Installation Best Practices
Operational rules for bootstrapping PostgreSQL clusters that survive audits, upgrades, and 3 AM pages.
How to Use This List
- Apply during first production install, not as a retrofit after an incident.
- Check off items in your infrastructure-as-code PR before marking the host in-service.
- Revisit after major version upgrades - init defaults and paths may change.
A - Platform & Version
- Run a supported major on a supported OS minor. EOL OS or Postgres major is a compliance defect waiting to happen.
- Pin PostgreSQL major in package names or images.
postgresqlmetapackages drift across distros. - Enable
--data-checksumsat initdb. Cannot be added later without rebuild. - Use UTF8 encoding and document collation choice.
C.UTF-8vs locale-specific affects sort order forever. - Record exact version string in inventory.
SELECT version();in your CMDB.
B - Storage Layout
- Separate WAL onto its own volume when IO-bound. Append-heavy WAL competes with random heap IO.
- Size PGDATA filesystem with 30%+ headroom. Full disk stops writes and can corrupt recovery.
- Use
chmod 700andpostgres:postgresownership on PGDATA. World-readable data dirs fail audits. - Prefer XFS or ext4 with noatime on data volumes. Document mount options in runbooks.
- Avoid NFS for primary PGDATA unless vendor-approved. Latency and locking bite hard.
C - Configuration
- Document every non-default GUC with rationale. Future operators cannot guess why
max_connections = 400. - Set conservative
shared_buffers,work_mem,max_connectionsfirst pass. Tune with metrics, not blog posts. - Use
include_if_existsfor local overrides. Keeppostgresql.confpackage-manager friendly. - Set
log_line_prefixwith pid, user, db, app name. You will need it in the first incident. - Enable
log_connectionsandlog_disconnectionsuntil stable, then reduce. Helps trace auth failures.
D - Network & Auth
- Default-deny in
pg_hba.conf; allow explicit subnets only. First-match wins - order rules carefully. - Use
scram-sha-256for password auth. Retiremd5and bantruston TCP. - Require
hostsslfor remote application connections. Pair with valid TLS certificates. - Bind
listen_addressesto internal NICs only. Public listener + weak hba is a breach pattern. - Create dedicated replication and admin roles. Never reuse application passwords for replication.
E - Service Management
- Enable systemd unit at boot with adequate
TimeoutStopSec. 300s+ on large memory systems. - Verify
PGDATAin unit matchesSHOW data_directory. Multi-instance hosts confuse this easily. - Test
reloadvsrestartprocedures in a drill. Operators must know which config needs which. - Ship logs to centralized storage. journald alone is lost on disk failure.
- Automate backup before declaring production-ready. Empty runbook is not a cluster.
FAQs
Biggest day-one mistake?
Opening pg_hba.conf to 0.0.0.0/0 with weak auth. Lock network first, then tune performance.
Docker for production?
Possible with operator discipline (volumes, resources, backups). Many teams prefer packages or managed cloud for SLA clarity.
How much disk headroom?
Plan for WAL spikes during bulk loads and replication lag. 30% free minimum; alert at 20%.
Related
- Installation Basics - platform install examples
- initdb & Data Directory - PGDATA layout
- postgresql.conf Essentials - first tuning pass
- pg_hba.conf & Authentication - network auth rules
Stack versions: This page was written for PostgreSQL 18.4 (stable 18, maintenance 17), pgvector 0.8+, PgBouncer 1.x, Patroni 3.x, and PostGIS 3.5+.