On Fri, Aug 28, 2020 at 09:27:10AM -0400, Daniel Jakots wrote:
> On Fri, 28 Aug 2020 08:32:59 +0200, Sebastien Marie <sema...@online.fr>
> wrote:
> 
> > On Thu, Aug 27, 2020 at 03:27:58PM -0400, Daniel Jakots wrote:
> > > Hi,
> > > 
> > > I'm chasing a weird behavior with postgresql. Sometimes (it's very
> > > infrequent) a sql request fails with "could not send data to client:
> > > Permission denied". I reported the problem on pgsql-general@ [0]
> > > and if I understood correctly, this happens when pgsql uses send(2)
> > > and gets EACCES.
> > > 
> > > According to send(2) this happens when "The connection was blocked
> > > by pf(4)". I have a cron that modifies a table with 
> > > `pfctl -t TABLE_NAME -Tr -f TABLE_FILE_PATH`
> > > 
> > > The file is large so it's not exactly immediate. Could pf
> > > temporarily block new connections while it loads the file? Or am I
> > > looking at the wrong thing?
> > >   
> > 
> > From your pf rules, could the postgresql connection be blocked if
> > TABLE_NAME is empty/inconsistent?
> > 
> > Could you add (if you haven't already tested it) an explicit
> > allow rule for postgresql to ensure the connection will succeed?
> 
> They are distinct rules:
> # grep -e api_bans -e 5432 /etc/pf.conf 
> table <api_bans> persist file "/etc/pf.api"
> block drop in quick from <api_bans>
> pass in on vio0 proto tcp from $docker3 to (self) port 5432
> pass in on vio0 proto tcp from $web1 to (self) port 5432
> 
> The thing is that it happens very rarely, and I'm not sure how to
> reproduce it.
> 

if the problem is related to `pfctl -Treplace', you could try:

- generate a lot of postgresql access. From the postgresql thread, the statement
  seems to be a SELECT, so it would be fine to run it in a loop (hoping no cache
  and real traffic generated).

- run pfctl -Treplace in a loop (with a set of different files, as the kernel
  code takes care if hosts are added, changed, deleted)

- maybe do it at a "safe" time when the host is not used a lot, if it is in
  production :)


assuming the problem is a race somewhere, it should raise the possible
occurrences of it.

-- 
Sebastien Marie
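The reproduction procedure above (SELECT loop plus `pfctl -T replace` loop over
differing table files) written out as a script. This is an added example, not
code from the thread or from OpenBSD; it assumes the table name `api_bans`
from the quoted pf.conf, that `psql` reaches the database through the usual
`PG*` environment variables, and a scratch directory under /tmp. The generated
table files use addresses from the 203.0.113.0/24 documentation range so that
the replace loop itself cannot block the postgresql clients.

```shell
#!/bin/sh
# Race reproduction for "could not send data to client: Permission denied"
# (send(2) returning EACCES under pf) while a large table is replaced.
# Example harness, not from the original thread. Run on a test host.

TABLE="${TABLE:-api_bans}"          # assumed: table name from the quoted pf.conf
WORKDIR="${WORKDIR:-/tmp/pf-race}"  # assumed scratch location
NFILES="${NFILES:-5}"
QUERY="${QUERY:-SELECT 1}"          # the real statement was a SELECT too
ERRLOG="$WORKDIR/psql.log"

# Write N table files into DIR, each a different set of 200 /32s, so every
# replace really adds and deletes hosts instead of being a no-op.
# Prints the number of files written.
gen_table_files() {
    dir="$1"; n="$2"
    mkdir -p "$dir"
    i=0
    while [ "$i" -lt "$n" ]; do
        f="$dir/bans.$i"
        : > "$f"
        j=0
        while [ "$j" -lt 200 ]; do
            # shift the block by 37*i so consecutive files overlap partially
            printf '203.0.113.%d\n' $(( (i * 37 + j) % 256 )) >> "$f"
            j=$((j + 1))
        done
        i=$((i + 1))
    done
    ls "$dir"/bans.* | wc -l | tr -d ' '
}

# Count occurrences of the EACCES symptom in a psql stderr log.
count_eacces() {
    grep -c 'could not send data to client: Permission denied' "$1" || true
}

# Loop 1: hammer the server with the SELECT, keeping only stderr.
pg_loop() {
    while :; do
        psql -Atq -c "$QUERY" >/dev/null 2>>"$ERRLOG"
    done
}

# Loop 2: cycle pfctl -T replace through the generated files.
pf_loop() {
    while :; do
        i=0
        while [ "$i" -lt "$NFILES" ]; do
            pfctl -t "$TABLE" -T replace -f "$WORKDIR/bans.$i" >/dev/null 2>&1
            i=$((i + 1))
        done
    done
}

main() {
    gen_table_files "$WORKDIR" "$NFILES" >/dev/null
    : > "$ERRLOG"
    pg_loop & pg1=$!
    pg_loop & pg2=$!
    pf_loop & pf=$!
    trap 'kill $pg1 $pg2 $pf 2>/dev/null' EXIT INT TERM
    sleep "${DURATION:-600}"
    kill $pg1 $pg2 $pf 2>/dev/null
    echo "EACCES hits: $(count_eacces "$ERRLOG")"
}

# Only start the loops when explicitly asked, so sourcing is harmless.
if [ "${PF_RACE_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as `PF_RACE_RUN=1 DURATION=1800 sh pf-race.sh` on a quiet host; a
non-zero hit count with no other pf rule touching port 5432 points at the
replace window rather than at the table contents.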
