Prerequisites¶
Machine¶
OS¶
The PostgreSQL cluster provided by the appliance is based on a 64-bit Debian 12 (bookworm) operating system.
CPU¶
It is recommended to allocate 4 CPU cores per node in the PostgreSQL cluster.
RAM¶
It is recommended to allocate 4 GB of RAM per node in the PostgreSQL cluster.
Disk¶
The virtual appliance comes with a 60GB virtual disk.
Network¶
A PostgreSQL cluster will require 4 IP addresses:
- 1 real IP address per PostgreSQL node
- 1 virtual IP address for the PostgreSQL cluster
Warning!
The real and virtual IP addresses of the PostgreSQL cluster nodes must all belong to the same subnet.
The nodes of the PostgreSQL cluster are usually placed in the LAN to be accessed by cyberelements.io or cyberelements Cleanroom via Edge Gateways.
To better identify the different machine addresses, they will be named as follows in the documentation:
| IP address name | Signification |
|---|---|
RIP_PSQL_1 |
Real IP address of PostgreSQL node n°1. |
RIP_PSQL_2 |
Real IP address of PostgreSQL node n°2. |
RIP_PSQL_3 |
Real IP address of PostgreSQL node n°3. |
VIP_PSQL |
Virtual IP address of the PostgreSQL cluster. |
| Source | Destination | Destination port | Comments |
|---|---|---|---|
RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
Debian repositories | TCP 80 | Required for installing cyberelements Cleanroom dependencies and keeping the system up to date. The documentation and virtual appliances use ftp.fr.debian.org and security.debian.org. |
RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
DNS server | UDP 53 | Required for DNS resolution. Optional if a DNS server is available on the LAN or DMZ. |
RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
NTP time server | UDP 123 | Optional if the server needs to synchronize its clock with a server on the LAN or DMZ. By default, the Debian pools are used: 0.debian.pool.ntp.org, 1.debian.pool.ntp.org, 2.debian.pool.ntp.org and 3.debian.pool.ntp.org. |
| Source | Destination | Destination port | Comments |
|---|---|---|---|
RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
TCP 2379 | Port used for cluster operation and listened to by ETCD. |
RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
TCP 2380 | Port used for cluster operation and listened to by ETCD. |
RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
TCP 5432 | SQL connection port carried by PostgreSQL (default port can be changed). |
RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
TCP 8008 | Port used for cluster operation and listened to by Patroni. |
RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
DNS server | UDP 53 | Required for DNS resolution. Optional if a DNS server is available on the WAN or DMZ. |
RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
NTP time server | UDP 123 | Optional if the server needs to synchronize its clock with a server on the WAN or DMZ. By default, the Debian pools are used: 0.debian.pool.ntp.org, 1.debian.pool.ntp.org, 2.debian.pool.ntp.org and 3.debian.pool.ntp.org. |
| IP addresses or network range of administration workstations | RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
TCP 22 | Remote SSH administration port. |
| IP addresses or network range of administration workstations | RIP_PSQL_1RIP_PSQL_2RIP_PSQL_3 |
TCP 5432 | SQL connection port used by PostgreSQL (default port can be changed). |
| IP addresses or network range of administration workstations | VIP_PSQL |
TCP 5432 | SQL connection port used by PostgreSQL (default port can be changed). |
| IP addresses of Edge Gateways that need to access the PostgreSQL cluster | VIP_PSQL |
TCP 5432 | SQL connection port used by PostgreSQL (default port can be changed). |
Certificates¶
The PostgreSQL cluster encrypts communication flows between its nodes for cluster operation as well as for SQL connections. This is a TLS encryption, which requires the use of certificates.
The information below summarizes the settings and options required for PostgreSQL cluster certificates.
Certificate security constraint
Regardless of the certificate used, ensure that it complies with OpenSSL security level 2, which can be summarized as follows:
- The certificate and the certificates of its certification authorities must have a private key of at least 2048 bits with RSA, DSA, and DH encryption; for elliptic curve keys (ECC), they must be at least 224 bits.
- The certificate signature must not be MD5 or SHA-1 (SHA-512 is preferred).
Each PostgreSQL node will use a single certificate but will also need to import the root Certificate Authority (CA) certificate.
The root CA is expected to be in base64 encoded crt format.
The PostgreSQL node certificate must comply with the following settings:
- The hash function used for the signature must be part of the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must have a private key of at least 2048 bits with RSA, DSA, and DH encryption; for elliptic curve keys (ECC), they must be at least 224 bits. We recommend a size of 4096 bits for RSA and the secp384r1 ECDSA curve with a size of 384 bits.
- The
Common Nameattribute must have the short name of the server as its value (specifying the FQDN will cause failures). - The
Key Usageattribute must have the valuescritical,digitalSignatureandkeyEncipherment. - The
Extended Key Usageattribute must have the valuesserverAuthandclientAuth. - The
Subject Alternative Nameattribute must be defined to cover:- The name of the PostgreSQL node associated with the real IP address
- The name of the PostgreSQL cluster associated with the virtual IP address
- The real IP address of the PostgreSQL node
- The virtual IP address of the PostgreSQL cluster
Expected certificate format: P12.