Re: Proof of concept: standalone backend with full FE/BE protocol
From | Bruce Momjian |
---|---|
Subject | Re: Proof of concept: standalone backend with full FE/BE protocol |
Date | |
Msg-id | 20131121025131.GA23976@momjian.us |
In response to | Re: Proof of concept: standalone backend with full FE/BE protocol (Gurjeet Singh <singh.gurjeet@gmail.com>) |
List | pgsql-hackers |
On Wed, Nov 20, 2013 at 05:38:14PM -0500, Gurjeet Singh wrote:
> On Wed, Nov 20, 2013 at 3:44 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
>     To my mind, the "create a socket and hope nobody else can get to it"
>     approach is exactly one of the main things we're trying to avoid here.
>     If you'll recall, awhile back we had a big discussion about how pg_upgrade
>     could positively guarantee that nobody messed with the source database
>     while it was working, and we still don't have a bulletproof guarantee
>     there.  I would like to fix that by making pg_upgrade use only standalone
>     backends to talk to the source database, never starting a real postmaster
>     at all.  But if the standalone-pg_dump mode goes through a socket, we're
>     back to square one on that concern.
>
> (I couldn't find the pg_upgrade-related thread mentioned above).
>
> I am not sure of the mechanics of this, but can we not launch the postmaster
> with a random magic-cookie, and use that cookie while initiating the connection
> from libpq. The postmaster will then reject any connections that don't provide
> the cookie.
>
> We do something similar to enable applications to send cancellation signals
> (postmaster.c:Backend.cancel_key), just that it's establishing trust in the
> opposite direction.

The magic cookie can be the application_name. I had pg_upgrade code to
prevent anyone from connecting unless their application_name was
"pg_upgrade", but the idea was rejected.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + Everyone has their own god. +