2011-11-02 15:25:01 +01:00
|
|
|
/*-------------------------------------------------------------------------
|
|
|
|
|
*
|
|
|
|
|
* startup.c
|
|
|
|
|
*
|
|
|
|
|
* The Startup process initialises the server and performs any recovery
|
|
|
|
|
* actions that have been specified. Notice that there is no "main loop"
|
|
|
|
|
* since the Startup process ends as soon as initialisation is complete.
|
Allow a streaming replication standby to follow a timeline switch.
Before this patch, streaming replication would refuse to start replicating
if the timeline in the primary doesn't exactly match the standby. The
situation where it doesn't match is when you have a master, and two
standbys, and you promote one of the standbys to become new master.
Promoting bumps up the timeline ID, and after that bump, the other standby
would refuse to continue.
There's significantly more timeline related logic in streaming replication
now. First of all, when a standby connects to primary, it will ask the
primary for any timeline history files that are missing from the standby.
The missing files are sent using a new replication command TIMELINE_HISTORY,
and stored in standby's pg_xlog directory. Using the timeline history files,
the standby can follow the latest timeline present in the primary
(recovery_target_timeline='latest'), just as it can follow new timelines
appearing in an archive directory.
START_REPLICATION now takes a TIMELINE parameter, to specify exactly which
timeline to stream WAL from. This allows the standby to request the primary
to send over WAL that precedes the promotion. The replication protocol is
changed slightly (in a backwards-compatible way although there's little hope
of streaming replication working across major versions anyway), to allow
replication to stop when the end of timeline reached, putting the walsender
back into accepting a replication command.
Many thanks to Amit Kapila for testing and reviewing various versions of
this patch.
2012-12-13 18:00:00 +01:00
|
|
|
* (in standby mode, one can think of the replay loop as a main loop,
|
|
|
|
|
* though.)
|
2011-11-02 15:25:01 +01:00
|
|
|
*
|
|
|
|
|
*
|
2019-01-02 18:44:25 +01:00
|
|
|
* Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
|
2011-11-02 15:25:01 +01:00
|
|
|
*
|
|
|
|
|
*
|
|
|
|
|
* IDENTIFICATION
|
|
|
|
|
* src/backend/postmaster/startup.c
|
|
|
|
|
*
|
|
|
|
|
*-------------------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#include "postgres.h"
|
|
|
|
|
|
|
|
|
|
#include <signal.h>
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
|
|
|
|
|
#include "access/xlog.h"
|
|
|
|
|
#include "libpq/pqsignal.h"
|
|
|
|
|
#include "miscadmin.h"
|
2017-03-27 04:02:22 +02:00
|
|
|
#include "pgstat.h"
|
2011-11-02 15:25:01 +01:00
|
|
|
#include "postmaster/startup.h"
|
|
|
|
|
#include "storage/ipc.h"
|
|
|
|
|
#include "storage/latch.h"
|
|
|
|
|
#include "storage/pmsignal.h"
|
2019-11-25 22:08:53 +01:00
|
|
|
#include "storage/procsignal.h"
|
Introduce timeout handling framework
Management of timeouts was getting a little cumbersome; what we
originally had was more than enough back when we were only concerned
about deadlocks and query cancel; however, when we added timeouts for
standby processes, the code got considerably messier. Since there are
plans to add more complex timeouts, this seems a good time to introduce
a central timeout handling module.
External modules register their timeout handlers during process
initialization, and later enable and disable them as they see fit using
a simple API; timeout.c is in charge of keeping track of which timeouts
are in effect at any time, installing a common SIGALRM signal handler,
and calling setitimer() as appropriate to ensure timely firing of
external handlers.
timeout.c additionally supports pluggable modules to add their own
timeouts, though this capability isn't exercised anywhere yet.
Additionally, as of this commit, walsender processes are aware of
timeouts; we had a preexisting bug there that made those ignore SIGALRM,
thus being subject to unhandled deadlocks, particularly during the
authentication phase. This has already been fixed in back branches in
commit 0bf8eb2a, which see for more details.
Main author: Zoltán Böszörményi
Some review and cleanup by Álvaro Herrera
Extensive reworking by Tom Lane
2012-07-17 00:43:21 +02:00
|
|
|
#include "storage/standby.h"
|
2011-11-02 15:25:01 +01:00
|
|
|
#include "utils/guc.h"
|
Introduce timeout handling framework
Management of timeouts was getting a little cumbersome; what we
originally had was more than enough back when we were only concerned
about deadlocks and query cancel; however, when we added timeouts for
standby processes, the code got considerably messier. Since there are
plans to add more complex timeouts, this seems a good time to introduce
a central timeout handling module.
