PostgreSQL實例參考

陳景峰(netkiller)

前言

經過三個月的努力《PostgreSQL 實用實例參考》正式版終於推出了。因為最近換了工作，新公司的工作也很忙所以文檔進展很慢，從最初幾十頁寫到現在200頁的文檔，每天寫文檔的時間越來越少，有時一周也就只寫2頁，甚至一週一字未對。

正式版推出了，然後就是不斷的修正。可能這段時間《PostgreSQL 實用實例參考》更新會更慢些。因為我還有其他文檔要寫：《OpenLDAP 文檔》、《PHP + Corba + Python文檔》、《JBuilder + Weblogic + PostgreSQL 開發EJB》。。。。。

文檔中所有例子，都是在工作總結出來的，如有錯誤請指正。本人愛寫錯別字（哈哈）如果你發現了有錯字，請發郵糽ang=EN-US style='mso-fareast-font-family:PMingLiU;mso-fareast-language:ZH-TW'>netkiller(at)9812(dot)net修正文檔。

300頁之後不再推出HTML格式的文檔了，之後的文檔以PDF、PS（PostScript）格式為主，我是使用Microsoft Word寫文檔，處理300頁的文檔很困難，在保存文檔或將doc檔轉成其他格式的檔時經常會出現無回應。我也考慮過使用docbook / latex，或Page Maker。前者非所見即所得，要用戶使用XML撰寫，通過make一類的命令可以生成多種格式的文檔，docbook也是UNIX手冊的標準格式。後者Page Maker不用說了，Adobe出品，生成PDF更好些。

這是我第一次寫一篇如此長的文檔，沒有經驗，寫的不好，不敢稱為“書”，所以我叫它“文檔”。

1.1 本文檔的讀者對象

文檔面向有一定資料庫基礎用戶。在這裏我假設你對資料有一定認識，能夠使用create創建資料與表，能夠使用select、insert、update等語句操作資料庫記錄。

不管是誰，我希望這本文檔都能對你有所幫助。

1.2 本文檔主要內容

第一章主要介紹PostgreSQL

第二章是開發中遇到的一些問題

附錄中一些SQL腳本文件，可供用戶參考。

1.3 怎樣使用本文檔

邊看、邊做、邊試驗，然後總結，多動腦。有問題先查查這本文檔，如果文檔中沒有提到，再考慮其他方式，或與我聯繫。

作者簡介

作者資訊：

陳景峰，昵稱：netkiller, UNIX like愛好者,研究方向群集系統、網路安全、資料倉庫與資料挖掘、LDAP、J2EE，Corba，企業解決方案。

主頁地址：

http://www.9812.net/

ICQ:101888222

Yahoo:snetkiller

AIM:xnetkiller

網易泡泡：openunix@163.com

E-Mail: openunix@163.com

有問題最好給我發Email或去下面的Newsgroup裏討論

news://news.cdut.edu.cn/cn.lang.java

news://news.cdut.edu.cn/cn.lang.python

Web Newsgroup:

http://202.103.190.130:8080/news

我常去的BBS：

http://www.pgsqldb.org

http://www.chinaunix.com

http://www.linuxforum.net

第一章 PostgreSQL

PostgreSQL Wins Linux Journal Editors Choice Award
Posted on 2004-08-02
Posted by press at postgresql.org

PostgreSQL has won the 2004 Linux Journal Editors' Choice Award for the best DBMS!

Linux Journal's Editors' Choice Awards are well-known as the premiere forum recognizing outstanding product developments and achievements in the Linux market, and winners of the sixth annual awards are featured in the August 2004 issue of Linux Journal.

Check out the full article.

1 簡介

我接觸PostgreSQL是2000年，但項目中使用PostgreSQL是2003年，2000當時應該是5.x，6.x版本我並沒有深入地研究這個資料庫，還是主要使用MS Sql Server 7/2000 、Oracle 8。

因為很多企業難以支付MS Sql Server 7/2000 、Oracle 8這筆費用，所以Free Database是最佳選擇。但大多免費的資料庫，功能有限、性能也差，跟本不能滿足我們的需求。

1.4 關於性能

有一段時間裏我們使用MySQL，實在不好用，功能太少，它只實現了SQL92 中不到30%的功能。除了select、insert、update、delete還有什麼功能？一味強調速度快，真的是這樣嗎？MySQL資料量增加很大時，速度下劃很快。

幾萬條記錄時速度最快，幾十萬記錄時速度不同了，幾百萬時就開始慢了。PostgreSQL 隨著資料量增大時，速度變化差距不象MySQL那麼大。

有些朋友在網上說（觸發器、游標、外鍵、視圖）影響性能。這裏要說明一下如果適當的使用視圖、子查詢、觸發器、游標……會讓你開發更輕鬆。

注：關於游標，很多SQL書中這樣寫“游標就是指向一行的指標”在PostgreSQL有些不同，它是返回一個結果集，對結果集next 操作返回一行。

Phpbuilder上有一篇文章是寫PostgreSQL 與 MySQL 大家可以去看看。

1.5 為什麼說postgresql是最先進的開源資料庫？

1. 技術領先：
很多新技術都是它提出的
如：pl過程語言．在其他資料系統中都有自己的專用PL語言。而PostgreSQL中支援很多種PL語言（pl/tcl,pl/python,pl/perl,pl/php,pl/shell/pl/pgsql,pl/java.......）
還有面象物件(ORDBMS)他實現的也很早．
他的資料類型支援很全．如幾何型,陣列．．．在其他RDBMS中是沒有的．
總是有新的技術、思想加入其中

2. 在開源ORDBMS中PostgreSQL功能最強．也最完善

1.6 PostgreSQL對SQL99的支持

SQL-3/SQL99	√
PRIMARY KEY主鍵	√
FOREIGN KEY外鍵	√
Schema 模式	√
TOAST大對象	√
View視圖	√
正則運算式	√
subquery子查詢	√
TRIGGER觸發器	√
RULE規則	√
FUNCTION過程/函數	√
CURSOR游標	√
PLSQL 過程語言	√（PL/pgSQL,PL/Tcl,PL/Perl,PL/Python,plPHP等等）
OLTP表的鎖定、事務隔離	√
許可權	√（用戶、組）
Object對象支援	√（ORDBMS）
	√

其他：

連接	進程方式
SSL	√
群集（HA，資料同步複製。。。）	√
ODBC	√
JDBC	√
裸設備	目前不支持
下面是一些限制：一行，一個表，一個庫的最大尺寸是多少？
一個資料庫最大尺寸？	無限制（存在 32TB 的資料庫）
一個表的最大尺寸？	32TB
一行的最大尺寸？	1.6TB
一個欄位的最大尺寸?	1GB
一個表裏最大行數？	無限制
一個表裏最大列數？	跟列類型有關,250-1600
一個表裏的最大索引數量？	無限制

當然，實際上沒有真正的無限制，還是要受可用磁碟空間、可用記憶體/交換區的制約。表的最大尺寸 32 TB 不需要作業系統對大檔的支援。大表用多個 1 GB 的檔存儲，因此檔系統尺寸的限制是不重要的。如果缺省的塊大小增長到 32K ，最大的表尺寸和最大列數可以增加。

這裏引用http://www.pgsqldb.org/postgres-faq.html4.5詳細請登錄網站查看。

2 PostgreSQL 資料庫

2.1 PostgreSQL分區

PostgreSQL 最好自己單獨一個分區，如果你有兩塊硬碟建議你給它單獨一塊硬碟。

[chen@linux chen]$ df

Filesystem 1K-blocks Used Available Use% Mounted on

/dev/sda9 1004024 99892 853128 11% /

/dev/sda1 101089 9498 86372 10% /boot

/dev/sda2 120952116 7648124 107159936 7% /home

none 515400 0 515400 0% /dev/shm

/dev/sda10 2522048 33260 2360672 2% /tmp

/dev/sda7 5036284 2238244 2542208 47% /usr

/dev/sda6 5036284 1919140 2861312 41% /var

/dev/sda5 40313964 99444 38166636 1% /var/lib/pgsql

/dev/sda3 60476068 212532 57191508 1% /cvsroot

[chen@linux chen]$

[chen@linux chen]$ df -m

Filesystem 1M-blocks Used Available Use% Mounted on

/dev/sda9 980 98 833 11% /

/dev/sda1 99 10 84 10% /boot

/dev/sda2 118117 7469 104648 7% /home

none 503 0 503 0% /dev/shm

/dev/sda10 2463 33 2305 2% /tmp

/dev/sda7 4918 2186 2482 47% /usr

/dev/sda6 4918 1875 2794 41% /var

/dev/sda5 39369 98 37272 1% /var/lib/pgsql

/dev/sda3 59059 208 55851 1% /cvsroot

[chen@linux chen]$

2.2 RPM包安裝

[root@linux software]# ls -1

postgresql-7.3.4-1PGDG.i386.rpm

postgresql-contrib-7.3.4-1PGDG.i386.rpm

postgresql-debuginfo-7.3.4-1PGDG.i386.rpm

postgresql-devel-7.3.4-1PGDG.i386.rpm

postgresql-docs-7.3.4-1PGDG.i386.rpm

postgresql-jdbc-7.3.4-1PGDG.i386.rpm

postgresql-libs-7.3.4-1PGDG.i386.rpm

postgresql-pl-7.3.4-1PGDG.i386.rpm

postgresql-python-7.3.4-1PGDG.i386.rpm

postgresql-server-7.3.4-1PGDG.i386.rpm

postgresql-tcl-7.3.4-1PGDG.i386.rpm

postgresql-test-7.3.4-1PGDG.i386.rpm

[root@linux software]# rpm -Uvh --nodeps `ls -1`

Preparing... ########################################### [100%]

1:postgresql-test ########################################### [ 8%]

2:postgresql ########################################### [ 17%]

3:postgresql-contrib ########################################### [ 25%]

4:postgresql-debuginfo ########################################### [ 33%]

5:postgresql-devel ########################################### [ 42%]

6:postgresql-docs ########################################### [ 50%]

7:postgresql-jdbc ########################################### [ 58%]

8:postgresql-libs ########################################### [ 67%]

9:postgresql-pl ########################################### [ 75%]

10:postgresql-python ########################################### [ 83%]

11:postgresql-server ########################################### [ 92%]

12:postgresql-tcl ########################################### [100%]

[root@linux software]# rpm -qa|grep postgre

postgresql-devel-7.3.4-1PGDG

postgresql-7.3.4-1PGDG

postgresql-python-7.3.4-1PGDG

postgresql-contrib-7.3.4-1PGDG

postgresql-jdbc-7.3.4-1PGDG

postgresql-server-7.3.4-1PGDG

postgresql-debuginfo-7.3.4-1PGDG

postgresql-libs-7.3.4-1PGDG

postgresql-tcl-7.3.4-1PGDG

postgresql-test-7.3.4-1PGDG

postgresql-pl-7.3.4-1PGDG

postgresql-docs-7.3.4-1PGDG

[root@linux software]#

[root@linux software]# service postgresql start

Starting postgresql service: [ OK ]

[root@linux software]# su postgres

bash-2.05b$ createdb

CREATE DATABASE

bash-2.05b$ psql

Welcome to psql 7.3.4, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms

\h for help with SQL commands

\? for help on internal slash commands

\g or terminate with semicolon to execute query

\q to quit

postgres=# \q

bash-2.05b$

bash-2.05b$ vi /var/lib/pgsql/data/postgresql.conf

#========================================================================

# Connection Parameters

#tcpip_socket = false

tcpip_socket = true

#ssl = false

#max_connections = 32

max_connections = 128

#superuser_reserved_connections = 2

#port = 5432

#hostname_lookup = false

#show_source_port = false

#unix_socket_directory = ''

#unix_socket_group = ''

#unix_socket_permissions = 0777 # octal

#virtual_host = ''

#krb_server_keyfile = ''

# Shared Memory Size

#shared_buffers = 64 # min max_connections*2 or 16, 8KB each

shared_buffers = 256 # min max_connections*2 or 16, 8KB each

#max_fsm_relations = 1000 # min 10, fsm is free space map, ~40 bytes

#max_fsm_pages = 10000 # min 1000, fsm is free space map, ~6 bytes

#max_locks_per_transaction = 64 # min 10

#wal_buffers = 8 # min 4, typically 8KB each

bash-2.05b$ vi /var/lib/pgsql/data/pg_hba.conf

host all all 127.0.0.1 255.255.255.255 md5

bash-2.05b$ psql

Welcome to psql 7.3.4, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms

\h for help with SQL commands

\? for help on internal slash commands

\g or terminate with semicolon to execute query

\q to quit

postgres=# CREATE USER netkiller WITH PASSWORD 'chen';

CREATE USER

postgres=# CREATE DATABASE netkiller WITH OWNER = netkiller TEMPLATE = template0 ENCODING = 'UNICODE';

CREATE DATABASE

postgres=# \du

List of database users

User name | User ID | Attributes

-----------+---------+----------------------------

netkiller | 100 |

postgres | 1 | superuser, create database

(2 rows)

postgres=# \l

List of databases

Name | Owner | Encoding

-----------+-----------+-----------

netkiller | netkiller | UNICODE

postgres | postgres | SQL_ASCII

template0 | postgres | SQL_ASCII

template1 | postgres | SQL_ASCII

(4 rows)

postgres=# \q

bash-2.05b$

bash-2.05b$ createlang plpgsql netkiller

bash-2.05b$

bash-2.05b$ exit

exit

[root@linux software]# service postgresql restart

[ OK ]

Starting postgresql service: [ OK ]

[root@linux software]#

[root@linux software]# psql -h127.0.0.1 -Unetkiller netkiller

Password:

Welcome to psql 7.3.4, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms

\h for help with SQL commands

\? for help on internal slash commands

\g or terminate with semicolon to execute query

\q to quit

netkiller=>

注意：

1. 程式安裝我使用了一個小技巧。（我懶哈哈）rpm -Uvh --nodeps `ls -1`
安裝一定要加—nodeps，ls -1 這裏是減號，阿拉伯數字1，不是英文字母“l” (L)

2. postgres只能用於UNIX Domain Socket方式登陸(/tmp/.s.PGSQL.5432)，不能在TCP/IP Socket模式下登陸。

[root@linux software]# ls -la /tmp

total 68

drwxrwxrwt 11 root root 4096 Nov 11 16:29 .

drwxr-xr-x 22 root root 4096 Nov 5 14:49 ..

srwx------ 1 root nobody 0 Nov 5 11:34 .fam_socket

drwxrwxrwt 2 xfs xfs 4096 Nov 5 14:49 .font-unix

drwx------ 2 root root 4096 Nov 5 19:06 .gconfd

srw-rw-rw- 1 root root 0 Nov 5 14:49 .gdm_socket

drwxrwxrwx 2 bin bin 4096 Nov 5 14:49 .iroha_unix

drwx------ 2 root root 4096 Nov 5 19:14 kde-root

drwx------ 2 root root 16384 Nov 5 18:46 lost+found

drwxr-xr-x 2 root root 4096 Nov 5 18:55 .mozilla

drwx------ 2 root root 4096 Nov 5 11:38 orbit-root

drwxr-xr-x 2 root root 4096 Nov 5 19:14 .qt

-rw------- 1 root root 1024 Nov 5 18:52 .rnd

srwxrwxrwx 1 postgres postgres 0 Nov 11 16:29 .s.PGSQL.5432

-rw------- 1 postgres postgres 26 Nov 11 16:29 .s.PGSQL.5432.lock

-r--r--r-- 1 root root 11 Nov 5 14:49 .X0-lock

drwxrwxrwt 2 root root 4096 Nov 5 14:49 .X11-unix

[root@linux software]# file /tmp/.s.PGSQL.5432

/tmp/.s.PGSQL.5432: socket

使用file命令可以查看檔類型，所以/tmp/.s.PGSQL.5432顯示類型為/tmp/.s.PGSQL.5432: socket

[root@linux software]# psql -h127.0.0.1 –Upostgres db會提示

Password:

psql: FATAL: Password authentication failed for user "postgres"

[root@linux software]# psql -h127.0.0.1 -Upostgres netkiller

Password:

psql: FATAL: Password authentication failed for user "postgres"

解決方法是創建一個用戶。

3. 登陸提示
[root@linux software]# psql -h127.0.0.1 -Unetkiller netkiller

psql: FATAL: No pg_hba.conf entry for host 127.0.0.1, user netkiller, database netkiller

編輯/var/lib/pgsql/data/pg_hba.conf文件加入

host all all 127.0.0.1 255.255.255.255 md5

2.3 APT 安裝

Apt 是Debian Linux安裝風格

去下而網站可以找到APT套裝軟體

http://www.rpmfind.net/

輸入：apt 搜索即可

http://www.rpmfind.net/linux/rpm2html/search.php?query=apt

[root@linux root]# cd /usr/local/src/

[root@linux src]# wget ftp://194.199.20.114/linux/freshrpms/redhat/9/apt/apt-0.5.5cnc6-fr1.i386.rpm

[root@linux src]# rpm -ivh apt-0.5.5cnc6-fr1.i386.rpm

warning: apt-0.5.5cnc6-fr1.i386.rpm: V3 DSA signature: NOKEY, key ID e42d547b

Preparing... ########################################### [100%]

1:apt ########################################### [100%]

[root@linux src]# apt-get update

Get:1 http://ayo.freshrpms.net redhat/9/i386 release [1171B]

Fetched 1171B in 6s (170B/s)

Get:1 http://ayo.freshrpms.net redhat/9/i386/os pkglist [1357kB]

Get:2 http://ayo.freshrpms.net redhat/9/i386/os release [140B]

Get:3 http://ayo.freshrpms.net redhat/9/i386/updates pkglist [487kB]

Get:4 http://ayo.freshrpms.net redhat/9/i386/updates release [153B]

Get:5 http://ayo.freshrpms.net redhat/9/i386/freshrpms pkglist [151kB]

Get:6 http://ayo.freshrpms.net redhat/9/i386/freshrpms release [157B]

Fetched 1995kB in 2m41s (12.3kB/s)

Reading Package Lists... Done

Building Dependency Tree... Done

[root@linux src]#

[root@linux src]# apt-get check

Reading Package Lists... Done

Building Dependency Tree... Done

You might want to run `apt-get -f install' to correct these.

