Simon Riggs

PostgreSQL Meltdown

January 10, 2018 / 2 Comments / in Simon's PlanetPostgreSQL / by Simon Riggs

Spectre and Meltdown have caused severe alarm in recent days. You may have read about up to 30% impact on PostgreSQL databases, which I believe to be overstated because of misunderstandings in the media. Let’s dig into this in more detail.

TL;DR Summary: no PostgreSQL patch required, -7% performance hit

In response to these new security threats various OS patches have been released. Various authors have published benchmarks around these and, in some cases, have presented worst-case measurements as if they were typical impact measurements: for example, stating a 30% hit when, in fact, we are seeing a 7% hit on a busy server. Regrettably, it looks to me like some people outside the PostgreSQL community have spread this news as a problem for PostgreSQL, without clearly stating the workload measured, or that it could affect all types of database by about the same amount.
So let’s back up a little: these patches affect the OS. There is no specific vulnerability in PostgreSQL and, crucially, there is no PostgreSQL security patch planned. Yup, that’s right, no patch.

Why? The published exploits require the ability to run code on the OS, which is not possible through PostgreSQL except where the user already has superuser access and uses it to run an untrusted PL language, such as PL/PerlU. So in general, there is no attack vector through ordinary user access to PostgreSQL databases.
However, there is a noticeable CPU impact because of the generalized patches being applied at OS level.

These will have a greater impact on CPU-bound database requests, so we expect the impact on I/O bound transactional workloads to be much smaller. The impact will be more noticeable on a server that is already heavily loaded than on a lightly loaded server, so the impact may vary as your workload increases/decreases. There is a small increase in latency.

Patches are now available for Red Hat and Ubuntu that allow you to enable the kernel's Page Table Isolation feature (the pti=on kernel parameter).

We have performed a series of benchmarking tests to get a better idea of the real impact that can be caused by the patches. In general, a drop of around 7% in the number of transactions per second (TPS) was observed on standard pgbench tests (http://www.postgresql.org/docs/current/static/pgbench.html) on PostgreSQL 10. The impact is roughly the same on both smaller and larger systems.

OS security patches will need to be applied. Now, the big question is whether we should enable PTI or not. If PTI is disabled the 7% drop in performance goes away to almost nothing, maybe 1% or less. Whilst this might prove tactically advantageous, 2ndQuadrant would never recommend or endorse disabling PTI – use at your own risk!

Known exploits require attackers to be able to execute arbitrary code on the machine – the chance of this happening can be minimised by using a fully locked down application and/or using an SQLFirewall, like the one available to 2ndQuadrant Support Customers.
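As an added example (not code from the original post or from 2ndQuadrant), a small shell script with the two checks a DBA would want after reading the above: whether the host's Meltdown mitigation is actually active, and which roles and untrusted procedural languages make up the superuser-plus-untrusted-PL path described earlier. The sysfs path, the psql connection settings taken from the environment and the script name meltdown_check.sh are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from 2ndQuadrant.
# Two defender-side checks for the situation the post describes:
#  1. is the OS-level Meltdown mitigation (PTI) actually active on this host?
#  2. which PostgreSQL roles/languages give a path from SQL to the OS?
# Assumes Linux with /sys/devices/system/cpu/vulnerabilities and, for the
# second check, a psql that can connect using PGHOST/PGUSER/PGDATABASE.

# Classify the kernel's own mitigation report. Values seen in that sysfs
# file are "Mitigation: PTI", "Vulnerable" and "Not affected".
pti_state() {
  case "$1" in
    "Mitigation: PTI"*) echo mitigated ;;
    "Not affected"*)    echo not-affected ;;
    Vulnerable*)        echo vulnerable ;;
    *)                  echo unknown ;;
  esac
}

# Read the live sysfs file; "unknown" on kernels that predate the file.
meltdown_status() {
  f=/sys/devices/system/cpu/vulnerabilities/meltdown
  if [ -r "$f" ]; then pti_state "$(cat "$f")"; else echo unknown; fi
}

# The post's only attack path is a superuser using an untrusted PL such as
# PL/PerlU, so list both halves of that condition: superuser roles and
# installed procedural languages flagged untrusted (lanispl excludes the
# built-in 'internal', 'c' and 'sql' pseudo-languages).
AUDIT_SQL="
SELECT 'superuser' AS kind, rolname AS name FROM pg_roles WHERE rolsuper
UNION ALL
SELECT 'untrusted language', lanname FROM pg_language
 WHERE lanispl AND NOT lanpltrusted
ORDER BY 1, 2;"

audit_pg() {
  psql -X -At -F ' ' -c "$AUDIT_SQL"
}

# Run the checks only when invoked as: sh meltdown_check.sh --check
if [ "${1-}" = "--check" ]; then
  echo "meltdown mitigation: $(meltdown_status)"
  if command -v psql >/dev/null 2>&1; then audit_pg; fi
fi
```

A host that reports anything other than "mitigated" (or "not-affected") after patching has not gained the protection the 7% was paid for; an empty superuser list apart from the bootstrap role, and no untrusted languages installed, is what "no attack vector through user access" looks like in practice.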

References:
http://en.wikipedia.org/wiki/Kernel_page-table_isolation
Discussion on the PostgreSQL Hackers mailing list

Tags: Benchmark, database, Meltdown, PostgreSQL, security, Spectre
2 replies

  1. thomas flatley says:
     January 10, 2018 at 7:12 pm

     Was this test run on a VM or on physical hardware? Thanks.

  2. Eric Green says:
     February 9, 2018 at 11:21 pm

     On my own benchmarks on my own workload (not artificial workload, not other workloads), pti=on has a 43% impact on Postgres performance. Note that this is for *my* workload. Other workloads may be less drastically impacted.
