1996-07-09 08:22:35 +02:00
|
|
|
/*-------------------------------------------------------------------------
|
|
|
|
|
*
|
1999-02-14 00:22:53 +01:00
|
|
|
* postmaster.c
|
1997-09-07 07:04:48 +02:00
|
|
|
* This program acts as a clearing house for requests to the
|
|
|
|
|
* POSTGRES system. Frontend programs send a startup message
|
|
|
|
|
* to the Postmaster and the postmaster uses the info in the
|
|
|
|
|
* message to setup a backend process.
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
* The postmaster also manages system-wide operations such as
|
2004-08-29 07:07:03 +02:00
|
|
|
* startup and shutdown. The postmaster itself doesn't do those
|
2004-05-28 07:13:32 +02:00
|
|
|
* operations, mind you --- it just forks off a subprocess to do them
|
|
|
|
|
* at the right times. It also takes care of resetting the system
|
|
|
|
|
* if a backend crashes.
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
*
|
|
|
|
|
* The postmaster process creates the shared memory and semaphore
|
|
|
|
|
* pools during startup, but as a rule does not touch them itself.
|
2002-06-11 15:40:53 +02:00
|
|
|
* In particular, it is not a member of the PGPROC array of backends
|
2001-03-22 05:01:46 +01:00
|
|
|
* and so it cannot participate in lock-manager operations. Keeping
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
* the postmaster away from shared memory operations makes it simpler
|
|
|
|
|
* and more reliable. The postmaster is almost always able to recover
|
|
|
|
|
* from crashes of individual backends by resetting shared memory;
|
|
|
|
|
* if it did much with shared memory then it would be prone to crashing
|
|
|
|
|
* along with the backends.
|
|
|
|
|
*
|
2001-06-21 18:43:24 +02:00
|
|
|
* When a request message is received, we now fork() immediately.
|
|
|
|
|
* The child process performs authentication of the request, and
|
|
|
|
|
* then becomes a backend if successful. This allows the auth code
|
|
|
|
|
* to be written in a simple single-threaded style (as opposed to the
|
|
|
|
|
* crufty "poor man's multitasking" code that used to be needed).
|
|
|
|
|
* More importantly, it ensures that blockages in non-multithreaded
|
|
|
|
|
* libraries like SSL or PAM cannot cause denial of service to other
|
|
|
|
|
* clients.
|
|
|
|
|
*
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
*
|
2011-01-01 19:18:15 +01:00
|
|
|
* Portions Copyright (c) 1996-2011, PostgreSQL Global Development Group
|
2000-01-26 06:58:53 +01:00
|
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
|
|
|
|
*
|
|
|
|
|
* IDENTIFICATION
|
2010-09-20 22:08:53 +02:00
|
|
|
* src/backend/postmaster/postmaster.c
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
|
|
|
|
* NOTES
|
|
|
|
|
*
|
|
|
|
|
* Initialization:
|
2004-05-30 00:48:23 +02:00
|
|
|
* The Postmaster sets up shared memory data structures
|
|
|
|
|
* for the backends.
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
|
|
|
|
* Synchronization:
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
* The Postmaster shares memory with the backends but should avoid
|
|
|
|
|
* touching shared memory, so as not to become stuck if a crashing
|
|
|
|
|
* backend screws up locks or shared memory. Likewise, the Postmaster
|
|
|
|
|
* should never block on messages from frontend clients.
|
1997-09-07 07:04:48 +02:00
|
|
|
*
|
1996-07-09 08:22:35 +02:00
|
|
|
* Garbage Collection:
|
1997-09-07 07:04:48 +02:00
|
|
|
* The Postmaster cleans up after backends if they have an emergency
|
|
|
|
|
* exit and/or core dump.
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
2004-07-21 22:34:50 +02:00
|
|
|
* Error Reporting:
|
|
|
|
|
* Use write_stderr() only for reporting "interactive" errors
|
|
|
|
|
* (essentially, bogus arguments on the command line). Once the
|
2004-08-29 07:07:03 +02:00
|
|
|
* postmaster is launched, use ereport(). In particular, don't use
|
2004-07-21 22:34:50 +02:00
|
|
|
* write_stderr() for anything that occurs after pmdaemonize.
|
|
|
|
|
*
|
1996-07-09 08:22:35 +02:00
|
|
|
*-------------------------------------------------------------------------
|
|
|
|
|
*/
|
2000-07-17 05:05:41 +02:00
|
|
|
|
2000-06-04 03:44:38 +02:00
|
|
|
#include "postgres.h"
|
|
|
|
|
|
1999-07-19 04:27:16 +02:00
|
|
|
#include <unistd.h>
|
|
|
|
|
#include <signal.h>
|
2004-06-03 04:08:07 +02:00
|
|
|
#include <time.h>
|
1999-07-19 04:27:16 +02:00
|
|
|
#include <sys/wait.h>
|
|
|
|
|
#include <ctype.h>
|
|
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <sys/socket.h>
|
|
|
|
|
#include <fcntl.h>
|
1999-07-16 05:14:30 +02:00
|
|
|
#include <sys/param.h>
|
2003-01-07 19:48:13 +01:00
|
|
|
#include <netinet/in.h>
|
2001-10-19 02:44:08 +02:00
|
|
|
#include <arpa/inet.h>
|
1999-07-16 05:14:30 +02:00
|
|
|
#include <netdb.h>
|
1997-09-07 07:04:48 +02:00
|
|
|
#include <limits.h>
|
1996-07-09 08:22:35 +02:00
|
|
|
|
1997-01-24 19:27:32 +01:00
|
|
|
#ifdef HAVE_SYS_SELECT_H
|
1997-09-07 07:04:48 +02:00
|
|
|
#include <sys/select.h>
|
|
|
|
|
#endif
|
1996-07-09 08:22:35 +02:00
|
|
|
|
1999-07-19 04:27:16 +02:00
|
|
|
#ifdef HAVE_GETOPT_H
|
2000-11-06 23:18:10 +01:00
|
|
|
#include <getopt.h>
|
1999-01-17 07:20:06 +01:00
|
|
|
#endif
|
|
|
|
|
|
2005-05-15 02:26:19 +02:00
|
|
|
#ifdef USE_BONJOUR
|
2009-09-08 18:08:26 +02:00
|
|
|
#include <dns_sd.h>
|
2003-06-11 08:56:07 +02:00
|
|
|
#endif
|
|
|
|
|
|
2006-07-15 17:47:17 +02:00
|
|
|
#include "access/transam.h"
|
2008-06-07 00:35:22 +02:00
|
|
|
#include "access/xlog.h"
|
2005-03-10 08:14:03 +01:00
|
|
|
#include "bootstrap/bootstrap.h"
|
2006-07-15 17:47:17 +02:00
|
|
|
#include "catalog/pg_control.h"
|
1999-07-16 07:00:38 +02:00
|
|
|
#include "lib/dllist.h"
|
1996-07-09 08:22:35 +02:00
|
|
|
#include "libpq/auth.h"
|
2006-07-13 18:49:20 +02:00
|
|
|
#include "libpq/ip.h"
|
1999-07-16 07:00:38 +02:00
|
|
|
#include "libpq/libpq.h"
|
1996-12-26 23:08:34 +01:00
|
|
|
#include "libpq/pqsignal.h"
|
1996-07-09 08:22:35 +02:00
|
|
|
#include "miscadmin.h"
|
2005-03-10 08:14:03 +01:00
|
|
|
#include "pgstat.h"
|
2005-07-14 07:13:45 +02:00
|
|
|
#include "postmaster/autovacuum.h"
|
2005-03-10 08:14:03 +01:00
|
|
|
#include "postmaster/fork_process.h"
|
2004-07-19 04:47:16 +02:00
|
|
|
#include "postmaster/pgarch.h"
|
2005-03-10 08:14:03 +01:00
|
|
|
#include "postmaster/postmaster.h"
|
2004-08-06 01:32:13 +02:00
|
|
|
#include "postmaster/syslogger.h"
|
2010-01-15 10:19:10 +01:00
|
|
|
#include "replication/walsender.h"
|
1997-12-09 04:11:25 +01:00
|
|
|
#include "storage/fd.h"
|
1999-07-16 07:00:38 +02:00
|
|
|
#include "storage/ipc.h"
|
2006-07-15 17:47:17 +02:00
|
|
|
#include "storage/pg_shmem.h"
|
2001-11-04 20:55:31 +01:00
|
|
|
#include "storage/pmsignal.h"
|
1999-07-16 07:00:38 +02:00
|
|
|
#include "storage/proc.h"
|
|
|
|
|
#include "tcop/tcopprot.h"
|
2004-08-08 22:17:36 +02:00
|
|
|
#include "utils/builtins.h"
|
2005-06-30 00:51:57 +02:00
|
|
|
#include "utils/datetime.h"
|
2000-07-17 05:05:41 +02:00
|
|
|
#include "utils/memutils.h"
|
2001-10-19 02:44:08 +02:00
|
|
|
#include "utils/ps_status.h"
|
2001-06-22 21:16:24 +02:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
#ifdef EXEC_BACKEND
|
|
|
|
|
#include "storage/spin.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
2003-04-18 00:26:02 +02:00
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
/*
|
2001-06-21 18:43:24 +02:00
|
|
|
* List of active backends (or child processes anyway; we don't actually
|
|
|
|
|
* know whether a given child has become a backend or is still in the
|
|
|
|
|
* authorization phase). This is used mainly to keep track of how many
|
|
|
|
|
* children we have and send them appropriate signals when necessary.
|
2004-05-30 00:48:23 +02:00
|
|
|
*
|
2007-02-16 00:23:23 +01:00
|
|
|
* "Special" children such as the startup, bgwriter and autovacuum launcher
|
2010-01-15 10:19:10 +01:00
|
|
|
* tasks are not in this list. Autovacuum worker and walsender processes are
|
|
|
|
|
* in it. Also, "dead_end" children are in it: these are children launched just
|
2007-08-09 03:18:43 +02:00
|
|
|
* for the purpose of sending a friendly rejection message to a would-be
|
2007-11-15 22:14:46 +01:00
|
|
|
* client. We must track them because they are attached to shared memory,
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
* but we know they will never become live backends. dead_end children are
|
|
|
|
|
* not assigned a PMChildSlot.
|
1996-07-09 08:22:35 +02:00
|
|
|
*/
|
1997-09-07 07:04:48 +02:00
|
|
|
typedef struct bkend
|
|
|
|
|
{
|
2001-06-20 20:07:56 +02:00
|
|
|
pid_t pid; /* process id of backend */
|
1998-06-09 06:06:12 +02:00
|
|
|
long cancel_key; /* cancel key for cancels for this backend */
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
int child_slot; /* PMChildSlot for this backend, if any */
|
2007-07-24 06:54:09 +02:00
|
|
|
bool is_autovacuum; /* is it an autovacuum process? */
|
2007-08-09 03:18:43 +02:00
|
|
|
bool dead_end; /* is it going to send an error and quit? */
|
2009-05-04 04:46:36 +02:00
|
|
|
Dlelem elem; /* list link in BackendList */
|
1997-09-08 22:59:27 +02:00
|
|
|
} Backend;
|
1996-07-09 08:22:35 +02:00
|
|
|
|
1997-09-08 04:41:22 +02:00
|
|
|
static Dllist *BackendList;
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2004-01-26 23:59:54 +01:00
|
|
|
#ifdef EXEC_BACKEND
|
|
|
|
|
static Backend *ShmemBackendArray;
|
|
|
|
|
#endif
|
|
|
|
|
|
2000-11-12 21:51:52 +01:00
|
|
|
/* The socket number we are listening for connections on */
|
2001-03-22 05:01:46 +01:00
|
|
|
int PostPortNumber;
|
|
|
|
|
char *UnixSocketDir;
|
2004-03-23 02:23:48 +01:00
|
|
|
char *ListenAddresses;
|
1998-02-26 05:46:47 +01:00
|
|
|
|
2002-08-29 23:02:12 +02:00
|
|
|
/*
|
|
|
|
|
* ReservedBackends is the number of backends reserved for superuser use.
|
|
|
|
|
* This number is taken out of the pool size given by MaxBackends so
|
2002-11-21 07:36:08 +01:00
|
|
|
* number of backend slots available to non-superusers is
|
|
|
|
|
* (MaxBackends - ReservedBackends). Note what this really means is
|
|
|
|
|
* "if there are <= ReservedBackends connections available, only superusers
|
|
|
|
|
* can make new connections" --- pre-existing superuser connections don't
|
|
|
|
|
* count against the limit.
|
2002-08-29 23:02:12 +02:00
|
|
|
*/
|
2003-04-07 00:45:23 +02:00
|
|
|
int ReservedBackends;
|
2002-08-29 23:02:12 +02:00
|
|
|
|
2003-07-24 01:30:41 +02:00
|
|
|
/* The socket(s) we're listening to. */
|
2005-01-12 17:38:17 +01:00
|
|
|
#define MAXLISTEN 64
|
2010-01-10 15:16:08 +01:00
|
|
|
static pgsocket ListenSocket[MAXLISTEN];
|
1996-07-09 08:22:35 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set by the -o option
|
|
|
|
|
*/
|
1999-10-25 05:08:03 +02:00
|
|
|
static char ExtraOptions[MAXPGPATH];
|
1996-07-09 08:22:35 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* These globals control the behavior of the postmaster in case some
|
1997-09-07 07:04:48 +02:00
|
|
|
* backend dumps core. Normally, it kills all peers of the dead backend
|
1996-07-09 08:22:35 +02:00
|
|
|
* and reinitializes shared memory. By specifying -s or -n, we can have
|
|
|
|
|
* the postmaster stop (rather than kill) peers and not reinitialize
|
2007-11-15 22:14:46 +01:00
|
|
|
* shared data structures. (Reinit is currently dead code, though.)
|
1996-07-09 08:22:35 +02:00
|
|
|
*/
|
1998-09-01 06:40:42 +02:00
|
|
|
static bool Reinit = true;
|
1998-05-27 20:32:05 +02:00
|
|
|
static int SendStop = false;
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2001-06-21 18:43:24 +02:00
|
|
|
/* still more option variables */
|
2001-03-22 05:01:46 +01:00
|
|
|
bool EnableSSL = false;
|
2009-08-24 22:08:32 +02:00
|
|
|
bool SilentMode = false; /* silent_mode */
|
1998-05-29 19:00:34 +02:00
|
|
|
|
2001-09-21 19:06:12 +02:00
|
|
|
int PreAuthDelay = 0;
|
|
|
|
|
int AuthenticationTimeout = 60;
|
2000-11-09 12:26:00 +01:00
|
|
|
|
2004-03-15 16:56:28 +01:00
|
|
|
bool log_hostname; /* for ps display and logging */
|
2001-10-19 02:44:08 +02:00
|
|
|
bool Log_connections = false;
|
2002-08-18 05:03:26 +02:00
|
|
|
bool Db_user_namespace = false;
|
|
|
|
|
|
2009-09-08 19:08:36 +02:00
|
|
|
bool enable_bonjour = false;
|
2005-05-15 02:26:19 +02:00
|
|
|
char *bonjour_name;
|
2010-07-20 02:47:53 +02:00
|
|
|
bool restart_after_crash = true;
|
2003-07-22 22:29:13 +02:00
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
/* PIDs of special child processes; 0 when not running */
|
2001-03-22 05:01:46 +01:00
|
|
|
static pid_t StartupPID = 0,
|
2004-06-14 20:08:19 +02:00
|
|
|
BgWriterPID = 0,
|
2007-07-24 06:54:09 +02:00
|
|
|
WalWriterPID = 0,
|
2010-01-15 10:19:10 +01:00
|
|
|
WalReceiverPID = 0,
|
2005-07-14 07:13:45 +02:00
|
|
|
AutoVacPID = 0,
|
2004-07-19 04:47:16 +02:00
|
|
|
PgArchPID = 0,
|
2007-11-15 22:14:46 +01:00
|
|
|
PgStatPID = 0,
|
|
|
|
|
SysLoggerPID = 0;
|
1998-09-01 06:40:42 +02:00
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
/* Startup/shutdown state */
|
1999-10-06 23:58:18 +02:00
|
|
|
#define NoShutdown 0
|
|
|
|
|
#define SmartShutdown 1
|
|
|
|
|
#define FastShutdown 2
|
1998-09-01 06:40:42 +02:00
|
|
|
|
2000-04-12 19:17:23 +02:00
|
|
|
static int Shutdown = NoShutdown;
|
1999-10-06 23:58:18 +02:00
|
|
|
|
2001-03-22 05:01:46 +01:00
|
|
|
static bool FatalError = false; /* T if recovering from backend crash */
|
2009-06-11 16:49:15 +02:00
|
|
|
static bool RecoveryError = false; /* T if WAL recovery failed */
|
1998-05-29 19:00:34 +02:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/*
|
|
|
|
|
* We use a simple state machine to control startup, shutdown, and
|
|
|
|
|
* crash recovery (which is rather like shutdown followed by startup).
|
|
|
|
|
*
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
* After doing all the postmaster initialization work, we enter PM_STARTUP
|
|
|
|
|
* state and the startup process is launched. The startup process begins by
|
2009-06-26 22:29:04 +02:00
|
|
|
* reading the control file and other preliminary initialization steps.
|
|
|
|
|
* In a normal startup, or after crash recovery, the startup process exits
|
2010-02-26 03:01:40 +01:00
|
|
|
* with exit code 0 and we switch to PM_RUN state. However, archive recovery
|
2009-06-26 22:29:04 +02:00
|
|
|
* is handled specially since it takes much longer and we would like to support
|
|
|
|
|
* hot standby during archive recovery.
|
2009-06-11 16:49:15 +02:00
|
|
|
*
|
2009-06-26 22:29:04 +02:00
|
|
|
* When the startup process is ready to start archive recovery, it signals the
|
|
|
|
|
* postmaster, and we switch to PM_RECOVERY state. The background writer is
|
2010-07-06 21:19:02 +02:00
|
|
|
* launched, while the startup process continues applying WAL. If Hot Standby
|
2010-05-14 20:08:33 +02:00
|
|
|
* is enabled, then, after reaching a consistent point in WAL redo, startup
|
2010-05-15 22:01:32 +02:00
|
|
|
* process signals us again, and we switch to PM_HOT_STANDBY state and
|
2010-05-14 20:08:33 +02:00
|
|
|
* begin accepting connections to perform read-only queries. When archive
|
|
|
|
|
* recovery is finished, the startup process exits with exit code 0 and we
|
|
|
|
|
* switch to PM_RUN state.