External modules register their timeout handlers during process
initialization, and later enable and disable them as they see fit using
a simple API; timeout.c is in charge of keeping track of which timeouts
are in effect at any time, installing a common SIGALRM signal handler,
and calling setitimer() as appropriate to ensure timely firing of
external handlers.
timeout.c additionally supports pluggable modules to add their own
timeouts, though this capability isn't exercised anywhere yet.
Additionally, as of this commit, walsender processes are aware of
timeouts; we had a preexisting bug there that made those ignore SIGALRM,
thus being subject to unhandled deadlocks, particularly during the
authentication phase. This has already been fixed in back branches in
commit 0bf8eb2a, which see for more details.
Main author: Zoltán Böszörményi
Some review and cleanup by Álvaro Herrera
Extensive reworking by Tom Lane
2012-07-17 00:43:21 +02:00
|
|
|
#include "utils/timeout.h"
|
2011-11-02 15:25:01 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Flags set by interrupt handlers for later service in the redo loop.
|
|
|
|
|
*/
|
|
|
|
|
static volatile sig_atomic_t got_SIGHUP = false;
|
|
|
|
|
static volatile sig_atomic_t shutdown_requested = false;
|
|
|
|
|
static volatile sig_atomic_t promote_triggered = false;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Flag set when executing a restore command, to tell SIGTERM signal handler
|
|
|
|
|
* that it's safe to just proc_exit.
|
|
|
|
|
*/
|
|
|
|
|
static volatile sig_atomic_t in_restore_command = false;
|
|
|
|
|
|
|
|
|
|
/* Signal handlers */
|
|
|
|
|
static void startupproc_quickdie(SIGNAL_ARGS);
|
|
|
|
|
static void StartupProcTriggerHandler(SIGNAL_ARGS);
|
|
|
|
|
static void StartupProcSigHupHandler(SIGNAL_ARGS);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* --------------------------------
|
|
|
|
|
* signal handler routines
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* startupproc_quickdie() occurs when signalled SIGQUIT by the postmaster.
|
|
|
|
|
*
|
|
|
|
|
* Some backend has bought the farm,
|
|
|
|
|
* so we need to stop what we're doing and exit.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
|
|
|
|
startupproc_quickdie(SIGNAL_ARGS)
|
|
|
|
|
{
|
|
|
|
|
/*
|
2018-08-08 18:08:10 +02:00
|
|
|
* We DO NOT want to run proc_exit() or atexit() callbacks -- we're here
|
|
|
|
|
* because shared memory may be corrupted, so we don't want to try to
|
|
|
|
|
* clean up our transaction. Just nail the windows shut and get out of
|
|
|
|
|
* town. The callbacks wouldn't be safe to run from a signal handler,
|
|
|
|
|
* anyway.
|
|
|
|
|
*
|
|
|
|
|
* Note we do _exit(2) not _exit(0). This is to force the postmaster into
|
|
|
|
|
* a system reset cycle if someone sends a manual SIGQUIT to a random
|
2011-11-02 15:25:01 +01:00
|
|
|
* backend. This is necessary precisely because we don't clean up our
|
|
|
|
|
* shared memory state. (The "dead man switch" mechanism in pmsignal.c
|
|
|
|
|
* should ensure the postmaster sees this as a crash, too, but no harm in
|
|
|
|
|
* being doubly sure.)
|
|
|
|
|
*/
|
2018-08-08 18:08:10 +02:00
|
|
|
_exit(2);
|
2011-11-02 15:25:01 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* SIGUSR2: set flag to finish recovery */
|
|
|
|
|
static void
|
|
|
|
|
StartupProcTriggerHandler(SIGNAL_ARGS)
|
|
|
|
|
{
|
|
|
|
|
int save_errno = errno;
|
|
|
|
|
|
|
|
|
|
promote_triggered = true;
|
|
|
|
|
WakeupRecovery();
|
|
|
|
|
|
|
|
|
|
errno = save_errno;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* SIGHUP: set flag to re-read config file at next convenient time */
|
|
|
|
|
static void
|
|
|
|
|
StartupProcSigHupHandler(SIGNAL_ARGS)
|
|
|
|
|
{
|
|
|
|
|
int save_errno = errno;
|
|
|
|
|
|
|
|
|
|
got_SIGHUP = true;
|
|
|
|
|
WakeupRecovery();
|
|
|
|
|
|
|
|
|
|
errno = save_errno;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* SIGTERM: set flag to abort redo and exit */
|
|
|
|
|
static void
|
|
|
|
|
StartupProcShutdownHandler(SIGNAL_ARGS)
|
|
|
|
|
{
|
|
|
|
|
int save_errno = errno;
|
|
|
|
|
|
|
|
|
|
if (in_restore_command)
|
|
|
|
|
proc_exit(1);
|
|
|
|
|
else
|
|
|
|
|
shutdown_requested = true;
|
|
|
|
|
WakeupRecovery();
|
|
|
|
|
|
|
|
|
|
errno = save_errno;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Handle SIGHUP and SIGTERM signals of startup process */
|
|
|
|
|
void
|
|
|
|
|
HandleStartupProcInterrupts(void)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Check if we were requested to re-read config file.