The following packages have unmet dependencies:

postgresql-python: Depends: mx but it is not installed

E: Unmet dependencies. Try using -f.

[root@linux src]#

[root@linux src]# apt-get -f install

Reading Package Lists... Done

Building Dependency Tree... Done

Correcting dependencies... Done

The following extra packages will be installed:

The following NEW packages will be installed:

0 packages upgraded, 1 newly installed, 0 removed and 146 not upgraded.

Need to get 609kB of archives.

After unpacking 2266kB of additional disk space will be used.

Do you want to continue? [Y/n]

Get:1 http://ayo.freshrpms.net redhat/9/i386/os mx 2.0.3-8 [609kB]

Fetched 609kB in 2m49s (3596B/s)

Executing RPM (-Uvh)...

Preparing... ########################################### [100%]

1:mx ########################################### [100%]

[root@linux src]#

[root@linux src]# apt-get install postgresql-server

如果是Debian Linux 系統直接

[root@linux src]# apt-get install postgresql-server

2.4 PostgreSQL 8.0 beta for windows版本安裝

PostgreSQL 8.0 beta版windows版本安裝包下載地址：

http://laser.dyndns.zhengmai.net.cn/download/postgresql-8.0-beta1.msi

下載後雙擊postgresql開始安裝，只下一步，下一步，即可。

配置D:\PostgreSQL\8.0-beta1\data\pg_hba.conf 檔，建議使用UltraEdit工具。

host all all 192.168.0.1 255.255.255.255 md5

注：我的環境是Windows XP SP2

啟動PostgreSQL 8.0伺服器:

Ø 開始à所有程式àPostgreSQL 8.0-beta1à Start service

停止PostgreSQL 8.0伺服器:

Ø 開始à所有程式àPostgreSQL 8.0-beta1à Stop service

進入psql控制臺:

Ø 開始à所有程式àPostgreSQL 8.0-beta1à psql to template1

2.4.1 運行pgAdmin III

Ø 開始à所有程式àPostgreSQL 8.0-beta1àpgAdmin III

pgAdmin III的一般操作順序是：

1. 新建一個用戶（用於tcp/ip socket的PostgreSQL帳號，而非系統用戶postgres是一個系統帳號，不能用於tcp/ip連接，它是用來管理資料的用戶）

2. 新建一個表空間，用於存放資料

3. 新建一個資料庫實例

4. 新建一個PL過程語言（一般是pl/pgsql）

5. 新建一個模式(Schema)

6. 創建表，視圖，觸發器等等

2.4.2 psql控制臺：

網上有很多朋友問我，PostgreSQL 8.0的psql在那，他默認打開template1資料庫，如何打開其他資料等等問題。

步驟，開始à所有程式àPostgreSQL 8.0-beta1à psql to template1進入PostgreSQL 8.0 psql控制臺，輸入postgres用戶的密碼登錄。

使用“\l”列出資料

使用“\c”連接到其他資料庫。
\c 資料庫資料庫所有者，接提示輸入密碼即可。

Password:

Welcome to psql.exe 8.0.0beta1, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms

\h for help with SQL commands

\? for help with psql commands

\g or terminate with semicolon to execute query

\q to quit

template1=# \l

List of databases

Name | Owner | Encoding

-----------+----------+----------

netkiller | chen | UNICODE

template0 | postgres | UNICODE

template1 | postgres | UNICODE

(3 rows)

template1=# \c netkiller chen

Password:

You are now connected to database "netkiller" as user "chen".

netkiller=#

2.4.3 ODBC

1. 開始à控制面板à管理工具à數據源 (ODBC)

2. 單擊“添加”按鈕

3. 列表中選擇PostgreSQLà單擊“完成”按鈕

4. 單擊Save保存

5. 單擊“確定”按鈕

2.4.4 從Unix/Linux 登錄到Windows

[root@linux root]# psql -h 192.168.0.254 -U chen netkiller

Password:

Welcome to psql 7.3.4, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms

\h for help with SQL commands

\? for help on internal slash commands

\g or terminate with semicolon to execute query

\q to quit

netkiller=#

2.4.5 從Windows 登錄到 Unix/Linux

D:\PostgreSQL\8.0-beta1\bin>psql.exe -h 192.168.0.1 -U netkiller netkiller

Password:

Welcome to psql.exe 8.0.0beta1, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms

\h for help with SQL commands

\? for help with psql commands

\g or terminate with semicolon to execute query

\q to quit

netkiller=>

2.5 資料庫備份方案

2.5.1 備份資料庫腳本

腳本功能是，首先備份資料庫、然後打包、壓縮為tar.gz、最後上傳到指定位置並刪除暫存檔案。

[root@linux root]# cat backup.sh

#!/bin/bash

FTPHOST=ftp.9812.net

USER=netkiller

PASSWD=xxx

echo "Starting Backup PostgreSQL ... "

#big5 gb2312 gb18030 …

export PGCLIENTENCODING=gb18030

su - postgres -c pg_dumpall > pgsql-backup.`date +%Y-%m-%d.%H:%M:%S`.dmp

tar zcvf pgsql-backup.`date +%Y-%m-%d`.tar.gz *.dmp

echo "Upload File ..."

ftp -n ${FTPHOST} <<!

user ${USER} ${PASSWD}

binary

prompt

mkdir backup

cd backup

mput *.tar.gz

bye

echo "Remove temp file ..."

rm -rf pgsql-backup.*.dmp

rm -rf pgsql-backup.????-??-??.tar.gz

[root@linux root]#

如果您沒有一台專用於備份資料的機器（有靜態IP的機器）。上面的備份腳本可更改為：

[root@linux root]# cat backup.sh

#!/bin/bash

echo "Starting Backup PostgreSQL ... "

su - postgres -c pg_dumpall > pgsql-backup.`date +%Y-%m-%d.%H:%M:%S`.dmp

tar zcvf pgsql-backup.`date +%Y-%m-%d`.tar.gz *.dmp

echo "Remove temp file ..."

rm -rf pgsql-backup.*.dmp

[root@linux root]#

2.5.2 下載備份腳本

[root@linux root]# cat getbackup.sh

#!/bin/bash

FTPHOST=ftp.9812.net

USER=netkiller

PASSWD=xxx

wget ftp://${USER}:${PASSWD}@${FTPHOST}/backup/*

ftp -n ${FTPHOST} <<!

user ${USER} ${PASSWD}

binary

prompt

cd backup

mdelete *

bye

[root@linux root]#

2.5.3 保證備份資料的安全-PGP/GPG加密

資料庫中的內容有些是不能提供給用戶的，如其它用戶的資料，密碼。在資料庫中的資料，你可以通過許可權來限制用戶操作。將資料庫備份（導出）到本地SQL文字檔案中(xxxx.sql包括DDL，DML) ，一但備份落入他手，後果不可設想，他很容易得用你的資料，因為你備份的資料是文字檔案，沒有任何加密措施。

這裏介紹GnuPG 以下簡稱GPG，GPG與PGP相容。由於PGP使用了許多專利演算法，屬於美國加密出口限制之列。而GnuPG是GPL軟體。

GPG使用非對稱加密演算法，安全程度很高。所謂非對稱加密演算法，就是每一個用戶都擁有一對密鑰：公鑰和私鑰。其中，私鑰由用戶保存，公鑰提供給internet上的用戶。

設：

陳景峰的帳號：chen

小明的帳號：ming

以下為chen 帳號的操作：

1. 查看當前文件夾

[chen@linux chen]$ ls -la

total 56

drwx------ 4 chen chen 4096 Dec 12 20:38 .

drwxr-xr-x 7 root root 4096 Nov 12 11:47 ..

-rw------- 1 chen chen 4953 Dec 10 14:05 .bash_history

-rw-r--r-- 1 chen chen 24 Feb 11 2003 .bash_logout

-rw-r--r-- 1 chen chen 191 Feb 11 2003 .bash_profile

-rw-r--r-- 1 chen chen 124 Feb 11 2003 .bashrc

-rw-r--r-- 1 chen chen 5531 Feb 4 2003 .canna

-rw-r--r-- 1 chen chen 847 Feb 20 2003 .emacs

-rw-r--r-- 1 chen chen 120 Feb 27 2003 .gtkrc

drwxr-xr-x 3 chen chen 4096 Aug 12 2002 .kde

-rw------- 1 chen chen 594 Dec 10 09:38 .viminfo

drwxr-xr-x 2 chen chen 4096 Nov 5 19:16 .xemacs

[chen@linux chen]$

2. 生成密鑰（公鑰、私鑰）

使用GPG之前必須生成密鑰（公鑰、私鑰）操作步驟。
# gpg --gen-key

[chen@linux chen]$ gpg --gen-key

This program comes with ABSOLUTELY NO WARRANTY.

This is free software, and you are welcome to redistribute it

under certain conditions. See the file COPYING for details.

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

gpg: /home/chen/.gnupg: directory created

gpg: new configuration file `/home/chen/.gnupg/gpg.conf' created

gpg: keyblock resource `/home/chen/.gnupg/secring.gpg': file open error

gpg: keyring `/home/chen/.gnupg/pubring.gpg' created

Please select what kind of key you want:

(1) DSA and ElGamal (default)

(2) DSA (sign only)

(5) RSA (sign only)

Your selection? 回車

DSA keypair will have 1024 bits.

About to generate a new ELG-E keypair.

minimum keysize is 768 bits

default keysize is 1024 bits

highest suggested keysize is 2048 bits

What keysize do you want? (1024) 回車

Requested keysize is 1024 bits

Please specify how long the key should be valid.

0 = key does not expire

<n> = key expires in n days

<n>w = key expires in n weeks

<n>m = key expires in n months

<n>y = key expires in n years

Key is valid for? (0) 回車

Key does not expire at all

Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id

from Real Name, Comment and Email Address in this form:

"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: netkiller

Email address: openunix@163.com

Comment: 陳景峰的密鑰（注：輸入中文終端要支援UTF-8）

You are using the `utf-8' character set.

You selected this USER-ID:

"netkiller (陳景峰的密鑰) <openunix@163.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?o

Enter passphrase:輸入密鑰口令

Repeat passphrase:輸入密鑰口令

You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

+++++++++++++++.+++++++++++++++.+++++++++++++++.+++++++++++++++.+++++++++++++++.++++++++++++++++++++++++++++++++++++++++.++++++++++++++++++++.....>+++++..................+++++

Not enough random bytes available. Please do some other work to give

the OS a chance to collect more entropy! (Need 290 more bytes)

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

..+++++.+++++.++++++++++.+++++++++++++++.+++++++++++++++++++++++++..+++++++++++++++.++++++++++++++++++++.+++++.+++++++++++++++.+++++...++++++++++>+++++............................................................>+++++.............>.+++++.....<+++++............+++++^^^

gpg: /home/chen/.gnupg/trustdb.gpg: trustdb created

public and secret key created and signed.

key marked as ultimately trusted.

pub 1024D/B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

Key fingerprint = 0058 5847 7598 556F AAFD 81A5 AC07 C873 B008 47C5

sub 1024g/0B70F0CB 2003-12-12

[chen@linux chen]$

3. 查看生成密鑰

[chen@linux chen]$ ls -la

total 52

drwx------ 5 chen chen 4096 Dec 12 20:47 .

drwxr-xr-x 7 root root 4096 Dec 12 20:44 ..

-rw-r--r-- 1 chen chen 24 Dec 12 20:44 .bash_logout

-rw-r--r-- 1 chen chen 191 Dec 12 20:44 .bash_profile

-rw-r--r-- 1 chen chen 124 Dec 12 20:44 .bashrc

-rw-r--r-- 1 chen chen 5531 Dec 12 20:44 .canna

-rw-r--r-- 1 chen chen 847 Dec 12 20:44 .emacs

drwx------ 2 chen chen 4096 Dec 12 20:52 .gnupg

-rw-r--r-- 1 chen chen 120 Dec 12 20:44 .gtkrc

drwxr-xr-x 3 chen chen 4096 Dec 12 20:44 .kde

-rw------- 1 chen chen 61 Dec 12 20:45 .Xauthority

drwxr-xr-x 2 chen chen 4096 Dec 12 20:44 .xemacs

[chen@linux chen]$ ls .gnupg/

gpg.conf pubring.gpg pubring.gpg~ random_seed secring.gpg trustdb.gpg

4. 證書的回收

當您的密鑰（gpg --gen-key）生成之後，建議您立即做一個公鎭ヘ收證書，如果您忘記了您的私鑰口令或者您的私鑰丟失或者被盜，您可以發佈這個證書來聲明以前的公鑰不再有效。

gpg --output revoke.asc --gen-revoke netkiller （netkiller 你在生成密鑰時輸入的Real name:）

gpg --output revoke.asc --gen-revoke openunix@163.com （使用郵�

[chen@linux chen]$ gpg --output revoke.asc --gen-revoke netkiller

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

sec 1024D/B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

Create a revocation certificate for this key? y

Please select the reason for the revocation:

0 = No reason specified

1 = Key has been compromised

2 = Key is superseded

3 = Key is no longer used

Q = Cancel

(Probably you want to select 1 here)

Your decision?

Enter an optional description; end it with an empty line:

> :( cancel

>

Reason for revocation: Key has been compromised

:( cancel

Is this okay?

Please select the reason for the revocation:

0 = No reason specified

1 = Key has been compromised

2 = Key is superseded

3 = Key is no longer used

Q = Cancel

(Probably you want to select 1 here)

Enter an optional description; end it with an empty line:

> :( cancel

>

Is this okay? y

You need a passphrase to unlock the secret key for

user: "netkiller (陳景峰的密鑰) <openunix@163.com>"

1024-bit DSA key, ID B00847C5, created 2003-12-12

ASCII armored output forced.

Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets

access to this certificate he can use it to make your key unusable.

It is smart to print this certificate and store it away, just in case

your media become unreadable. But have some caution: The print system of

your machine might store the data and make it available to others!

[chen@linux chen]$ ls

revoke.asc

[chen@linux chen]$ cat revoke.asc

-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: GnuPG v1.2.1 (GNU/Linux)

Comment: A revocation certificate should follow

iFIEIBECABIFAj/Zv08LHQI6KCBjYW5jZWwACgkQrAfIc7AIR8X3agCcDBjqRkFx

QUzcZ/1Gyf1/jjFis04An2rYQz2XrCode08Y78Fj63RVNKD9

=ovDh

-----END PGP PUBLIC KEY BLOCK-----

[chen@linux chen]$

5. 密鑰列表

gpg --list-key

[chen@linux chen]$ gpg --list-key

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

/home/chen/.gnupg/pubring.gpg

-----------------------------

pub 1024D/B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

sub 1024g/0B70F0CB 2003-12-12

[chen@linux chen]$

6. 輸出公鑰

以ASCII字元格式輸出公鑰：gpg --output netkiller.gpg --armor --export netkiller

以二進位格式輸出公鑰：gpg --output netkiller.gpg --export netkiller

下面是以ASCII字元格式輸出（其實就是做了一下BASE64編碼）：

[chen@linux chen]$ gpg --output netkiller.gpg --armor --export netkiller

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

[chen@linux chen]$ ls

netkiller.gpg revoke.asc

[chen@linux chen]$ cat netkiller.gpg

-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: GnuPG v1.2.1 (GNU/Linux)

mQGiBD/ZuhgRBACBRuWYRtJ8+8VmnYUgNy7TS/nVl0sHrsGD2kgIWVUuZYgKSUoM

vT4MUHWdd52yesovAV61qsVCfUz+O76ovhQrUzv4jp+bkIOKcc7E07Z2MZmc1BqR

+Gavb3gsJM6DmOLcRiU0m3fqod1KCGFf8K6ZLQUhRJYWDI80KEgJqliG4wCgo2xn

5WS1CIGnvGDFUiGY6VhdamsD/jdiqSIcwFt2x6VMjzeWkHHM5wNYHuBJnp9DPd9g

rn3uEq+tSex8ZXRyzHGj+N4SKezhEYal1D762kDxjGYltk5Xce5dXQBn9fulEDhD

OzOp78GvIvJ/m33D/J6xECbXUz8XsFFhxJ6QnVh/RURY+EvHE1Tmz/fRG69Rc1Uc

JBqCA/0faHEkyDv+FWEsmFKjflDNqN5NHtdWzJZQZKD1Vb64oJ5CK6r2l+vmxbBr

fVpfk5OVXnfMSpLKc7aGA9X+mUMuNrGRNzzzsmVK6urWQovL/BfeukMgDBZXkLd8

fO7aA53XeBhmVC49atFPH8hsOeMdd0mombrzcvKczjMp0ThP9rQzbmV0a2lsbGVy

ICjpmYjmma/ls7DnmoTlr4bpkqUpIDxuZXRraWxsZXJAOTgxMi5uZXQ+iFkEExEC

ABkFAj/ZuhgECwcDAgMVAgMDFgIBAh4BAheAAAoJEKwHyHOwCEfFBqMAn0HoK9Xc

zvzVkFODVZPWUskzwAhqAJ4rbgYEjSN1/CrdUBzTMtecGu9P+7kBDQQ/2boaEAQA

zhoIDY866/GWUUpuarpVKcN1ijn+5M1Pr42vm2Z42ns4PZW3cagHJeIOuJ5R2Aw1

6V4zZwP5PcBScYxQpM0m0bVmTGp/suZmZ6/u3+ADgvJYSxAXdpzP0cL9rVRKqaPa

MKh+HOanAJ9tWcSy6KW83JKG2NS/0U6OSGGDSoNLElMAAwUD/iGBjPfXD5jsepg+

Z9J1RefM5/R1nnBEeOROnWyaczIU1okswlyluAthi+2+ijpEULaqSQ+ZjtuBjcMp

kE5UKKql6yBAk2CqJMVkVLlDbPFqbidkAqGp5riKWKc487jR6iZjIAhHvXL0xPIQ

erBmEpi4UT7RlaCAmYwvZ1nxGP3eiEYEGBECAAYFAj/ZuhoACgkQrAfIc7AIR8U0

xACfT5pZ+0YjSp9z0/9jPwDfhw7J1bcAnjqxP+uKfkuDHnXRyYFErTN+7iHE

=CII0

-----END PGP PUBLIC KEY BLOCK-----

[chen@linux chen]$

二進位格式輸出：

[chen@linux chen]$ gpg --output bin-netkiller.gpg --export netkiller

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

[chen@linux chen]$ ls

bin-netkiller.gpg netkiller.gpg revoke.asc

[chen@linux chen]$

7. 使用file命令識別文件

[chen@linux chen]$ ls

bin-netkiller.gpg netkiller.gpg revoke.asc

[chen@linux chen]$ file bin-netkiller.gpg

bin-netkiller.gpg: data

[chen@linux chen]$ file netkiller.gpg

netkiller.gpg: PGP armored data public key block

[chen@linux chen]$ file revoke.asc

revoke.asc: PGP armored data public key block

[chen@linux chen]$

8. 發佈公鑰

你可以將你的公鑰放在主頁上下載，也可以mail給別人。

[chen@linux chen]$ pine

PINE 4.44 MAIN MENU Folder: INBOX No Messages

? HELP - Get help using Pine

C COMPOSE MESSAGE - Compose and send a message

I MESSAGE INDEX - View messages in current folder

L FOLDER LIST - Select a folder to view

A ADDRESS BOOK - Update address book

S SETUP - Configure Pine Options

Q QUIT - Leave the Pine program

[Folder "INBOX" opened with 0 messages]

