From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, Andreas Karlsson <andreas(at)proxel(dot)se>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [PATCH] Reload SSL certificates on SIGHUP |
Date: | 2015-07-29 02:01:55 |
Message-ID: | CAB7nPqTHBiT-JfBqRL8jJBJk3m8HhCiF9sGzp26bJS_gZ08CSg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Wed, Jul 29, 2015 at 10:24 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
>> I don't have a problem with rebuilding the SSL context on every reload
>> cycle. We already do a lot of extra reloading every time, so a bit more
>> shouldn't hurt. But I'm not so sure whether we should do that in the
>> SIGHUP handler. I don't know how we got into the situation of doing all
>> the file reloads directly in the handler, but at least we can control
>> that code. Making a bunch of calls into an external library is a
>> different thing, though. Can we find a way to do this differently?
>
> Do we have an idea how expensive it is to load that data?
There are no numbers on this thread. And honestly I would be curious
as well to see a run of pgbench with -C doing or similar to check how
long it takes to establish a connection. I would expect it to be
measurable though, but here I'm just hand-waving ;)
> A brute-force answer is to not have the postmaster load it at all,
> but to have new backends do so (if needed) during their connection
> acceptance/authentication phase. I'm not sure how much that would
> add to the SSL connection startup time though. It would also mean
> that problems with the SSL config files would only be reported during
> subsequent connection starts, not at SIGHUP time, and indeed that
> SIGHUP is more or less meaningless for SSL file changes: the instant
> you change a file, it's live for later connections. On the plus side,
> it would make Windows and Unix behavior closer, since (I suppose)
> we're reloading that stuff anyway in EXEC_BACKEND builds.
Indeed.
--
Michael
From | Date | Subject | |
---|---|---|---|
Next Message | Kouhei Kaigai | 2015-07-29 02:02:23 | Re: [DESIGN] ParallelAppend |
Previous Message | Andreas Karlsson | 2015-07-29 01:45:08 | Re: [PATCH] Reload SSL certificates on SIGHUP |