|
|
|
|
|
*/
|
|
|
|
|
if (got_SIGHUP)
|
|
|
|
|
{
|
|
|
|
|
got_SIGHUP = false;
|
|
|
|
|
ProcessConfigFile(PGC_SIGHUP);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check if we were requested to exit without finishing recovery.
|
|
|
|
|
*/
|
|
|
|
|
if (shutdown_requested)
|
|
|
|
|
proc_exit(1);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Emergency bailout if postmaster has died. This is to avoid the
|
|
|
|
|
* necessity for manual cleanup of all postmaster children.
|
|
|
|
|
*/
|
|
|
|
|
if (IsUnderPostmaster && !PostmasterIsAlive())
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* ----------------------------------
|
|
|
|
|
* Startup Process main entry point
|
|
|
|
|
* ----------------------------------
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
StartupProcessMain(void)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Properly accept or ignore signals the postmaster might send us.
|
|
|
|
|
*/
|
|
|
|
|
pqsignal(SIGHUP, StartupProcSigHupHandler); /* reload config file */
|
|
|
|
|
pqsignal(SIGINT, SIG_IGN); /* ignore query cancel */
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
pqsignal(SIGTERM, StartupProcShutdownHandler); /* request shutdown */
|
2011-11-02 15:25:01 +01:00
|
|
|
pqsignal(SIGQUIT, startupproc_quickdie); /* hard crash time */
|
Introduce timeout handling framework
Management of timeouts was getting a little cumbersome; what we
originally had was more than enough back when we were only concerned
about deadlocks and query cancel; however, when we added timeouts for
standby processes, the code got considerably messier. Since there are
plans to add more complex timeouts, this seems a good time to introduce
a central timeout handling module.
External modules register their timeout handlers during process
initialization, and later enable and disable them as they see fit using
a simple API; timeout.c is in charge of keeping track of which timeouts
are in effect at any time, installing a common SIGALRM signal handler,
and calling setitimer() as appropriate to ensure timely firing of
external handlers.
timeout.c additionally supports pluggable modules to add their own
timeouts, though this capability isn't exercised anywhere yet.
Additionally, as of this commit, walsender processes are aware of
timeouts; we had a preexisting bug there that made those ignore SIGALRM,
thus being subject to unhandled deadlocks, particularly during the
authentication phase. This has already been fixed in back branches in
commit 0bf8eb2a, which see for more details.
Main author: Zoltán Böszörményi
Some review and cleanup by Álvaro Herrera
Extensive reworking by Tom Lane
2012-07-17 00:43:21 +02:00
|
|
|
InitializeTimeouts(); /* establishes SIGALRM handler */
|
2011-11-02 15:25:01 +01:00
|
|
|
pqsignal(SIGPIPE, SIG_IGN);
|
2019-11-25 22:08:53 +01:00
|
|
|
pqsignal(SIGUSR1, procsignal_sigusr1_handler);
|
2011-11-02 15:25:01 +01:00
|
|
|
pqsignal(SIGUSR2, StartupProcTriggerHandler);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Reset some signals that are accepted by postmaster but not here
|
|
|
|
|
*/
|
|
|
|
|
pqsignal(SIGCHLD, SIG_DFL);
|
|
|
|
|
|
Introduce timeout handling framework
Management of timeouts was getting a little cumbersome; what we
originally had was more than enough back when we were only concerned
about deadlocks and query cancel; however, when we added timeouts for
standby processes, the code got considerably messier. Since there are
plans to add more complex timeouts, this seems a good time to introduce
a central timeout handling module.
External modules register their timeout handlers during process
initialization, and later enable and disable them as they see fit using
a simple API; timeout.c is in charge of keeping track of which timeouts
are in effect at any time, installing a common SIGALRM signal handler,
and calling setitimer() as appropriate to ensure timely firing of
external handlers.
timeout.c additionally supports pluggable modules to add their own
timeouts, though this capability isn't exercised anywhere yet.
Additionally, as of this commit, walsender processes are aware of
timeouts; we had a preexisting bug there that made those ignore SIGALRM,
thus being subject to unhandled deadlocks, particularly during the
authentication phase. This has already been fixed in back branches in
commit 0bf8eb2a, which see for more details.