? Help P PrevCmd R RelNotes

O OTHER CMDS > [ListFldrs] N NextCmd K KBLock

PINE 4.44 COMPOSE MESSAGE Folder: INBOX No Messages

To : openunix@163.com

Cc :

Attchmnt:

Subject : 這是我的證書

----- Message Text -----

Attchmnt

^G Get Help ^X Send ^R Rich Hdr ^Y PrvPg/Top ^K Cut Line ^O Postpone

^C Cancel ^D Del Char ^J Attach ^V NxtPg/End ^U UnDel Line^T To Files

游標至於Attchmnt:上按^J -> 再按 ^T

File to attach:

^G Get Help ^T To Files

^C Cancel TAB Complete

PINE 4.44 BROWSER Dir: /home/chen

.. (parent dir) .gnupg (dir)

.kde (dir) mail (dir)

.xemacs (dir) .addressbook 0 B

.addressbook.lu 2.3 KB .bash_logout 24 B

.bash_profile 191 B .bashrc 124 B

bin-netkiller.gpg 909 B .canna 5.5 KB

.emacs 847 B .gtkrc 120 B

netkiller.gpg 1.3 KB .pinerc 14 KB

revoke.asc 275 B .Xauthority 61 B

[ Searched to end of directory ]

? Get Help E Exit Brwsr - Prev Pg D Delete C Copy

S [Select] W Where is Spc Next Pg R Rename A Add

選擇netkiller.gpg 回車

Attachment comment: my netkiller.gpg file

^G Get Help

^C Cancel

輸入注釋資訊

PINE 4.44 COMPOSE MESSAGE Folder: INBOX No Messages

To : openunix@163.com

Cc :

Attchmnt: 1. /home/chen/netkiller.gpg (1.3 KB) "my netkiller.gpg file"

Subject : my netkiller.gpg file

----- Message Text -----

http://linux.9812.net

email:openunix@163.com

[File /home/chen/netkiller.gpg attached as type TEXT/PLAIN]

^G Get Help ^X Send ^R Rich Hdr ^Y PrvPg/Top ^K Cut Line ^O Postpone

^C Cancel ^D Del Char ^J Attach ^V NxtPg/End ^U UnDel Line^T To Files

Send message?y

? Help Y [Yes]

^C Cancel N No

選擇y回車

PINE 4.44 MAIN MENU Folder: INBOX No Messages

PINE 4.44 COMPOSE MESSAGE Folder: INBOX No Messages

To : openunix@163.com

Cc :

Attchmnt: 1. /home/chen/netkiller.gpg (1.3 KB) "my netkiller.gpg file"

Subject : 這是我的證書

----- Message Text -----

Attchmnt

[Sending mail | 0% |]

發送成功

PINE 4.44 MAIN MENU Folder: INBOX No Messages

? HELP - Get help using Pine

C COMPOSE MESSAGE - Compose and send a message

I MESSAGE INDEX - View messages in current folder

L FOLDER LIST - Select a folder to view

A ADDRESS BOOK - Update address book

S SETUP - Configure Pine Options

Q QUIT - Leave the Pine program

[Message sent and copied to "sent-mail".]

? Help P PrevCmd R RelNotes

O OTHER CMDS > [ListFldrs] N NextCmd K KBLock

9. 將公鑰給其他用戶

[chen@linux chen]$ cp netkiller.gpg /tmp

以下是ming帳號的操作：

10. 獲得公鑰

[ming@linux ming]$ cp /tmp/netkiller.gpg .

[ming@linux ming]$ ls

netkiller.gpg

[ming@linux ming]$

11. 導入公鑰

[ming@linux ming]$ gpg --import netkiller.gpg

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

gpg: /home/ming/.gnupg: directory created

gpg: new configuration file `/home/ming/.gnupg/gpg.conf' created

gpg: keyblock resource `/home/ming/.gnupg/secring.gpg': file open error

gpg: keyring `/home/ming/.gnupg/pubring.gpg' created

gpg: /home/ming/.gnupg/trustdb.gpg: trustdb created

gpg: key B00847C5: public key "netkiller (▒\x9\x8▒\x9▒峰▒\x9\x8▒\x8▒\x9▒) <openunix@163.com>" imported

gpg: Total number processed: 1

gpg: imported: 1

[ming@linux ming]$ gpg --list-key

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

/home/ming/.gnupg/pubring.gpg

-----------------------------

pub 1024D/B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

sub 1024g/0B70F0CB 2003-12-12

[ming@linux ming]$

12. 確認密鑰

導入密鑰以後，使用數位簽名來驗證此證書是否合法。

[ming@linux ming]$ gpg --fingerprint netkiller

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

pub 1024D/B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

Key fingerprint = 0058 5847 7598 556F AAFD 81A5 AC07 C873 B008 47C5

sub 1024g/0B70F0CB 2003-12-12

[ming@linux ming]$

13. 密鑰簽名

導入密鑰之後，可以使用(gpg -—sign-key netkiller) 進行簽名，簽名的主要目的是證明您完全信任這個證書的合法性。

[ming@linux ming]$ gpg --gen-key

This program comes with ABSOLUTELY NO WARRANTY.

This is free software, and you are welcome to redistribute it

under certain conditions. See the file COPYING for details.

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

Please select what kind of key you want:

(1) DSA and ElGamal (default)

(2) DSA (sign only)

(5) RSA (sign only)

Your selection?

DSA keypair will have 1024 bits.

About to generate a new ELG-E keypair.

minimum keysize is 768 bits

default keysize is 1024 bits

highest suggested keysize is 2048 bits

What keysize do you want? (1024)

Requested keysize is 1024 bits

Please specify how long the key should be valid.

0 = key does not expire

<n> = key expires in n days

<n>w = key expires in n weeks

<n>m = key expires in n months

<n>y = key expires in n years

Key is valid for? (0)

Key does not expire at all

Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id

from Real Name, Comment and Email Address in this form:

"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: ming

Name must be at least 5 characters long

Real name: mings

Email address: mings@9812.net

Comment: I am ming

You selected this USER-ID:

"mings (I am ming) <mings@9812.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a Passphrase to protect your secret key.

Enter passphrase:

passphrase not correctly repeated; try again.

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

+++++++++++++++.++++++++++++++++++++++++++++++.++++++++++....++++++++++.++++++++++++++++++++.+++++++++++++++..+++++++++++++++++++++++++.++++++++++.....>..+++++...........................+++++

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

+++++++++++++++++++++++++..++++++++++++++++++++.+++++++++++++++++++++++++++++++++++..+++++++++++++++...+++++++++++++++++++++++++++++++++++>+++++..................+++++^^^^^^^^^^^^^^^

public and secret key created and signed.

key marked as ultimately trusted.

pub 1024D/3D9CE6DF 2003-12-12 mings (I am ming) <mings@9812.net>

Key fingerprint = 51C5 A223 98B8 A65F 4BF4 B610 4B80 D812 3D9C E6DF

sub 1024g/510C2A18 2003-12-12

[ming@linux ming]$ gpg --sign-key netkiller

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

pub 1024D/B00847C5 created: 2003-12-12 expires: never trust: -/-

sub 1024g/0B70F0CB created: 2003-12-12 expires: never

(1). netkiller (陳景峰的密鑰) <openunix@163.com>

pub 1024D/B00847C5 created: 2003-12-12 expires: never trust: -/-

Primary key fingerprint: 0058 5847 7598 556F AAFD 81A5 AC07 C873 B008 47C5

netkiller (陳景峰的密鑰) <openunix@163.com>

How carefully have you verified the key you are about to sign actually belongs

to the person named above? If you don't know what to answer, enter "0".

(0) I will not answer. (default)

(1) I have not checked at all.

(2) I have done casual checking.

(3) I have done very careful checking.

Your selection? 3

Are you really sure that you want to sign this key

with your key: "mings (I am ming) <mings@9812.net>"

I have checked this key very carefully.

Really sign? y

You need a passphrase to unlock the secret key for

user: "mings (I am ming) <mings@9812.net>"

1024-bit DSA key, ID 3D9CE6DF, created 2003-12-12

Enter passphrase: （注這裏輸入mings的口令）

[ming@linux ming]$

[ming@linux ming]$ gpg --list-key

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

/home/ming/.gnupg/pubring.gpg

-----------------------------

pub 1024D/B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

sub 1024g/0B70F0CB 2003-12-12

pub 1024D/3D9CE6DF 2003-12-12 mings (I am ming) <mings@9812.net>

sub 1024g/510C2A18 2003-12-12

[ming@linux ming]$

14. 檢查簽名

[chen@linux chen]$ gpg --check-sigs netkiller

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

pub 1024D/B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

sig!3 B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

sub 1024g/0B70F0CB 2003-12-12

sig! B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

[ming@linux ming]$ gpg --check-sigs netkiller

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

pub 1024D/B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

sig!3 B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

sig! 79F1102B 2003-12-12 mings (I am mings) <mings@9812.net>

sub 1024g/0B70F0CB 2003-12-12

sig! B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

[ming@linux ming]$

[chen@linux chen]$

[ming@linux ming]$ gpg --check-sigs netkiller

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

pub 1024D/B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

sig!3 B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

sub 1024g/0B70F0CB 2003-12-12

sig! B00847C5 2003-12-12 netkiller (陳景峰的密鑰) <openunix@163.com>

[ming@linux ming]$

15. 加密和解密

加密：

[ming@linux ming]$ pg_dump -Unetkiller -h127.0.0.1 >pgsql-dump.sql

Password:

[ming@linux ming]$

加簽名：

[ming@linux ming]$ gpg -sear netkiller pgsql-dump.sql

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

You need a passphrase to unlock the secret key for

user: "mings (I am mings) <mings@9812.net>"

1024-bit DSA key, ID 79F1102B, created 2003-12-12

gpg: checking the trustdb

gpg: checking at depth 0 signed=1 ot(-/q/n/m/f/u)=0/0/0/0/0/1

gpg: checking at depth 1 signed=0 ot(-/q/n/m/f/u)=1/0/0/0/0/0

[ming@linux ming]$

不加簽名：

[ming@linux ming]$ gpg -ear netkiller pgsql-dump.sql

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

[ming@linux ming]$ ls

netkiller.gpg pgsql-dump.sql pgsql-dump.sql.asc

[ming@linux ming]$

加密完成，將檔pgsql-dump.sql.asc發給chen (郵約tyle='mso-bookmark:AEN1755'>WEB/FTP下載。。。都可以，不用擔心被其他人得到對你不利，現在這個檔已經加密了。)

以下為chen帳號解密操作：

[chen@linux chen]$ gpg -d pgsql-dump.sql.asc > pgsql-dump.sql

gpg: WARNING: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

You need a passphrase to unlock the secret key for

user: "netkiller (陳景峰的密鑰) <openunix@163.com>"

1024-bit ELG-E key, ID 0B70F0CB, created 2003-12-12 (main key ID B00847C5)

Enter passphrase:

gpg: encrypted with 1024-bit ELG-E key, ID 0B70F0CB, created 2003-12-12

"netkiller (陳景峰的密鑰) <openunix@163.com>"

[chen@linux chen]$

2.6 備份計畫

2.6.1 伺服器端計畫

因為每天淩晨1:00-5:00這段時間訪問的人比較少，所以我選擇伺服器端每天淩晨3：00開始備份，您也可以在其他時間段備份，根據您的需求而定。

[root@linux etc]# cat crontab

SHELL=/bin/bash

PATH=/sbin:/bin:/usr/sbin:/usr/bin

MAILTO=root

HOME=/

# run-parts

01 * * * * root run-parts /etc/cron.hourly

02 4 * * * root run-parts /etc/cron.daily

22 4 * * 0 root run-parts /etc/cron.weekly

42 4 1 * * root run-parts /etc/cron.monthly

0 3 * * * root /usr/local/backup/backup.sh

2.6.2 用戶端計畫

用戶端每天零晨4：00點開始下載備份資料。為什麼是4：00下載呢？因為伺服器備份要一段時間，如果伺服器還沒有備份完成，這邊是不能下載的。所以計畫在3:00伺服器開始備份，4：00時用戶端開始下載已經備份好的資料。

[root@linux etc]# cat crontab

SHELL=/bin/bash

PATH=/sbin:/bin:/usr/sbin:/usr/bin

MAILTO=root

HOME=/

# run-parts

01 * * * * root run-parts /etc/cron.hourly

02 4 * * * root run-parts /etc/cron.daily

22 4 * * 0 root run-parts /etc/cron.weekly

42 4 1 * * root run-parts /etc/cron.monthly

0 4 * * * root /usr/local/backup/getbackup.sh

2.7 資料恢復

[root@linux root]# su postgres

bash-2.05b$ psql member -f pgsql-backup.xxxx-xx-xx.xx:xx:xx.dmp

2.8 性能提升

2.8.1 共用記憶體

在 2.2 內核裏缺省的共用記憶體限制（ SHMMAX 和 SHMALL）都是 32 MB，但是你可以在 proc 檔系統裏修改這些值（不用重起）．比如，要允許 128 MB：

方法1：

# echo 134217728 >/proc/sys/kernel/shmall

# echo 134217728 >/proc/sys/kernel/shmmax

[root@linux root]# cat /proc/sys/kernel/shmall

2097152

[root@linux root]# cat /proc/sys/kernel/shmmax

33554432

[root@linux root]# echo 134217728 >/proc/sys/kernel/shmall

[root@linux root]# echo 134217728 >/proc/sys/kernel/shmmax

[root@linux root]# cat /proc/sys/kernel/shmall

134217728

[root@linux root]# cat /proc/sys/kernel/shmmax

134217728

你可以把這些命令放到一個引導時運行的腳本中．如rc.local文件

[root@linux root]# cat /etc/rc.d/rc.local

#!/bin/sh

# This script will be executed *after* all the other init scripts.

# You can put your own initialization stuff in here if you don't

# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

/usr/local/jakarta-tomcat/bin/startup.sh

/usr/local/apache/bin/apachectl start

echo 134217728 >/proc/sys/kernel/shmall

echo 134217728 >/proc/sys/kernel/shmmax

方法2，使用 sysctl 命令來控制這些參數．

[root@linux root]# sysctl -w kernel.shmall=134217728

kernel.shmall = 134217728

[root@linux root]# sysctl -w kernel.shmmax=134217728

kernel.shmmax = 134217728

[root@linux root]#

方法3，你可以在一個叫 /etc/sysctl.conf 的檔裏面加下面這樣的兩行：

kernel.shmall = 134217728

kernel.shmmax = 134217728

[root@linux root]# cat /etc/sysctl.conf

# Kernel sysctl configuration file for Red Hat Linux

# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and

# sysctl.conf(5) for more details.

# Controls IP packet forwarding

net.ipv4.ip_forward = 0

# Controls source route verification

net.ipv4.conf.default.rp_filter = 1

# Controls the System Request debugging functionality of the kernel

kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.

