Re: could not stat promote trigger file leads to shutdown

On 2019-11-20 16:21, Tom Lane wrote:
>> AFAICT, a GUC check hook wouldn't actually be able to address the
>> specific scenario I described. At the time the GUC is set, the
>> containing the directory of the trigger file does not exist yet. This
>> is currently not an error. The problem only happens if after the GUC is
>> set the containing directory appears and is not readable.
> True, if the hook just consists of trying fopen() and checking the
> errno. Would it be feasible to insist that the containing directory
> exist and be readable? We have enough infrastructure that that
> should only take a few lines of code, so the question is whether
> or not that's a nicer behavior than we have now.

Is it possible to do this in a mostly bullet-proof way? Just because
the directory exists and looks pretty good otherwise, doesn't mean we
can read a file created in it later in a way that doesn't fall afoul of
the existing error checks. There could be something like SELinux
lurking, for example.

Maybe some initial checking would be useful, but I think we still need
to downgrade the error check at use time a bit to not crash in the cases
that we miss.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services