From 9ecc54e30bb009bac8846d176ba94dc65657e616 Mon Sep 17 00:00:00 2001
From: Konstantin Knizhnik
Date: Wed, 9 Nov 2022 11:50:47 +0200
Subject: [PATCH] Fix merge conflicts
---
 pageserver/src/walredo.rs | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)
diff --git a/pageserver/src/walredo.rs b/pageserver/src/walredo.rs
index c746580e8a..6e1e7483db 100644
--- a/pageserver/src/walredo.rs
+++ b/pageserver/src/walredo.rs
@@ -10,7 +10,7 @@
 //! process. Then we get the page image back. Communication with the
 //! postgres process happens via stdin/stdout
 //!
-//! See src/backend/tcop/zenith_wal_redo.c for the other side of
+//! See pgxn/neon_walredo/walredoproc.c for the other side of
 //! this communication.
 //!
 //! The Postgres process is assumed to be secure against malicious WAL
@@ -816,14 +816,12 @@ impl PostgresRedoProcess {
 ),
 ));
 } else {
- // Limit shared cache for wal-redo-postres
+ // Limit shared cache for wal-redo-postgres
 let mut config = OpenOptions::new()
 .append(true)
 .open(PathBuf::from(&datadir).join("postgresql.conf"))?;
 config.write_all(b"shared_buffers=128kB\n")?;
 config.write_all(b"fsync=off\n")?;
- config.write_all(b"shared_preload_libraries=neon\n")?;
- config.write_all(b"neon.wal_redo=on\n")?;
 }
 // Start postgres itself
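Review bot: In the `else` branch of the `@@ -816,14 +816,12 @@` hunk, nothing left in the appended postgresql.conf says how the spawned postgres enters WAL-redo mode now that `shared_preload_libraries=neon` and `neon.wal_redo=on` are no longer written. A later comment in this file calls the redo process untrusted and relies on its seccomp mode, so a reader needs to see that the sandboxed mode is still selected; presumably the spawn's command-line arguments do this, but they are outside the hunk. I would add a comment above the `write_all` calls such as `// WAL-redo mode (and its seccomp sandbox) is selected via <mechanism>, not via postgresql.conf`, where `<mechanism>` is a placeholder for whatever the spawn actually uses. The enclosing function starts and ends outside the hunk.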
@@ -836,18 +834,15 @@ impl PostgresRedoProcess {
 .env("LD_LIBRARY_PATH", &pg_lib_dir_path)
 .env("DYLD_LIBRARY_PATH", &pg_lib_dir_path)
 .env("PGDATA", &datadir)
- // The redo process is not trusted, so it runs in seccomp mode
- // (see seccomp in zenith_wal_redo.c). We have to make sure it doesn't
- // inherit any file descriptors from the pageserver that would allow
- // an attacker to do bad things.
+ // The redo process is not trusted, and runs in seccomp mode that
+ // doesn't allow it to open any files. We have to also make sure it
+ // doesn't inherit any file descriptors from the pageserver, that
+ // would allow an attacker to read any files that happen to be open
+ // in the pageserver.
 //
 // The Rust standard library makes sure to mark any file descriptors with
 // as close-on-exec by default, but that's not enough, since we use
 // libraries that directly call libc open without setting that flag.
- //
- // One example is the pidfile of the daemonize library, which doesn't
- // currently mark file descriptors as close-on-exec. Either way, we
- // want to be on the safe side and prevent accidental regression.
 .close_fds()
 .spawn_no_leak_child()
 .map_err(|e| {
@@ -999,7 +994,7 @@ impl NoLeakChildCommandExt for Command {
 }
 // Functions for constructing messages to send to the postgres WAL redo
-// process. See vendor/postgres/src/backend/tcop/zenith_wal_redo.c for
+// process. See pgxn/neon_walredo/walredoproc.c for
 // explanation of the protocol.
 fn build_begin_redo_for_block_msg(tag: BufferTag, buf: &mut Vec) {
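Review bot: The rewritten comment above `.close_fds()` in the `@@ -836,18 +834,15 @@` hunk understates the risk by limiting it to reading files that happen to be open in the pageserver. An inherited descriptor may equally be writable, or be a socket or pipe, and a seccomp policy that only prevents opening files does not by itself stop I/O on descriptors that are already open (the actual filter is not visible here). I would word the last two lines as `// would allow an attacker to read or write through any descriptor` / `// (file, socket, pipe) that happens to be open in the pageserver.` The removed daemonize paragraph was also the only concrete reason given for why close-on-exec is not enough, so a short replacement such as `// Keep close_fds() even if every known offender is fixed, to guard against regressions.` would preserve that intent. The builder chain starts and ends outside the hunk.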