# Useful for debugging multi-threaded applications.

kernel.core_uses_pid = 1

kernel.shmall = 134217728

kernel.shmmax = 134217728

通常在引導的時候會處理這個檔，但你也可以稍後明確調用sysctl．

2.8.2 最大連接

跟據你的需要來配置最大連接數，系統默認是32，配置需要修改兩處。

max_connections = 100

shared_buffers = 200

shared_buffers = max_connections*2

[root@linux data]# cat postgresql.conf

# PostgreSQL configuration file

# -----------------------------

# This file consists of lines of the form:

# name = value

# (The '=' is optional.) White space may be used. Comments are introduced

# with '#' anywhere on a line. The complete list of option names and

# allowed values can be found in the PostgreSQL documentation. The

# commented-out settings shown in this file represent the default values.

# Any option can also be given as a command line switch to the

# postmaster, e.g. 'postmaster -c log_connections=on'. Some options

# can be changed at run-time with the 'SET' SQL command.

# This file is read on postmaster startup and when the postmaster

# receives a SIGHUP. If you edit the file on a running system, you have

# to SIGHUP the postmaster for the changes to take effect, or use

# "pg_ctl reload".

#========================================================================

# Connection Parameters

#tcpip_socket = false

tcpip_socket = true

#ssl = false

#ssl = true

#max_connections = 32

max_connections = 100

#superuser_reserved_connections = 2

#port = 5432

#hostname_lookup = false

#show_source_port = false

#unix_socket_directory = ''

#unix_socket_group = ''

#unix_socket_permissions = 0777 # octal

#virtual_host = ''

#krb_server_keyfile = ''

# Shared Memory Size

#shared_buffers = 64 # min max_connections*2 or 16, 8KB each

shared_buffers = 200 # min max_connections*2 or 16, 8KB each

#max_fsm_relations = 1000 # min 10, fsm is free space map, ~40 bytes

#max_fsm_pages = 10000 # min 1000, fsm is free space map, ~6 bytes

#max_locks_per_transaction = 64 # min 10

#wal_buffers = 8 # min 4, typically 8KB each

# Non-shared Memory Sizes

#sort_mem = 1024 # min 64, size in KB

#vacuum_mem = 8192 # min 1024, size in KB

# Write-ahead log (WAL)

#checkpoint_segments = 3 # in logfile segments, min 1, 16MB each

#checkpoint_timeout = 300 # range 30-3600, in seconds

#commit_delay = 0 # range 0-100000, in microseconds

#commit_siblings = 5 # range 1-1000

#fsync = true

#wal_sync_method = fsync # the default varies across platforms:

# # fsync, fdatasync, open_sync, or open_datasync

#wal_debug = 0 # range 0-16

# Optimizer Parameters

#enable_seqscan = true

#enable_indexscan = true

#enable_tidscan = true

#enable_sort = true

#enable_nestloop = true

#enable_mergejoin = true

#enable_hashjoin = true

#effective_cache_size = 1000 # typically 8KB each

#random_page_cost = 4 # units are one sequential page fetch cost

#cpu_tuple_cost = 0.01 # (same)

#cpu_index_tuple_cost = 0.001 # (same)

#cpu_operator_cost = 0.0025 # (same)

#default_statistics_target = 10 # range 1-1000

# GEQO Optimizer Parameters

#geqo = true

#geqo_selection_bias = 2.0 # range 1.5-2.0

#geqo_threshold = 11

#geqo_pool_size = 0 # default based on tables in statement,

# range 128-1024

#geqo_effort = 1

#geqo_generations = 0

#geqo_random_seed = -1 # auto-compute seed

# Message display

#server_min_messages = notice # Values, in order of decreasing detail:

# debug5, debug4, debug3, debug2, debug1,

# info, notice, warning, error, log, fatal,

# panic

#client_min_messages = notice # Values, in order of decreasing detail:

# debug5, debug4, debug3, debug2, debug1,

# log, info, notice, warning, error

#silent_mode = false

#log_connections = false

#log_pid = false

#log_statement = false

#log_duration = false

#log_timestamp = false

#log_min_error_statement = panic # Values in order of increasing severity:

# debug5, debug4, debug3, debug2, debug1,

# info, notice, warning, error, panic(off)

#debug_print_parse = false

#debug_print_rewritten = false

#debug_print_plan = false

#debug_pretty_print = false

#explain_pretty_print = true

# requires USE_ASSERT_CHECKING

#debug_assertions = true

# Syslog

#syslog = 0 # range 0-2

#syslog_facility = 'LOCAL0'

#syslog_ident = 'postgres'

# Statistics

#show_parser_stats = false

#show_planner_stats = false

#show_executor_stats = false

#show_statement_stats = false

# requires BTREE_BUILD_STATS

#show_btree_build_stats = false

# Access statistics collection

#stats_start_collector = true

#stats_reset_on_server_start = true

#stats_command_string = false

#stats_row_level = false

#stats_block_level = false

# Lock Tracing

#trace_notify = false

# requires LOCK_DEBUG

#trace_locks = false

#trace_userlocks = false

#trace_lwlocks = false

#debug_deadlocks = false

#trace_lock_oidmin = 16384

#trace_lock_table = 0

# Misc

#autocommit = true

#dynamic_library_path = '$libdir'

#search_path = '$user,public'

#datestyle = 'iso, us'

#timezone = unknown # actually, defaults to TZ environment setting

#australian_timezones = false

#client_encoding = sql_ascii # actually, defaults to database encoding

#authentication_timeout = 60 # 1-600, in seconds

#deadlock_timeout = 1000 # in milliseconds

#default_transaction_isolation = 'read committed'

#max_expr_depth = 10000 # min 10

#max_files_per_process = 1000 # min 25

#password_encryption = true

#sql_inheritance = true

#transform_null_equals = false

#statement_timeout = 0 # 0 is disabled, in milliseconds

#db_user_namespace = false

# Locale settings

# (initialized by initdb -- may be changed)

LC_MESSAGES = 'en_US.UTF-8'

LC_MONETARY = 'en_US.UTF-8'

LC_NUMERIC = 'en_US.UTF-8'

LC_TIME = 'en_US.UTF-8'

重新啟動數據：

[root@linux data]# service postgresql restart

[ OK ]

Starting postgresql service: [ OK ]

查看配置是否正確：

[root@linux root]# psql -Uchen member

Welcome to psql 7.3.3, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms

\h for help with SQL commands

\? for help on internal slash commands

\g or terminate with semicolon to execute query

\q to quit

member=> show max_connections;

max_connections

-----------------

100

(1 row)

2.8.3 vacuumdb

資料庫2：00優化、3：00備份、4：00下載備份資料

[root@linux etc]# cat crontab

SHELL=/bin/bash

PATH=/sbin:/bin:/usr/sbin:/usr/bin

MAILTO=root

HOME=/

# run-parts

01 * * * * root run-parts /etc/cron.hourly

02 4 * * * root run-parts /etc/cron.daily

22 4 * * 0 root run-parts /etc/cron.weekly

42 4 1 * * root run-parts /etc/cron.monthly

0 2 * * * root /usr/local/pgsql/optimize.sh

資料庫vacuumdb優化腳本

[root@linux pgsql]# cat optimize.sh

#!/bin/bash

vacuumdb -hlocalhost -p5432 -Upostgres -a -f -z

[root@linux pgsql]#

2.8.4 資料庫操作與性能

1. 分組插入資料

向資料庫做大量Insert 操作時（注：非導入，在某些特殊環境中要做大量的插入操作，而不是導入資料），如你有10000條記錄要插入到資料庫中，建議你將10000記錄分組插入

第一組

begin;

insert into ……

…….

1000條insert into

…….

insert into ……

commit;

第二組

begin;

insert into ……

…….

1000條insert into

…….

insert into ……

commit;

第十組

begin;

insert into ……

…….

1000條insert into

…….

insert into ……

commit;

2. 通過copy from插入資料

pg_copy_from

(PHP 4 >= 4.2.0)

pg_copy_from -- 根據陣列將記錄插入表中

說明

bool pg_copy_from ( resource connection, string table_name, array rows [, string delimiter [, string null_as]])

pg_copy_from() 將陣列 rows 的內容作為記錄插入表中。它在內部使用了 COPY FROM SQL 命令來插入記錄。如果成功則返回 TRUE，失敗則返回 FALSE。

參見 pg_copy_to()。

3. 操作之後使用重建索引
vacuumdb -hlocalhost -p5432 -Upostgres -a -f -z

2.8.5 硬體方面

1. 一般伺服器

PC伺服器有條件建議使用SATA（串列）硬碟。

沒有條件可以買時下最快的ATA硬碟（也不是越快越好，還要穩定）

正常情況下幾塊ATA 66 (5400rpm)硬碟做RAID 0，要比一塊ATA100(7200rpm)還要快。

RAID 是解決伺服器硬碟瓶頸最佳方案。建議使用RAID０，RAID0速度最快，不安全，但速度誘人，只要做好備份，是沒有問題的。
目前ＰＣ上ＡＴＡ只能做ＲＡＩＤ０（條帶）和ＲＡＩＤ１（鏡像）。ＳＡＴＡ可以做ＲＡＩＤ０，１，５，１０，５０。不過我還沒見過ＳＴＡＴ　的ＲＡＩＤ卡，深圳賽格也沒得賣。

2. 高檔伺服器

高檔伺服器中主流使用ＳＣＳＩ硬碟，公司也出得起￥￥￥買。所以乾脆一次就配置５塊SＣＳＩ硬碟。４塊盤做ＲＡＩＤ５，剩餘１塊做熱交換hotswap。

因為ＳＣＳＩ性能穩定，如果不滿足RAID5速度，可以做ＲＡＩＤ０。

附表1

RAID級別	RAID 0	RAID 1	RAID 3	RAID 5
名稱	條帶	鏡像	專用校驗條帶	分散校驗條帶
允許故障	否	是	是	是
冗餘類型	無	副本	校驗	校驗
熱備用操作	不可	可以	可以	可以
硬碟數量	一個以上	兩個	三個以上	三個以上
可用容量	最大	最小	中間	中間
減少容量	無	50%	一個磁片	一個磁片
讀性能	高（盤的數量決定）	中間	高	高
隨機寫性能	最高	中間	最低	低
連續寫性能	最高	中間	低	最低
典型應用	無故障的迅速讀寫	允許故障的小檔、亂數據寫入	允許故障的大檔、連續資料傳輸	允許故障的小檔、隨機資料傳輸
可用容量	總的磁片的容量	只能用磁片容量的50%	（n-1）/n的磁片容量。其中n為磁片數	（n-1）/n的總磁片容量。其中n為磁片數

　　附表2

RAID級別	RAID 10	RAID 30	RAID 50
名稱	跨越鏡像陣列	跨越專用校驗陣列	跨越分散校驗陣列
允許故障	是	是	是
冗餘類型	副本	校驗	校驗
熱備用操作	可以	可以	可以
磁片數量
跨越2個陣列	4	6,8,10,12,14或16	6,8,10,12,14或16
跨越3個陣列	6	9,12或15	9,12或15
跨越4個陣列	8	12或16	12或16
可用容量	最小	中間	中間
減少容量	50%	每個陣列中一個磁片	每個陣列中一個磁片
讀性能	中間	高	高
隨機寫性能	中間	最低	低
連續寫性能	中間	低	最低
典型應用	允許故障高速度小檔、亂數據寫入	允許故障高速度大檔、連續資料傳輸	允許故障高速度小檔、隨機資料傳輸
可用容量	磁片容量的50%	n-2/2的磁片容量。其中n為磁片數目	n-2/n的磁片容量。其中n為磁片數

3. 網路，光纖存儲我沒使用過，這裏也不談了。

2.8.6 磁片性能

注：hdparm 有些參考只支援ATA硬碟。

[root@linux root]# hdparm

hdparm - get/set hard disk parameters - version v5.2

Usage: hdparm [options] [device] ..

Options:

-a get/set fs readahead

-A set drive read-lookahead flag (0/1)

-b get/set bus state (0 == off, 1 == on, 2 == tristate)

-B set Advanced Power Management setting (1-255)

-c get/set IDE 32-bit IO setting

-C check IDE power mode status

-d get/set using_dma flag

-D enable/disable drive defect-mgmt

-E set cd-rom drive speed

-f flush buffer cache for device on exit

-g display drive geometry

-h display terse usage information

-i display drive identification

-I detailed/current information directly from drive

-Istdin similar to -I, but wants /proc/ide/*/hd?/identify as input

-k get/set keep_settings_over_reset flag (0/1)

-K set drive keep_features_over_reset flag (0/1)

-L set drive doorlock (0/1) (removable harddisks only)

-M get/set acoustic management (0-254, 128: quiet, 254: fast) (EXPERIMENTAL)

-m get/set multiple sector count

-n get/set ignore-write-errors flag (0/1)

-p set PIO mode on IDE interface chipset (0,1,2,3,4,...)

-P set drive prefetch count

-q change next setting quietly

-Q get/set DMA tagged-queuing depth (if supported)

-r get/set readonly flag (DANGEROUS to set)

-R register an IDE interface (DANGEROUS)

-S set standby (spindown) timeout

-t perform device read timings

-T perform cache read timings

-u get/set unmaskirq flag (0/1)

-U un-register an IDE interface (DANGEROUS)

-v defaults; same as -mcudkrag for IDE drives

-V display program version and exit immediately

-w perform device reset (DANGEROUS)

-W set drive write-caching flag (0/1) (DANGEROUS)

-x tristate device for hotswap (0/1) (DANGEROUS)

-X set IDE xfer mode (DANGEROUS)

-y put IDE drive in standby mode

-Y put IDE drive to sleep

-Z disable Seagate auto-powersaving mode

-z re-read partition table

測試 /dev/hda 這塊硬碟的cache與實際效能：

[root@linux root]# hdparm -Tt /dev/hda

/dev/hda:

Timing buffer-cache reads: 128 MB in 0.26 seconds =492.31 MB/sec

Timing buffered disk reads: 64 MB in 2.28 seconds = 28.07 MB/sec

[root@linux root]#

關閉 DMA 模式！

[root@linux root]# hdparm -d0 /dev/hda

/dev/hda:

setting using_dma to 0 (off)

using_dma = 0 (off)

[root@linux root]#

開啟 DMA 模式在 DMA 66 ，並且開啟 32 位元存取模式

[root@linux root]# hdparm -d1 -c3 -X66 /dev/hda

/dev/hda:

setting 32-bit IO_support flag to 3

setting using_dma to 1 (on)

setting xfermode to 66 (UltraDMA mode2)

IO_support = 3 (32-bit w/sync)

using_dma = 1 (on)

[root@linux root]#

因為可能這個程式比較早，沒有後續版本，所以他只支持到66。

[root@linux root]# hdparm -d1 -c3 -X100 /dev/hda

/dev/hda:

setting 32-bit IO_support flag to 3

setting using_dma to 1 (on)

setting xfermode to 100 (unknown, probably not valid)

HDIO_DRIVE_CMD(setxfermode) failed: Input/output error

IO_support = 3 (32-bit w/sync)

using_dma = 1 (on)

[root@linux root]#

這是我的PC伺服器A：

CPU：P4 2.6G
記憶體：512MB

硬碟：70GB （ATA133）

[root@linux root]# hdparm -d1 -Tt -c3 /dev/hda

/dev/hda:

setting 32-bit IO_support flag to 3

setting using_dma to 1 (on)

IO_support = 3 (32-bit w/sync)

using_dma = 1 (on)

Timing buffer-cache reads: 128 MB in 0.25 seconds =512.00 MB/sec

Timing buffered disk reads: 64 MB in 2.28 seconds = 28.07 MB/sec

[root@linux root]#

這是一台深圳產的寶德PC伺服器B：

CPU：P4 2.4G

記憶體：1GB

ATA RAID 0 ：120G（ATA100）*2

[root@linux root]# hdparm -d1 -Tt -c3 /dev/sda

/dev/sda:

operation not supported on SCSI disks

[root@linux root]#

[root@linux root]# hdparm -Tt /dev/sda

/dev/sda:

Timing buffer-cache reads: 128 MB in 0.33 seconds =392.46 MB/sec

Timing buffered disk reads: 64 MB in 1.00 seconds = 63.87 MB/sec

[root@linux root]# hdparm -Tt /dev/sda

/dev/sda:

Timing buffer-cache reads: 128 MB in 0.33 seconds =392.46 MB/sec

Timing buffered disk reads: 64 MB in 1.02 seconds = 62.77 MB/sec

[root@linux root]#

上面兩台PC伺服器，A最近配置的，B是半年前配置的，從對比可以看出兩塊ATA100的RAID0，與單塊ATA133。前者慢，但我想如果用4塊硬碟做RAID 0 性能一定會超過A

2.9 安全的TCP/IP聯接

2.9.1 使用SSL進行安全的TCP/IP聯接

1. 設置用戶資訊：

[root@linux8 root]# su - postgres

-bash-2.05b$ ls

data initdb.i18n

-bash-2.05b$ cd data/

-bash-2.05b$ ls

base pg_clog pg_ident.conf pg_xlog postmaster.opts

global pg_hba.conf PG_VERSION postgresql.conf postmaster.pid

-bash-2.05b$ openssl req -new -text -out server.req

Using configuration from /usr/share/ssl/openssl.cnf

Generating a 1024 bit RSA private key

....++++++

............................................................++++++

writing new private key to 'privkey.pem'

Enter PEM pass phrase:

Verifying password - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:Guang Zhou

Locality Name (eg, city) [Newbury]:Shen Zhen

Organization Name (eg, company) [My Company Ltd]:Open Source Organization

Organizational Unit Name (eg, section) []:technical

Common Name (eg, your name or your server's hostname) []:www.9812.net

Email Address []:openunix@163.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:chen

An optional company name []:netkiller

-bash-2.05b$ ls

base pg_clog pg_ident.conf pg_xlog postmaster.opts privkey.pem

global pg_hba.conf PG_VERSION postgresql.conf postmaster.pid server.req

-bash-2.05b$

注意上面的server.req檔，我們來看看它的內容：

-bash-2.05b$ cat server.req

Certificate Request:

Data:

Version: 0 (0x0)

Subject: C=CN, ST=Guang Zhou, L=Shen Zhen, O=Open Source Organization, OU=technical, CN=www.9812.net/Email=openunix@163.com

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (1024 bit)

Modulus (1024 bit):

00:a5:30:9a:ef:75:9f:40:40:ee:90:4e:06:f7:f7:

0b:de:97:d0:1a:2e:48:ef:4c:7b:c2:cd:f2:f4:30:

1b:f4:c7:9d:65:7a:53:d7:d7:7c:ea:25:8f:be:b0:

57:f5:89:91:2e:80:4c:ff:f1:96:1e:42:06:01:64:

9f:98:69:24:c1:7f:e6:0c:a5:ae:b9:9c:4c:29:db:

a3:a3:3d:76:da:89:c0:33:29:c5:a5:8b:7a:e1:e5:

f4:3b:f3:7d:54:d4:65:fa:c8:c0:1c:11:07:1c:24:

03:8e:f0:61:d9:70:cf:fa:dd:e2:04:4a:31:c2:63:

2a:5f:44:ec:48:68:30:44:8d

Exponent: 65537 (0x10001)

Attributes:

challengePassword :chen

unstructuredName :netkiller

Signature Algorithm: md5WithRSAEncryption

09:4a:1c:e5:87:7a:9c:6f:69:ed:cd:11:8d:b6:bc:da:e0:4a:

f5:7a:33:70:0d:5f:28:63:82:79:39:6b:a5:ae:02:7b:87:cb:

86:74:2e:2b:eb:ec:23:3b:dc:02:25:29:02:74:e7:92:76:ed:

34:e1:63:e9:ef:dc:12:33:31:84:31:ce:b3:d4:f2:49:92:a5:

2c:5e:0a:3d:73:f8:1f:95:8f:71:f9:2d:ee:eb:4a:9c:8c:13:

a5:26:a2:d2:49:c3:7e:69:c7:1b:73:bb:59:8d:9c:bf:dd:ac:

4b:c4:41:02:b1:3c:a6:c9:c9:eb:00:b3:75:2d:e2:ab:29:b3:

85:75

-----BEGIN CERTIFICATE REQUEST-----

MIICFzCCAYACAQAwgacxCzAJBgNVBAYTAkNOMRMwEQYDVQQIEwpHdWFuZyBaaG91

MRIwEAYDVQQHEwlTaGVuIFpoZW4xITAfBgNVBAoTGE9wZW4gU291cmNlIE9yZ2Fu

aXphdGlvbjESMBAGA1UECxMJdGVjaG5pY2FsMRUwEwYDVQQDEwx3d3cuOTgxMi5u

ZXQxITAfBgkqhkiG9w0BCQEWEm5ldGtpbGxlckA5ODEyLm5ldDCBnzANBgkqhkiG

9w0BAQEFAAOBjQAwgYkCgYEApTCa73WfQEDukE4G9/cL3pfQGi5I70x7ws3y9DAb

9MedZXpT19d86iWPvrBX9YmRLoBM//GWHkIGAWSfmGkkwX/mDKWuuZxMKdujoz12

2onAMynFpYt64eX0O/N9VNRl+sjAHBEHHCQDjvBh2XDP+t3iBEoxwmMqX0TsSGgw

RI0CAwEAAaAvMBMGCSqGSIb3DQEJBzEGEwRjaGVuMBgGCSqGSIb3DQEJAjELEwlu

ZXRraWxsZXIwDQYJKoZIhvcNAQEEBQADgYEACUoc5Yd6nG9p7c0Rjba82uBK9Xoz

cA1fKGOCeTlrpa4Ce4fLhnQuK+vsIzvcAiUpAnTnknbtNOFj6e/cEjMxhDHOs9Ty

SZKlLF4KPXP4H5WPcfkt7utKnIwTpSai0knDfmnHG3O7WY2cv92sS8RBArE8psnJ

6wCzdS3iqymzhXU=

-----END CERTIFICATE REQUEST-----

2. 生產秘鑰檔：

-bash-2.05b$ openssl rsa -in privkey.pem -out server.key

read RSA key

Enter PEM pass phrase:

writing RSA key

-bash-2.05b$ ls

base pg_clog pg_ident.conf pg_xlog postmaster.opts privkey.pem server.req

global pg_hba.conf PG_VERSION postgresql.conf postmaster.pid server.key

-bash-2.05b$

注意上面的privkey.pem ，server.key檔，我們來看看它們的內容：

-bash-2.05b$ cat privkey.pem

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,EE59B06E786A2FCA

C8RnlMX5tF7CRdx/jxHk/2D4SUu+PVNfphwDbsytmUJIx5qMQAHxCy+NdIDZX9L/

AWIwaShdwFOaP6CMwrzBav54DW1/IlbF688X3DA6xUY1+ZvV4RU4t1O6EhEPINth

1KBqgtSw8lnu6HQa6aIFvZ4f/Wqluk04ylGe4CLLW1xPQ36ntw3tFXPm3eIFl3wQ

lNxYjNTxSjA9x5IBzyJpaJJk27f+/WJARDkFKOwUn9J71lPC5yYybv6IG65xFg6/

kpLqfzx/wAaJxReB/EP95jLVkEmzyi6rqzsBLLgAl6mxGGN5kT34lfK4v9xuRWRz

J2AlBJnloq8NTE48N2g7N1UqHl0r3nNkLdfYEeq6th7d12hiSAcGECvSfhlWirsx

sFYcrAhBGCK+4OXjn717AYeAYw+/JPrX0ZuDVFogVKNB9x/S15+y8yh2AgIUjpJ/

BOZ3LCxXyFznu4yBvxNoTOJT2xWuAXVk5AI3UftOfBAvRZdayAwh6LdoNG77ead1

hNwIAvS5LUiLG8KeAbQHlJuh51YCpmEBCsTqrZybMNoEAiCg0Gn/5tE5cfVmH3Ei

LjhCTtRJ6oGx6dsYaY4A1Jt1+B8DMNnRTez8NN5D2+4wasr4dTYwsRXRyqMCPZJH

+z8m6zautVoHlhGQhRxO4ZcBunyJrdW5XQBGfAcUbp1xORCvqP+SW8Z4wDyu2Sk+

MlxPL1T4P3xEANG7hOlsabBiQ2kyCq1iiJCHBlfXxIm86c1ffRYTrdB+PoFyyaII

ErS68kMbv+Y5Tr+X3Ml1AMNEEU5YAn/O1wSoL5Cz0nIpKeknKAl/vA==

-----END RSA PRIVATE KEY-----

-bash-2.05b$ cat server.key

-----BEGIN RSA PRIVATE KEY-----

MIICXAIBAAKBgQClMJrvdZ9AQO6QTgb39wvel9AaLkjvTHvCzfL0MBv0x51lelPX

13zqJY++sFf1iZEugEz/8ZYeQgYBZJ+YaSTBf+YMpa65nEwp26OjPXbaicAzKcWl

i3rh5fQ7831U1GX6yMAcEQccJAOO8GHZcM/63eIESjHCYypfROxIaDBEjQIDAQAB

AoGABMbGBByLkUkPXN7UtsDO+A29t7QU6c51Wamo18S4WjiXZYLG/9u8Qez6HhJt

SK1EpGqTT2dF5vQTxmCJeNe5d078YIFCbIQckgG2hLSsRyV8QclSguJLC5Tgvzua

tTFdVH50UbyAtkifiR3wt5qBuIjtxz/v0ePJ2EdhcdCAqQUCQQDUarpjOof/hTKb

wwOyJIVDycQs27dF+LiGD6YxD97WC6iZR5u7YukqzJk+GXi9EbjdQzybkp1oxDuF

LQAFXJoDAkEAxxVCo1MgYiKtc2lqSr/q2j1R//sPQq5ajv7pvU1WGhx3xS2iZt9l

/jzNx6ZUG7hxd5gi6G6I3UFAFoOLq06qLwJAPT7InvOxYqs0/FQuLJ77DaCPP5/a

KAKesYixklPRHEYgRpGvBUhvkjeLt6wAdAM4GhPY1cJgQGTUBIIFD4azoQJAVjap

xgrwoi78SFelVTupW9tkUGOL50eUJgrUdEsyd1pOr9AkXUJva9svDj/EesC0OqNi

sp9zm8VvGJDdAlGttwJBAMEnnl9ZGglIBRbS7srVLHhXFYs+xkQgTW6bvcQ+aW+G

MW/vpVcsFzSuaAtlBVoZ1ltCRGPSbVgQkp14yqGITQg=

-----END RSA PRIVATE KEY-----

上面的privkey.pem ，server.key檔內容一看就知道是BASE64編碼的，我對它的內容也很好奇，將它解碼看看內容是什麼：

0?\[1][1]亖?泛u烜@類N鼢迼?.H風{巒螋0羥漞zS鬃|?従癢鯄?€L lang=ZH-TW style='font-size:9.0pt;font-family:PMingLiU;mso-ascii-font-family: "Times New Roman";mso-hansi-font-family:"Times New Roman";mso-fareast-language: ZH-TW'>駯‑Bd煒i$??ギ箿L)郟?v趬?)鈕媧徨?髛T詄?$

庰a賞銷葩

J1耤*_D霩h0D?

[1]亐

破

嫅I\拊獨硒椒?槲uY┄啄竄8梕偲 lang=ZH-TW style='font-size:9.0pt;font-family:PMingLiU;mso-ascii-font-family: "Times New Roman";mso-hansi-font-family:"Times New Roman";mso-fareast-language: ZH-TW'>奐A禚‑mH璂揙gE驃芵墄墜wN黗丅l??秳船G%|A蒖傗K 斷?毜1]T~tQ紑禜焿鴟殎笀砬?鋂閔溪aq衻?[1]A詊篶:??浢

?匔贍,鄯E??拗 G濜b?虣>x?篙C<洅漢??\?[1]A?B b"璼ijJ筷?Q lang=EN-US style='font-size:9.0pt;mso-fareast-font-family:PMingLiU; mso-fareast-language:ZH-TW'>?B罌廅榻MVw?遝?頹竡w?鑞堓A@儖玁?[1]@=>葹蟊b?黅.,烕爮?熩([1]灡埍扴?F F懐Ho?嫹t

8卣耟@d??喅?@V6┢ 稷.麳W;踕Pc嬬G? 詔K2wZN$]Bok?
?膠來:矡s浥o愝[1]Q[1]A?瀇Y H翌收,xW?艱 Mn浗?io?o銃W,4甴 eZ諿BDc襪X挐x省圡

看來是二制的，哈哈。

3. 產生證書檔：

-bash-2.05b$ openssl req -x509 -in server.req -text -key server.key -out server. crt

Using configuration from /usr/share/ssl/openssl.cnf

-bash-2.05b$

-bash-2.05b$ cat server.crt

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 0 (0x0)

Signature Algorithm: md5WithRSAEncryption

Issuer: C=CN, ST=Guang Zhou, L=Shen Zhen, O=Open Source Organization, OU=technical, CN=www.9812.net/Email=openunix@163.com

Validity

Not Before: Oct 25 01:13:05 2003 GMT

Not After : Nov 24 01:13:05 2003 GMT

Subject: C=CN, ST=Guang Zhou, L=Shen Zhen, O=Open Source Organization, OU=technical, CN=www.9812.net/Email=openunix@163.com

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (1024 bit)

Modulus (1024 bit):

00:a5:30:9a:ef:75:9f:40:40:ee:90:4e:06:f7:f7:

0b:de:97:d0:1a:2e:48:ef:4c:7b:c2:cd:f2:f4:30:

1b:f4:c7:9d:65:7a:53:d7:d7:7c:ea:25:8f:be:b0:

57:f5:89:91:2e:80:4c:ff:f1:96:1e:42:06:01:64:

9f:98:69:24:c1:7f:e6:0c:a5:ae:b9:9c:4c:29:db:

a3:a3:3d:76:da:89:c0:33:29:c5:a5:8b:7a:e1:e5:

f4:3b:f3:7d:54:d4:65:fa:c8:c0:1c:11:07:1c:24:

03:8e:f0:61:d9:70:cf:fa:dd:e2:04:4a:31:c2:63:

2a:5f:44:ec:48:68:30:44:8d

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Subject Key Identifier:

93:4F:D5:41:4A:CA:A2:83:19:C3:5D:BE:58:E6:45:70:7E:95:A5:0A

X509v3 Authority Key Identifier:

keyid:93:4F:D5:41:4A:CA:A2:83:19:C3:5D:BE:58:E6:45:70:7E:95:A5:0A

DirName:/C=CN/ST=Guang Zhou/L=Shen Zhen/O=Open Source Organization/OU=technical/CN=www.9812.net/Email=openunix@163.com

serial:00

X509v3 Basic Constraints:

CA:TRUE

Signature Algorithm: md5WithRSAEncryption

3f:f1:99:89:37:ec:1b:80:e2:c6:3a:8e:ed:e8:94:b8:70:10:

34:1c:9a:ef:f7:be:b7:05:51:f4:a2:cb:03:4e:f4:dd:6f:73:

51:49:d2:91:fc:eb:40:3c:30:54:b6:f0:aa:a1:e8:d4:33:b2:

9b:d0:0e:0d:b4:4b:65:c5:ae:bf:ed:fa:ff:1c:e6:1d:aa:41:

4f:da:76:7a:57:7d:8d:f5:1b:17:65:fc:63:4f:db:dd:45:33:

3d:e7:c9:dd:e8:d6:8d:6f:a5:d7:97:da:7f:cf:09:15:ab:2f:

0a:f3:70:e0:d0:d3:50:90:05:78:92:ac:8a:17:78:23:b7:66:

c6:55

-----BEGIN CERTIFICATE-----

MIID0DCCAzmgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBpzELMAkGA1UEBhMCQ04x

EzARBgNVBAgTCkd1YW5nIFpob3UxEjAQBgNVBAcTCVNoZW4gWmhlbjEhMB8GA1UE

ChMYT3BlbiBTb3VyY2UgT3JnYW5pemF0aW9uMRIwEAYDVQQLEwl0ZWNobmljYWwx

FTATBgNVBAMTDHd3dy45ODEyLm5ldDEhMB8GCSqGSIb3DQEJARYSbmV0a2lsbGVy

QDk4MTIubmV0MB4XDTAzMTAyNTAxMTMwNVoXDTAzMTEyNDAxMTMwNVowgacxCzAJ

BgNVBAYTAkNOMRMwEQYDVQQIEwpHdWFuZyBaaG91MRIwEAYDVQQHEwlTaGVuIFpo

ZW4xITAfBgNVBAoTGE9wZW4gU291cmNlIE9yZ2FuaXphdGlvbjESMBAGA1UECxMJ

dGVjaG5pY2FsMRUwEwYDVQQDEwx3d3cuOTgxMi5uZXQxITAfBgkqhkiG9w0BCQEW

Em5ldGtpbGxlckA5ODEyLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA

pTCa73WfQEDukE4G9/cL3pfQGi5I70x7ws3y9DAb9MedZXpT19d86iWPvrBX9YmR

LoBM//GWHkIGAWSfmGkkwX/mDKWuuZxMKdujoz122onAMynFpYt64eX0O/N9VNRl

+sjAHBEHHCQDjvBh2XDP+t3iBEoxwmMqX0TsSGgwRI0CAwEAAaOCAQgwggEEMB0G

A1UdDgQWBBSTT9VBSsqigxnDXb5Y5kVwfpWlCjCB1AYDVR0jBIHMMIHJgBSTT9VB

SsqigxnDXb5Y5kVwfpWlCqGBraSBqjCBpzELMAkGA1UEBhMCQ04xEzARBgNVBAgT

Ckd1YW5nIFpob3UxEjAQBgNVBAcTCVNoZW4gWmhlbjEhMB8GA1UEChMYT3BlbiBT

b3VyY2UgT3JnYW5pemF0aW9uMRIwEAYDVQQLEwl0ZWNobmljYWwxFTATBgNVBAMT

DHd3dy45ODEyLm5ldDEhMB8GCSqGSIb3DQEJARYSbmV0a2lsbGVyQDk4MTIubmV0

ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAP/GZiTfsG4DixjqO

7eiUuHAQNBya7/e+twVR9KLLA0703W9zUUnSkfzrQDwwVLbwqqHo1DOym9AODbRL

ZcWuv+36/xzmHapBT9p2eld9jfUbF2X8Y0/b3UUzPefJ3ejWjW+l15faf88JFasv

CvNw4NDTUJAFeJKsihd4I7dmxlU=

-----END CERTIFICATE-----

-bash-2.05b$

4. 許可權方面：

刪除rm privkey.pem文件，server.key許可權設為600

-bash-2.05b$ rm privkey.pem

-bash-2.05b$ chmod og-rwx server.key

-bash-2.05b$ ls -l

total 56

drwx------ 10 postgres postgres 4096 Oct 23 12:03 base

drwx------ 2 postgres postgres 4096 Oct 25 08:35 global

drwx------ 2 postgres postgres 4096 Jul 8 17:01 pg_clog

-rw------- 1 postgres postgres 2714 Jul 8 17:57 pg_hba.conf

-rw------- 1 postgres postgres 1441 Jul 8 17:01 pg_ident.conf

-rw------- 1 postgres postgres 4 Jul 8 17:01 PG_VERSION

drwx------ 2 postgres postgres 4096 Oct 15 01:03 pg_xlog

-rw------- 1 postgres postgres 5336 Oct 24 17:01 postgresql.conf

-rw------- 1 postgres postgres 32 Oct 25 08:35 postmaster.opts

-rw------- 1 postgres postgres 44 Oct 25 08:35 postmaster.pid

-rw-r--r-- 1 postgres postgres 3670 Oct 25 09:13 server.crt

-rw------- 1 postgres postgres 887 Oct 25 09:04 server.key

-rw-r--r-- 1 postgres postgres 2377 Oct 25 08:59 server.req

-bash-2.05b$

5. 配置postgresql.conf文件：

開啟SSL。將#ssl = false改為ssl = true

-bash-2.05b$ vi postgresql.conf

ssl = true

我的postgresql.conf文件：

-bash-2.05b$ cat postgresql.conf

# PostgreSQL configuration file

# -----------------------------

# This file consists of lines of the form:

# name = value

# (The '=' is optional.) White space may be used. Comments are introduced

# with '#' anywhere on a line. The complete list of option names and

# allowed values can be found in the PostgreSQL documentation. The

# commented-out settings shown in this file represent the default values.

# Any option can also be given as a command line switch to the

# postmaster, e.g. 'postmaster -c log_connections=on'. Some options

# can be changed at run-time with the 'SET' SQL command.

# This file is read on postmaster startup and when the postmaster

# receives a SIGHUP. If you edit the file on a running system, you have

# to SIGHUP the postmaster for the changes to take effect, or use

# "pg_ctl reload".

#========================================================================

# Connection Parameters

#tcpip_socket = false

tcpip_socket = true

#ssl = false

ssl = true

#max_connections = 32

max_connections = 100

#superuser_reserved_connections = 2

#port = 5432

#hostname_lookup = false

#show_source_port = false

#unix_socket_directory = ''

#unix_socket_group = ''

#unix_socket_permissions = 0777 # octal

#virtual_host = ''

#krb_server_keyfile = ''

# Shared Memory Size

#shared_buffers = 64 # min max_connections*2 or 16, 8KB each

shared_buffers = 200 # min max_connections*2 or 16, 8KB each

#max_fsm_relations = 1000 # min 10, fsm is free space map, ~40 bytes

#max_fsm_pages = 10000 # min 1000, fsm is free space map, ~6 bytes

#max_locks_per_transaction = 64 # min 10

#wal_buffers = 8 # min 4, typically 8KB each

# Non-shared Memory Sizes

#sort_mem = 1024 # min 64, size in KB

#vacuum_mem = 8192 # min 1024, size in KB

# Write-ahead log (WAL)

#checkpoint_segments = 3 # in logfile segments, min 1, 16MB each

#checkpoint_timeout = 300 # range 30-3600, in seconds

#commit_delay = 0 # range 0-100000, in microseconds

#commit_siblings = 5 # range 1-1000

#fsync = true

#wal_sync_method = fsync # the default varies across platforms:

# # fsync, fdatasync, open_sync, or open_datasync

#wal_debug = 0 # range 0-16

# Optimizer Parameters

#enable_seqscan = true

#enable_indexscan = true

#enable_tidscan = true

#enable_sort = true

#enable_nestloop = true

#enable_mergejoin = true

#enable_hashjoin = true

#effective_cache_size = 1000 # typically 8KB each

#random_page_cost = 4 # units are one sequential page fetch cost

#cpu_tuple_cost = 0.01 # (same)

#cpu_index_tuple_cost = 0.001 # (same)

#cpu_operator_cost = 0.0025 # (same)

#default_statistics_target = 10 # range 1-1000

# GEQO Optimizer Parameters

#geqo = true

#geqo_selection_bias = 2.0 # range 1.5-2.0

#geqo_threshold = 11

#geqo_pool_size = 0 # default based on tables in statement,

# range 128-1024

#geqo_effort = 1

#geqo_generations = 0

#geqo_random_seed = -1 # auto-compute seed

# Message display

#server_min_messages = notice # Values, in order of decreasing detail:

# debug5, debug4, debug3, debug2, debug1,

# info, notice, warning, error, log, fatal,

# panic

#client_min_messages = notice # Values, in order of decreasing detail:

# debug5, debug4, debug3, debug2, debug1,

# log, info, notice, warning, error

#silent_mode = false

#log_connections = false

#log_pid = false

#log_statement = false

#log_duration = false

#log_timestamp = false

#log_min_error_statement = panic # Values in order of increasing severity:

# debug5, debug4, debug3, debug2, debug1,

# info, notice, warning, error, panic(off)

#debug_print_parse = false

#debug_print_rewritten = false

#debug_print_plan = false

#debug_pretty_print = false

#explain_pretty_print = true

# requires USE_ASSERT_CHECKING

#debug_assertions = true

# Syslog

#syslog = 0 # range 0-2

#syslog_facility = 'LOCAL0'

#syslog_ident = 'postgres'

# Statistics

#show_parser_stats = false

#show_planner_stats = false

#show_executor_stats = false

#show_statement_stats = false

# requires BTREE_BUILD_STATS

#show_btree_build_stats = false

# Access statistics collection

#stats_start_collector = true

#stats_reset_on_server_start = true

#stats_command_string = false

#stats_row_level = false

#stats_block_level = false

# Lock Tracing

#trace_notify = false

# requires LOCK_DEBUG

#trace_locks = false

#trace_userlocks = false

#trace_lwlocks = false

#debug_deadlocks = false

#trace_lock_oidmin = 16384

#trace_lock_table = 0

# Misc

#autocommit = true

#dynamic_library_path = '$libdir'

#search_path = '$user,public'

#datestyle = 'iso, us'

#timezone = unknown # actually, defaults to TZ environment setting

#australian_timezones = false

#client_encoding = sql_ascii # actually, defaults to database encoding

#authentication_timeout = 60 # 1-600, in seconds

#deadlock_timeout = 1000 # in milliseconds

#default_transaction_isolation = 'read committed'

#max_expr_depth = 10000 # min 10

#max_files_per_process = 1000 # min 25

#password_encryption = true

#sql_inheritance = true

#transform_null_equals = false

#statement_timeout = 0 # 0 is disabled, in milliseconds

#db_user_namespace = false

# Locale settings

# (initialized by initdb -- may be changed)

LC_MESSAGES = 'en_US.UTF-8'

LC_MONETARY = 'en_US.UTF-8'

LC_NUMERIC = 'en_US.UTF-8'

LC_TIME = 'en_US.UTF-8'

6. 測試SSL

[root@linux root]# psql -h 127.0.0.1 -Uchen member

Welcome to psql 7.3.3, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms

\h for help with SQL commands

\? for help on internal slash commands

\g or terminate with semicolon to execute query

\q to quit

member=> \q

[root@linux root]# service postgresql restart

[ OK ]

Starting postgresql service: [ OK ]

[root@linux root]

[root@linux root]# psql -h 127.0.0.1 -Uchen member

Welcome to psql 7.3.3, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms

\h for help with SQL commands

\? for help on internal slash commands

\g or terminate with semicolon to execute query

\q to quit

SSL connection (cipher: EDH-RSA-DES-CBC3-SHA, bits: 168)

member=>

登陸後下方顯示SSL connection (cipher: EDH-RSA-DES-CBC3-SHA, bits: 168)恭喜你成功了！

伺服器將在同一個 TCP 埠上同時監聽標準的和SSL的聯接，並且將與任何正在聯接的用戶端進行協商，協商是否使用SSL．參閱 Chapter 19 獲取如何強制伺服器端只使用SSL進行某些聯接的資訊．這段引用http://www.pgsqldb.org/pgsqldoc-cvs/ssl-tcp.html

7. 配置pg_hba.conf強制使用SSL聯接：

-bash-2.05b$ vi pg_hba.conf

hostssl all all 127.0.0.1 255.255.255.255 md5

8. 連接測試：

[root@linux8 root]# service postgresql restart

[ OK ]

Starting postgresql service: [ OK ]

[root@linux8 root]# psql -h 127.0.0.1 -Uchen member

Welcome to psql 7.3.3, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms

\h for help with SQL commands

\? for help on internal slash commands

\g or terminate with semicolon to execute query

\q to quit

SSL connection (cipher: EDH-RSA-DES-CBC3-SHA, bits: 168)

member=>

我的pg_hba.conf文件：

-bash-2.05b$ cat pg_hba.conf

# PostgreSQL Client Authentication Configuration File

# ===================================================

# Refer to the PostgreSQL Administrator's Guide, chapter "Client

# Authentication" for a complete description. A short synopsis

# follows.

# This file controls: which hosts are allowed to connect, how clients

# are authenticated, which PostgreSQL user names they can use, which

# databases they can access. Records take one of three forms:

# local DATABASE USER METHOD [OPTION]

# host DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]

# hostssl DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]

# (The uppercase quantities should be replaced by actual values.)

# DATABASE can be "all", "sameuser", "samegroup", a database name (or

# a comma-separated list thereof), or a file name prefixed with "@".

# USER can be "all", an actual user name or a group name prefixed with

# "+" or a list containing either. IP-ADDRESS and IP-MASK specify the

# set of hosts the record matches. METHOD can be "trust", "reject",

# "md5", "crypt", "password", "krb4", "krb5", "ident", or "pam". Note

# that "password" uses clear-text passwords; "md5" is preferred for

# encrypted passwords. OPTION is the ident map or the name of the PAM

# service.

# This file is read on server startup and when the postmaster receives

# a SIGHUP signal. If you edit the file on a running system, you have

# to SIGHUP the postmaster for the changes to take effect, or use

# "pg_ctl reload".

# Put your actual configuration here

# ----------------------------------

# CAUTION: The default configuration allows any local user to connect

# using any PostgreSQL user name, including the superuser, over either

# Unix-domain sockets or TCP/IP. If you are on a multiple-user

# machine, the default configuration is probably too liberal for you.

# Change it to use something other than "trust" authentication.

# If you want to allow non-local connections, you need to add more

# "host" records. Also, remember TCP/IP connections are only enabled

# if you enable "tcpip_socket" in postgresql.conf.

# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD

local all all trust

host all all 127.0.0.1 255.255.255.255 trust

# Using sockets credentials for improved security. Not available everywhere,

# but works on Linux, *BSD (and probably some others)

#local all all ident sameuser

#host all all 127.0.0.1 255.255.255.255 md5

#local all all trust

#host all all 0.0.0.0 0.0.0.0 md5

hostssl all all 127.0.0.1 255.255.255.255 md5

9. 注意事項：

1. 秘鑰和證書（server.key，server.crt）必須放在data目前中，即與postgresql.conf同在一個目錄中

2. server.key許可權必須設為600，所有者為postgres，否則會提示你許可權或用戶、組不正確。

3. 刪除privkey.pem文件

2.9.2 使用SSH進行安全TCP/IP聯接

ＳＳＨ幫助資訊，注意-L、-R兩個參數：

[chen@linux chen]$ ssh --help

Usage: ssh [options] host [command]

Options:

-l user Log in using this user name.

-n Redirect input from /dev/null.

-F config Config file (default: ~/.ssh/config).

-A Enable authentication agent forwarding.

-a Disable authentication agent forwarding (default).

-X Enable X11 connection forwarding.

-x Disable X11 connection forwarding (default).

-i file Identity for public key authentication (default: ~/.ssh/identity)

-t Tty; allocate a tty even if command is given.

-T Do not allocate a tty.

-v Verbose; display verbose debugging messages.

Multiple -v increases verbosity.

-V Display version number only.

-P Don't allocate a privileged port.

-q Quiet; don't display any warning messages.

-f Fork into background after authentication.

-e char Set escape character; ``none'' = disable (default: ~).

-c cipher Select encryption algorithm

-m macs Specify MAC algorithms for protocol version 2.

-p port Connect to this port. Server must be on the same port.

-L listen-port:host:port Forward local port to remote address

-R listen-port:host:port Forward remote port to local address

These cause ssh to listen for connections on a port, and

forward them to the other side by connecting to host:port.

-D port Enable dynamic application-level port forwarding.

-C Enable compression.

-N Do not execute a shell or command.

-g Allow remote hosts to connect to forwarded ports.

-1 Force protocol version 1.

-2 Force protocol version 2.

-4 Use IPv4 only.

-6 Use IPv6 only.

-o 'option' Process the option as if it was read from a configuration file.

-s Invoke command (mandatory) as SSH2 subsystem.

-b addr Local IP address.

說明：

-L listen-port:host:port 轉發本地埠到遠端位址

-R listen-port:host:port 轉發遠端埠到本地位址

使用方法：

ssh –L 本地埠:連接PostgreSQL的host:5432 登錄用戶@要轉發的遠端主機

[root@linux8 root]# ssh –L 3333:localhost:5432 root@127.0.0.1

root@127.0.0.1’s password:

Last login: Sat Oct 25 09:27:30 2003 from 192.168.1.2

[root@linux8 root]# psql –p3333 –Uchen

psql: could not connect to server: No such file or directory

Is the server running locally and accepting

Connections on Unix domain socket “/tmp/.s.PGSQL.3333”?

[root@linux8 root]# psql –p3333 –Uchen member

psql: could not connect to server: No such file or directory

Is the server running locally and accepting

Connections on Unix domain socket “/tmp/.s.PGSQL.3333”?

[root@linux8 root]# psql –h 127.0.0.1 –p3333 –Uchen member

Welcome to psql 7.3.3, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms

\h for help with SQL commands

\? For help on internal slash commands

\g or terminate with semicolon to execute query

\q to quit

SSL connection (cipher: EDH-RSA-DES-CBC3-SHA, bits: 168)

Member=>

注意：我上面用了SSH+SSL。伺服器àSSHàSSL-------Fast Ethernet------ SSLàSSHà用戶端

實例：

請看上面圖片，現在假設server1應用伺服器，server2是資料庫資料伺服器。現在要從server1連接通過SSH連接server2。

server1環境：

IP：192.168.0.1

功能變數名稱：client.9812.net

server2環境：

IP：192.168.0.2

功能變數名稱：server.9812.net

SSH命令：

登陸server1輸入命令

server1$ ssh -f –n –L 8000:server.9812.net:5432 server.9812.net

server1$ psql –h 127.0.0.1 –p 8000 –Unetkiller mydb

2.10 連接ipv6主機

控制臺1：

Sent username "root"

root@192.168.1.4's password:

Last login: Sun Dec 28 13:07:40 2003 from 192.168.1.3

[root@linux9 root]# ifconfig

eth0 Link encap:Ethernet HWaddr 00:0C:29:09:0B:60

inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0

inet6 addr: fe80::20c:29ff:fe09:b60/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:34364 errors:0 dropped:0 overruns:0 frame:0

TX packets:29074 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:22502007 (21.4 Mb) TX bytes:3561608 (3.3 Mb)

Interrupt:10 Base address:0x10e0

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:114 errors:0 dropped:0 overruns:0 frame:0

TX packets:114 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:10918 (10.6 Kb) TX bytes:10918 (10.6 Kb)

[root@linux9 root]# ifconfig eth0 inet6 add 3ffe:ffff:0:f101::1/64

[root@linux9 root]# ifconfig

eth0 Link encap:Ethernet HWaddr 00:0C:29:09:0B:60

inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0

inet6 addr: 3ffe:ffff:0:f101::1/64 Scope:Global

inet6 addr: fe80::20c:29ff:fe09:b60/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:34392 errors:0 dropped:0 overruns:0 frame:0

TX packets:29106 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:22503903 (21.4 Mb) TX bytes:3565060 (3.3 Mb)

Interrupt:10 Base address:0x10e0

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:114 errors:0 dropped:0 overruns:0 frame:0

TX packets:114 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:10918 (10.6 Kb) TX bytes:10918 (10.6 Kb)

[root@linux9 root]#

[root@linux9 root]# ping6 3ffe:ffff:0:f101::1

PING 3ffe:ffff:0:f101::1(3ffe:ffff:0:f101::1) 56 data bytes

64 bytes from 3ffe:ffff:0:f101::1: icmp_seq=1 ttl=64 time=0.863 ms

64 bytes from 3ffe:ffff:0:f101::1: icmp_seq=2 ttl=64 time=0.099 ms

64 bytes from 3ffe:ffff:0:f101::1: icmp_seq=3 ttl=64 time=0.086 ms

64 bytes from 3ffe:ffff:0:f101::1: icmp_seq=4 ttl=64 time=0.080 ms

64 bytes from 3ffe:ffff:0:f101::1: icmp_seq=5 ttl=64 time=0.124 ms

--- 3ffe:ffff:0:f101::1 ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 4011ms

rtt min/avg/max/mdev = 0.080/0.250/0.863/0.307 ms

[root@linux9 root]#

測試：

[root@linux classes]# ssh -6 chen@::1

chen@::1's password:

[chen@linux chen]$

控制臺2：

[root@linux9 root]# service postgresql start

Initializing database: [ OK ]

Starting postgresql service: [ OK ]

[root@linux9 root]# su postgres

bash-2.05b$ createdb -E unicode

CREATE DATABASE

bash-2.05b$ psql -l

List of databases

Name | Owner | Encoding

-----------+----------+-----------

postgres | postgres | UNICODE

template0 | postgres | SQL_ASCII

template1 | postgres | SQL_ASCII

(3 rows)

bash-2.05b$ psql

Welcome to psql 7.3.2, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms

\h for help with SQL commands

\? for help on internal slash commands

\g or terminate with semicolon to execute query

\q to quit

postgres=# \q

配置pg_hba.conf

bash-2.05b$ vi /var/lib/pgsql/data/pg_hba.conf

local all all ident sameuser

host all all 3ffe:ffff:0:f101::1/64 trust

3 資料定義（DDL）

3.1 日期時間常量

3.1.1 當前日期

current_date

netkiller=> select current_date;

date

------------

2003-11-28

(1 row)

netkiller=>

3.1.2 當前時間

current_time

netkiller=> select current_time;

timetz

--------------------

19:38:47.270235+08

(1 row)

netkiller=>

3.1.3 當前日期時間

current_timestamp

netkiller=> select current_timestamp;

timestamptz

-------------------------------

2003-11-28 19:39:25.548505+08

(1 row)

netkiller=>

3.1.4 除去時區

1. current_timestamp::timestamp (0)

2. current_timestamp::timestamp (0) without time zone;

netkiller=> select current_timestamp::timestamp (0);

timestamp

---------------------

2003-11-28 19:44:33

(1 row)

netkiller=>

netkiller=> select current_timestamp::timestamp (0) without time zone;

timestamp

---------------------

2003-11-28 19:40:10

(1 row)

netkiller=>

3.1.5 計算時間差

netkiller=> select to_date('2003-12-2','YYYY-MM-DD')-to_date('2003-12-1','YYYY-MM-DD');

?column?

----------

(1 row)

netkiller=>

netkiller=> select to_date('2003-12-2','YYYY-MM-DD')-to_date('2003-10-2','YYYY-MM-DD');

?column?

