-
-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Workaround postconf
write settling logic
#2998
fix: Workaround postconf
write settling logic
#2998
Conversation
After updating `main.cf`, to avoid an enforced delay from reading the config by postfix tools, we can ensure the modified time is at least 2 seconds in the past.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 👍🏼 Nice work!
I'm thinking perhaps to add a check on the
|
The pipeline |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
- Slight improvement by avoiding unnecessary writes with a conditional check on the util method. - Can more comfortably call this during `postfix reload` in the change detection cycle now. - Identified other tests that'd benefit from this, created a helper method to call instead of copy/paste. - The `setup email restrict` command also did a modification and reload. Added util method here too.
e614b82
|
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
- `postfix reload` fails if the service is not ready yet. - `service postfix reload` and `/etc/init.d/postfix reload` presumably wait until it is ready? (as these work regardless)
Just to be save or do you expect any problems? |
From what I understand there shouldn't be any. EDIT: I originally responded about the feature itself, then realized the question was only about the conditional check 😅 I added the conditional to not write to disk an The conditional handling probably isn't that important. The current change detection writes to the filesystem every interval (which isn't ideal): docker-mailserver/target/scripts/check-for-changes.sh Lines 39 to 41 in 0ecb647
Original responseIn the associated issue I linked to the source code upstream in Postfix that is responsible for the delay. It's a safety guard for reading I believe it's safe to read after make changes, but perhaps depending on hardware or third-party software something may not play well (or try to abuse/exploit it?). Postfix will tend to ignore anything that it doesn't recognize as valid config keys, which could result in a default setting used instead, or the key is valid but the value is not the intended value? I think exploiting sensitive timing like that is a difficult attack and if that were an option the system is likely already vulnerable to much worse? It's mostly tests that will benefit from this, or in actual deployments minimal downtime during change events (seems to be an actual concern, I think there are some similar issues reported). Additionally reduces container start-up time, but I doubt that matters much to most users. I am inclined to say it should be fine to workaround. It's usually more of an issue when wanting to write to a file that other processes might also attempt, or reading while a file is actively being written to (what this protects against). |
Description
After updating
main.cf
, to avoid an enforced delay from reading the config by postfix tools, we can ensure the modified time is at least 2 seconds in the past as a workaround. This should be ok with our usage AFAIK.Shaves off 2+ seconds roughly off each container startup, reduces roughly 2+ minutes off tests.
Fixes #2985
Type of change
Checklist: