citus

Commit Graph

Author	SHA1	Message	Date
Mehmet YILMAZ	188c182be4	PG18 - Enable NUMA syscalls in CI containers to fix PG18 numa.out regression test failures (#8258 ) fixes #8246 PostgreSQL 18 introduced stricter NUMA page-inquiry permissions for the `pg_shmem_allocations_numa` view. Without the required kernel capabilities, the test fails with: ``` ERROR: failed NUMA pages inquiry status: Operation not permitted ``` This PR updates our test containers to include the necessary privileges: * Adds `--cap-add=SYS_NICE` and `--security-opt seccomp=unconfined` When PostgreSQL’s new NUMA views (`pg_shmem_allocations_numa`, `pg_buffercache_numa`) run, they call `move_pages()` to ask the kernel which NUMA node holds each shared memory page. https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=8cc139bec That syscall (`move_pages()`) requires `CAP_SYS_NICE` when inspecting another process. So: `--cap-add=SYS_NICE` grants the container permission to perform that NUMA page query. https://man7.org/linux/man-pages/man2/move_pages.2.html#:~:text=must%20be%20privileged%0A%20%20%20%20%20%20%20%20%20%20(-,CAP_SYS_NICE,-)%20or%20the%20real `--security-opt seccomp=unconfined` Docker containers still run under a seccomp filter which a kernel-level sandbox that blocks many system calls entirely for safety. The default Docker seccomp profile blocks `move_pages()` outright, because it can expose kernel memory layout information. https://docs.docker.com/engine/security/seccomp/#:~:text=You%20can%20pass-,unconfined,-to%20run%20a In combination Both flags are required for NUMA introspection inside a container: - `SYS_NICE` → permission - `seccomp=unconfined` → ability	2025-10-27 21:00:32 +03:00
Nils Dijk	cbb90cc4ae	Devcontainer: enable coredumps (#7523 ) Add configuration for coredumps and document how to make sure they are enabled when developing in a devcontainer. --------- Co-authored-by: Jelte Fennema-Nio <jelte.fennema@microsoft.com>	2024-02-23 13:38:11 +00:00
Nils Dijk	76fdfa3c0f	Add devcontainer for development purposes (#7102 ) This change adds a devcontainer configuration to the Citus project. This devcontainer allows for quick generation of isolated development environments, either local on the machine of a developer or in a cloud, like github codepaces. The devcontainer is updated automatically by github actions when its configuration changes. For more detailed instructions on how to quickstart the development in a container see CONTRIBUTING.md	2023-10-09 15:37:21 +02:00

Author

SHA1

Message

Date

Mehmet YILMAZ

188c182be4

PG18 - Enable NUMA syscalls in CI containers to fix PG18 numa.out regression test failures (#8258 )

fixes #8246

PostgreSQL 18 introduced stricter NUMA page-inquiry permissions for the
`pg_shmem_allocations_numa` view.
Without the required kernel capabilities, the test fails with:

```
ERROR:  failed NUMA pages inquiry status: Operation not permitted
```

This PR updates our test containers to include the necessary privileges:

* Adds `--cap-add=SYS_NICE` and `--security-opt seccomp=unconfined`

When PostgreSQL’s new NUMA views (`pg_shmem_allocations_numa`,
`pg_buffercache_numa`) run, they call `move_pages()` to ask the kernel
which NUMA node holds each shared memory page.


https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=8cc139bec

That syscall (`move_pages()`) requires `CAP_SYS_NICE` when inspecting
another process.

So: `--cap-add=SYS_NICE` grants the container permission to perform that
NUMA page query.


https://man7.org/linux/man-pages/man2/move_pages.2.html#:~:text=must%20be%20privileged%0A%20%20%20%20%20%20%20%20%20%20(-,CAP_SYS_NICE,-)%20or%20the%20real


`--security-opt seccomp=unconfined`

Docker containers still run under a seccomp filter which a kernel-level
sandbox that blocks many system calls entirely for safety.
The default Docker seccomp profile blocks `move_pages()` outright,
because it can expose kernel memory layout information.


https://docs.docker.com/engine/security/seccomp/#:~:text=You%20can%20pass-,unconfined,-to%20run%20a


**In combination**

Both flags are required for NUMA introspection inside a container:
- `SYS_NICE` → permission
- `seccomp=unconfined` → ability

2025-10-27 21:00:32 +03:00

Nils Dijk

cbb90cc4ae

Devcontainer: enable coredumps (#7523 )

Add configuration for coredumps and document how to make sure they are
enabled when developing in a devcontainer.

---------

Co-authored-by: Jelte Fennema-Nio <jelte.fennema@microsoft.com>

2024-02-23 13:38:11 +00:00

Nils Dijk

76fdfa3c0f

Add devcontainer for development purposes (#7102 )

This change adds a devcontainer configuration to the Citus project. This
devcontainer allows for quick generation of isolated development
environments, either local on the machine of a developer or in a cloud,
like github codepaces.

The devcontainer is updated automatically by github actions when its
configuration changes.

For more detailed instructions on how to quickstart the development in a
container see CONTRIBUTING.md

2023-10-09 15:37:21 +02:00

3 Commits (e42d36a96276c0ae56d5b329ff5baab6993fab70)