----------

(1 row)

3.1.6 計算時間和

netkiller=> select to_date('2003-12-6','yyyy-mm-dd')+12 ;
?column?
------------
2003-12-18
(1 row)

netkiller=> select to_date('2003-12-6','yyyy-mm-dd')+20 ;
?column?
------------
2003-12-26
(1 row)

3.1.7 date_part

netkiller=> select date_part('epoch', '2003-12-3 10:20:30' - timestamp '2003-12-1 02:00:00') ;

date_part

-----------

202830

(1 row)

netkiller=> select date_part('day', '2003-12-3 10:20:30' - timestamp '2003-12-1 02:00:00') ;

date_part

-----------

(1 row)

netkiller=> select date_part('hour', '2003-12-3 10:20:30' - timestamp '2003-12-1 02:00:00') ;

date_part

-----------

(1 row)

netkiller=>

詳細使用方法請參考http://www.pgsqldb.org上的文檔。

3.2 漢字做欄位名

PostgreSQL是支援“區域”，“字元集支援”的，允許你使用本區域的字元集做為欄位名。但要注意，你的終端要支援該字元集支援。我這裏使用UNICODE，EUC_CN也適用。

Create table "組"(

"序號" Serial NOT NULL UNIQUE,

"組名" Varchar(20) NOT NULL,

"描述" Varchar(255),

UNIQUE ("組名"),

PRIMARY KEY ("序號")

);

創建表：

member=> Create table "組"(

member(> "序號" Serial NOT NULL UNIQUE,

member(> "組名" Varchar(20) NOT NULL,

member(> "描述" Varchar(255),

member(> UNIQUE ("組名"),

member(> PRIMARY KEY ("序號")

member(> );

NOTICE: CREATE TABLE will create implicit sequence '組_序號_seq' for SERIAL column '組.序號'

NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index '組_pkey' for table '組'

NOTICE: CREATE TABLE / UNIQUE will create implicit index '組_組名_key' for table '組'

CREATE TABLE

member=> \d

List of relations

Schema | Name | Type | Owner

--------+--------------------+----------+-------

public | group | table | chen

public | group_id_seq | sequence | chen

public | groupmember | table | chen

public | groupmember_id_seq | sequence | chen

public | role | table | chen

public | role_id_seq | sequence | chen

public | rolemember | table | chen

public | rolemember_id_seq | sequence | chen

public | system_log | table | chen

public | system_log_id_seq | sequence | chen

public | trust | table | chen

public | trust_id_seq | sequence | chen

public | user | table | chen

public | user_id_seq | sequence | chen

public | user_log | table | chen

public | user_log_id_seq | sequence | chen

public | userinfo | table | chen

public | userinfo_id_seq | sequence | chen

public | vgroup | view | chen

public | vgroupmember | view | chen

public | vsystem_log | view | chen

public | vuser | view | chen

public | 組 | table | chen

public | 組_序號_seq | sequence | chen

(24 rows)

查看表結構：

member=> \d 組

Table "public.組"

Column | Type | Modifiers

--------+------------------------+-----------------------------------------------------------

序號 | integer | not null default nextval('public."組_序號_seq"'::text)

組名 | character varying(20) | not null

描述 | character varying(255) |

Indexes: 組_pkey primary key btree ("序號"),

組_組名_key unique btree ("組名")

插入資料：

member=> insert into 組(組名,描述) values('域用戶','9812.net域內用戶');

INSERT 110971 1

member=> insert into "組"("組名","描述") values('域用戶','9812.net域內用戶');

ERROR: Cannot insert a duplicate key into unique index 組_組名_key

member=> insert into "組"("組名","描述") values('電腦維護組','維護電腦的用戶用戶');

INSERT 110973 1

查看數據：

member=> select * from 組;

序號 | 組名 | 描述

--------+--------------------+--------------------------------

1 | 域用戶 | 9812.net域內用戶

3 | 電腦維護組 | 維護電腦的用戶用戶

(2 rows)

member=> select * from "組";

序號 | 組名 | 描述

--------+--------------------+--------------------------------

1 | 域用戶 | 9812.net域內用戶

3 | 電腦維護組 | 維護電腦的用戶用戶

(2 rows)

注：在操作非英文欄位的表時。建議最好前，後加上“"”，“"”符號。並非所有API都支援非英文的編碼。

3.3 “：：”資料轉換

PostgreSQL 資料之間的轉換可以使用“：：”操作符。

3.3.1 text to varchar

vperson 表gender欄位為布林型（boolean）在視圖中要顯示為true顯示為“先生”，false顯示為“女士”CASE WHEN 運算式應該是：

CASE WHEN p.gender = true THEN '先生' ELSE '女士' END as gender,

直接使用'先生', '女士' PostgreSQL認為' '中間的字元為text類型，請看下面：

postgres=# CREATE OR REPLACE VIEW vperson AS

postgres-# SELECT p.uid,p.name,

postgres-# CASE WHEN p.gender = true THEN '先生' ELSE '女士' END as gender,

postgres-# p.nickname,p.mobile,p.tel,p.fax,p.email,p.province,p.city,p.addre

ss,p.postalcode

postgres-# FROM "person" p

postgres-# Order By p.uid;

CREATE VIEW

postgres=# \dv vperson

List of relations

Schema | Name | Type | Owner

--------+---------+------+----------

public | vperson | view | postgres

(1 row)

postgres=# \d person

Table "public.person"

Column | Type | Modifiers

-------------+------------------------+----------------------

uid | integer | not null default 0

name | character varying(20) | not null

gender | boolean | not null default 'F'

nickname | character varying(20) |

mobile | character varying(13) |

tel | character varying(20) | not null

fax | character varying(20) |

email | character varying(60) |

province | character varying(10) | not null

city | character varying(10) | not null

address | character varying(255) | not null

postalcode | character varying(6) | not null

rate | character varying(20) | default '0'

bank | character varying(20) | not null default ''

bankaccount | character varying(20) | not null default ''

Indexes: person_pkey primary key btree (uid)

Check constraints: "person_rate" ((((((rate = '0'::character varying) OR (rate = '1'::character varying)) OR (rate = '2'::character varying)) OR (rate = '3'::character varying)) OR (rate = '4'::character varying)) OR (rate = '5'::character varying))

postgres=#

postgres=# \d vperson

View "public.vperson"

Column | Type | Modifiers

------------+------------------------+-----------

uid | integer |

name | character varying(20) |

gender | text |

nickname | character varying(20) |

mobile | character varying(13) |

tel | character varying(20) |

fax | character varying(20) |

email | character varying(60) |

province | character varying(10) |

city | character varying(10) |

address | character varying(255) |

postalcode | character varying(6) |

View definition: SELECT p.uid, p.name, CASE WHEN (p.gender = true) THEN '先生'::

text ELSE '女士'::text END AS gender, p.nickname, p.mobile, p.tel, p.fax, p.emai

l, p.province, p.city, p.address, p.postalcode FROM person p ORDER BY p.uid;

使用“：：”將test 轉為varchar：

CASE WHEN p.gender = true THEN '先生'::varchar(2) ELSE '女士'::varchar(2) END as gender,

例：

CREATE OR REPLACE VIEW vperson AS

SELECT p.uid,p.name,

CASE WHEN p.gender = true THEN '先生'::varchar(2) ELSE '女士'::varchar(2) END as gender,

p.nickname,p.mobile,p.tel,p.fax,p.email,p.province,p.city,p.address,p.postalcode

FROM "person" p

Order By p.uid;

postgres=# drop view vperson ;

DROP VIEW

postgres=# CREATE OR REPLACE VIEW vperson AS

postgres-# SELECT p.uid,p.name,

postgres-# CASE WHEN p.gender = true THEN '先生'::varchar(2) ELSE '女士'::varchar(2) END as gender,

postgres-# p.nickname,p.mobile,p.tel,p.fax,p.email,p.province,p.city,p.address,p.postalcode

postgres-# FROM "person" p

postgres-# Order By p.uid;

CREATE VIEW

postgres=# \d vperson

View "public.vperson"

Column | Type | Modifiers

------------+------------------------+-----------

uid | integer |

name | character varying(20) |

gender | character varying(2) |

nickname | character varying(20) |

mobile | character varying(13) |

tel | character varying(20) |

fax | character varying(20) |

email | character varying(60) |

province | character varying(10) |

city | character varying(10) |

address | character varying(255) |

postalcode | character varying(6) |

View definition: SELECT p.uid, p.name, CASE WHEN (p.gender = true) THEN ('先生'::character varying)::character varying(2) ELSE ('女士'::character varying)::character varying(2) END AS gender, p.nickname, p.mobile, p.tel, p.fax, p.email, p.province, p.city, p.address, p.postalcode FROM person p ORDER BY p.uid;

postgres=#

3.4 序列

3.4.1 等差列

-- ------------------------------------------------------

-- 'Region'

-- ------------------------------------------------------

DROP TABLE region;

DROP SEQUENCE region_id_seq;

DROP INDEX region_id_index;

DROP VIEW vregion;

CREATE TABLE region (

id integer DEFAULT nextval('region_id_seq') NOT NULL,

region varchar(20) DEFAULT '' NOT NULL,

description text ,

note text ,

remark text ,

create_date timestamp DEFAULT now() ,

modify_date timestamp DEFAULT now() ,

PRIMARY KEY (id),

UNIQUE (id,region)

);

CREATE SEQUENCE region_id_seq;

CREATE INDEX region_id_index ON region (id);

CREATE VIEW vregion AS

SELECT pv.id,pv.region,pv.description,pv.note,pv.remark,to_char(pv.create_date,'YYYY-MM-DD HH:MI:SS') as date

FROM region pv

ORDER BY pv.id;

3.4.2 “1，2，3，4，5，6，7，8，9…”

DROP SEQUENCE region_id_seq;

CREATE SEQUENCE region_id_seq;

member=> insert into region(region) values('廣西');

INSERT 111264 1

member=>

member=> insert into region(region) values('貴州');

INSERT 111265 1

member=>

member=> insert into region(region) values('海南');

INSERT 111266 1

member=>

member=> insert into region(region) values('河北');

INSERT 111267 1

member=>

member=> insert into region(region) values('河南');

INSERT 111268 1

member=>

member=> insert into region(region) values('黑龍江');

INSERT 111269 1

member=> select * from vregion ;

----+--------+-------------+------+--------+---------------------

1 | 安徽 | | | | 2003-11-01 10:44:26

2 | 北京 | | | | 2003-11-01 10:44:26

3 | 重慶 | | | | 2003-11-01 10:44:26

4 | 福建 | | | | 2003-11-01 10:44:26

5 | 甘肅 | | | | 2003-11-01 10:44:26

6 | 廣東 | | | | 2003-11-01 10:44:26

7 | 廣西 | | | | 2003-11-01 10:44:26

8 | 貴州 | | | | 2003-11-01 10:44:26

9 | 海南 | | | | 2003-11-01 10:44:26

10 | 河北 | | | | 2003-11-01 10:44:26

11 | 河南 | | | | 2003-11-01 10:44:26

12 | 黑龍江 | | | | 2003-11-01 10:44:26

(12 rows)

3.4.3 “1，3，5，7，9…”

DROP SEQUENCE region_id_seq;

Delete from region;

CREATE SEQUENCE region_id_seq INCREMENT 2 START 1;

member=> DROP SEQUENCE region_id_seq;

DROP SEQUENCE

member=> Delete from region;

DELETE 15

member=>

member=> CREATE SEQUENCE region_id_seq INCREMENT 2 START 1;

CREATE SEQUENCE

member=> insert into region(region) values('廣東');

INSERT 111282 1

member=>

member=> insert into region(region) values('廣西');

INSERT 111283 1

member=>

member=> insert into region(region) values('貴州');

INSERT 111284 1

member=>

member=> insert into region(region) values('海南');

INSERT 111285 1

member=>

member=> insert into region(region) values('河北');

INSERT 111286 1

member=>

member=> insert into region(region) values('河南');

INSERT 111287 1

member=>

member=> insert into region(region) values('黑龍江');

INSERT 111288 1

member=> select * from region ;

----+--------+-------------+------+--------+----------------------------+----------------------------

1 | 安徽 | | | | 2003-11-01 11:49:58.004475 | 2003-11-01 11:49:58.004475

3 | 北京 | | | | 2003-11-01 11:49:58.093188 | 2003-11-01 11:49:58.093188

5 | 重慶 | | | | 2003-11-01 11:49:58.138582 | 2003-11-01 11:49:58.138582

7 | 福建 | | | | 2003-11-01 11:49:58.166903 | 2003-11-01 11:49:58.166903

9 | 甘肅 | | | | 2003-11-01 11:49:58.195132 | 2003-11-01 11:49:58.195132

11 | 廣東 | | | | 2003-11-01 11:49:58.239133 | 2003-11-01 11:49:58.239133

13 | 廣西 | | | | 2003-11-01 11:49:58.267372 | 2003-11-01 11:49:58.267372

15 | 貴州 | | | | 2003-11-01 11:49:58.295643 | 2003-11-01 11:49:58.295643

17 | 海南 | | | | 2003-11-01 11:49:58.324202 | 2003-11-01 11:49:58.324202

19 | 河北 | | | | 2003-11-01 11:49:58.352543 | 2003-11-01 11:49:58.352543

21 | 河南 | | | | 2003-11-01 11:49:58.381273 | 2003-11-01 11:49:58.381273

23 | 黑龍江 | | | | 2003-11-01 11:49:58.415112 | 2003-11-01 11:49:58.415112

(12 rows)

3.4.4 “2，4，6，8，10…”

DROP SEQUENCE region_id_seq;

Delete from region;

CREATE SEQUENCE region_id_seq INCREMENT 2 START 2;

member=> DROP SEQUENCE region_id_seq;

ERROR: sequence "region_id_seq" does not exist

member=> Delete from region;

DELETE 0

member=> CREATE SEQUENCE region_id_seq INCREMENT 2 START 2;

CREATE SEQUENCE

member=> insert into region(region) values('安徽');

INSERT 111303 1

member=> insert into region(region) values('北京');

INSERT 111304 1

……

member=> insert into region(region) values('海南');

INSERT 111311 1

member=> insert into region(region) values('河北');

INSERT 111312 1

member=> select * from vregion;

----+--------+-------------+------+--------+---------------------

2 | 安徽 | | | | 2003-11-01 12:00:28

4 | 北京 | | | | 2003-11-01 12:00:28

6 | 重慶 | | | | 2003-11-01 12:00:28

8 | 福建 | | | | 2003-11-01 12:00:28

10 | 甘肅 | | | | 2003-11-01 12:00:28

12 | 廣東 | | | | 2003-11-01 12:00:28

14 | 廣西 | | | | 2003-11-01 12:00:28

16 | 貴州 | | | | 2003-11-01 12:00:28

18 | 海南 | | | | 2003-11-01 12:00:28

20 | 河北 | | | | 2003-11-01 12:00:28

(10 rows)

3.4.5 n₁+n₂

CREATE SEQUENCE region_id_seq INCREMENT n₂ START n₁;

3.5 約束

3.6 檢查約束

例子1：

有這樣一個需求，在很多電子商務網站上都要對用戶進行誠信評估，誠信分為五級（五個星），這樣就要求某欄位插入的資料0，1，2，3，4，5。“0”表示該用戶沒用評估。

-- ======================================================

-- 'trust'

-- ======================================================

Create table "trust"

(

"id" Serial NOT NULL UNIQUE,

"uid" integer NOT NULL Default 0,

"rate" Varchar(20) Default '0' Check (rate in ('0','1','2','3','4','5')),

primary key ("id")

);

Alter table "trust" add foreign key ("uid") references "user" ("id") on update restrict on delete restrict;

member=> Insert into trust (uid) values((select id from "user" where userid='netkiller'));

INSERT 111237 1

member=> Insert into trust (uid,rate) values((select id from "user" where userid='netkiller'),5);

INSERT 111220 1

member=> Insert into trust (uid,rate) values((select id from "user" where userid='netkiller'),2);

INSERT 111236 1

member=> Insert into trust (uid,rate) values((select id from "user" where userid='netkiller'),6);

ERROR: ExecInsert: rejected due to CHECK constraint "trust_rate" on "trust"

member=> Insert into trust (uid,rate) values((select id from "user" where userid='netkiller'),10);

ERROR: ExecInsert: rejected due to CHECK constraint "trust_rate" on "trust"

member=> select * from trust;

id | uid | rate

----+-----+------

1 | 257 | 2

4 | 257 | 0

5 | 257 | 5

(3 rows)

當插入資料不在枚舉的範圍內，提示ERROR: ExecInsert: rejected due to CHECK constraint "trust_rate" on "trust"。

例子2：

檢查某欄位，不允許出現數值，使用not in 來完成。

DROP TABLE ctoc.bid CASCADE;

CREATE TABLE ctoc.bid(

id Serial NOT NULL UNIQUE,

salesroom_id integer DEFAULT '1' NOT NULL, -- foreign key

bidder integer DEFAULT '1' NOT NULL, -- foreign key

price numeric(8,2) DEFAULT '0.00' NOT NULL,

quantity Integer DEFAULT '1' NOT NULL Check (quantity not in ('0')),

created timestamp DEFAULT current_timestamp::timestamp (0) without time zone,

status boolean DEFAULT true,

PRIMARY KEY (id),

FOREIGN KEY (salesroom_id) REFERENCES ctoc.salesroom (id) ON UPDATE CASCADE ON DELETE CASCADE,

FOREIGN KEY (bidder) REFERENCES person (uid) ON UPDATE CASCADE ON DELETE CASCADE

);

netkiller=> insert into ctoc.bid(salesroom_id,bidder,price,quantity,status) values(1,8,100,0,true);

ERROR: ExecInsert: rejected due to CHECK constraint "bid_quantity" on "bid"

3.7 非空約束

顯示的有note欄位為空的記錄：

member=> select * from vregion where note is null;

3.8 唯一約束

3.8.1 單字段約束

這個例子對groupname欄位做唯一操作。

-- ======================================================

-- 'group'

-- ======================================================

Create table "group"

(

"id" Serial NOT NULL UNIQUE,

"groupname" Varchar(20) NOT NULL,

"description" Varchar(255),

UNIQUE (groupname),

PRIMARY KEY ("id")

);

測試：

member=> insert into "group"(groupname,description) values('Admin','xxxxxxxxxxxxxxxxxx');

