBRARY_PATH=${POSTGRESQL_INSTALL}/lib:$LD_LIBRARY_PATH export LD_LIBRARY_PATH=${PSQL_INSTALL}/lib:$LD_LIBRARY_PATH @@ -189,6 +188,11 @@ function init_db() if [ -f /awips2/data/postgresql.conf ]; then mv /awips2/data/postgresql.conf /awips2/ fi + + # move certificates/keys in /awips2/data to a temporary location. (aren't they in /awips2/database/ssl ??) + rm -rf /awips2/.a2pgdbsec + mkdir -m 700 /awips2/.a2pgdbsec + mv /awips2/database/ssl/*.{crt,key} /awips2/.a2pgdbsec su - ${AWIPS_DEFAULT_USER} -c \ "${POSTGRESQL_INSTALL}/bin/initdb --auth=trust --locale=en_US.UTF-8 --pgdata=${AWIPS2_DATA_DIRECTORY} --lc-collate=en_US.UTF-8 --lc-ctype=en_US.UTF-8" 
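Review bot: The new `cp -p %{_baseline_workspace}/${CONFIGURATION_DIR}/*.{key,crt} ${RPM_BUILD_ROOT}/awips2/database/ssl` in the `@@ -50,18 +50,18 @@` hunk packages whatever private key sits in the source tree, so every host installed from this RPM would present the same `server.key`, and anyone who can read the repository or the package holds it as well. That weakens both the `ssl = on` setting and the `cert clientcert=1` rules this commit introduces, because the server identity and the CA are shared rather than per-site. At a minimum, put a comment above the copy such as `# bundled key/certs are test material only; replace with site-issued files before deployment`; the better design is to ship no key in the package and create one per host at install time. The two `cp` calls are also unchecked, unlike the `mkdir -p` just above them, so a missing file would go unnoticed; follow each with `if [ $? -ne 0 ]; then exit 1; fi`.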
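Review bot: In `init_db` (hunk `@@ -189,6 +188,11 @@`), the added `mv /awips2/database/ssl/*.{crt,key} /awips2/.a2pgdbsec` has no status check, and the matching restore in the next hunk (`@@ -197,6 +201,9 @@`) is followed by an unconditional `rm -rf /awips2/.a2pgdbsec`, so a failed move back deletes the only remaining copy of the key. Tie the cleanup to the restore, e.g. `mv /awips2/.a2pgdbsec/*.{crt,key} /awips2/database/ssl/ && rm -rf /awips2/.a2pgdbsec`, and set `RC` when it fails. The added comment says the files are in `/awips2/data` and then questions that itself; `initdb` is pointed at `${AWIPS2_DATA_DIRECTORY}` while the files are moved out of `/awips2/database/ssl`, so either drop the move or reword the comment to say why it is needed. `init_db` starts and ends outside these hunks, so the handling of `RC` around this code is not visible here.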
@@ -197,6 +201,9 @@ function init_db() if [ -f /awips2/postgresql.conf ]; then mv /awips2/postgresql.conf /awips2/data fi + + mv /awips2/.a2pgdbsec/*.{crt,key} /awips2/database/ssl/ + rm -rf /awips2/.a2pgdbsec return ${RC} } @@ -284,7 +291,7 @@ execute_initial_sql_script ${SQL_SHARE_DIR}/initial_setup_server.sql /awips2/psql/bin/psql -U awips -d metadata -c "CREATE EXTENSION postgis;" /awips2/psql/bin/psql -U awips -d metadata -c "CREATE EXTENSION postgis_topology;" -execute_psql_sql_script /awips2/postgresql/share/contrib/postgis-2.0/legacy.sql metadata +execute_psql_sql_script /awips2/postgresql/share/contrib/postgis-2.2/legacy.sql metadata execute_psql_sql_script ${SQL_SHARE_DIR}/permissions.sql metadata execute_psql_sql_script ${SQL_SHARE_DIR}/fxatext.sql metadata @@ -306,11 +313,14 @@ copy_addl_config rm -rf ${RPM_BUILD_ROOT} %files +%defattr(600,awips,fxalpha,700) +/awips2/database/ssl +%config(noreplace) /awips2/database/ssl/server.crt +%config(noreplace) /awips2/database/ssl/root.crt +%config(noreplace) /awips2/database/ssl/server.key %defattr(644,awips,fxalpha,700) %dir /awips2/data - %defattr(644,awips,fxalpha,755) -%dir /awips2 %dir /awips2/database %dir /awips2/database/sqlScripts %dir /awips2/database/replication @@ -325,3 +335,4 @@ rm -rf ${RPM_BUILD_ROOT} /awips2/database/sqlScripts/share/sql/*.sql /awips2/database/sqlScripts/share/sql/*.sh /awips2/database/replication/setup-standby.sh +/awips2/database/replication/replication-config.sh diff --git a/rpms/awips2.core/Installer.database/configuration/postgresql.conf b/rpms/awips2.core/Installer.database/configuration/postgresql.conf index edb5b41383..c010f7802d 100644 --- a/rpms/awips2.core/Installer.database/configuration/postgresql.conf +++ b/rpms/awips2.core/Installer.database/configuration/postgresql.conf 
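Review bot: In the `%files` hunk (`@@ -306,11 +313,14 @@`), `/awips2/database/ssl` is listed without `%dir`, which makes rpm package the directory together with everything under it, and the three `%config(noreplace)` lines then name the same files a second time. That normally produces "File listed twice" warnings and leaves it unclear which entry's attributes apply to `server.key`. Write `%dir /awips2/database/ssl` so that only the directory (mode 700) comes from that line and the key and certificates come from the explicit `%config(noreplace)` entries under `%defattr(600,awips,fxalpha,700)`. The same hunk removes `%dir /awips2`; presumably that directory is now owned by the package pulled in through the new `Requires: libpng, awips2`, which is worth confirming.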
@@ -77,13 +77,13 @@ max_connections = 400 # (change requires restart) # - Security and Authentication - #authentication_timeout = 1min # 1s-600s -ssl = off # (change requires restart) +ssl = on # (change requires restart) #ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers # (change requires restart) #ssl_renegotiation_limit = 512MB # amount of data between renegotiations -#ssl_cert_file = 'server.crt' # (change requires restart) -#ssl_key_file = 'server.key' # (change requires restart) -#ssl_ca_file = 'root.crt' # (change requires restart) +ssl_cert_file = '/awips2/database/ssl/server.crt' # (change requires restart) +ssl_key_file = '/awips2/database/ssl/server.key' # (change requires restart) +ssl_ca_file = '/awips2/database/ssl/root.crt' # (change requires restart) #ssl_crl_file = '' # (change requires restart) #password_encryption = on #db_user_namespace = off
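Review bot: `ssl = on` only makes TLS available; whether a client must use it is decided by the entry type in pg_hba.conf, so this line deserves a comment such as `# TLS is enforced only for pg_hba.conf entries of type hostssl`. The hunk sets `ssl_ca_file` but leaves `#ssl_crl_file = ''` commented out, so with the `cert clientcert=1` rules added elsewhere in this commit there is no way to revoke a single client certificate short of replacing the CA. `#ssl_ciphers` also stays at the commented value `'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'`; consider setting an explicit, stricter list now that TLS is in use.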