Main author: Zoltán Böszörményi
Some review and cleanup by Álvaro Herrera
Extensive reworking by Tom Lane
2012-07-17 00:43:21 +02:00
|
|
|
/*
|
|
|
|
|
* Register timeouts needed for standby mode
|
|
|
|
|
*/
|
|
|
|
|
RegisterTimeout(STANDBY_DEADLOCK_TIMEOUT, StandbyDeadLockHandler);
|
|
|
|
|
RegisterTimeout(STANDBY_TIMEOUT, StandbyTimeoutHandler);
|
2016-03-10 20:26:24 +01:00
|
|
|
RegisterTimeout(STANDBY_LOCK_TIMEOUT, StandbyLockTimeoutHandler);
|
Introduce timeout handling framework
Management of timeouts was getting a little cumbersome; what we
originally had was more than enough back when we were only concerned
about deadlocks and query cancel; however, when we added timeouts for
standby processes, the code got considerably messier. Since there are
plans to add more complex timeouts, this seems a good time to introduce
a central timeout handling module.
External modules register their timeout handlers during process
initialization, and later enable and disable them as they see fit using
a simple API; timeout.c is in charge of keeping track of which timeouts
are in effect at any time, installing a common SIGALRM signal handler,
and calling setitimer() as appropriate to ensure timely firing of
external handlers.
timeout.c additionally supports pluggable modules to add their own
timeouts, though this capability isn't exercised anywhere yet.
Additionally, as of this commit, walsender processes are aware of
timeouts; we had a preexisting bug there that made those ignore SIGALRM,
thus being subject to unhandled deadlocks, particularly during the
authentication phase. This has already been fixed in back branches in
commit 0bf8eb2a, which see for more details.
Main author: Zoltán Böszörményi
Some review and cleanup by Álvaro Herrera
Extensive reworking by Tom Lane
2012-07-17 00:43:21 +02:00
|
|
|
|
2011-11-02 15:25:01 +01:00
|
|
|
/*
|
|
|
|
|
* Unblock signals (they were blocked when the postmaster forked us)
|
|
|
|
|
*/
|
|
|
|
|
PG_SETMASK(&UnBlockSig);
|
|
|
|
|
|
Introduce timeout handling framework
Management of timeouts was getting a little cumbersome; what we
originally had was more than enough back when we were only concerned
about deadlocks and query cancel; however, when we added timeouts for
standby processes, the code got considerably messier. Since there are
plans to add more complex timeouts, this seems a good time to introduce
a central timeout handling module.
External modules register their timeout handlers during process
initialization, and later enable and disable them as they see fit using
a simple API; timeout.c is in charge of keeping track of which timeouts
are in effect at any time, installing a common SIGALRM signal handler,
and calling setitimer() as appropriate to ensure timely firing of
external handlers.
timeout.c additionally supports pluggable modules to add their own
timeouts, though this capability isn't exercised anywhere yet.
Additionally, as of this commit, walsender processes are aware of
timeouts; we had a preexisting bug there that made those ignore SIGALRM,
thus being subject to unhandled deadlocks, particularly during the
authentication phase. This has already been fixed in back branches in
commit 0bf8eb2a, which see for more details.
Main author: Zoltán Böszörményi
Some review and cleanup by Álvaro Herrera
Extensive reworking by Tom Lane
2012-07-17 00:43:21 +02:00
|
|
|
/*
|
|
|
|
|
* Do what we came for.
|
|
|
|
|
*/
|
2011-11-02 15:25:01 +01:00
|
|
|
StartupXLOG();
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Exit normally. Exit code 0 tells postmaster that we completed recovery
|
|
|
|
|
* successfully.
|
|
|
|
|
*/
|
|
|
|
|
proc_exit(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
PreRestoreCommand(void)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Set in_restore_command to tell the signal handler that we should exit
|
|
|
|
|
* right away on SIGTERM. We know that we're at a safe point to do that.
|
|
|
|
|
* Check if we had already received the signal, so that we don't miss a
|
|
|
|
|
* shutdown request received just before this.
|
|
|
|
|
*/
|
|
|
|
|
in_restore_command = true;
|
|
|
|
|
if (shutdown_requested)
|
|
|
|
|
proc_exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
PostRestoreCommand(void)
|
|
|
|
|
{
|
|
|
|
|
in_restore_command = false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool
|
|
|
|
|
IsPromoteTriggered(void)
|
|
|
|
|
{
|
|
|
|
|
return promote_triggered;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
ResetPromoteTriggered(void)
|
|
|
|
|
{
|
|
|
|
|
promote_triggered = false;
|
|
|
|
|
}
|