INSERT 110497 1

member=> insert into "group"(groupname,description) values('Admin','xxxxxxxxxxxxxxxxxx');

ERROR: Cannot insert a duplicate key into unique index group_groupname_key

member=> insert into "group"(groupname,description) values('Admin','xxxxxxxxxxxxxxxxxx');

ERROR: Cannot insert a duplicate key into unique index group_groupname_key

Psql 命令行返回ERROR: Cannot insert a duplicate key into unique index group_groupname_key唯一約束成功。

3.8.2 多個欄位組合約束

UNIQUE (rid,uid)中有多個參數，是對rid,uid組合約束。

例如：

1，1

1，2

是正確的

1，1

2，1

也是正確的

2，1

1，1

2，2

1，2

1，1

不正確的不允許插入資料“1，1”，資料“1，1”出現了兩次，所以要同時滿足rid,uid兩個條件。

三個欄位以上組合：

1,1,1

1,1,2

1,2,1

2,1,2

2,1,1

2,2,2

正確可以插入資料

1，2，1

2，1，2

2，2，1

1，1，2

2，2，1

“2，2，1”，“2，2，1”出現兩次，違反約束條件，所以不能再次插入資料“2，2，1”。

-- ======================================================

-- 'rolemember'

-- ======================================================

-- drop table rolemember CASCADE ;

Create table "rolemember"

(

"id" Serial NOT NULL UNIQUE,

"rid" integer NOT NULL Default 0,

"uid" integer NOT NULL Default 0,

UNIQUE (rid,uid),

primary key ("id")

);

member=> insert into rolemember(rid,uid) values((select id from role where rolename ='System'),(select id from vuser where userid='sysop'));

INSERT 110954 1

member=> insert into rolemember(rid,uid) values((select id from role where rolename ='System'),(select id from vuser where userid='sysop'));

ERROR: Cannot insert a duplicate key into unique index rolemember_rid_key

member=> insert into rolemember(rid,uid) values((select id from role where rolename ='System'),(select id from vuser where userid='admin'));

ERROR: More than one tuple returned by a subselect used as an expression.

member=> insert into rolemember(rid,uid) values((select id from role where rolename ='System'),(select id from vuser where userid='test'));

INSERT 110956 1

member=> insert into rolemember(rid,uid) values((select id from role where rolename ='System'),(select id from vuser where userid='test'));

ERROR: Cannot insert a duplicate key into unique index rolemember_rid_key

3.8.3 唯一約束的注意事項

這個例子對groupname欄位做唯一操作。

-- ======================================================

-- 'group'

-- ======================================================

Create table "group"

(

"id" Serial NOT NULL UNIQUE,

"groupname" Varchar(20) NOT NULL,

"description" Varchar(255),

UNIQUE (id,groupname),

PRIMARY KEY ("id")

);

仔細看這個例子沒有錯。

運行結果：

postgres=# Create table "group"

postgres-# (

postgres(# "id" Serial NOT NULL UNIQUE,

postgres(# "groupname" Varchar(20) NOT NULL,

postgres(# "description" Varchar(255),

postgres(# UNIQUE (id,groupname),

postgres(# PRIMARY KEY ("id")

postgres(# );

NOTICE: CREATE TABLE will create implicit sequence 'group_id_seq' for SERIAL column 'group.id'

NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index 'group_pkey' for table 'group'

NOTICE: CREATE TABLE / UNIQUE will create implicit index 'group_id_key' for table 'group'

CREATE TABLE

運行結果也沒有錯，現在插入資料。

insert into "group"(groupname,description) values('Admin','xxxxxxxxxxxxxxxxxx');

insert into "group"(groupname,description) values('Guest','xxxxxxxxxxxxxxxxxx');

insert into "group"(groupname,description) values('Domain','xxxxxxxxxxxxxxxxxx');

postgres=# insert into "group"(groupname,description) values('Admin','xxxxxxxxxxxxxxxxxx');

INSERT 110466 1

postgres=# insert into "group"(groupname,description) values('Guest','xxxxxxxxxxxxxxxxxx');

INSERT 110467 1

postgres=# insert into "group"(groupname,description) values('Domain','xxxxxxxxxxxxxxxxxx');

INSERT 110468 1

postgres=#

postgres=# insert into "group"(groupname,description) values('Admin','xxxxxxxxxxxxxxxxxx');

INSERT 110469 1

postgres=# insert into "group"(groupname,description) values('Guest','xxxxxxxxxxxxxxxxxx');

INSERT 110470 1

postgres=# insert into "group"(groupname,description) values('Domain','xxxxxxxxxxxxxxxxxx');

INSERT 110471 1

postgres=# insert into "group"(groupname,description) values('Admin','xxxxxxxxxxxxxxxxxx');

INSERT 110472 1

postgres=# insert into "group"(groupname,description) values('Guest','xxxxxxxxxxxxxxxxxx');

INSERT 110473 1

postgres=# insert into "group"(groupname,description) values('Domain','xxxxxxxxxxxxxxxxxx');

INSERT 110474 1

postgres=# insert into "group"(groupname,description) values('Admin','xxxxxxxxxxxxxxxxxx');

INSERT 110475 1

postgres=# insert into "group"(groupname,description) values('Guest','xxxxxxxxxxxxxxxxxx');

INSERT 110476 1

postgres=# insert into "group"(groupname,description) values('Domain','xxxxxxxxxxxxxxxxxx');

INSERT 110477 1

postgres=# insert into "group"(groupname,description) values('Admin','xxxxxxxxxxxxxxxxxx');

INSERT 110478 1

postgres=# insert into "group"(groupname,description) values('Guest','xxxxxxxxxxxxxxxxxx');

INSERT 110479 1

postgres=# insert into "group"(groupname,description) values('Domain','xxxxxxxxxxxxxxxxxx');

INSERT 110480 1

postgres=# select * from "group";

id | groupname | description

----+-----------+--------------------

1 | Admin | xxxxxxxxxxxxxxxxxx

2 | Guest | xxxxxxxxxxxxxxxxxx

3 | Domain | xxxxxxxxxxxxxxxxxx

4 | Admin | xxxxxxxxxxxxxxxxxx

5 | Guest | xxxxxxxxxxxxxxxxxx

6 | Domain | xxxxxxxxxxxxxxxxxx

7 | Admin | xxxxxxxxxxxxxxxxxx

8 | Guest | xxxxxxxxxxxxxxxxxx

9 | Domain | xxxxxxxxxxxxxxxxxx

10 | Admin | xxxxxxxxxxxxxxxxxx

11 | Guest | xxxxxxxxxxxxxxxxxx

12 | Domain | xxxxxxxxxxxxxxxxxx

13 | Admin | xxxxxxxxxxxxxxxxxx

14 | Guest | xxxxxxxxxxxxxxxxxx

15 | Domain | xxxxxxxxxxxxxxxxxx

(15 rows)

但你會發現對groupname欄位的唯一約束不起使用。失效原因：

"id" Serial NOT NULL UNIQUE, (唯一約束)

UNIQUE (id,groupname), (id欄位又做了一次唯一約束)

這就是它失效的原因。正確的腳本寫法是：

Create table "group"

(

"id" Serial NOT NULL UNIQUE,

"groupname" Varchar(20) NOT NULL,

"description" Varchar(255),

UNIQUE (groupname),

PRIMARY KEY ("id")

);

member=> insert into "group"(groupname,description) values('Admin','xxxxxxxxxxxxxxxxxx');

INSERT 110497 1

member=> insert into "group"(groupname,description) values('Admin','xxxxxxxxxxxxxxxxxx');

ERROR: Cannot insert a duplicate key into unique index group_groupname_key

member=> insert into "group"(groupname,description) values('Admin','xxxxxxxxxxxxxxxxxx');

ERROR: Cannot insert a duplicate key into unique index group_groupname_key

Psql 命令行返回ERROR: Cannot insert a duplicate key into unique index group_groupname_key
唯一約束成功。

3.9 主鍵/外鍵

3.9.1 主鍵

下面書寫方式，推薦第二種，比較清晰。

CREATE TABLE products (

product_no integer PRIMARY KEY,

name text,

price numeric

);

CREATE TABLE example (

a integer,

b integer,

c integer,

PRIMARY KEY (a, c)

);

3.9.2 外鍵約束

下面第前兩種寫法不推薦。第三、四種寫法較清晰。

1. 第一種書寫方式

CREATE TABLE orders (

order_id integer PRIMARY KEY,

product_no integer REFERENCES products,

quantity integer

);

2. 第二種書寫方式

CREATE TABLE orders (

order_id integer PRIMARY KEY,

product_no integer REFERENCES products (product_no),

quantity integer

);

3. 第三種書寫方式

CREATE TABLE table1 (

a integer PRIMARY KEY,

b integer,

c integer,

FOREIGN KEY (b, c) REFERENCES other_table (c1, c2)

);

4. 第四種書寫方式，在SQL腳本最後面添加外鍵約束

Alter table "groupmember" add foreign key ("uid") references "user" ("id") on update restrict on delete restrict;

Alter table "groupmember" add foreign key ("gid") references "group" ("id") on update restrict on delete restrict;

Alter table "rolemember" add foreign key ("uid") references "user" ("id") on update restrict on delete restrict;

Alter table "rolemember" add foreign key ("rid") references "role" ("id") on update restrict on delete restrict;

3.9.3 PostgreSQL 7.3.x 新增功能

CREATE TABLE order_items (

product_no integer REFERENCES products ON DELETE RESTRICT,

order_id integer REFERENCES orders ON DELETE CASCADE,

quantity integer,

PRIMARY KEY (product_no, order_id)

);

類似 ON DELETE，還有 ON UPDATE 選項，它是在主鍵被修改（更新）的時候調用的。

以前我們刪除其他表中受外鍵約束的記錄，使用規則或觸發器來完成。現可以用CASCADE

3.9.4 層次遞迴-分類目錄

實現一個無限向下分類的目錄，例如：

電腦與互聯網

免費資源

軟體下載(3431)

壁紙/屏保/桌面(109)

免費電子賀卡(197)

代理伺服器(33)

免費電子郵箱(73)

免費主頁空間(75)

免費聊天室(11)

免費論壇(36)

軟體

XXXXXXXX

硬體

互聯網

編程

資料結構定義：

Drop table "directory" CASCADE;

Create table "directory"

(

"id" Serial NOT NULL,

"root_id" Integer NOT NULL Default 0,

"name" Varchar(20)NOT NULL ,

"status" boolean Default 'true',

"created" Timestamp Default current_timestamp,

"modified" Timestamp Default current_timestamp,

UNIQUE (id,root_id),

PRIMARY KEY ("id")

-- FOREIGN KEY (root_id) REFERENCES directory (id) ON DELETE CASCADE

);

INSERT INTO directory (id,root_id,name) VALUES (0,0,'/');

Alter table "directory" add FOREIGN KEY (root_id) REFERENCES directory (id) ON DELETE CASCADE;

Create index "directory_index" on "directory" using btree ("id","root_id","name");

資料存儲狀態：

Id	Root_id	Name
0	0	/
1	0	電腦
2	1	顯示器
3	1	滑鼠
4	1	主板
5	2	Samsung 顯示器
6	2	LG顯示器
7	2	SONY顯示器

上圖是一個分類目錄，當刪除子目錄時如果子目錄中有目錄或資料，將刪除這些資料和目錄

說明：

id 目錄根

root_id REFERENCES id ON DELETE CASCADE當pk刪除時關聯的fk自動刪除

name 目錄名

status 狀態true可用，false不可用

created 創建時間

modified 修改時間

注意：

因為使用了關聯欄位，所以不能在create table 中使用
FOREIGN KEY (root_id) REFERENCES directory (id) ON DELETE CASCADE

因為插入記錄做參考表中的“id”欄位，創建表的中沒有資料，所以無法插入資料。
先創建表，不定義FOREIGN KEY，然後初始化插入第一條資料：

INSERT INTO directory (id,root_id,name) VALUES (0,0,'/');

再定義外建：

Alter table "directory" add FOREIGN KEY (root_id) REFERENCES directory (id) ON DELETE CASCADE;

postgres=# Create table "directory"

postgres-# (

postgres(# "id" Serial NOT NULL,

postgres(# "root_id" Integer NOT NULL Default 0,

postgres(# "name" Varchar(20)NOT NULL ,

postgres(# "status"boolean Default 'true',

postgres(# "created" Timestamp Default current_timestamp,

postgres(# "modified" Timestamp Default current_timestamp,

postgres(# UNIQUE (id,root_id),

postgres(# PRIMARY KEY ("id")

postgres(# -- FOREIGN KEY (root_id) REFERENCES directory (id) ON DELETE CASCADE

postgres(# );

NOTICE: CREATE TABLE will create implicit sequence 'directory_id_seq' for SERIAL column 'directory.id'

NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index 'directory_pkey' for table 'directory'

NOTICE: CREATE TABLE / UNIQUE will create implicit index 'directory_id_key' for table 'directory'

CREATE TABLE

postgres=# INSERT INTO directory (id,root_id,name) VALUES (0,0,'/');

INSERT 17110 1

postgres=# Alter table "directory" add FOREIGN KEY (root_id) REFERENCES directory (id) ON DELETE CASCADE;

NOTICE: ALTER TABLE will create implicit trigger(s) for FOREIGN KEY check(s)

ALTER TABLE

postgres=# Create index "directory_index" on "directory" using btree ("id","root_id","name");

CREATE INDEX

postgres=# INSERT INTO directory (root_id,name) VALUES (0,'電腦');

INSERT 17116 1

postgres=# SELECT * from directory ;

----+---------+-----------+--------+----------------------------+----------------------------

0 | 0 | / | t | 2003-11-12 16:55:39.727365 | 2003-11-12 16:55:39.727365

1 | 0 | 電腦 | t | 2003-11-12 16:56:39.663584 | 2003-11-12 16:56:39.663584

(2 rows)

postgres=# INSERT INTO directory (root_id,name) VALUES (0,'金融');

INSERT 17117 1

postgres=# SELECT * from directory ;

----+---------+-----------+--------+----------------------------+----------------------------

0 | 0 | / | t | 2003-11-12 16:55:39.727365 | 2003-11-12 16:55:39.727365

1 | 0 | 電腦 | t | 2003-11-12 16:56:39.663584 | 2003-11-12 16:56:39.663584

2 | 0 | 金融 | t | 2003-11-12 16:57:50.509436 | 2003-11-12 16:57:50.509436

(3 rows)

postgres=# INSERT INTO directory (root_id,name) VALUES (1,'顯示器');

INSERT 17118 1

postgres=# INSERT INTO directory (root_id,name) VALUES (1,'滑鼠');

INSERT 17119 1

postgres=# INSERT INTO directory (root_id,name) VALUES (1,'主板');

INSERT 17120 1

postgres=# SELECT * from directory ;

----+---------+-----------+--------+----------------------------+----------------------------

0 | 0 | / | t | 2003-11-12 16:55:39.727365 | 2003-11-12 16:55:39.727365

1 | 0 | 電腦 | t | 2003-11-12 16:56:39.663584 | 2003-11-12 16:56:39.663584

2 | 0 | 金融 | t | 2003-11-12 16:57:50.509436 | 2003-11-12 16:57:50.509436

3 | 1 | 顯示器 | t | 2003-11-12 16:59:15.911196 | 2003-11-12 16:59:15.911196

4 | 1 | 滑鼠 | t | 2003-11-12 16:59:30.646916 | 2003-11-12 16:59:30.646916

5 | 1 | 主板 | t | 2003-11-12 16:59:44.400317 | 2003-11-12 16:59:44.400317

(6 rows)

postgres=# INSERT INTO directory (root_id,name) VALUES (3,'Samsung 顯示器');

INSERT 17121 1

postgres=# INSERT INTO directory (root_id,name) VALUES (3,'LG顯示器');

INSERT 17122 1

postgres=# INSERT INTO directory (root_id,name) VALUES (3,'SONY顯示器');

INSERT 17123 1

postgres=# SELECT * from directory ;

----+---------+-------------------+--------+----------------------------+----------------------------

0 | 0 | / | t | 2003-11-12 16:55:39.727365 | 2003-11-12 16:55:39.727365

1 | 0 | 電腦 | t | 2003-11-12 16:56:39.663584 | 2003-11-12 16:56:39.663584

2 | 0 | 金融 | t | 2003-11-12 16:57:50.509436 | 2003-11-12 16:57:50.509436

3 | 1 | 顯示器 | t | 2003-11-12 16:59:15.911196 | 2003-11-12 16:59:15.911196

4 | 1 | 滑鼠 | t | 2003-11-12 16:59:30.646916 | 2003-11-12 16:59:30.646916

5 | 1 | 主板 | t | 2003-11-12 16:59:44.400317 | 2003-11-12 16:59:44.400317

6 | 3 | Samsung 顯示器 | t | 2003-11-12 17:00:45.964053 | 2003-11-12 17:00:45.964053

7 | 3 | LG顯示器 | t | 2003-11-12 17:01:03.736121 | 2003-11-12 17:01:03.736121

8| 3 | SONY顯示器 | t | 2003-11-12 17:01:18.257337 | 2003-11-12 17:01:18.257337

(9 rows)

postgres=# INSERT INTO directory (root_id,name) VALUES (7,'CRT顯示器');

INSERT 17124 1

postgres=# INSERT INTO directory (root_id,name) VALUES (7,'液晶顯示器');

INSERT 17125 1

postgres=# INSERT INTO directory (root_id,name) VALUES (8,'液晶顯示器');

INSERT 17126 1

postgres=# INSERT INTO directory (root_id,name) VALUES (8,'特利隆顯示器');

INSERT 17127 1

postgres=# INSERT INTO directory (root_id,name) VALUES (7,'鑽石隆顯示器');

INSERT 17128 1

postgres=# SELECT * from directory ;

----+---------+--------------------+--------+----------------------------+----------------------------