|From:||"Tsunakawa, Takayuki" <tsunakawa(dot)takay(at)jp(dot)fujitsu(dot)com>|
|To:||'Craig Ringer' <craig(dot)ringer(at)2ndquadrant(dot)com>, Andres Freund <andres(at)anarazel(dot)de>|
|Cc:||PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Amit Kapila <amit(dot)kapila16(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>|
|Subject:||Re: Supporting huge pages on Windows|
|Views:||Raw Message | Whole Thread | Download mbox|
From: Craig Ringer [mailto:craig(dot)ringer(at)2ndquadrant(dot)com]
> TBH, anyone who cares about security and runs Win7 or Win2k8 or newer should
> be using virtual service accounts and managed service accounts.
> Those are more like Unix service accounts. Notably they don't need a password,
> getting rid of some of the management pain that led us to abandon the
> 'postgres' system user on Windows.
> Now that older platforms are EoL and even the oldest that added this feature
> are also near EoL or in extended maintenance, I think installers should
> switch to these by default instead of using NETWORK SERVICE.
> Then the issue of priv dropping would be a lesser concern anyway.
Good point! And I said earlier in this thread, I think managing privileges (adding/revoking privileges from the user account) is the DBA's or sysadmin's duty, and PG's removing all privileges feels overkill.
OTOH, I tried again to leave the DISABLE_MAX_PRIVILEGE as is and add Lock Pages in Memory, using the attached pg_ctl.c. Please see EnableLockPagesPrivilege() and its call site. But pg_ctl -w start fails emitting the following message:
error code 1300
waiting for server to start....FATAL: could not enable "Lock pages in memory" privilege
HINT: Assign "Lock pages in memory" privilege to the Windows user account which runs PostgreSQL.
LOG: database system is shut down
pg_ctl: could not start server
Examine the log output.
error code 1300 is ERROR_NOT_ALL_ASSIGNED, which means AdjustTokenPrivileges() cound not enable Lock Pages in Memory privilege. It seems that the privilege cannot be enabled once it was removed with CreateRestrictedToken(DISABLE_MAX_PRIVILEGE).
|Next Message||Craig Ringer||2017-04-05 02:44:14||Re: Faster methods for getting SPI results (460% improvement)|
|Previous Message||Ashutosh Bapat||2017-04-05 02:31:01||Re: Parallel Append implementation|