Hello Viktor,

Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> writes:

> On Sat, Oct 26, 2024 at 12:06:12AM +0900, Nico Schottelius via Postfix-users
> wrote:
>
>> The maps/hashes that make a lot of sense on VMs/servers for avoiding
>> reloading postfix, do not make much sense in the k8s/container context.
>
> Restarts are much more disruptive than reloads, because the entire
> active queue moves back to the incoming queue, client connections are
> closed abruptly, ... It is not clear why k8s makes that a non-issue.

First of all, I fully agree with you in regards to reload vs. restart
being disruptive, if we are considering a single system.

In the k8s context the behaviour of one instance does not really
change. However, often you would deploy a multitude of instances and
combine them in what k8s calls a "Service", basically a primitive load
balancer.

Let's say you are running 2 postfix instances per service. One restarts,
one still accepts smtp connections. No disruption at all.

k8s also has a concept of "being healthy" and "having started", so you
can wait for a specific instance to return to health before returning
traffic to it.

>> Instead of reparsing something, a container can be fully restarted.
>
> But this is not a good way to routinely update some tables in a running
> Postfix.

Might be very true, but see it more as "postfix clusters" as the
default.

>> The above postfix runs with TLS enabled with receiving certificates from
>> the cert manager. Automatic restart on certificate change is not yet
>> implemented.
>
> Postfix does not need to be reloaded or restarted when certificates
> change, the processes that use the certificate files are ephemeral, age
> out, and their replacements will read the latest certificate files.

Ohh, that is good to know. So as long as a couple of weeks before
expiration (think letsencrypt) the certs are renewed, it is virtually
guaranteed to work all the time? That's nice!

> If
> you're using SNI, with an indexed DB backend, then of course (as with
> other tables), you'll need to rebuild those, again does not require
> either a reload or restart.

Pretty cool, thanks for the heads up!

BR,

Nico

--
Sustainable and modern Infrastructures by ungleich.ch