On 2019-11-15 03:14, Fujii Masao wrote:
>>> One thought is to try to detect the misconfiguration at postmaster
>>> start --- better to fail at startup than sometime later. But I'm
>>> not sure how reliably we could do that.
>> I think that we could do something close to the area where
>> RemovePromoteSignalFiles() gets called. Why not simply checking the
>> path defined by PromoteTriggerFile() at startup time then? I take it
>> that the only thing we should not complain about is stat() returning
>> ENOENT when looking at the promote file defined.
> promote_trigger_file is declared as PGC_SIGHUP,
> so such check would be necessary even while the standby is running.
> Which can cause the server to fail after the startup.
Let me illustrate a scenario in a more lively way:
Say you want to set up promote_trigger_file to point to a file outside
of the data directory, maybe because you want to integrate it with some
external tooling. So you go into your configuration and set
promote_trigger_file = '/srv/foobar/trigger'
and reload the server. Everything is happy. The fact that the
directory /srv/foobar/ does not exist at this point is completely ignored.
Now you become root and run
mkdir /srv/foobar
and, depending circumstances such as root's umask or the permissions of
/srv, your PostgreSQL server crashes immediately. That can't be good.
Also imagine the above steps being run by a configuration management system.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