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
*
|
Allow read only connections during recovery, known as Hot Standby.
Enabled by recovery_connections = on (default) and forcing archive recovery using a recovery.conf. Recovery processing now emulates the original transactions as they are replayed, providing full locking and MVCC behaviour for read only queries. Recovery must enter consistent state before connections are allowed, so there is a delay, typically short, before connections succeed. Replay of recovering transactions can conflict and in some cases deadlock with queries during recovery; these result in query cancellation after max_standby_delay seconds have expired. Infrastructure changes have minor effects on normal running, though introduce four new types of WAL record.
New test mode "make standbycheck" allows regression tests of static command behaviour on a standby server while in recovery. Typical and extreme dynamic behaviours have been checked via code inspection and manual testing. Few port specific behaviours have been utilised, though primary testing has been on Linux only so far.
This commit is the basic patch. Additional changes will follow in this release to enhance some aspects of behaviour, notably improved handling of conflicts, deadlock detection and query cancellation. Changes to VACUUM FULL are also required.
Simon Riggs, with significant and lengthy review by Heikki Linnakangas, including streamlined redesign of snapshot creation and two-phase commit.
Important contributions from Florian Pflug, Mark Kirkwood, Merlin Moncure, Greg Stark, Gianni Ciolli, Gabriele Bartolini, Hannu Krosing, Robert Haas, Tatsuo Ishii, Hiroyuki Yamada plus support and feedback from many other community members.
2009-12-19 02:32:45 +01:00
|
|
|
* Normal child backends can only be launched when we are in PM_RUN or
|
2010-05-15 22:01:32 +02:00
|
|
|
* PM_HOT_STANDBY state. (We also allow launch of normal
|
Allow read only connections during recovery, known as Hot Standby.
Enabled by recovery_connections = on (default) and forcing archive recovery using a recovery.conf. Recovery processing now emulates the original transactions as they are replayed, providing full locking and MVCC behaviour for read only queries. Recovery must enter consistent state before connections are allowed, so there is a delay, typically short, before connections succeed. Replay of recovering transactions can conflict and in some cases deadlock with queries during recovery; these result in query cancellation after max_standby_delay seconds have expired. Infrastructure changes have minor effects on normal running, though introduce four new types of WAL record.
New test mode "make standbycheck" allows regression tests of static command behaviour on a standby server while in recovery. Typical and extreme dynamic behaviours have been checked via code inspection and manual testing. Few port specific behaviours have been utilised, though primary testing has been on Linux only so far.
This commit is the basic patch. Additional changes will follow in this release to enhance some aspects of behaviour, notably improved handling of conflicts, deadlock detection and query cancellation. Changes to VACUUM FULL are also required.
Simon Riggs, with significant and lengthy review by Heikki Linnakangas, including streamlined redesign of snapshot creation and two-phase commit.
Important contributions from Florian Pflug, Mark Kirkwood, Merlin Moncure, Greg Stark, Gianni Ciolli, Gabriele Bartolini, Hannu Krosing, Robert Haas, Tatsuo Ishii, Hiroyuki Yamada plus support and feedback from many other community members.
2009-12-19 02:32:45 +01:00
|
|
|
* child backends in PM_WAIT_BACKUP state, but only for superusers.)
|
2007-08-09 03:18:43 +02:00
|
|
|
* In other states we handle connection requests by launching "dead_end"
|
|
|
|
|
* child processes, which will simply send the client an error message and
|
|
|
|
|
* quit. (We track these in the BackendList so that we can know when they
|
|
|
|
|
* are all gone; this is important because they're still connected to shared
|
|
|
|
|
* memory, and would interfere with an attempt to destroy the shmem segment,
|
|
|
|
|
* possibly leading to SHMALL failure when we try to make a new one.)
|
|
|
|
|
* In PM_WAIT_DEAD_END state we are waiting for all the dead_end children
|
|
|
|
|
* to drain out of the system, and therefore stop accepting connection
|
|
|
|
|
* requests at all until the last existing child has quit (which hopefully
|
|
|
|
|
* will not be very long).
|
|
|
|
|
*
|
|
|
|
|
* Notice that this state variable does not distinguish *why* we entered
|
2008-04-27 00:47:40 +02:00
|
|
|
* states later than PM_RUN --- Shutdown and FatalError must be consulted
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
* to find that out. FatalError is never true in PM_RECOVERY_* or PM_RUN
|
|
|
|
|
* states, nor in PM_SHUTDOWN states (because we don't enter those states
|
|
|
|
|
* when trying to recover from a crash). It can be true in PM_STARTUP state,
|
|
|
|
|
* because we don't clear it until we've successfully started WAL redo.
|
|
|
|
|
* Similarly, RecoveryError means that we have crashed during recovery, and
|
|
|
|
|
* should not try to restart.
|
2007-08-09 03:18:43 +02:00
|
|
|
*/
|
2007-11-15 22:14:46 +01:00
|
|
|
typedef enum
|
|
|
|
|
{
|
2007-08-09 03:18:43 +02:00
|
|
|
PM_INIT, /* postmaster starting */
|
|
|
|
|
PM_STARTUP, /* waiting for startup subprocess */
|
2009-06-26 22:29:04 +02:00
|
|
|
PM_RECOVERY, /* in archive recovery mode */
|
2010-05-15 22:01:32 +02:00
|
|
|
PM_HOT_STANDBY, /* in hot standby mode */
|
2007-08-09 03:18:43 +02:00
|
|
|
PM_RUN, /* normal "database is alive" state */
|
2008-04-23 15:44:59 +02:00
|
|
|
PM_WAIT_BACKUP, /* waiting for online backup mode to end */
|
2010-04-08 03:39:37 +02:00
|
|
|
PM_WAIT_READONLY, /* waiting for read only backends to exit */
|
2007-08-09 03:18:43 +02:00
|
|
|
PM_WAIT_BACKENDS, /* waiting for live backends to exit */
|
|
|
|
|
PM_SHUTDOWN, /* waiting for bgwriter to do shutdown ckpt */
|
2010-02-26 03:01:40 +01:00
|
|
|
PM_SHUTDOWN_2, /* waiting for archiver and walsenders to
|
|
|
|
|
* finish */
|
2007-08-09 03:18:43 +02:00
|
|
|
PM_WAIT_DEAD_END, /* waiting for dead_end children to exit */
|
|
|
|
|
PM_NO_CHILDREN /* all important children have exited */
|
2007-11-15 23:25:18 +01:00
|
|
|
} PMState;
|
2007-08-09 03:18:43 +02:00
|
|
|
|
|
|
|
|
static PMState pmState = PM_INIT;
|
|
|
|
|
|
2010-07-06 21:19:02 +02:00
|
|
|
static bool ReachedNormalRunning = false; /* T if we've reached PM_RUN */
|
2010-05-26 14:32:41 +02:00
|
|
|
|
2002-09-04 22:31:48 +02:00
|
|
|
bool ClientAuthInProgress = false; /* T during new-client
|
|
|
|
|
* authentication */
|
2002-03-04 02:46:04 +01:00
|
|
|
|
2007-11-15 22:14:46 +01:00
|
|
|
bool redirection_done = false; /* stderr redirected for syslogger? */
|
2007-07-19 21:13:43 +02:00
|
|
|
|
2007-02-16 00:23:23 +01:00
|
|
|
/* received START_AUTOVAC_LAUNCHER signal */
|
2007-07-24 06:54:09 +02:00
|
|
|
static volatile sig_atomic_t start_autovac_launcher = false;
|
2010-02-26 03:01:40 +01:00
|
|
|
|
2009-08-24 19:23:02 +02:00
|
|
|
/* the launcher needs to be signalled to communicate some condition */
|
2010-02-26 03:01:40 +01:00
|
|
|
static volatile bool avlauncher_needs_signal = false;
|
Fix recently-understood problems with handling of XID freezing, particularly
in PITR scenarios. We now WAL-log the replacement of old XIDs with
FrozenTransactionId, so that such replacement is guaranteed to propagate to
PITR slave databases. Also, rather than relying on hint-bit updates to be
preserved, pg_clog is not truncated until all instances of an XID are known to
have been replaced by FrozenTransactionId. Add new GUC variables and
pg_autovacuum columns to allow management of the freezing policy, so that
users can trade off the size of pg_clog against the amount of freezing work
done. Revise the already-existing code that forces autovacuum of tables
approaching the wraparound point to make it more bulletproof; also, revise the
autovacuum logic so that anti-wraparound vacuuming is done per-table rather
than per-database. initdb forced because of changes in pg_class, pg_database,
and pg_autovacuum catalogs. Heikki Linnakangas, Simon Riggs, and Tom Lane.
2006-11-05 23:42:10 +01:00
|
|
|
|
1998-06-09 06:06:12 +02:00
|
|
|
/*
|
|
|
|
|
* State for assigning random salts and cancel keys.
|
|
|
|
|
* Also, the global MyCancelKey passes the cancel key assigned to a given
|
|
|
|
|
* backend from the postmaster to that backend (via fork).
|
|
|
|
|
*/
|
1998-06-08 06:27:59 +02:00
|
|
|
static unsigned int random_seed = 0;
|
2007-08-04 05:15:49 +02:00
|
|
|
static struct timeval random_start_time;
|
1998-06-08 06:27:59 +02:00
|
|
|
|
|
|
|
|
extern char *optarg;
|
|
|
|
|
extern int optind,
|
|
|
|
|
opterr;
|
2001-10-25 07:50:21 +02:00
|
|
|
|
2010-12-16 22:22:05 +01:00
|
|
|
#ifdef HAVE_INT_OPTRESET
|
2009-04-05 06:19:59 +02:00
|
|
|
extern int optreset; /* might not be declared by system headers */
|
2001-04-19 21:09:23 +02:00
|
|
|
#endif
|
1998-06-08 06:27:59 +02:00
|
|
|
|
2009-09-08 18:08:26 +02:00
|
|
|
#ifdef USE_BONJOUR
|
|
|
|
|
static DNSServiceRef bonjour_sdref = NULL;
|
|
|
|
|
#endif
|
|
|
|
|
|
1997-09-07 07:04:48 +02:00
|
|
|
/*
|
1996-07-09 08:22:35 +02:00
|
|
|
* postmaster.c - function prototypes
|
|
|
|
|
*/
|
2009-05-03 00:02:37 +02:00
|
|
|
static void getInstallationPaths(const char *argv0);
|
2004-10-08 03:36:36 +02:00
|
|
|
static void checkDataDir(void);
|
2004-05-28 07:13:32 +02:00
|
|
|
static void pmdaemonize(void);
|
2000-04-12 19:17:23 +02:00
|
|
|
static Port *ConnCreate(int serverFd);
|
|
|
|
|
static void ConnFree(Port *port);
|
2005-06-18 00:32:51 +02:00
|
|
|
static void reset_shared(int port);
|
2000-08-29 11:36:51 +02:00
|
|
|
static void SIGHUP_handler(SIGNAL_ARGS);
|
|
|
|
|
static void pmdie(SIGNAL_ARGS);
|
|
|
|
|
static void reaper(SIGNAL_ARGS);
|
2001-11-04 20:55:31 +01:00
|
|
|
static void sigusr1_handler(SIGNAL_ARGS);
|
2009-08-29 21:26:52 +02:00
|
|
|
static void startup_die(SIGNAL_ARGS);
|
2001-11-04 20:55:31 +01:00
|
|
|
static void dummy_handler(SIGNAL_ARGS);
|
2004-08-04 22:09:47 +02:00
|
|
|
static void CleanupBackend(int pid, int exitstatus);
|
|
|
|
|
static void HandleChildCrash(int pid, int exitstatus, const char *procname);
|
2002-03-04 02:46:04 +01:00
|
|
|
static void LogChildExit(int lev, const char *procname,
|
2002-09-04 22:31:48 +02:00
|
|
|
int pid, int exitstatus);
|
2007-08-09 03:18:43 +02:00
|
|
|
static void PostmasterStateMachine(void);
|
2006-01-04 22:06:32 +01:00
|
|
|
static void BackendInitialize(Port *port);
|
2004-05-27 17:07:41 +02:00
|
|
|
static int BackendRun(Port *port);
|
2003-07-27 23:49:55 +02:00
|
|
|
static void ExitPostmaster(int status);
|
2000-04-12 19:17:23 +02:00
|
|
|
static int ServerLoop(void);
|
|
|
|
|
static int BackendStartup(Port *port);
|
2001-06-21 18:43:24 +02:00
|
|
|
static int ProcessStartupPacket(Port *port, bool SSLdone);
|
2001-10-25 07:50:21 +02:00
|
|
|
static void processCancelRequest(Port *port, void *pkt);
|
2003-07-24 01:30:41 +02:00
|
|
|
static int initMasks(fd_set *rmask);
|
2002-01-06 22:40:02 +01:00
|
|
|
static void report_fork_failure_to_client(Port *port, int errnum);
|
2010-11-14 21:57:37 +01:00
|
|
|
static CAC_state canAcceptConnections(void);
|
2000-04-12 19:17:23 +02:00
|
|
|
static long PostmasterRandom(void);
|
2008-10-28 13:10:44 +01:00
|
|
|
static void RandomSalt(char *md5Salt);
|
2006-11-21 21:59:53 +01:00
|
|
|
static void signal_child(pid_t pid, int signal);
|
2010-01-15 10:19:10 +01:00
|
|
|
static bool SignalSomeChildren(int signal, int targets);
|
|
|
|
|
|
2010-02-26 03:01:40 +01:00
|
|
|
#define SignalChildren(sig) SignalSomeChildren(sig, BACKEND_TYPE_ALL)
|
2010-01-15 10:19:10 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Possible types of a backend. These are OR-able request flag bits
|
|
|
|
|
* for SignalSomeChildren() and CountChildren().
|
|
|
|
|
*/
|
|
|
|
|
#define BACKEND_TYPE_NORMAL 0x0001 /* normal backend */
|
|
|
|
|
#define BACKEND_TYPE_AUTOVAC 0x0002 /* autovacuum worker process */
|
|
|
|
|
#define BACKEND_TYPE_WALSND 0x0004 /* walsender process */
|
|
|
|
|
#define BACKEND_TYPE_ALL 0x0007 /* OR of all the above */
|
2007-11-15 22:14:46 +01:00
|
|
|
|
2010-01-15 10:19:10 +01:00
|
|
|
static int CountChildren(int target);
|
2004-05-14 00:45:04 +02:00
|
|
|
static bool CreateOptsFile(int argc, char *argv[], char *fullprogname);
|
2007-03-07 14:35:03 +01:00
|
|
|
static pid_t StartChildProcess(AuxProcType type);
|
2007-02-16 00:23:23 +01:00
|
|
|
static void StartAutovacuumWorker(void);
|
2000-04-12 19:17:23 +02:00
|
|
|
|
2003-12-20 18:31:21 +01:00
|
|
|
#ifdef EXEC_BACKEND
|
2004-05-14 00:45:04 +02:00
|
|
|
|
2004-01-11 04:49:31 +01:00
|
|
|
#ifdef WIN32
|
2004-01-26 23:59:54 +01:00
|
|
|
static pid_t win32_waitpid(int *exitstatus);
|
2007-10-26 23:50:10 +02:00
|
|
|
static void WINAPI pgwin32_deadchild_callback(PVOID lpParameter, BOOLEAN TimerOrWaitFired);
|
2004-01-26 23:59:54 +01:00
|
|
|
|
2007-10-26 23:50:10 +02:00
|
|
|
static HANDLE win32ChildQueue;
|
|
|
|
|
|
2007-11-15 22:14:46 +01:00
|
|
|
typedef struct
|
2007-10-26 23:50:10 +02:00
|
|
|
{
|
2007-11-15 22:14:46 +01:00
|
|
|
HANDLE waitHandle;
|
|
|
|
|
HANDLE procHandle;
|
|
|
|
|
DWORD procId;
|
2011-04-10 17:42:00 +02:00
|
|
|
} win32_deadchild_waitinfo;
|
2004-05-30 05:50:15 +02:00
|
|
|
|
2004-08-29 07:07:03 +02:00
|
|
|
HANDLE PostmasterHandle;
|
2004-01-11 04:49:31 +01:00
|
|
|
#endif
|
|
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
static pid_t backend_forkexec(Port *port);
|
|
|
|
|
static pid_t internal_forkexec(int argc, char *argv[], Port *port);
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
/* Type for a socket that can be inherited to a client process */
|
|
|
|
|
#ifdef WIN32
|
|
|
|
|
typedef struct
|
|
|
|
|
{
|
2010-02-26 03:01:40 +01:00
|
|
|
SOCKET origsocket; /* Original socket value, or PGINVALID_SOCKET
|
|
|
|
|
* if not a socket */
|
2004-11-17 01:14:14 +01:00
|
|
|
WSAPROTOCOL_INFO wsainfo;
|
2011-04-10 17:42:00 +02:00
|
|
|
} InheritableSocket;
|
2004-11-17 01:14:14 +01:00
|
|
|
#else
|
|
|
|
|
typedef int InheritableSocket;
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
typedef struct LWLock LWLock; /* ugly kluge */
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Structure contains all variables passed to exec:ed backends
|
|
|
|
|
*/
|
|
|
|
|
typedef struct
|
|
|
|
|
{
|
2005-10-15 04:49:52 +02:00
|
|
|
Port port;
|
2004-11-17 01:14:14 +01:00
|
|
|
InheritableSocket portsocket;
|
2005-10-15 04:49:52 +02:00
|
|
|
char DataDir[MAXPGPATH];
|
2010-01-10 15:16:08 +01:00
|
|
|
pgsocket ListenSocket[MAXLISTEN];
|
2005-10-15 04:49:52 +02:00
|
|
|
long MyCancelKey;
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
int MyPMChildSlot;
|
2010-01-02 13:01:29 +01:00
|
|
|
#ifndef WIN32
|
2004-11-17 01:14:14 +01:00
|
|
|
unsigned long UsedShmemSegID;
|
2010-01-02 13:01:29 +01:00
|
|
|
#else
|
2010-02-26 03:01:40 +01:00
|
|
|
HANDLE UsedShmemSegID;
|
2010-01-02 13:01:29 +01:00
|
|
|
#endif
|
2005-10-15 04:49:52 +02:00
|
|
|
void *UsedShmemSegAddr;
|
|
|
|
|
slock_t *ShmemLock;
|
2004-11-17 01:14:14 +01:00
|
|
|
VariableCache ShmemVariableCache;
|
2005-10-15 04:49:52 +02:00
|
|
|
Backend *ShmemBackendArray;
|
|
|
|
|
LWLock *LWLockArray;
|
|
|
|
|
slock_t *ProcStructLock;
|
2006-01-04 22:06:32 +01:00
|
|
|
PROC_HDR *ProcGlobal;
|
2007-03-07 14:35:03 +01:00
|
|
|
PGPROC *AuxiliaryProcs;
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
PMSignalData *PMSignalState;
|
2004-11-17 01:14:14 +01:00
|
|
|
InheritableSocket pgStatSock;
|
2005-10-15 04:49:52 +02:00
|
|
|
pid_t PostmasterPid;
|
2005-06-30 00:51:57 +02:00
|
|
|
TimestampTz PgStartTime;
|
2008-05-04 23:13:36 +02:00
|
|
|
TimestampTz PgReloadTime;
|
2007-11-15 22:14:46 +01:00
|
|
|
bool redirection_done;
|
2004-11-17 01:14:14 +01:00
|
|
|
#ifdef WIN32
|
2005-10-15 04:49:52 +02:00
|
|
|
HANDLE PostmasterHandle;
|
|
|
|
|
HANDLE initial_signal_pipe;
|
|
|
|
|
HANDLE syslogPipe[2];
|
2004-11-17 01:14:14 +01:00
|
|
|
#else
|
2005-10-15 04:49:52 +02:00
|
|
|
int syslogPipe[2];
|
2004-11-17 01:14:14 +01:00
|
|
|
#endif
|
2005-10-15 04:49:52 +02:00
|
|
|
char my_exec_path[MAXPGPATH];
|
|
|
|
|
char pkglib_path[MAXPGPATH];
|
|
|
|
|
char ExtraOptions[MAXPGPATH];
|
2011-04-10 17:42:00 +02:00
|
|
|
} BackendParameters;
|
2004-11-17 01:14:14 +01:00
|
|
|
|
|
|
|
|
static void read_backend_variables(char *id, Port *port);
|
2011-04-10 17:42:00 +02:00
|
|
|
static void restore_backend_variables(BackendParameters *param, Port *port);
|
2005-10-15 04:49:52 +02:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
#ifndef WIN32
|
2011-04-10 17:42:00 +02:00
|
|
|
static bool save_backend_variables(BackendParameters *param, Port *port);
|
2004-11-17 01:14:14 +01:00
|
|
|
#else
|
2011-04-10 17:42:00 +02:00
|
|
|
static bool save_backend_variables(BackendParameters *param, Port *port,
|
2005-10-15 04:49:52 +02:00
|
|
|
HANDLE childProcess, pid_t childPid);
|
2004-11-17 01:14:14 +01:00
|
|
|
#endif
|
2004-01-26 23:59:54 +01:00
|
|
|
|
2004-05-27 17:07:41 +02:00
|
|
|
static void ShmemBackendArrayAdd(Backend *bn);
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
static void ShmemBackendArrayRemove(Backend *bn);
|
2004-08-29 07:07:03 +02:00
|
|
|
#endif /* EXEC_BACKEND */
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2007-03-07 14:35:03 +01:00
|
|
|
#define StartupDataBase() StartChildProcess(StartupProcess)
|
|
|
|
|
#define StartBackgroundWriter() StartChildProcess(BgWriterProcess)
|
2007-07-24 06:54:09 +02:00
|
|
|
#define StartWalWriter() StartChildProcess(WalWriterProcess)
|
2010-01-15 10:19:10 +01:00
|
|
|
#define StartWalReceiver() StartChildProcess(WalReceiverProcess)
|
1999-10-06 23:58:18 +02:00
|
|
|
|
2006-11-21 01:49:55 +01:00
|
|
|
/* Macros to check exit status of a child process */
|
|
|
|
|
#define EXIT_STATUS_0(st) ((st) == 0)
|
|
|
|
|
#define EXIT_STATUS_1(st) (WIFEXITED(st) && WEXITSTATUS(st) == 1)
|
|
|
|
|
|
2003-06-11 08:56:07 +02:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/*
|
|
|
|
|
* Postmaster main entry point
|
|
|
|
|
*/
|
1996-07-09 08:22:35 +02:00
|
|
|
int
|
|
|
|
|
PostmasterMain(int argc, char *argv[])
|
|
|
|
|
{
|
2003-08-04 02:43:34 +02:00
|
|
|
int opt;
|
|
|
|
|
int status;
|
2004-10-08 03:36:36 +02:00
|
|
|
char *userDoption = NULL;
|
2011-01-14 01:01:28 +01:00
|
|
|
bool listen_addr_saved = false;
|
2003-08-04 02:43:34 +02:00
|
|
|
int i;
|
2011-01-14 01:01:28 +01:00
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
MyProcPid = PostmasterPid = getpid();
|
|
|
|
|
|
2007-08-03 01:39:45 +02:00
|
|
|
MyStartTime = time(NULL);
|
|
|
|
|
|
2003-05-28 19:25:02 +02:00
|
|
|
IsPostmasterEnvironment = true;
|
|
|
|
|
|
1997-09-07 07:04:48 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* for security, no dir or file created can be group or other accessible
|
1997-09-07 07:04:48 +02:00
|
|
|
*/
|
2010-12-10 23:35:33 +01:00
|
|
|
umask(S_IRWXG | S_IRWXO);
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2000-06-28 05:33:33 +02:00
|
|
|
/*
|
2002-08-10 22:29:18 +02:00
|
|
|
* Fire up essential subsystems: memory management
|
2000-06-28 05:33:33 +02:00
|
|
|
*/
|
|
|
|
|
MemoryContextInit();
|
|
|
|
|
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* By default, palloc() requests in the postmaster will be allocated in
|
|
|
|
|
* the PostmasterContext, which is space that can be recycled by backends.
|
|
|
|
|
* Allocated data that needs to be available to backends should be
|
|
|
|
|
* allocated in TopMemoryContext.
|
2000-06-28 05:33:33 +02:00
|
|
|
*/
|
|
|
|
|
PostmasterContext = AllocSetContextCreate(TopMemoryContext,
|
|
|
|
|
"Postmaster",
|
|
|
|
|
ALLOCSET_DEFAULT_MINSIZE,
|
|
|
|
|
ALLOCSET_DEFAULT_INITSIZE,
|
|
|
|
|
ALLOCSET_DEFAULT_MAXSIZE);
|
|
|
|
|
MemoryContextSwitchTo(PostmasterContext);
|
|
|
|
|
|
2009-05-03 00:02:37 +02:00
|
|
|
/* Initialize paths to installation files */
|
|
|
|
|
getInstallationPaths(argv[0]);
|
2004-05-19 21:11:25 +02:00
|
|
|
|
2000-06-28 05:33:33 +02:00
|
|
|
/*
|
|
|
|
|
* Options setup
|
|
|
|
|
*/
|
2002-05-17 03:19:19 +02:00
|
|
|
InitializeGUCOptions();
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2000-05-31 02:28:42 +02:00
|
|
|
opterr = 1;
|
2001-10-19 22:47:09 +02:00
|
|
|
|
2007-01-04 01:57:51 +01:00
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Parse command-line options. CAUTION: keep this in sync with
|
|
|
|
|
* tcop/postgres.c (the option sets should not conflict) and with the
|
|
|
|
|
* common help() function in main/main.c.
|
2007-01-04 01:57:51 +01:00
|
|
|
*/
|
2011-04-25 18:00:21 +02:00
|
|
|
while ((opt = getopt(argc, argv, "A:B:bc:D:d:EeFf:h:ijk:lN:nOo:Pp:r:S:sTt:W:-:")) != -1)
|
1997-09-07 07:04:48 +02:00
|
|
|
{
|
|
|
|
|
switch (opt)
|
|
|
|
|
{
|
1998-08-25 23:04:41 +02:00
|
|
|
case 'A':
|
2002-02-23 02:31:37 +01:00
|
|
|
SetConfigOption("debug_assertions", optarg, PGC_POSTMASTER, PGC_S_ARGV);
|
1997-09-08 04:41:22 +02:00
|
|
|
break;
|
2006-01-05 11:07:46 +01:00
|
|
|
|
1997-09-08 04:41:22 +02:00
|
|
|
case 'B':
|
2002-02-23 02:31:37 +01:00
|
|
|
SetConfigOption("shared_buffers", optarg, PGC_POSTMASTER, PGC_S_ARGV);
|
1997-09-08 04:41:22 +02:00
|
|
|
break;
|
2006-01-05 11:07:46 +01:00
|
|
|
|
2011-04-25 18:00:21 +02:00
|
|
|
case 'b':
|
|
|
|
|
/* Undocumented flag used for binary upgrades */
|
|
|
|
|
IsBinaryUpgrade = true;
|
|
|
|
|
break;
|
|
|
|
|
|
1997-09-08 04:41:22 +02:00
|
|
|
case 'D':
|
2004-10-08 03:36:36 +02:00
|
|
|
userDoption = optarg;
|
1997-09-08 04:41:22 +02:00
|
|
|
break;
|
2006-01-05 11:07:46 +01:00
|
|
|
|
1997-09-08 04:41:22 +02:00
|
|
|
case 'd':
|
2004-11-14 20:35:35 +01:00
|
|
|
set_debug_options(atoi(optarg), PGC_POSTMASTER, PGC_S_ARGV);
|
|
|
|
|
break;
|
2006-01-05 11:07:46 +01:00
|
|
|
|
|
|
|
|
case 'E':
|
|
|
|
|
SetConfigOption("log_statement", "all", PGC_POSTMASTER, PGC_S_ARGV);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case 'e':
|
|
|
|
|
SetConfigOption("datestyle", "euro", PGC_POSTMASTER, PGC_S_ARGV);
|
|
|
|
|
break;
|
|
|
|
|
|
2000-06-02 17:57:44 +02:00
|
|
|
case 'F':
|
2002-02-23 02:31:37 +01:00
|
|
|
SetConfigOption("fsync", "false", PGC_POSTMASTER, PGC_S_ARGV);
|
2000-06-02 17:57:44 +02:00
|
|
|
break;
|
2006-01-05 11:07:46 +01:00
|
|
|
|
|
|
|
|
case 'f':
|
|
|
|
|
if (!set_plan_disabling_options(optarg, PGC_POSTMASTER, PGC_S_ARGV))
|
|
|
|
|
{
|
|
|
|
|
write_stderr("%s: invalid argument for option -f: \"%s\"\n",
|
|
|
|
|
progname, optarg);
|
|
|
|
|
ExitPostmaster(1);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
UUNET is looking into offering PostgreSQL as a part of a managed web
hosting product, on both shared and dedicated machines. We currently
offer Oracle and MySQL, and it would be a nice middle-ground.
However, as shipped, PostgreSQL lacks the following features we need
that MySQL has:
1. The ability to listen only on a particular IP address. Each
hosting customer has their own IP address, on which all of their
servers (http, ftp, real media, etc.) run.
2. The ability to place the Unix-domain socket in a mode 700 directory.
This allows us to automatically create an empty database, with an
empty DBA password, for new or upgrading customers without having
to interactively set a DBA password and communicate it to (or from)
the customer. This in turn cuts down our install and upgrade times.
3. The ability to connect to the Unix-domain socket from within a
change-rooted environment. We run CGI programs chrooted to the
user's home directory, which is another reason why we need to be
able to specify where the Unix-domain socket is, instead of /tmp.
4. The ability to, if run as root, open a pid file in /var/run as
root, and then setuid to the desired user. (mysqld -u can almost
do this; I had to patch it, too).
The patch below fixes problem 1-3. I plan to address #4, also, but
haven't done so yet. These diffs are big enough that they should give
the PG development team something to think about in the meantime :-)
Also, I'm about to leave for 2 weeks' vacation, so I thought I'd get
out what I have, which works (for the problems it tackles), now.
With these changes, we can set up and run PostgreSQL with scripts the
same way we can with apache or proftpd or mysql.
In summary, this patch makes the following enhancements:
1. Adds an environment variable PGUNIXSOCKET, analogous to MYSQL_UNIX_PORT,
and command line options -k --unix-socket to the relevant programs.
2. Adds a -h option to postmaster to set the hostname or IP address to
listen on instead of the default INADDR_ANY.
3. Extends some library interfaces to support the above.
4. Fixes a few memory leaks in PQconnectdb().
The default behavior is unchanged from stock 7.0.2; if you don't use
any of these new features, they don't change the operation.
David J. MacKenzie
2000-11-13 16:18:15 +01:00
|
|
|
case 'h':
|
2004-03-23 02:23:48 +01:00
|
|
|
SetConfigOption("listen_addresses", optarg, PGC_POSTMASTER, PGC_S_ARGV);
|
UUNET is looking into offering PostgreSQL as a part of a managed web
hosting product, on both shared and dedicated machines. We currently
offer Oracle and MySQL, and it would be a nice middle-ground.
