Replied: Wed, 25 Jul 2018 13:54:22 +0200
Replied: "Toshi Harada <harada.toshi@po.ntt-tx.co.jp> pgsql-hackers@postgresql.org"
X-MHE-Checksum: 32cd751b0052a004fb180e2999967de1
Return-Path: <harada.toshi@po.ntt-tx.co.jp>
Delivered-To: unknown
Received: from imap.mailbox.org (80.241.60.199:993) by localhost with
  IMAP4-SSL; 24 Jul 2018 11:37:27 -0000
Delivered-To: ah@cybertec.at
Received: from director-01.heinlein-hosting.de ([80.241.60.212])
	by dobby20b with LMTP id oLd8Osd3VVtkvgEAxFfjEA
	for <ah@cybertec.at>; Mon, 23 Jul 2018 08:38:00 +0200
Received: from mx1.mailbox.org ([80.241.60.212])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by director-01.heinlein-hosting.de with LMTP id EMikN8d3VVtnlwAA1Tw0/A
	; Mon, 23 Jul 2018 08:37:59 +0200
Received: from spamfilter03.heinlein-hosting.de (spamfilter03.heinlein-hosting.de [80.241.56.117])
	by mx1.mailbox.org (Postfix) with ESMTP id D2BAF4A47E
	for <ah@cybertec.at>; Mon, 23 Jul 2018 08:37:59 +0200 (CEST)
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from mx1.mailbox.org ([80.241.60.212])
	by spamfilter03.heinlein-hosting.de (spamfilter03.heinlein-hosting.de [91.198.250.170]) (amavisd-new, port 10024)
	with ESMTP id h8A40gahYvQ8 for <ah@cybertec.at>;
	Mon, 23 Jul 2018 08:37:55 +0200 (CEST)
X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 HELO_IP_IN_CL_SUBNET=-1.2 (check from: .ntt-tx. - helo: .mail04.ics.ntt-tx. - helo-domain: .ntt-tx.)  FROM/MX_MATCHES_HELO(DOMAIN)=-2; rate: -4.7
Received: from mail04.ics.ntt-tx.co.jp (mail05.ics.ntt-tx.co.jp [210.232.35.69])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mx1.mailbox.org (Postfix) with ESMTPS
	for <ah@cybertec.at>; Mon, 23 Jul 2018 08:37:55 +0200 (CEST)
Received: from gwchk03.silk.ntt-tx.co.jp (gwchk03.silk.ntt-tx.co.jp [10.107.0.111])
	by mail04.ics.ntt-tx.co.jp (unknown) with ESMTP id w6N6bcmQ016001;
	Mon, 23 Jul 2018 15:37:38 +0900
Received: (from root@localhost)
	by gwchk03.silk.ntt-tx.co.jp (unknown) id w6N6bchS008539;
	Mon, 23 Jul 2018 15:37:38 +0900
Received: from gwchk.silk.ntt-tx.co.jp [10.107.0.110] 
	 by gwchk03.silk.ntt-tx.co.jp with ESMTP id RAA08538;
	 Mon, 23 Jul 2018 15:37:38 +0900
Received: from imss06.silk.ntt-tx.co.jp (localhost [127.0.0.1])
        by ccmail04.silk.ntt-tx.co.jp (unknown) with ESMTP id w6N6bcbF029059;
        Mon, 23 Jul 2018 15:37:38 +0900
Received: from imss06.silk.ntt-tx.co.jp (localhost [127.0.0.1])
	by imss06.silk.ntt-tx.co.jp (unknown) with ESMTP id w6N6bcck009547;
	Mon, 23 Jul 2018 15:37:38 +0900
Received: from ccmail04 (smtp03.silk.ntt-tx.co.jp [10.107.0.135]) by imss06.silk.ntt-tx.co.jp (unknown) with SMTP id w6N6bcW9009544; Mon, 23 Jul 2018 15:37:38 +0900
Date: Mon, 23 Jul 2018 15:36:40 +0900
From: Toshi Harada <harada.toshi@po.ntt-tx.co.jp>
X-Mailer: EdMax Ver2.86.3F
MIME-Version: 1.0
Subject: "WIP: Data at rest encryption" patch and, 2 phase commit.
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
In-Reply-To: <1248.1530086523@localhost>
References: <1248.1530086523@localhost>
X-CCMail7: CC-Mail-V7.0.2-Client-Relayed
Message-Id: <201807230637.w6N6bDnQ028675@ccmail04.silk.ntt-tx.co.jp>
X-TM-AS-MML: No
X-CC-Mail-RelayStamp: CC-Mail-V5.14-Server
To: pgsql-hackers@postgresql.org
Cc: Antonin Houska <ah@cybertec.at>
X-getmail-retrieved-from-mailbox: INBOX
X-Envelope-Date: Tue Jul 24 13:37:27 2018
X-Envelope-Sender: harada.toshi@po.ntt-tx.co.jp

Hi.

I applied the patch "WIP: Data at rest encryption" to PostgreSQL 11 - beta 2 and I'm working on it.

When this patch is applied, the following problem occurs.

* An error occurs when CHECKPOINT is executed during two-phase commit.
* After an error occurs, if you stop PostgreSQL, it will never start again.

(1) First, execute PREPARE TRANSACTION.

postgres=# BEGIN;
BEGIN
postgres=# PREPARE TRANSACTION 'foo';
PREPARE TRANSACTION
postgres=#

(2) Execute the CHECKPOINT command from another terminal.
    CHEKPOINT command fails.

postgres=# CHECKPOINT;
ERROR:  checkpoint request failed
HINT:  Consult recent messages in the server log for details.
postgres=#


(3) ROLLBACK PREPARED command also fails.

postgres=# ROLLBACK PREPARED 'foo';
ERROR:  could not read two-phase state from WAL at 0/167EBA0
postgres=# 


(4) Shut down the PostgreSQL server.
    During shutdown, a "could not read two-phase state from WAL" error occurs.


2018-07-23 14:49:08.924 JST [15821] LOG:  received fast shutdown request
2018-07-23 14:49:08.925 JST [15821] LOG:  aborting any active transactions
2018-07-23 14:49:08.925 JST [15831] FATAL:  terminating connection due to administrator command
2018-07-23 14:49:08.928 JST [15821] LOG:  background worker "logical replication launcher" (PID 15829) exited with exit code 1
2018-07-23 14:49:08.928 JST [15824] LOG:  shutting down
2018-07-23 14:49:08.935 JST [15824] FATAL:  could not read two-phase state from WAL at 0/167EBA0
2018-07-23 14:49:08.936 JST [15821] LOG:  checkpointer process (PID 15824) exited with exit code 1
2018-07-23 14:49:08.936 JST [15821] LOG:  terminating any other active server processes
2018-07-23 14:49:08.937 JST [15821] LOG:  abnormal database system shutdown
2018-07-23 14:49:08.945 JST [15821] LOG:  database system is shut down


(5) When restarting the PostgreSQL server, an error(could not read two-phase state from WAL) occurs 
    and the PostgreSQL server can not be started.

2018-07-23 14:49:42.489 JST [15864] LOG:  listening on IPv6 address "::1", port 5432
2018-07-23 14:49:42.489 JST [15864] LOG:  listening on IPv4 address "127.0.0.1", port 5432
2018-07-23 14:49:42.492 JST [15864] LOG:  listening on Unix socket "/tmp/.s.PGSQL.5432"
2018-07-23 14:49:42.521 JST [15866] LOG:  database system shutdown was interrupted; last known up at 2018-07-23 14:49:08 JST
2018-07-23 14:49:42.674 JST [15866] LOG:  database system was not properly shut down; automatic recovery in progress
2018-07-23 14:49:42.676 JST [15866] LOG:  redo starts at 0/167EB60
2018-07-23 14:49:42.676 JST [15866] LOG:  invalid record length at 0/167EC70: wanted 24, got 0
2018-07-23 14:49:42.676 JST [15866] LOG:  redo done at 0/167EC30
2018-07-23 14:49:42.677 JST [15866] FATAL:  could not read two-phase state from WAL at 0/167EBA0
2018-07-23 14:49:42.678 JST [15864] LOG:  startup process (PID 15866) exited with exit code 1
2018-07-23 14:49:42.678 JST [15864] LOG:  aborting startup due to startup process failure
2018-07-23 14:49:42.682 JST [15864] LOG:  database system is shut down

Regards.

Antonin Houska <ah@cybertec.at> wrote:
> Ants Aasma <ants.aasma@gmail.com> wrote:
> 
> > Attached to this mail is a work in progress patch that adds an
> > extensible encryption mechanism. There are some loose ends left to tie
> > up, but the general concept and architecture is at a point where it's
> > ready for some feedback, fresh ideas and bikeshedding.
> 
> Rebased patch is attached here, in case it helps to achieve (some of) the
> goals mentioned in the related thread [1].
> 
> Besides encrypting table and WAL pages, it encrypts the temporary files
> (buffile.c), data stored during logical decoding (reorderbuffer.c) and
> statistics temporary files (pgstat.c). Unlike the previous version, SLRU files
> (e.g. CLOG) are not encrypted (it does not seem critical and the encryption
> makes torn page write quite difficult to handle).
> 
> Another difference is that we use the OpenSSL of the (tweaked) AES XTS cipher
> now.
> 
> Binary upgrade from unencrypted to encrypted cluster is not implemented yet.
> 
> 
> [1] https://www.postgresql.org/message-id/031401d3f41d$5c70ed90$1552c8b0$@lab.ntt.co.jp
> 
> -- 
> Antonin Houska
> Cybertec Schonig & Schonig GmbH
> Grohrmuhlgasse 26, A-2700 Wiener Neustadt
> Web: https://www.cybertec-postgresql.com
>