Re: Supporting huge pages on Windows
От | Tsunakawa, Takayuki |
---|---|
Тема | Re: Supporting huge pages on Windows |
Дата | |
Msg-id | 0A3221C70F24FB45833433255569204D1F6C0825@G01JPEXMBYT05 обсуждение исходный текст |
Ответ на | Re: Supporting huge pages on Windows (Craig Ringer <craig.ringer@2ndquadrant.com>) |
Ответы |
Re: Supporting huge pages on Windows
|
Список | pgsql-hackers |
From: Craig Ringer [mailto:craig.ringer@2ndquadrant.com] > TBH, anyone who cares about security and runs Win7 or Win2k8 or newer should > be using virtual service accounts and managed service accounts. > > https://technet.microsoft.com/en-us/library/dd548356 > > > Those are more like Unix service accounts. Notably they don't need a password, > getting rid of some of the management pain that led us to abandon the > 'postgres' system user on Windows. > > Now that older platforms are EoL and even the oldest that added this feature > are also near EoL or in extended maintenance, I think installers should > switch to these by default instead of using NETWORK SERVICE. > > Then the issue of priv dropping would be a lesser concern anyway. Good point! And I said earlier in this thread, I think managing privileges (adding/revoking privileges from the user account)is the DBA's or sysadmin's duty, and PG's removing all privileges feels overkill. OTOH, I tried again to leave the DISABLE_MAX_PRIVILEGE as is and add Lock Pages in Memory, using the attached pg_ctl.c. Please see EnableLockPagesPrivilege() and its call site. But pg_ctl -w start fails emitting the following message: error code 1300 waiting for server to start....FATAL: could not enable "Lock pages in memory" privilege HINT: Assign "Lock pages in memory" privilege to the Windows user account which runs PostgreSQL. LOG: database system is shut down stopped waiting pg_ctl: could not start server Examine the log output. error code 1300 is ERROR_NOT_ALL_ASSIGNED, which means AdjustTokenPrivileges() cound not enable Lock Pages in Memory privilege. It seems that the privilege cannot be enabled once it was removed with CreateRestrictedToken(DISABLE_MAX_PRIVILEGE). Regards Takayuki Tsunakawa
Вложения
В списке pgsql-hackers по дате отправления: