From: | "Tsunakawa, Takayuki" <tsunakawa(dot)takay(at)jp(dot)fujitsu(dot)com> |
---|---|
To: | 'Craig Ringer' <craig(dot)ringer(at)2ndquadrant(dot)com>, Andres Freund <andres(at)anarazel(dot)de> |
Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Amit Kapila <amit(dot)kapila16(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com> |
Subject: | Re: Supporting huge pages on Windows |
Date: | 2017-04-05 02:37:28 |
Message-ID: | 0A3221C70F24FB45833433255569204D1F6C0825@G01JPEXMBYT05 |
Lists: | pgsql-hackers |
From: Craig Ringer [mailto:craig(dot)ringer(at)2ndquadrant(dot)com]
> TBH, anyone who cares about security and runs Win7 or Win2k8 or newer should
> be using virtual service accounts and managed service accounts.
>
> https://technet.microsoft.com/en-us/library/dd548356
>
>
> Those are more like Unix service accounts. Notably they don't need a password,
> getting rid of some of the management pain that led us to abandon the
> 'postgres' system user on Windows.
>
> Now that older platforms are EoL and even the oldest that added this feature
> are also near EoL or in extended maintenance, I think installers should
> switch to these by default instead of using NETWORK SERVICE.
>
> Then the issue of priv dropping would be a lesser concern anyway.
Good point! And as I said earlier in this thread, I think managing privileges (adding/revoking privileges from the user account) is the DBA's or sysadmin's duty, and PG's removing all privileges feels like overkill.
OTOH, I tried again to leave the DISABLE_MAX_PRIVILEGE as is and add Lock Pages in Memory, using the attached pg_ctl.c. Please see EnableLockPagesPrivilege() and its call site. But pg_ctl -w start fails, emitting the following message:
error code 1300
waiting for server to start....FATAL: could not enable "Lock pages in memory" privilege
HINT: Assign "Lock pages in memory" privilege to the Windows user account which runs PostgreSQL.
LOG: database system is shut down
stopped waiting
pg_ctl: could not start server
Examine the log output.
error code 1300 is ERROR_NOT_ALL_ASSIGNED, which means AdjustTokenPrivileges() could not enable the Lock Pages in Memory privilege. It seems that the privilege cannot be enabled once it has been removed with CreateRestrictedToken(DISABLE_MAX_PRIVILEGE).
Regards
Takayuki Tsunakawa
Attachment | Content-Type | Size |
---|---|---|
pg_ctl.c | text/plain | 65.9 KB |
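The following PowerShell script is an added illustration of the failure described in the message above; it is not part of the thread, of the attached pg_ctl.c, or of PostgreSQL. It P/Invokes the same Win32 calls (OpenProcessToken, CreateRestrictedToken with DISABLE_MAX_PRIVILEGE, LookupPrivilegeValue, AdjustTokenPrivileges) and compares the result of enabling SeLockMemoryPrivilege (the internal name of "Lock pages in memory") on the caller's unrestricted token and on a restricted copy of it. The class name TokenDemo and the helper TryEnable are hypothetical names chosen for the example.

```powershell
# Added example (not from the thread or pg_ctl.c): show that a privilege
# stripped by CreateRestrictedToken(DISABLE_MAX_PRIVILEGE) cannot be
# re-enabled with AdjustTokenPrivileges, which then reports error 1300
# (ERROR_NOT_ALL_ASSIGNED). TokenDemo/TryEnable are names invented here.

$src = @'
using System;
using System.Runtime.InteropServices;

public static class TokenDemo
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    public struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }

    // TOKEN_PRIVILEGES with a single entry (PrivilegeCount = 1).
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID_AND_ATTRIBUTES Privileges; }

    public const uint TOKEN_ALL_ACCESS      = 0x000F01FF;
    public const uint SE_PRIVILEGE_ENABLED  = 0x00000002;
    public const uint DISABLE_MAX_PRIVILEGE = 0x00000001;
    public const int  ERROR_NOT_ALL_ASSIGNED = 1300;

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CreateRestrictedToken(IntPtr token, uint flags,
        uint disableSidCount, IntPtr sidsToDisable,
        uint deletePrivilegeCount, IntPtr privilegesToDelete,
        uint restrictSidCount, IntPtr sidsToRestrict, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previousState, IntPtr returnLength);

    // Try to enable one privilege on a token. Returns the Win32 error code:
    // 0 on success, 1300 (ERROR_NOT_ALL_ASSIGNED) when the token does not
    // hold the privilege. AdjustTokenPrivileges returns TRUE in both cases,
    // so GetLastError() is the only way to see the real outcome.
    public static int TryEnable(IntPtr token, string privilege)
    {
        LUID luid;
        if (!LookupPrivilegeValue(null, privilege, out luid))
            return Marshal.GetLastWin32Error();
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges.Luid = luid;
        tp.Privileges.Attributes = SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return Marshal.GetLastWin32Error();
    }
}
'@
Add-Type -TypeDefinition $src

$priv = 'SeLockMemoryPrivilege'   # "Lock pages in memory"

$token = [IntPtr]::Zero
if (-not [TokenDemo]::OpenProcessToken([TokenDemo]::GetCurrentProcess(),
        [TokenDemo]::TOKEN_ALL_ACCESS, [ref]$token)) {
    throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# 1. Unrestricted token: succeeds (0) only if the account has been granted
#    the right, e.g. via secpol.msc; otherwise this already yields 1300.
$full = [TokenDemo]::TryEnable($token, $priv)
"Unrestricted token: AdjustTokenPrivileges -> error $full"

# 2. Restricted copy with DISABLE_MAX_PRIVILEGE, as pg_ctl does: every
#    privilege except SeChangeNotifyPrivilege is removed from the token.
$restricted = [IntPtr]::Zero
if (-not [TokenDemo]::CreateRestrictedToken($token, [TokenDemo]::DISABLE_MAX_PRIVILEGE,
        0, [IntPtr]::Zero, 0, [IntPtr]::Zero, 0, [IntPtr]::Zero, [ref]$restricted)) {
    throw "CreateRestrictedToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
$r = [TokenDemo]::TryEnable($restricted, $priv)
"Restricted token:   AdjustTokenPrivileges -> error $r"
if ($r -eq [TokenDemo]::ERROR_NOT_ALL_ASSIGNED) {
    "Privilege was removed by DISABLE_MAX_PRIVILEGE; it cannot be re-enabled on this token."
}

[void][TokenDemo]::CloseHandle($restricted)
[void][TokenDemo]::CloseHandle($token)
```

Run it as the account the server will use. If the first line already reports 1300, the account simply lacks the right (check with `whoami /priv`, which lists SeLockMemoryPrivilege only when it is assigned); if the first line reports 0 and the second 1300, the failure is the one shown in the log above: removed privileges are gone from the restricted token, so enabling them has to happen before CreateRestrictedToken, or the privilege has to be kept out of the removal set.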