However, as shipped, PostgreSQL lacks the following features we need
that MySQL has:
1. The ability to listen only on a particular IP address. Each
hosting customer has their own IP address, on which all of their
servers (http, ftp, real media, etc.) run.
2. The ability to place the Unix-domain socket in a mode 700 directory.
This allows us to automatically create an empty database, with an
empty DBA password, for new or upgrading customers without having
to interactively set a DBA password and communicate it to (or from)
the customer. This in turn cuts down our install and upgrade times.
3. The ability to connect to the Unix-domain socket from within a
change-rooted environment. We run CGI programs chrooted to the
user's home directory, which is another reason why we need to be
able to specify where the Unix-domain socket is, instead of /tmp.
4. The ability to, if run as root, open a pid file in /var/run as
root, and then setuid to the desired user. (mysqld -u can almost
do this; I had to patch it, too).
The patch below fixes problem 1-3. I plan to address #4, also, but
haven't done so yet. These diffs are big enough that they should give
the PG development team something to think about in the meantime :-)
Also, I'm about to leave for 2 weeks' vacation, so I thought I'd get
out what I have, which works (for the problems it tackles), now.
With these changes, we can set up and run PostgreSQL with scripts the
same way we can with apache or proftpd or mysql.
In summary, this patch makes the following enhancements:
1. Adds an environment variable PGUNIXSOCKET, analogous to MYSQL_UNIX_PORT,
and command line options -k --unix-socket to the relevant programs.
2. Adds a -h option to postmaster to set the hostname or IP address to
listen on instead of the default INADDR_ANY.
3. Extends some library interfaces to support the above.
4. Fixes a few memory leaks in PQconnectdb().
The default behavior is unchanged from stock 7.0.2; if you don't use
any of these new features, they don't change the operation.
David J. MacKenzie
2000-11-13 16:18:15 +01:00
|
|
|
break;
|
2006-01-05 11:07:46 +01:00
|
|
|
|
1997-11-10 06:10:50 +01:00
|
|
|
case 'i':
|
2004-03-23 02:23:48 +01:00
|
|
|
SetConfigOption("listen_addresses", "*", PGC_POSTMASTER, PGC_S_ARGV);
|
1999-10-08 06:28:57 +02:00
|
|
|
break;
|
2006-01-05 11:07:46 +01:00
|
|
|
|
|
|
|
|
case 'j':
|
|
|
|
|
/* only used by interactive backend */
|
|
|
|
|
break;
|
|
|
|
|
|
UUNET is looking into offering PostgreSQL as a part of a managed web
hosting product, on both shared and dedicated machines. We currently
offer Oracle and MySQL, and it would be a nice middle-ground.
However, as shipped, PostgreSQL lacks the following features we need
that MySQL has:
1. The ability to listen only on a particular IP address. Each
hosting customer has their own IP address, on which all of their
servers (http, ftp, real media, etc.) run.
2. The ability to place the Unix-domain socket in a mode 700 directory.
This allows us to automatically create an empty database, with an
empty DBA password, for new or upgrading customers without having
to interactively set a DBA password and communicate it to (or from)
the customer. This in turn cuts down our install and upgrade times.
3. The ability to connect to the Unix-domain socket from within a
change-rooted environment. We run CGI programs chrooted to the
user's home directory, which is another reason why we need to be
able to specify where the Unix-domain socket is, instead of /tmp.
4. The ability to, if run as root, open a pid file in /var/run as
root, and then setuid to the desired user. (mysqld -u can almost
do this; I had to patch it, too).
The patch below fixes problem 1-3. I plan to address #4, also, but
haven't done so yet. These diffs are big enough that they should give
the PG development team something to think about in the meantime :-)
Also, I'm about to leave for 2 weeks' vacation, so I thought I'd get
out what I have, which works (for the problems it tackles), now.
With these changes, we can set up and run PostgreSQL with scripts the
same way we can with apache or proftpd or mysql.
In summary, this patch makes the following enhancements:
1. Adds an environment variable PGUNIXSOCKET, analogous to MYSQL_UNIX_PORT,
and command line options -k --unix-socket to the relevant programs.
2. Adds a -h option to postmaster to set the hostname or IP address to
listen on instead of the default INADDR_ANY.
3. Extends some library interfaces to support the above.
4. Fixes a few memory leaks in PQconnectdb().
The default behavior is unchanged from stock 7.0.2; if you don't use
any of these new features, they don't change the operation.
David J. MacKenzie
2000-11-13 16:18:15 +01:00
|
|
|
case 'k':
|
2002-02-23 02:31:37 +01:00
|
|
|
SetConfigOption("unix_socket_directory", optarg, PGC_POSTMASTER, PGC_S_ARGV);
|
UUNET is looking into offering PostgreSQL as a part of a managed web
hosting product, on both shared and dedicated machines. We currently
offer Oracle and MySQL, and it would be a nice middle-ground.
However, as shipped, PostgreSQL lacks the following features we need
that MySQL has:
1. The ability to listen only on a particular IP address. Each
hosting customer has their own IP address, on which all of their
servers (http, ftp, real media, etc.) run.
2. The ability to place the Unix-domain socket in a mode 700 directory.
This allows us to automatically create an empty database, with an
empty DBA password, for new or upgrading customers without having
to interactively set a DBA password and communicate it to (or from)
the customer. This in turn cuts down our install and upgrade times.
3. The ability to connect to the Unix-domain socket from within a
change-rooted environment. We run CGI programs chrooted to the
user's home directory, which is another reason why we need to be
able to specify where the Unix-domain socket is, instead of /tmp.
4. The ability to, if run as root, open a pid file in /var/run as
root, and then setuid to the desired user. (mysqld -u can almost
do this; I had to patch it, too).
The patch below fixes problem 1-3. I plan to address #4, also, but
haven't done so yet. These diffs are big enough that they should give
the PG development team something to think about in the meantime :-)
Also, I'm about to leave for 2 weeks' vacation, so I thought I'd get
out what I have, which works (for the problems it tackles), now.
With these changes, we can set up and run PostgreSQL with scripts the
same way we can with apache or proftpd or mysql.
In summary, this patch makes the following enhancements:
1. Adds an environment variable PGUNIXSOCKET, analogous to MYSQL_UNIX_PORT,
and command line options -k --unix-socket to the relevant programs.
2. Adds a -h option to postmaster to set the hostname or IP address to
listen on instead of the default INADDR_ANY.
3. Extends some library interfaces to support the above.
4. Fixes a few memory leaks in PQconnectdb().
The default behavior is unchanged from stock 7.0.2; if you don't use
any of these new features, they don't change the operation.
David J. MacKenzie
2000-11-13 16:18:15 +01:00
|
|
|
break;
|
2006-01-05 11:07:46 +01:00
|
|
|
|
1999-10-08 06:28:57 +02:00
|
|
|
case 'l':
|
2002-02-23 02:31:37 +01:00
|
|
|
SetConfigOption("ssl", "true", PGC_POSTMASTER, PGC_S_ARGV);
|
1997-11-07 21:52:15 +01:00
|
|
|
break;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
1999-02-19 07:06:39 +01:00
|
|
|
case 'N':
|
2002-02-23 02:31:37 +01:00
|
|
|
SetConfigOption("max_connections", optarg, PGC_POSTMASTER, PGC_S_ARGV);
|
1999-02-19 07:06:39 +01:00
|
|
|
break;
|
2006-01-05 11:07:46 +01:00
|
|
|
|
1997-09-08 04:41:22 +02:00
|
|
|
case 'n':
|
|
|
|
|
/* Don't reinit shared mem after abnormal exit */
|
1998-05-27 20:32:05 +02:00
|
|
|
Reinit = false;
|
1997-09-08 04:41:22 +02:00
|
|
|
break;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2006-01-05 11:07:46 +01:00
|
|
|
case 'O':
|
|
|
|
|
SetConfigOption("allow_system_table_mods", "true", PGC_POSTMASTER, PGC_S_ARGV);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case 'o':
|
|
|
|
|
/* Other options to pass to the backend on the command line */
|
2004-07-11 01:29:16 +02:00
|
|
|
snprintf(ExtraOptions + strlen(ExtraOptions),
|
|
|
|
|
sizeof(ExtraOptions) - strlen(ExtraOptions),
|
|
|
|
|
" %s", optarg);
|
1997-09-08 04:41:22 +02:00
|
|
|
break;
|
2006-01-05 11:07:46 +01:00
|
|
|
|
|
|
|
|
case 'P':
|
|
|
|
|
SetConfigOption("ignore_system_indexes", "true", PGC_POSTMASTER, PGC_S_ARGV);
|
|
|
|
|
break;
|
|
|
|
|
|
1997-09-08 04:41:22 +02:00
|
|
|
case 'p':
|
2002-02-23 02:31:37 +01:00
|
|
|
SetConfigOption("port", optarg, PGC_POSTMASTER, PGC_S_ARGV);
|
1997-09-08 04:41:22 +02:00
|
|
|
break;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2006-01-05 11:07:46 +01:00
|
|
|
case 'r':
|
|
|
|
|
/* only used by single-user backend */
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case 'S':
|
|
|
|
|
SetConfigOption("work_mem", optarg, PGC_POSTMASTER, PGC_S_ARGV);
|
1997-09-08 04:41:22 +02:00
|
|
|
break;
|
2006-01-05 11:07:46 +01:00
|
|
|
|
1997-09-08 04:41:22 +02:00
|
|
|
case 's':
|
2007-01-04 01:57:51 +01:00
|
|
|
SetConfigOption("log_statement_stats", "true", PGC_POSTMASTER, PGC_S_ARGV);
|
2006-01-05 11:07:46 +01:00
|
|
|
break;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2006-01-05 11:07:46 +01:00
|
|
|
case 'T':
|
2006-10-04 02:30:14 +02:00
|
|
|
|
1997-09-08 04:41:22 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* In the event that some backend dumps core, send SIGSTOP,
|
|
|
|
|
* rather than SIGQUIT, to all its peers. This lets the wily
|
|
|
|
|
* post_hacker collect core dumps from everyone.
|
1997-09-08 04:41:22 +02:00
|
|
|
*/
|
1998-05-27 20:32:05 +02:00
|
|
|
SendStop = true;
|
1997-09-08 04:41:22 +02:00
|
|
|
break;
|
2006-01-05 11:07:46 +01:00
|
|
|
|
|
|
|
|
case 't':
|
|
|
|
|
{
|
2006-10-04 02:30:14 +02:00
|
|
|
const char *tmp = get_stats_option_name(optarg);
|
|
|
|
|
|
|
|
|
|
if (tmp)
|
|
|
|
|
{
|
|
|
|
|
SetConfigOption(tmp, "true", PGC_POSTMASTER, PGC_S_ARGV);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
write_stderr("%s: invalid argument for option -t: \"%s\"\n",
|
|
|
|
|
progname, optarg);
|
|
|
|
|
ExitPostmaster(1);
|
|
|
|
|
}
|
|
|
|
|
break;
|
2006-01-05 11:07:46 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case 'W':
|
|
|
|
|
SetConfigOption("post_auth_delay", optarg, PGC_POSTMASTER, PGC_S_ARGV);
|
|
|
|
|
break;
|
|
|
|
|
|
2000-11-08 18:57:46 +01:00
|
|
|
case 'c':
|
2000-06-02 17:57:44 +02:00
|
|
|
case '-':
|
2000-11-08 18:57:46 +01:00
|
|
|
{
|
2001-03-22 05:01:46 +01:00
|
|
|
char *name,
|
|
|
|
|
*value;
|
|
|
|
|
|
|
|
|
|
ParseLongOption(optarg, &name, &value);
|
|
|
|
|
if (!value)
|
|
|
|
|
{
|
|
|
|
|
if (opt == '-')
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(ERROR,
|
|
|
|
|
(errcode(ERRCODE_SYNTAX_ERROR),
|
|
|
|
|
errmsg("--%s requires a value",
|
|
|
|
|
optarg)));
|
2001-03-22 05:01:46 +01:00
|
|
|
else
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(ERROR,
|
|
|
|
|
(errcode(ERRCODE_SYNTAX_ERROR),
|
|
|
|
|
errmsg("-c %s requires a value",
|
|
|
|
|
optarg)));
|
2001-03-22 05:01:46 +01:00
|
|
|
}
|
|
|
|
|
|
2002-02-23 02:31:37 +01:00
|
|
|
SetConfigOption(name, value, PGC_POSTMASTER, PGC_S_ARGV);
|
2001-03-22 05:01:46 +01:00
|
|
|
free(name);
|
|
|
|
|
if (value)
|
|
|
|
|
free(value);
|
|
|
|
|
break;
|
2000-11-08 18:57:46 +01:00
|
|
|
}
|
2000-07-03 22:46:10 +02:00
|
|
|
|
1997-09-08 04:41:22 +02:00
|
|
|
default:
|
2004-07-21 22:34:50 +02:00
|
|
|
write_stderr("Try \"%s --help\" for more information.\n",
|
|
|
|
|
progname);
|
2000-11-29 21:59:54 +01:00
|
|
|
ExitPostmaster(1);
|
1997-09-07 07:04:48 +02:00
|
|
|
}
|
|
|
|
|
}
|
1999-06-04 23:14:46 +02:00
|
|
|
|
2002-02-23 02:31:37 +01:00
|
|
|
/*
|
|
|
|
|
* Postmaster accepts no non-option switch arguments.
|
|
|
|
|
*/
|
|
|
|
|
if (optind < argc)
|
|
|
|
|
{
|
2004-07-21 22:34:50 +02:00
|
|
|
write_stderr("%s: invalid argument: \"%s\"\n",
|
|
|
|
|
progname, argv[optind]);
|
|
|
|
|
write_stderr("Try \"%s --help\" for more information.\n",
|
|
|
|
|
progname);
|
2002-02-23 02:31:37 +01:00
|
|
|
ExitPostmaster(1);
|
|
|
|
|
}
|
|
|
|
|
|
2004-10-08 03:36:36 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Locate the proper configuration files and data directory, and read
|
|
|
|
|
* postgresql.conf for the first time.
|
2004-10-08 03:36:36 +02:00
|
|
|
*/
|
|
|
|
|
if (!SelectConfigFiles(userDoption, progname))
|
|
|
|
|
ExitPostmaster(2);
|
2004-05-27 17:07:41 +02:00
|
|
|
|
2004-10-08 03:36:36 +02:00
|
|
|
/* Verify that DataDir looks reasonable */
|
|
|
|
|
checkDataDir();
|
2004-05-21 07:08:06 +02:00
|
|
|
|
2005-07-04 06:51:52 +02:00
|
|
|
/* And switch working directory into it */
|
|
|
|
|
ChangeToDataDir();
|
|
|
|
|
|
2002-11-21 07:36:08 +01:00
|
|
|
/*
|
|
|
|
|
* Check for invalid combinations of GUC settings.
|
1999-06-04 23:14:46 +02:00
|
|
|
*/
|
2002-08-29 23:02:12 +02:00
|
|
|
if (ReservedBackends >= MaxBackends)
|
2002-11-21 07:36:08 +01:00
|
|
|
{
|
2004-07-21 22:34:50 +02:00
|
|
|
write_stderr("%s: superuser_reserved_connections must be less than max_connections\n", progname);
|
2002-11-21 07:36:08 +01:00
|
|
|
ExitPostmaster(1);
|
|
|
|
|
}
|
Introduce wal_level GUC to explicitly control if information needed for
archival or hot standby should be WAL-logged, instead of deducing that from
other options like archive_mode. This replaces recovery_connections GUC in
the primary, where it now has no effect, but it's still used in the standby
to enable/disable hot standby.
Remove the WAL-logging of "unlogged operations", like creating an index
without WAL-logging and fsyncing it at the end. Instead, we keep a copy of
the wal_mode setting and the settings that affect how much shared memory a
hot standby server needs to track master transactions (max_connections,
max_prepared_xacts, max_locks_per_xact) in pg_control. Whenever the settings
change, at server restart, write a WAL record noting the new settings and
update pg_control. This allows us to notice the change in those settings in
the standby at the right moment, they used to be included in checkpoint
records, but that meant that a changed value was not reflected in the
standby until the first checkpoint after the change.
Bump PG_CONTROL_VERSION and XLOG_PAGE_MAGIC. Whack XLOG_PAGE_MAGIC back to
the sequence it used to follow, before hot standby and subsequent patches
changed it to 0x9003.
2010-04-28 18:10:43 +02:00
|
|
|
if (XLogArchiveMode && wal_level == WAL_LEVEL_MINIMAL)
|
|
|
|
|
ereport(ERROR,
|
2010-06-03 23:02:12 +02:00
|
|
|
(errmsg("WAL archival (archive_mode=on) requires wal_level \"archive\" or \"hot_standby\"")));
|
Introduce wal_level GUC to explicitly control if information needed for
archival or hot standby should be WAL-logged, instead of deducing that from
other options like archive_mode. This replaces recovery_connections GUC in
the primary, where it now has no effect, but it's still used in the standby
to enable/disable hot standby.
Remove the WAL-logging of "unlogged operations", like creating an index
without WAL-logging and fsyncing it at the end. Instead, we keep a copy of
the wal_mode setting and the settings that affect how much shared memory a
hot standby server needs to track master transactions (max_connections,
max_prepared_xacts, max_locks_per_xact) in pg_control. Whenever the settings
change, at server restart, write a WAL record noting the new settings and
update pg_control. This allows us to notice the change in those settings in
the standby at the right moment, they used to be included in checkpoint
records, but that meant that a changed value was not reflected in the
standby until the first checkpoint after the change.
Bump PG_CONTROL_VERSION and XLOG_PAGE_MAGIC. Whack XLOG_PAGE_MAGIC back to
the sequence it used to follow, before hot standby and subsequent patches
changed it to 0x9003.
2010-04-28 18:10:43 +02:00
|
|
|
if (max_wal_senders > 0 && wal_level == WAL_LEVEL_MINIMAL)
|
|
|
|
|
ereport(ERROR,
|
2010-06-03 23:02:12 +02:00
|
|
|
(errmsg("WAL streaming (max_wal_senders > 0) requires wal_level \"archive\" or \"hot_standby\"")));
|
2002-08-29 23:02:12 +02:00
|
|
|
|
2003-01-16 01:26:49 +01:00
|
|
|
/*
|
2005-10-20 22:05:45 +02:00
|
|
|
* Other one-time internal sanity checks can go here, if they are fast.
|
|
|
|
|
* (Put any slow processing further down, after postmaster.pid creation.)
|
2003-01-16 01:26:49 +01:00
|
|
|
*/
|
|
|
|
|
if (!CheckDateTokenTables())
|
|
|
|
|
{
|
2004-07-21 22:34:50 +02:00
|
|
|
write_stderr("%s: invalid datetoken tables, please fix\n", progname);
|
2003-01-16 01:26:49 +01:00
|
|
|
ExitPostmaster(1);
|
|
|
|
|
}
|
|
|
|
|
|
2001-10-19 22:47:09 +02:00
|
|
|
/*
|
2001-10-25 07:50:21 +02:00
|
|
|
* Now that we are done processing the postmaster arguments, reset
|
|
|
|
|
* getopt(3) library so that it will work correctly in subprocesses.
|
2001-10-19 22:47:09 +02:00
|
|
|
*/
|
|
|
|
|
optind = 1;
|
2010-12-16 22:22:05 +01:00
|
|
|
#ifdef HAVE_INT_OPTRESET
|
2001-10-21 05:25:36 +02:00
|
|
|
optreset = 1; /* some systems need this too */
|
2001-10-19 22:47:09 +02:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* For debugging: display postmaster environment */
|
2000-11-12 21:51:52 +01:00
|
|
|
{
|
|
|
|
|
extern char **environ;
|
|
|
|
|
char **p;
|
|
|
|
|
|
2003-08-12 20:23:21 +02:00
|
|
|
ereport(DEBUG3,
|
2005-10-15 04:49:52 +02:00
|
|
|
(errmsg_internal("%s: PostmasterMain: initial environ dump:",
|
|
|
|
|
progname)));
|
2003-08-12 20:23:21 +02:00
|
|
|
ereport(DEBUG3,
|
2005-10-15 04:49:52 +02:00
|
|
|
(errmsg_internal("-----------------------------------------")));
|
2000-11-12 21:51:52 +01:00
|
|
|
for (p = environ; *p; ++p)
|
2003-08-12 20:23:21 +02:00
|
|
|
ereport(DEBUG3,
|
|
|
|
|
(errmsg_internal("\t%s", *p)));
|
|
|
|
|
ereport(DEBUG3,
|
2005-10-15 04:49:52 +02:00
|
|
|
(errmsg_internal("-----------------------------------------")));
|
2000-11-12 21:51:52 +01:00
|
|
|
}
|
|
|
|
|
|
2000-11-29 21:59:54 +01:00
|
|
|
/*
|
2009-08-24 22:08:32 +02:00
|
|
|
* Fork away from controlling terminal, if silent_mode specified.
|
2000-11-29 21:59:54 +01:00
|
|
|
*
|
2005-11-22 19:17:34 +01:00
|
|
|
* Must do this before we grab any interlock files, else the interlocks
|
|
|
|
|
* will show the wrong PID.
|
2000-11-29 21:59:54 +01:00
|
|
|
*/
|
|
|
|
|
if (SilentMode)
|
2004-05-28 07:13:32 +02:00
|
|
|
pmdaemonize();
|
2000-11-29 21:59:54 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Create lockfile for data directory.
|
|
|
|
|
*
|
2005-10-15 04:49:52 +02:00
|
|
|
* We want to do this before we try to grab the input sockets, because the
|
|
|
|
|
* data directory interlock is more reliable than the socket-file
|
|
|
|
|
* interlock (thanks to whoever decided to put socket files in /tmp :-().
|
|
|
|
|
* For the same reason, it's best to grab the TCP socket(s) before the
|
|
|
|
|
* Unix socket.
|
2000-11-29 21:59:54 +01:00
|
|
|
*/
|
2005-07-04 06:51:52 +02:00
|
|
|
CreateDataDirLockFile(true);
|
2000-11-29 21:59:54 +01:00
|
|
|
|
2005-10-20 22:05:45 +02:00
|
|
|
/*
|
2005-11-22 19:17:34 +01:00
|
|
|
* If timezone is not set, determine what the OS uses. (In theory this
|
2005-10-20 22:05:45 +02:00
|
|
|
* should be done during GUC initialization, but because it can take as
|
|
|
|
|
* much as several seconds, we delay it until after we've created the
|
|
|
|
|
* postmaster.pid file. This prevents problems with boot scripts that
|
2006-07-29 05:02:56 +02:00
|
|
|
* expect the pidfile to appear quickly. Also, we avoid problems with
|
|
|
|
|
* trying to locate the timezone files too early in initialization.)
|
2005-10-20 22:05:45 +02:00
|
|
|
*/
|
|
|
|
|
pg_timezone_initialize();
|
|
|
|
|
|
2006-07-29 05:02:56 +02:00
|
|
|
/*
|
|
|
|
|
* Likewise, init timezone_abbreviations if not already set.
|
|
|
|
|
*/
|
|
|
|
|
pg_timezone_abbrev_initialize();
|
|
|
|
|
|
2005-10-20 22:05:45 +02:00
|
|
|
/*
|
|
|
|
|
* Initialize SSL library, if specified.
|
|
|
|
|
*/
|
|
|
|
|
#ifdef USE_SSL
|
|
|
|
|
if (EnableSSL)
|
|
|
|
|
secure_initialize();
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*
|
2006-08-08 21:15:09 +02:00
|
|
|
* process any libraries that should be preloaded at postmaster start
|
2005-10-20 22:05:45 +02:00
|
|
|
*/
|
2006-08-15 20:26:59 +02:00
|
|
|
process_shared_preload_libraries();
|
2005-10-20 22:05:45 +02:00
|
|
|
|
2001-06-11 06:12:29 +02:00
|
|
|
/*
|
2001-10-25 07:50:21 +02:00
|
|
|
* Remove old temporary files. At this point there can be no other
|
2005-10-15 04:49:52 +02:00
|
|
|
* Postgres processes running in this directory, so this should be safe.
|
2001-06-11 06:12:29 +02:00
|
|
|
*/
|
|
|
|
|
RemovePgTempFiles();
|
|
|
|
|
|
2000-11-12 21:51:52 +01:00
|
|
|
/*
|
|
|
|
|
* Establish input sockets.
|
|
|
|
|
*/
|
2003-06-12 09:36:51 +02:00
|
|
|
for (i = 0; i < MAXLISTEN; i++)
|
2010-01-10 15:16:08 +01:00
|
|
|
ListenSocket[i] = PGINVALID_SOCKET;
|
2003-07-24 01:30:41 +02:00
|
|
|
|
2004-03-23 02:23:48 +01:00
|
|
|
if (ListenAddresses)
|
1997-11-10 06:10:50 +01:00
|
|
|
{
|
2004-08-29 07:07:03 +02:00
|
|
|
char *rawstring;
|
|
|
|
|
List *elemlist;
|
|
|
|
|
ListCell *l;
|
2005-06-30 12:02:22 +02:00
|
|
|
int success = 0;
|
2004-03-23 02:23:48 +01:00
|
|
|
|
2004-08-08 22:17:36 +02:00
|
|
|
/* Need a modifiable copy of ListenAddresses */
|
|
|
|
|
rawstring = pstrdup(ListenAddresses);
|
|
|
|
|
|
|
|
|
|
/* Parse string into list of identifiers */
|
2004-08-29 07:07:03 +02:00
|
|
|
if (!SplitIdentifierString(rawstring, ',', &elemlist))
|
2000-04-12 19:17:23 +02:00
|
|
|
{
|
2004-08-08 22:17:36 +02:00
|
|
|
/* syntax error in list */
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
|
2005-10-15 04:49:52 +02:00
|
|
|
errmsg("invalid list syntax for \"listen_addresses\"")));
|
2004-08-08 22:17:36 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
foreach(l, elemlist)
|
|
|
|
|
{
|
2004-08-29 07:07:03 +02:00
|
|
|
char *curhost = (char *) lfirst(l);
|
2004-08-08 22:17:36 +02:00
|
|
|
|
2004-05-27 17:07:41 +02:00
|
|
|
if (strcmp(curhost, "*") == 0)
|
2004-03-23 02:23:48 +01:00
|
|
|
status = StreamServerPort(AF_UNSPEC, NULL,
|
|
|
|
|
(unsigned short) PostPortNumber,
|
|
|
|
|
UnixSocketDir,
|
|
|
|
|
ListenSocket, MAXLISTEN);
|
|
|
|
|
else
|
2003-07-24 01:30:41 +02:00
|
|
|
status = StreamServerPort(AF_UNSPEC, curhost,
|
|
|
|
|
(unsigned short) PostPortNumber,
|
|
|
|
|
UnixSocketDir,
|
|
|
|
|
ListenSocket, MAXLISTEN);
|
2010-12-31 23:24:26 +01:00
|
|
|
|
2005-06-30 12:02:22 +02:00
|
|
|
if (status == STATUS_OK)
|
2011-01-14 01:01:28 +01:00
|
|
|
{
|
2005-06-30 12:02:22 +02:00
|
|
|
success++;
|
2011-01-14 01:01:28 +01:00
|
|
|
/* record the first successful host addr in lockfile */
|
|
|
|
|
if (!listen_addr_saved)
|
|
|
|
|
{
|
|
|
|
|
AddToDataDirLockFile(LOCK_FILE_LINE_LISTEN_ADDR, curhost);
|
|
|
|
|
listen_addr_saved = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
2005-06-30 12:02:22 +02:00
|
|
|
else
|
2004-03-23 02:23:48 +01:00
|
|
|
ereport(WARNING,
|
2005-10-15 04:49:52 +02:00
|
|
|
(errmsg("could not create listen socket for \"%s\"",
|
|
|
|
|
curhost)));
|
2000-04-12 19:17:23 +02:00
|
|
|
}
|
2004-08-08 22:17:36 +02:00
|
|
|
|
2005-06-30 12:02:22 +02:00
|
|
|
if (!success && list_length(elemlist))
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errmsg("could not create any TCP/IP sockets")));
|
|
|
|
|
|
2004-08-08 22:17:36 +02:00
|
|
|
list_free(elemlist);
|
|
|
|
|
pfree(rawstring);
|
2004-03-23 02:23:48 +01:00
|
|
|
}
|
2003-07-24 01:30:41 +02:00
|
|
|
|
2005-05-15 02:26:19 +02:00
|
|
|
#ifdef USE_BONJOUR
|
|
|
|
|
/* Register for Bonjour only if we opened TCP socket(s) */
|
2010-01-10 15:16:08 +01:00
|
|
|
if (enable_bonjour && ListenSocket[0] != PGINVALID_SOCKET)
|
2004-03-23 02:23:48 +01:00
|
|
|
{
|
2009-09-08 18:08:26 +02:00
|
|
|
DNSServiceErrorType err;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We pass 0 for interface_index, which will result in registering on
|
|
|
|
|
* all "applicable" interfaces. It's not entirely clear from the
|
|
|
|
|
* DNS-SD docs whether this would be appropriate if we have bound to
|
|
|
|
|
* just a subset of the available network interfaces.
|
|
|
|
|
*/
|
|
|
|
|
err = DNSServiceRegister(&bonjour_sdref,
|
|
|
|
|
0,
|
|
|
|
|
0,
|
|
|
|
|
bonjour_name,
|
|
|
|
|
"_postgresql._tcp.",
|
|
|
|
|
NULL,
|
|
|
|
|
NULL,
|
|
|
|
|
htons(PostPortNumber),
|
|
|
|
|
0,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL);
|
|
|
|
|
if (err != kDNSServiceErr_NoError)
|
|
|
|
|
elog(LOG, "DNSServiceRegister() failed: error code %ld",
|
|
|
|
|
(long) err);
|
2010-02-26 03:01:40 +01:00
|
|
|
|
2009-09-08 18:08:26 +02:00
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* We don't bother to read the mDNS daemon's reply, and we expect that
|
|
|
|
|
* it will automatically terminate our registration when the socket is
|
|
|
|
|
* closed at postmaster termination. So there's nothing more to be
|
|
|
|
|
* done here. However, the bonjour_sdref is kept around so that
|
|
|
|
|
* forked children can close their copies of the socket.
|
2009-09-08 18:08:26 +02:00
|
|
|
*/
|
1997-11-10 06:10:50 +01:00
|
|
|
}
|
2004-03-23 02:23:48 +01:00
|
|
|
#endif
|
1999-09-27 05:13:16 +02:00
|
|
|
|
2000-08-20 12:55:35 +02:00
|
|
|
#ifdef HAVE_UNIX_SOCKETS
|
2003-06-12 09:36:51 +02:00
|
|
|
status = StreamServerPort(AF_UNIX, NULL,
|
2003-07-24 01:30:41 +02:00
|
|
|
(unsigned short) PostPortNumber,
|
|
|
|
|
UnixSocketDir,
|
|
|
|
|
ListenSocket, MAXLISTEN);
|
1997-09-07 07:04:48 +02:00
|
|
|
if (status != STATUS_OK)
|
2004-03-23 02:23:48 +01:00
|
|
|
ereport(WARNING,
|
2003-09-25 08:58:07 +02:00
|
|
|
(errmsg("could not create Unix-domain socket")));
|
1999-01-17 07:20:06 +01:00
|
|
|
#endif
|
2000-11-12 21:51:52 +01:00
|
|
|
|
2004-03-23 02:23:48 +01:00
|
|
|
/*
|
|
|
|
|
* check that we have some socket to listen on
|
|
|
|
|
*/
|
2010-01-10 15:16:08 +01:00
|
|
|
if (ListenSocket[0] == PGINVALID_SOCKET)
|
2004-03-23 02:23:48 +01:00
|
|
|
ereport(FATAL,
|
2004-03-24 16:20:54 +01:00
|
|
|
(errmsg("no socket created for listening")));
|
2004-03-23 02:23:48 +01:00
|
|
|
|
2011-01-14 01:01:28 +01:00
|
|
|
/*
|
|
|
|
|
* If no valid TCP ports, write an empty line for listen address,
|
|
|
|
|
* indicating the Unix socket must be used. Note that this line is not
|
|
|
|
|
* added to the lock file until there is a socket backing it.
|
|
|
|
|
*/
|
|
|
|
|
if (!listen_addr_saved)
|
|
|
|
|
AddToDataDirLockFile(LOCK_FILE_LINE_LISTEN_ADDR, "");
|
|
|
|
|
|
2000-11-29 21:59:54 +01:00
|
|
|
/*
|
|
|
|
|
* Set up shared memory and semaphores.
|
|
|
|
|
*/
|
2000-11-14 02:15:06 +01:00
|
|
|
reset_shared(PostPortNumber);
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2004-02-23 21:45:59 +01:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Estimate number of openable files. This must happen after setting up
|
|
|
|
|
* semaphores, because on some platforms semaphores count as open files.
|
2004-02-23 21:45:59 +01:00
|
|
|
*/
|
|
|
|
|
set_max_safe_fds();
|
|
|
|
|
|
1997-09-07 07:04:48 +02:00
|
|
|
/*
|
2001-06-21 18:43:24 +02:00
|
|
|
* Initialize the list of active backends.
|
1997-09-07 07:04:48 +02:00
|
|
|
*/
|
|
|
|
|
BackendList = DLNewList();
|
|
|
|
|
|
2004-01-26 23:59:54 +01:00
|
|
|
#ifdef WIN32
|
2004-08-29 07:07:03 +02:00
|
|
|
|
2004-01-26 23:59:54 +01:00
|
|
|
/*
|
2007-10-26 23:50:10 +02:00
|
|
|
* Initialize I/O completion port used to deliver list of dead children.
|
2004-01-26 23:59:54 +01:00
|
|
|
*/
|
2007-10-26 23:50:10 +02:00
|
|
|
win32ChildQueue = CreateIoCompletionPort(INVALID_HANDLE_VALUE, NULL, 0, 1);
|
|
|
|
|
if (win32ChildQueue == NULL)
|
2004-02-23 21:45:59 +01:00
|
|
|
ereport(FATAL,
|
2007-11-15 22:14:46 +01:00
|
|
|
(errmsg("could not create I/O completion port for child queue")));
|
2004-05-30 05:50:15 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set up a handle that child processes can use to check whether the
|
|
|
|
|
* postmaster is still running.
|
|
|
|
|
*/
|
|
|
|
|
if (DuplicateHandle(GetCurrentProcess(),
|
|
|
|
|
GetCurrentProcess(),
|
|
|
|
|
GetCurrentProcess(),
|
|
|
|
|
&PostmasterHandle,
|
|
|
|
|
0,
|
|
|
|
|
TRUE,
|
|
|
|
|
DUPLICATE_SAME_ACCESS) == 0)
|
|
|
|
|
ereport(FATAL,
|
2005-10-15 04:49:52 +02:00
|
|
|
(errmsg_internal("could not duplicate postmaster handle: error code %d",
|
|
|
|
|
(int) GetLastError())));
|
2004-01-26 23:59:54 +01:00
|
|
|
#endif
|
|
|
|
|
|
2000-11-29 21:59:54 +01:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Record postmaster options. We delay this till now to avoid recording
|
|
|
|
|
* bogus options (eg, NBuffers too high for available memory).
|
2000-11-29 21:59:54 +01:00
|
|
|
*/
|
2004-05-14 00:45:04 +02:00
|
|
|
if (!CreateOptsFile(argc, argv, my_exec_path))
|
2000-11-29 21:59:54 +01:00
|
|
|
ExitPostmaster(1);
|
2000-04-12 19:17:23 +02:00
|
|
|
|
2004-10-10 01:13:22 +02:00
|
|
|
#ifdef EXEC_BACKEND
|
2007-08-09 03:18:43 +02:00
|
|
|
/* Write out nondefault GUC settings for child processes to use */
|
2004-10-10 01:13:22 +02:00
|
|
|
write_nondefault_variables(PGC_POSTMASTER);
|
|
|
|
|
#endif
|
|
|
|
|
|
2004-10-08 03:36:36 +02:00
|
|
|
/*
|
|
|
|
|
* Write the external PID file if requested
|
|
|
|
|
*/
|
2004-10-10 01:13:22 +02:00
|
|
|
if (external_pid_file)
|
2004-10-08 03:36:36 +02:00
|
|
|
{
|
2004-10-10 01:13:22 +02:00
|
|
|
FILE *fpidfile = fopen(external_pid_file, "w");
|
2004-10-08 03:36:36 +02:00
|
|
|
|
|
|
|
|
if (fpidfile)
|
|
|
|
|
{
|
|
|
|
|
fprintf(fpidfile, "%d\n", MyProcPid);
|
|
|
|
|
fclose(fpidfile);
|
|
|
|
|
/* Should we remove the pid file on postmaster exit? */
|
|
|
|
|
}
|
|
|
|
|
else
|
2004-10-12 23:54:45 +02:00
|
|
|
write_stderr("%s: could not write external PID file \"%s\": %s\n",
|
2004-10-10 01:13:22 +02:00
|
|
|
progname, external_pid_file, strerror(errno));
|
2004-10-08 03:36:36 +02:00
|
|
|
}
|
|
|
|
|
|
1998-07-09 05:29:11 +02:00
|
|
|
/*
|
|
|
|
|
* Set up signal handlers for the postmaster process.
|
2002-02-19 20:53:35 +01:00
|
|
|
*
|
2002-09-04 22:31:48 +02:00
|
|
|
* CAUTION: when changing this list, check for side-effects on the signal
|
|
|
|
|
* handling setup of child processes. See tcop/postgres.c,
|
2007-07-24 06:54:09 +02:00
|
|
|
* bootstrap/bootstrap.c, postmaster/bgwriter.c, postmaster/walwriter.c,
|
|
|
|
|
* postmaster/autovacuum.c, postmaster/pgarch.c, postmaster/pgstat.c, and
|
|
|
|
|
* postmaster/syslogger.c.
|
1998-07-09 05:29:11 +02:00
|
|
|
*/
|
2000-06-28 05:33:33 +02:00
|
|
|
pqinitmask();
|
1999-10-06 23:58:18 +02:00
|
|
|
PG_SETMASK(&BlockSig);
|
|
|
|
|
|
2001-03-22 05:01:46 +01:00
|
|
|
pqsignal(SIGHUP, SIGHUP_handler); /* reread config file and have
|
|
|
|
|
* children do same */
|
2004-05-30 00:48:23 +02:00
|
|
|
pqsignal(SIGINT, pmdie); /* send SIGTERM and shut down */
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
pqsignal(SIGQUIT, pmdie); /* send SIGQUIT and die */
|
2004-05-30 00:48:23 +02:00
|
|
|
pqsignal(SIGTERM, pmdie); /* wait for children and shut down */
|
2000-04-12 19:17:23 +02:00
|
|
|
pqsignal(SIGALRM, SIG_IGN); /* ignored */
|
|
|
|
|
pqsignal(SIGPIPE, SIG_IGN); /* ignored */
|
2001-11-05 18:46:40 +01:00
|
|
|
pqsignal(SIGUSR1, sigusr1_handler); /* message from child process */
|
2001-11-04 20:55:31 +01:00
|
|
|
pqsignal(SIGUSR2, dummy_handler); /* unused, reserve for children */
|
2000-04-12 19:17:23 +02:00
|
|
|
pqsignal(SIGCHLD, reaper); /* handle child termination */
|
|
|
|
|
pqsignal(SIGTTIN, SIG_IGN); /* ignored */
|
|
|
|
|
pqsignal(SIGTTOU, SIG_IGN); /* ignored */
|
2003-03-24 23:40:14 +01:00
|
|
|
/* ignore SIGXFSZ, so that ulimit violations work like disk full */
|
|
|
|
|
#ifdef SIGXFSZ
|
|
|
|
|
pqsignal(SIGXFSZ, SIG_IGN); /* ignored */
|
|
|
|
|
#endif
|
1999-10-06 23:58:18 +02:00
|
|
|
|
2004-08-06 01:32:13 +02:00
|
|
|
/*
|
|
|
|
|
* If enabled, start up syslogger collection subprocess
|
|
|
|
|
*/
|
|
|
|
|
SysLoggerPID = SysLogger_Start();
|
|
|
|
|
|
2001-09-08 03:10:21 +02:00
|
|
|
/*
|
2005-11-22 19:17:34 +01:00
|
|
|
* Reset whereToSendOutput from DestDebug (its starting state) to
|
|
|
|
|
* DestNone. This stops ereport from sending log messages to stderr unless
|
2004-08-29 07:07:03 +02:00
|
|
|
* Log_destination permits. We don't do this until the postmaster is
|
|
|
|
|
* fully launched, since startup failures may as well be reported to
|
|
|
|
|
* stderr.
|
2001-09-08 03:10:21 +02:00
|
|
|
*/
|
2005-11-03 18:11:40 +01:00
|
|
|
whereToSendOutput = DestNone;
|
2001-09-08 03:10:21 +02:00
|
|
|
|
2001-07-03 18:52:12 +02:00
|
|
|
/*
|
2006-07-25 03:23:34 +02:00
|
|
|
* Initialize stats collection subsystem (this does NOT start the
|
|
|
|
|
* collector process!)
|
2001-07-03 18:52:12 +02:00
|
|
|
*/
|
2003-04-26 04:57:14 +02:00
|
|
|
pgstat_init();
|
2001-07-03 18:52:12 +02:00
|
|
|
|
2001-11-02 19:39:57 +01:00
|
|
|
/*
|
2006-07-25 03:23:34 +02:00
|
|
|
* Initialize the autovacuum subsystem (again, no process start yet)
|
2000-11-29 21:59:54 +01:00
|
|
|
*/
|
2006-07-25 03:23:34 +02:00
|
|
|
autovac_init();
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2009-08-24 22:08:32 +02:00
|
|
|
/*
|
|
|
|
|
* Load configuration files for client authentication.
|
|
|
|
|
*/
|
|
|
|
|
if (!load_hba())
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* It makes no sense to continue if we fail to load the HBA file,
|
|
|
|
|
* since there is no way to connect to the database in this case.
|
|
|
|
|
*/
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errmsg("could not load pg_hba.conf")));
|
|
|
|
|
}
|
|
|
|
|
load_ident();
|
|
|
|
|
|
2005-06-14 23:04:42 +02:00
|
|
|
/*
|
2005-06-30 00:51:57 +02:00
|
|
|
* Remember postmaster startup time
|
2005-06-14 23:04:42 +02:00
|
|
|
*/
|
2005-06-30 00:51:57 +02:00
|
|
|
PgStartTime = GetCurrentTimestamp();
|
2007-08-04 05:15:49 +02:00
|
|
|
/* PostmasterRandom wants its own copy */
|
|
|
|
|
gettimeofday(&random_start_time, NULL);
|
2005-06-14 23:04:42 +02:00
|
|
|
|
2005-07-14 07:13:45 +02:00
|
|
|
/*
|
2006-07-25 03:23:34 +02:00
|
|
|
* We're ready to rock and roll...
|
2005-07-14 07:13:45 +02:00
|
|
|
*/
|
2006-07-25 03:23:34 +02:00
|
|
|
StartupPID = StartupDataBase();
|
2007-08-09 03:18:43 +02:00
|
|
|
Assert(StartupPID != 0);
|
|
|
|
|
pmState = PM_STARTUP;
|
2005-07-14 07:13:45 +02:00
|
|
|
|
1997-09-07 07:04:48 +02:00
|
|
|
status = ServerLoop();
|
|
|
|
|
|
2000-11-29 21:59:54 +01:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* ServerLoop probably shouldn't ever return, but if it does, close down.
|
2000-11-29 21:59:54 +01:00
|
|
|
*/
|
1997-09-07 07:04:48 +02:00
|
|
|
ExitPostmaster(status != STATUS_OK);
|
2000-11-29 21:59:54 +01:00
|
|
|
|
1997-09-07 07:04:48 +02:00
|
|
|
return 0; /* not reached */
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
|
2009-05-03 00:02:37 +02:00
|
|
|
/*
|
|
|
|
|
* Compute and check the directory paths to files that are part of the
|
|
|
|
|
* installation (as deduced from the postgres executable's own location)
|
|
|
|
|
*/
|
|
|
|
|
static void
|
|
|
|
|
getInstallationPaths(const char *argv0)
|
|
|
|
|
{
|
|
|
|
|
DIR *pdir;
|
|
|
|
|
|
|
|
|
|
/* Locate the postgres executable itself */
|
|
|
|
|
if (find_my_exec(argv0, my_exec_path) < 0)
|
|
|
|
|
elog(FATAL, "%s: could not locate my own executable path", argv0);
|
|
|
|
|
|
|
|
|
|
#ifdef EXEC_BACKEND
|
|
|
|
|
/* Locate executable backend before we change working directory */
|
|
|
|
|
if (find_other_exec(argv0, "postgres", PG_BACKEND_VERSIONSTR,
|
|
|
|
|
postgres_exec_path) < 0)
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errmsg("%s: could not locate matching postgres executable",
|
|
|
|
|
argv0)));
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Locate the pkglib directory --- this has to be set early in case we try
|
|
|
|
|
* to load any modules from it in response to postgresql.conf entries.
|
|
|
|
|
*/
|
|
|
|
|
get_pkglib_path(my_exec_path, pkglib_path);
|
|
|
|
|
|
|
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* Verify that there's a readable directory there; otherwise the Postgres
|
|
|
|
|
* installation is incomplete or corrupt. (A typical cause of this
|
|
|
|
|
* failure is that the postgres executable has been moved or hardlinked to
|
|
|
|
|
* some directory that's not a sibling of the installation lib/
|
|
|
|
|
* directory.)
|
2009-05-03 00:02:37 +02:00
|
|
|
*/
|
|
|
|
|
pdir = AllocateDir(pkglib_path);
|
|
|
|
|
if (pdir == NULL)
|
|
|
|
|
ereport(ERROR,
|
|
|
|
|
(errcode_for_file_access(),
|
|
|
|
|
errmsg("could not open directory \"%s\": %m",
|
|
|
|
|
pkglib_path),
|
|
|
|
|
errhint("This may indicate an incomplete PostgreSQL installation, or that the file \"%s\" has been moved away from its proper location.",
|
|
|
|
|
my_exec_path)));
|
|
|
|
|
FreeDir(pdir);
|
|
|
|
|
|
|
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* XXX is it worth similarly checking the share/ directory? If the lib/
|
|
|
|
|
* directory is there, then share/ probably is too.
|
2009-05-03 00:02:37 +02:00
|
|
|
*/
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/*
|
|
|
|
|
* Validate the proposed data directory
|
|
|
|
|
*/
|
|
|
|
|
static void
|
2004-10-08 03:36:36 +02:00
|
|
|
checkDataDir(void)
|
2004-05-28 07:13:32 +02:00
|
|
|
{
|
|
|
|
|
char path[MAXPGPATH];
|
|
|
|
|
FILE *fp;
|
|
|
|
|
struct stat stat_buf;
|
|
|
|
|
|
2004-10-08 03:36:36 +02:00
|
|
|
Assert(DataDir);
|
2004-05-28 07:13:32 +02:00
|
|
|
|
2004-10-08 03:36:36 +02:00
|
|
|
if (stat(DataDir, &stat_buf) != 0)
|
2004-05-28 07:13:32 +02:00
|
|
|
{
|
|
|
|
|
if (errno == ENOENT)
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode_for_file_access(),
|
2004-08-06 01:32:13 +02:00
|
|
|
errmsg("data directory \"%s\" does not exist",
|
2004-10-08 03:36:36 +02:00
|
|
|
DataDir)));
|
2004-05-28 07:13:32 +02:00
|
|
|
else
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode_for_file_access(),
|
2005-10-15 04:49:52 +02:00
|
|
|
errmsg("could not read permissions of directory \"%s\": %m",
|
|
|
|
|
DataDir)));
|
2004-05-28 07:13:32 +02:00
|
|
|
}
|
|
|
|
|
|
2008-03-31 04:43:14 +02:00
|
|
|
/* eventual chdir would fail anyway, but let's test ... */
|
|
|
|
|
if (!S_ISDIR(stat_buf.st_mode))
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
|
|
|
|
errmsg("specified data directory \"%s\" is not a directory",
|
|
|
|
|
DataDir)));
|
|
|
|
|
|
2005-03-18 04:48:49 +01:00
|
|
|
/*
|
|
|
|
|
* Check that the directory belongs to my userid; if not, reject.
|
|
|
|
|
*
|
|
|
|
|
* This check is an essential part of the interlock that prevents two
|
|
|
|
|
* postmasters from starting in the same directory (see CreateLockFile()).
|
|
|
|
|
* Do not remove or weaken it.
|
|
|
|
|
*
|
|
|
|
|
* XXX can we safely enable this check on Windows?
|
|
|
|
|
*/
|
|
|
|
|
#if !defined(WIN32) && !defined(__CYGWIN__)
|
|
|
|
|
if (stat_buf.st_uid != geteuid())
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
|
|
|
|
errmsg("data directory \"%s\" has wrong ownership",
|
|
|
|
|
DataDir),
|
|
|
|
|
errhint("The server must be started by the user that owns the data directory.")));
|
|
|
|
|
#endif
|
|
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/*
|
|
|
|
|
* Check if the directory has group or world access. If so, reject.
|
|
|
|
|
*
|
2005-11-22 19:17:34 +01:00
|
|
|
* It would be possible to allow weaker constraints (for example, allow
|
|
|
|
|
* group access) but we cannot make a general assumption that that is
|
|
|
|
|
* okay; for example there are platforms where nearly all users
|
|
|
|
|
* customarily belong to the same group. Perhaps this test should be
|
|
|
|
|
* configurable.
|
2005-03-18 04:48:49 +01:00
|
|
|
*
|
2005-11-22 19:17:34 +01:00
|
|
|
* XXX temporarily suppress check when on Windows, because there may not
|
|
|
|
|
* be proper support for Unix-y file permissions. Need to think of a
|
2004-05-28 07:13:32 +02:00
|
|
|
* reasonable check to apply on Windows.
|
|
|
|
|
*/
|
2004-09-09 02:59:49 +02:00
|
|
|
#if !defined(WIN32) && !defined(__CYGWIN__)
|
2004-05-28 07:13:32 +02:00
|
|
|
if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
|
|
|
|
errmsg("data directory \"%s\" has group or world access",
|
2004-10-08 03:36:36 +02:00
|
|
|
DataDir),
|
2004-05-28 07:13:32 +02:00
|
|
|
errdetail("Permissions should be u=rwx (0700).")));
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* Look for PG_VERSION before looking for pg_control */
|
2004-10-08 03:36:36 +02:00
|
|
|
ValidatePgVersion(DataDir);
|
2004-05-28 07:13:32 +02:00
|
|
|
|
2004-10-08 03:36:36 +02:00
|
|
|
snprintf(path, sizeof(path), "%s/global/pg_control", DataDir);
|
2004-05-28 07:13:32 +02:00
|
|
|
|
|
|
|
|
fp = AllocateFile(path, PG_BINARY_R);
|
|
|
|
|
if (fp == NULL)
|
|
|
|
|
{
|
2004-07-21 22:34:50 +02:00
|
|
|
write_stderr("%s: could not find the database system\n"
|
|
|
|
|
"Expected to find it in the directory \"%s\",\n"
|
|
|
|
|
"but could not open file \"%s\": %s\n",
|
2004-10-08 03:36:36 +02:00
|
|
|
progname, DataDir, path, strerror(errno));
|
2004-05-28 07:13:32 +02:00
|
|
|
ExitPostmaster(2);
|
|
|
|
|
}
|
|
|
|
|
FreeFile(fp);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
2009-08-24 22:08:32 +02:00
|
|
|
* Fork away from the controlling terminal (silent_mode option)
|
|
|
|
|
*
|
|
|
|
|
* Since this requires disconnecting from stdin/stdout/stderr (in case they're
|
|
|
|
|
* linked to the terminal), we re-point stdin to /dev/null and stdout/stderr
|
|
|
|
|
* to "postmaster.log" in the data directory, where we're already chdir'd.
|
2004-05-28 07:13:32 +02:00
|
|
|
*/
|
1996-07-09 08:22:35 +02:00
|
|
|
static void
|
2004-05-28 07:13:32 +02:00
|
|
|
pmdaemonize(void)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2004-05-30 00:48:23 +02:00
|
|
|
#ifndef WIN32
|
2009-08-24 22:08:32 +02:00
|
|
|
const char *pmlogname = "postmaster.log";
|
|
|
|
|
int dvnull;
|
|
|
|
|
int pmlog;
|
2000-04-12 19:17:23 +02:00
|
|
|
pid_t pid;
|
2009-08-24 22:08:32 +02:00
|
|
|
int res;
|
2002-09-04 22:31:48 +02:00
|
|
|
|
2009-08-24 22:08:32 +02:00
|
|
|
/*
|
|
|
|
|
* Make sure we can open the files we're going to redirect to. If this
|
|
|
|
|
* fails, we want to complain before disconnecting. Mention the full path
|
|
|
|
|
* of the logfile in the error message, even though we address it by
|
|
|
|
|
* relative path.
|
|
|
|
|
*/
|
|
|
|
|
dvnull = open(DEVNULL, O_RDONLY, 0);
|
|
|
|
|
if (dvnull < 0)
|
|
|
|
|
{
|
|
|
|
|
write_stderr("%s: could not open file \"%s\": %s\n",
|
|
|
|
|
progname, DEVNULL, strerror(errno));
|
|
|
|
|
ExitPostmaster(1);
|
|
|
|
|
}
|
2010-12-10 23:35:33 +01:00
|
|
|
pmlog = open(pmlogname, O_CREAT | O_WRONLY | O_APPEND, S_IRUSR | S_IWUSR);
|
2009-08-24 22:08:32 +02:00
|
|
|
if (pmlog < 0)
|
|
|
|
|
{
|
|
|
|
|
write_stderr("%s: could not open log file \"%s/%s\": %s\n",
|
|
|
|
|
progname, DataDir, pmlogname, strerror(errno));
|
|
|
|
|
ExitPostmaster(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Okay to fork.
|
|
|
|
|
*/
|
2005-03-10 08:14:03 +01:00
|
|
|
pid = fork_process();
|
2000-11-29 23:04:04 +01:00
|
|
|
if (pid == (pid_t) -1)
|
2000-04-12 19:17:23 +02:00
|
|
|
{
|
2004-07-21 22:34:50 +02:00
|
|
|
write_stderr("%s: could not fork background process: %s\n",
|
|
|
|
|
progname, strerror(errno));
|
1999-12-04 09:23:43 +01:00
|
|
|
ExitPostmaster(1);
|
2000-04-12 19:17:23 +02:00
|
|
|
}
|
|
|
|
|
else if (pid)
|
|
|
|
|
{ /* parent */
|
2000-11-29 21:59:54 +01:00
|
|
|
/* Parent should just exit, without doing any atexit cleanup */
|
|
|
|
|
_exit(0);
|
1999-12-04 09:23:43 +01:00
|
|
|
}
|
1999-12-06 08:21:12 +01:00
|
|
|
|
2004-08-29 07:07:03 +02:00
|
|
|
MyProcPid = PostmasterPid = getpid(); /* reset PID vars to child */
|
2000-11-29 23:04:04 +01:00
|
|
|
|
2007-08-03 01:39:45 +02:00
|
|
|
MyStartTime = time(NULL);
|
|
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/*
|
2009-08-24 22:08:32 +02:00
|
|
|
* Some systems use setsid() to dissociate from the TTY's process group,
|
2010-02-26 03:01:40 +01:00
|
|
|
* while on others it depends on stdin/stdout/stderr. Do both if
|
|
|
|
|
* possible.
|
2007-08-09 03:18:43 +02:00
|
|
|
*/
|
1997-02-13 09:32:20 +01:00
|
|
|
#ifdef HAVE_SETSID
|
1997-09-07 07:04:48 +02:00
|
|
|
if (setsid() < 0)
|
|
|
|
|
{
|
2004-07-21 22:34:50 +02:00
|
|
|
write_stderr("%s: could not dissociate from controlling TTY: %s\n",
|
|
|
|
|
progname, strerror(errno));
|
2000-11-29 21:59:54 +01:00
|
|
|
ExitPostmaster(1);
|
1997-09-07 07:04:48 +02:00
|
|
|
}
|
1997-02-13 09:32:20 +01:00
|
|
|
#endif
|
2009-08-24 22:08:32 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Reassociate stdin/stdout/stderr. fork_process() cleared any pending
|
2010-02-26 03:01:40 +01:00
|
|
|
* output, so this should be safe. The only plausible error is EINTR,
|
2009-08-24 22:08:32 +02:00
|
|
|
* which just means we should retry.
|
|
|
|
|
*/
|
2010-02-26 03:01:40 +01:00
|
|
|
do
|
|
|
|
|
{
|
2009-08-24 22:08:32 +02:00
|
|
|
res = dup2(dvnull, 0);
|
|
|
|
|
} while (res < 0 && errno == EINTR);
|
|
|
|
|
close(dvnull);
|
2010-02-26 03:01:40 +01:00
|
|
|
do
|
|
|
|
|
{
|
2009-08-24 22:08:32 +02:00
|
|
|
res = dup2(pmlog, 1);
|
|
|
|
|
} while (res < 0 && errno == EINTR);
|
2010-02-26 03:01:40 +01:00
|
|
|
do
|
|
|
|
|
{
|
2009-08-24 22:08:32 +02:00
|
|
|
res = dup2(pmlog, 2);
|
|
|
|
|
} while (res < 0 && errno == EINTR);
|
|
|
|
|
close(pmlog);
|
2004-08-29 07:07:03 +02:00
|
|
|
#else /* WIN32 */
|
2004-05-30 00:48:23 +02:00
|
|
|
/* not supported */
|
2009-08-24 22:08:32 +02:00
|
|
|
elog(FATAL, "silent_mode is not supported under Windows");
|
2004-08-29 07:07:03 +02:00
|
|
|
#endif /* WIN32 */
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
2000-07-12 19:38:53 +02:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/*
|
2004-05-30 00:48:23 +02:00
|
|
|
* Main idle loop of postmaster
|
2004-05-28 07:13:32 +02:00
|
|
|
*/
|
1997-08-19 23:40:56 +02:00
|
|
|
static int
|
1996-10-04 22:17:11 +02:00
|
|
|
ServerLoop(void)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2003-08-04 02:43:34 +02:00
|
|
|
fd_set readmask;
|
1998-02-26 05:46:47 +01:00
|
|
|
int nSockets;
|
2004-05-30 00:48:23 +02:00
|
|
|
time_t now,
|
|
|
|
|
last_touch_time;
|
1998-06-08 06:27:59 +02:00
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
last_touch_time = time(NULL);
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2003-07-24 01:30:41 +02:00
|
|
|
nSockets = initMasks(&readmask);
|
1997-09-07 07:04:48 +02:00
|
|
|
|
|
|
|
|
for (;;)
|
|
|
|
|
{
|
2003-07-24 01:30:41 +02:00
|
|
|
fd_set rmask;
|
2004-05-30 00:48:23 +02:00
|
|
|
int selres;
|
2001-11-04 20:55:31 +01:00
|
|
|
|
|
|
|
|
/*
|
2007-08-09 03:18:43 +02:00
|
|
|
* Wait for a connection request to arrive.
|
2004-05-30 00:48:23 +02:00
|
|
|
*
|
2007-02-16 00:23:23 +01:00
|
|
|
* We wait at most one minute, to ensure that the other background
|
|
|
|
|
* tasks handled below get done even when no requests are arriving.
|
2007-08-09 03:18:43 +02:00
|
|
|
*
|
2007-11-15 22:14:46 +01:00
|
|
|
* If we are in PM_WAIT_DEAD_END state, then we don't want to accept
|
|
|
|
|
* any new connections, so we don't call select() at all; just sleep
|
|
|
|
|
* for a little bit with signals unblocked.
|
2001-11-04 20:55:31 +01:00
|
|
|
*/
|
2004-05-30 00:48:23 +02:00
|
|
|
memcpy((char *) &rmask, (char *) &readmask, sizeof(fd_set));
|
|
|
|
|
|
|
|
|
|
PG_SETMASK(&UnBlockSig);
|
1998-01-26 02:42:53 +01:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
if (pmState == PM_WAIT_DEAD_END)
|
|
|
|
|
{
|
2007-11-15 22:14:46 +01:00
|
|
|
pg_usleep(100000L); /* 100 msec seems reasonable */
|
2007-08-09 03:18:43 +02:00
|
|
|
selres = 0;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* must set timeout each time; some OSes change it! */
|
|
|
|
|
struct timeval timeout;
|
|
|
|
|
|
|
|
|
|
timeout.tv_sec = 60;
|
|
|
|
|
timeout.tv_usec = 0;
|
|
|
|
|
|
|
|
|
|
selres = select(nSockets, &rmask, NULL, NULL, &timeout);
|
|
|
|
|
}
|
2003-11-19 16:55:08 +01:00
|
|
|
|
2000-10-26 00:27:25 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Block all signals until we wait again. (This makes it safe for our
|
|
|
|
|
* signal handlers to do nontrivial work.)
|
2000-10-26 00:27:25 +02:00
|
|
|
*/
|
2004-05-30 00:48:23 +02:00
|
|
|
PG_SETMASK(&BlockSig);
|
2000-10-24 23:33:52 +02:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/* Now check the select() result */
|
2004-05-30 00:48:23 +02:00
|
|
|
if (selres < 0)
|
1997-09-07 07:04:48 +02:00
|
|
|
{
|
2004-07-27 03:46:03 +02:00
|
|
|
if (errno != EINTR && errno != EWOULDBLOCK)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("select() failed in postmaster: %m")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
1997-09-07 07:04:48 +02:00
|
|
|
}
|
2000-10-24 23:33:52 +02:00
|
|
|
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* New connection pending on any of our sockets? If so, fork a child
|
|
|
|
|
* process to deal with it.
|
1998-06-09 06:06:12 +02:00
|
|
|
*/
|
2004-05-30 00:48:23 +02:00
|
|
|
if (selres > 0)
|
1998-06-08 06:27:59 +02:00
|
|
|
{
|
2007-08-09 03:18:43 +02:00
|
|
|
int i;
|
|
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
for (i = 0; i < MAXLISTEN; i++)
|
2001-06-21 18:43:24 +02:00
|
|
|
{
|
2010-01-10 15:16:08 +01:00
|
|
|
if (ListenSocket[i] == PGINVALID_SOCKET)
|
2004-05-30 00:48:23 +02:00
|
|
|
break;
|
|
|
|
|
if (FD_ISSET(ListenSocket[i], &rmask))
|
2003-06-12 09:36:51 +02:00
|
|
|
{
|
2007-08-09 03:18:43 +02:00
|
|
|
Port *port;
|
|
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
port = ConnCreate(ListenSocket[i]);
|
|
|
|
|
if (port)
|
|
|
|
|
{
|
|
|
|
|
BackendStartup(port);
|
|
|
|
|
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* We no longer need the open socket or port structure
|
|
|
|
|
* in this process
|
2004-05-30 00:48:23 +02:00
|
|
|
*/
|
|
|
|
|
StreamClose(port->sock);
|
|
|
|
|
ConnFree(port);
|
|
|
|
|
}
|
2003-06-12 09:36:51 +02:00
|
|
|
}
|
2001-06-21 18:43:24 +02:00
|
|
|
}
|
1999-09-27 05:13:16 +02:00
|
|
|
}
|
2003-04-26 04:57:14 +02:00
|
|
|
|
2007-08-19 03:41:25 +02:00
|
|
|
/* If we have lost the log collector, try to start a new one */
|
|
|
|
|
if (SysLoggerPID == 0 && Logging_collector)
|
2004-08-06 01:32:13 +02:00
|
|
|
SysLoggerPID = SysLogger_Start();
|
|
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
/*
|
2004-08-29 07:07:03 +02:00
|
|
|
* If no background writer process is running, and we are not in a
|
|
|
|
|
* state that prevents it, start one. It doesn't matter if this
|
2004-05-30 00:48:23 +02:00
|
|
|
* fails, we'll just try again later.
|
|
|
|
|
*/
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
if (BgWriterPID == 0 &&
|
2009-06-11 16:49:15 +02:00
|
|
|
(pmState == PM_RUN || pmState == PM_RECOVERY ||
|
2010-05-15 22:01:32 +02:00
|
|
|
pmState == PM_HOT_STANDBY))
|
2004-05-30 00:48:23 +02:00
|
|
|
BgWriterPID = StartBackgroundWriter();
|
|
|
|
|
|
2007-07-24 06:54:09 +02:00
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Likewise, if we have lost the walwriter process, try to start a new
|
|
|
|
|
* one.
|
2007-07-24 06:54:09 +02:00
|
|
|
*/
|
2007-08-09 03:18:43 +02:00
|
|
|
if (WalWriterPID == 0 && pmState == PM_RUN)
|
2007-07-24 06:54:09 +02:00
|
|
|
WalWriterPID = StartWalWriter();
|
|
|
|
|
|
2011-04-25 18:00:21 +02:00
|
|
|
/*
|
|
|
|
|
* If we have lost the autovacuum launcher, try to start a new one.
|
|
|
|
|
* We don't want autovacuum to run in binary upgrade mode because
|
|
|
|
|
* autovacuum might update relfrozenxid for empty tables before
|
|
|
|
|
* the physical files are put in place.
|
|
|
|
|
*/
|
|
|
|
|
if (!IsBinaryUpgrade && AutoVacPID == 0 &&
|
2007-07-01 20:28:41 +02:00
|
|
|
(AutoVacuumingActive() || start_autovac_launcher) &&
|
2007-08-09 03:18:43 +02:00
|
|
|
pmState == PM_RUN)
|
Fix recently-understood problems with handling of XID freezing, particularly
in PITR scenarios. We now WAL-log the replacement of old XIDs with
FrozenTransactionId, so that such replacement is guaranteed to propagate to
PITR slave databases. Also, rather than relying on hint-bit updates to be
preserved, pg_clog is not truncated until all instances of an XID are known to
have been replaced by FrozenTransactionId. Add new GUC variables and
pg_autovacuum columns to allow management of the freezing policy, so that
users can trade off the size of pg_clog against the amount of freezing work
done. Revise the already-existing code that forces autovacuum of tables
approaching the wraparound point to make it more bulletproof; also, revise the
autovacuum logic so that anti-wraparound vacuuming is done per-table rather
than per-database. initdb forced because of changes in pg_class, pg_database,
and pg_autovacuum catalogs. Heikki Linnakangas, Simon Riggs, and Tom Lane.
2006-11-05 23:42:10 +01:00
|
|
|
{
|
2007-02-16 00:23:23 +01:00
|
|
|
AutoVacPID = StartAutoVacLauncher();
|
Fix recently-understood problems with handling of XID freezing, particularly
in PITR scenarios. We now WAL-log the replacement of old XIDs with
FrozenTransactionId, so that such replacement is guaranteed to propagate to
PITR slave databases. Also, rather than relying on hint-bit updates to be
preserved, pg_clog is not truncated until all instances of an XID are known to
have been replaced by FrozenTransactionId. Add new GUC variables and
pg_autovacuum columns to allow management of the freezing policy, so that
users can trade off the size of pg_clog against the amount of freezing work
done. Revise the already-existing code that forces autovacuum of tables
approaching the wraparound point to make it more bulletproof; also, revise the
autovacuum logic so that anti-wraparound vacuuming is done per-table rather
than per-database. initdb forced because of changes in pg_class, pg_database,
and pg_autovacuum catalogs. Heikki Linnakangas, Simon Riggs, and Tom Lane.
2006-11-05 23:42:10 +01:00
|
|
|
if (AutoVacPID != 0)
|
2007-11-15 22:14:46 +01:00
|
|
|
start_autovac_launcher = false; /* signal processed */
|
Fix recently-understood problems with handling of XID freezing, particularly
in PITR scenarios. We now WAL-log the replacement of old XIDs with
FrozenTransactionId, so that such replacement is guaranteed to propagate to
PITR slave databases. Also, rather than relying on hint-bit updates to be
preserved, pg_clog is not truncated until all instances of an XID are known to
have been replaced by FrozenTransactionId. Add new GUC variables and
pg_autovacuum columns to allow management of the freezing policy, so that
users can trade off the size of pg_clog against the amount of freezing work
done. Revise the already-existing code that forces autovacuum of tables
approaching the wraparound point to make it more bulletproof; also, revise the
autovacuum logic so that anti-wraparound vacuuming is done per-table rather
than per-database. initdb forced because of changes in pg_class, pg_database,
and pg_autovacuum catalogs. Heikki Linnakangas, Simon Riggs, and Tom Lane.
2006-11-05 23:42:10 +01:00
|
|
|
}
|
2005-07-14 07:13:45 +02:00
|
|
|
|
2008-01-11 01:54:09 +01:00
|
|
|
/* If we have lost the archiver, try to start a new one */
|
|
|
|
|
if (XLogArchivingActive() && PgArchPID == 0 && pmState == PM_RUN)
|
2004-07-19 04:47:16 +02:00
|
|
|
PgArchPID = pgarch_start();
|
2004-08-29 07:07:03 +02:00
|
|
|
|
2003-04-26 04:57:14 +02:00
|
|
|
/* If we have lost the stats collector, try to start a new one */
|
2007-08-09 03:18:43 +02:00
|
|
|
if (PgStatPID == 0 && pmState == PM_RUN)
|
2004-06-14 20:08:19 +02:00
|
|
|
PgStatPID = pgstat_start();
|
2004-05-30 00:48:23 +02:00
|
|
|
|
2009-08-24 19:23:02 +02:00
|
|
|
/* If we need to signal the autovacuum launcher, do so now */
|
|
|
|
|
if (avlauncher_needs_signal)
|
|
|
|
|
{
|
|
|
|
|
avlauncher_needs_signal = false;
|
|
|
|
|
if (AutoVacPID != 0)
|
2009-08-31 21:41:00 +02:00
|
|
|
kill(AutoVacPID, SIGUSR2);
|
2009-08-24 19:23:02 +02:00
|
|
|
}
|
|
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Touch the socket and lock file every 58 minutes, to ensure that
|
|
|
|
|
* they are not removed by overzealous /tmp-cleaning tasks. We assume
|
|
|
|
|
* no one runs cleaners with cutoff times of less than an hour ...
|
2004-05-30 00:48:23 +02:00
|
|
|
*/
|
|
|
|
|
now = time(NULL);
|
2005-07-21 05:56:25 +02:00
|
|
|
if (now - last_touch_time >= 58 * SECS_PER_MINUTE)
|
2004-05-30 00:48:23 +02:00
|
|
|
{
|
|
|
|
|
TouchSocketFile();
|
|
|
|
|
TouchSocketLockFile();
|
|
|
|
|
last_touch_time = now;
|
|
|
|
|
}
|
1997-09-07 07:04:48 +02:00
|
|
|
}
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
1996-10-12 09:48:49 +02:00
|
|
|
|
|
|
|
|
/*
|
2004-05-30 00:48:23 +02:00
|
|
|
* Initialise the masks for select() for the ports we are listening on.
|
|
|
|
|
* Return the number of sockets to listen on.
|
1998-01-26 02:42:53 +01:00
|
|
|
*/
|
1998-02-26 05:46:47 +01:00
|
|
|
static int
|
2003-07-24 01:30:41 +02:00
|
|
|
initMasks(fd_set *rmask)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2007-08-09 03:18:43 +02:00
|
|
|
int maxsock = -1;
|
2003-06-12 09:36:51 +02:00
|
|
|
int i;
|
1998-01-26 02:42:53 +01:00
|
|
|
|
|
|
|
|
FD_ZERO(rmask);
|
|
|
|
|
|
2003-06-12 09:36:51 +02:00
|
|
|
for (i = 0; i < MAXLISTEN; i++)
|
1997-09-07 07:04:48 +02:00
|
|
|
{
|
2003-08-04 02:43:34 +02:00
|
|
|
int fd = ListenSocket[i];
|
2003-07-24 01:30:41 +02:00
|
|
|
|
2010-01-10 15:16:08 +01:00
|
|
|
if (fd == PGINVALID_SOCKET)
|
2003-07-24 01:30:41 +02:00
|
|
|
break;
|
2010-07-06 21:19:02 +02:00
|
|
|
FD_SET(fd, rmask);
|
2009-06-11 16:49:15 +02:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
if (fd > maxsock)
|
|
|
|
|
maxsock = fd;
|
1997-09-07 07:04:48 +02:00
|
|
|
}
|
1998-01-26 02:42:53 +01:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
return maxsock + 1;
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
1996-10-12 09:48:49 +02:00
|
|
|
|
|
|
|
|
/*
|
2007-08-09 03:18:43 +02:00
|
|
|
* Read a client's startup packet and do something according to it.
|
2001-06-20 20:07:56 +02:00
|
|
|
*
|
2003-07-22 21:00:12 +02:00
|
|
|
* Returns STATUS_OK or STATUS_ERROR, or might call ereport(FATAL) and
|
2001-06-20 20:07:56 +02:00
|
|
|
* not return at all.
|
2001-08-30 21:02:42 +02:00
|
|
|
*
|
2003-07-22 21:00:12 +02:00
|
|
|
* (Note that ereport(FATAL) stuff is sent to the client, so only use it
|
2001-10-19 02:44:08 +02:00
|
|
|
* if that's what you want. Return STATUS_ERROR if you don't want to
|
|
|
|
|
* send anything to the client, which would typically be appropriate
|
|
|
|
|
* if we detect a communications failure.)
|
1998-01-26 02:42:53 +01:00
|
|
|
*/
|
1998-07-09 05:29:11 +02:00
|
|
|
static int
|
2001-06-21 18:43:24 +02:00
|
|
|
ProcessStartupPacket(Port *port, bool SSLdone)
|
1996-10-12 09:48:49 +02:00
|
|
|
{
|
2001-06-20 20:07:56 +02:00
|
|
|
int32 len;
|
|
|
|
|
void *buf;
|
2003-04-18 00:26:02 +02:00
|
|
|
ProtocolVersion proto;
|
|
|
|
|
MemoryContext oldcontext;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2001-10-19 02:44:08 +02:00
|
|
|
if (pq_getbytes((char *) &len, 4) == EOF)
|
|
|
|
|
{
|
2003-04-22 02:08:07 +02:00
|
|
|
/*
|
|
|
|
|
* EOF after SSLdone probably means the client didn't like our
|
2005-10-15 04:49:52 +02:00
|
|
|
* response to NEGOTIATE_SSL_CODE. That's not an error condition, so
|
|
|
|
|
* don't clutter the log with a complaint.
|
2003-04-22 02:08:07 +02:00
|
|
|
*/
|
|
|
|
|
if (!SSLdone)
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("incomplete startup packet")));
|
2001-10-19 02:44:08 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2001-06-20 20:07:56 +02:00
|
|
|
len = ntohl(len);
|
|
|
|
|
len -= 4;
|
|
|
|
|
|
2003-04-18 00:26:02 +02:00
|
|
|
if (len < (int32) sizeof(ProtocolVersion) ||
|
|
|
|
|
len > MAX_STARTUP_PACKET_LENGTH)
|
2003-04-22 02:08:07 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("invalid length of startup packet")));
|
2003-04-22 02:08:07 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2001-06-20 20:07:56 +02:00
|
|
|
|
2003-04-18 00:26:02 +02:00
|
|
|
/*
|
|
|
|
|
* Allocate at least the size of an old-style startup packet, plus one
|
2005-10-15 04:49:52 +02:00
|
|
|
* extra byte, and make sure all are zeroes. This ensures we will have
|
|
|
|
|
* null termination of all strings, in both fixed- and variable-length
|
|
|
|
|
* packet layouts.
|
2003-04-18 00:26:02 +02:00
|
|
|
*/
|
|
|
|
|
if (len <= (int32) sizeof(StartupPacket))
|
|
|
|
|
buf = palloc0(sizeof(StartupPacket) + 1);
|
|
|
|
|
else
|
|
|
|
|
buf = palloc0(len + 1);
|
2001-10-19 02:44:08 +02:00
|
|
|
|
|
|
|
|
if (pq_getbytes(buf, len) == EOF)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("incomplete startup packet")));
|
2001-10-19 02:44:08 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2001-07-30 16:50:24 +02:00
|
|
|
|
1998-09-01 06:40:42 +02:00
|
|
|
/*
|
|
|
|
|
* The first field is either a protocol version number or a special
|
|
|
|
|
* request code.
|
1998-07-09 05:29:11 +02:00
|
|
|
*/
|
2003-04-18 00:26:02 +02:00
|
|
|
port->proto = proto = ntohl(*((ProtocolVersion *) buf));
|
1998-07-09 05:29:11 +02:00
|
|
|
|
2003-04-18 00:26:02 +02:00
|
|
|
if (proto == CANCEL_REQUEST_CODE)
|
2001-06-20 20:07:56 +02:00
|
|
|
{
|
2003-04-18 00:26:02 +02:00
|
|
|
processCancelRequest(port, buf);
|
2009-08-29 21:26:52 +02:00
|
|
|
/* Not really an error, but we don't want to proceed further */
|
|
|
|
|
return STATUS_ERROR;
|
2001-06-20 20:07:56 +02:00
|
|
|
}
|
1998-07-09 05:29:11 +02:00
|
|
|
|
2003-04-18 00:26:02 +02:00
|
|
|
if (proto == NEGOTIATE_SSL_CODE && !SSLdone)
|
2000-04-12 19:17:23 +02:00
|
|
|
{
|
|
|
|
|
char SSLok;
|
|
|
|
|
|
1999-09-27 05:13:16 +02:00
|
|
|
#ifdef USE_SSL
|
2000-10-26 00:27:25 +02:00
|
|
|
/* No SSL when disabled or on Unix sockets */
|
2003-08-02 01:25:00 +02:00
|
|
|
if (!EnableSSL || IS_AF_UNIX(port->laddr.addr.ss_family))
|
2000-10-26 00:27:25 +02:00
|
|
|
SSLok = 'N';
|
2000-08-30 16:54:24 +02:00
|
|
|
else
|
2000-10-26 00:27:25 +02:00
|
|
|
SSLok = 'S'; /* Support for SSL */
|
1999-09-27 05:13:16 +02:00
|
|
|
#else
|
2000-04-12 19:17:23 +02:00
|
|
|
SSLok = 'N'; /* No support for SSL */
|
1999-09-27 05:13:16 +02:00
|
|
|
#endif
|
2006-07-16 20:17:14 +02:00
|
|
|
|
|
|
|
|
retry1:
|
2000-04-12 19:17:23 +02:00
|
|
|
if (send(port->sock, &SSLok, 1, 0) != 1)
|
|
|
|
|
{
|
2006-07-16 20:17:14 +02:00
|
|
|
if (errno == EINTR)
|
|
|
|
|
goto retry1; /* if interrupted, just retry */
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode_for_socket_access(),
|
2005-10-15 04:49:52 +02:00
|
|
|
errmsg("failed to send SSL negotiation response: %m")));
|
2001-10-28 07:26:15 +01:00
|
|
|
return STATUS_ERROR; /* close the connection */
|
2000-04-12 19:17:23 +02:00
|
|
|
}
|
|
|
|
|
|
1999-09-27 05:13:16 +02:00
|
|
|
#ifdef USE_SSL
|
UPDATED PATCH:
Attached are a revised set of SSL patches. Many of these patches
are motivated by security concerns, it's not just bug fixes. The key
differences (from stock 7.2.1) are:
*) almost all code that directly uses the OpenSSL library is in two
new files,
src/interfaces/libpq/fe-ssl.c
src/backend/postmaster/be-ssl.c
in the long run, it would be nice to merge these two files.
*) the legacy code to read and write network data have been
encapsulated into read_SSL() and write_SSL(). These functions
should probably be renamed - they handle both SSL and non-SSL
cases.
the remaining code should eliminate the problems identified
earlier, albeit not very cleanly.
*) both front- and back-ends will send a SSL shutdown via the
new close_SSL() function. This is necessary for sessions to
work properly.
(Sessions are not yet fully supported, but by cleanly closing
the SSL connection instead of just sending a TCP FIN packet
other SSL tools will be much happier.)
*) The client certificate and key are now expected in a subdirectory
of the user's home directory. Specifically,
- the directory .postgresql must be owned by the user, and
allow no access by 'group' or 'other.'
- the file .postgresql/postgresql.crt must be a regular file
owned by the user.
- the file .postgresql/postgresql.key must be a regular file
owned by the user, and allow no access by 'group' or 'other'.
At the current time encrypted private keys are not supported.
There should also be a way to support multiple client certs/keys.
*) the front-end performs minimal validation of the back-end cert.
Self-signed certs are permitted, but the common name *must*
match the hostname used by the front-end. (The cert itself
should always use a fully qualified domain name (FDQN) in its
common name field.)
This means that
psql -h eris db
will fail, but
psql -h eris.example.com db
will succeed. At the current time this must be an exact match;
future patches may support any FQDN that resolves to the address
returned by getpeername(2).
Another common "problem" is expiring certs. For now, it may be
a good idea to use a very-long-lived self-signed cert.
As a compile-time option, the front-end can specify a file
containing valid root certificates, but it is not yet required.
*) the back-end performs minimal validation of the client cert.
It allows self-signed certs. It checks for expiration. It
supports a compile-time option specifying a file containing
valid root certificates.
*) both front- and back-ends default to TLSv1, not SSLv3/SSLv2.
*) both front- and back-ends support DSA keys. DSA keys are
moderately more expensive on startup, but many people consider
them preferable than RSA keys. (E.g., SSH2 prefers DSA keys.)
*) if /dev/urandom exists, both client and server will read 16k
of randomization data from it.
*) the server can read empheral DH parameters from the files
$DataDir/dh512.pem
$DataDir/dh1024.pem
$DataDir/dh2048.pem
$DataDir/dh4096.pem
if none are provided, the server will default to hardcoded
parameter files provided by the OpenSSL project.
Remaining tasks:
*) the select() clauses need to be revisited - the SSL abstraction
layer may need to absorb more of the current code to avoid rare
deadlock conditions. This also touches on a true solution to
the pg_eof() problem.
*) the SIGPIPE signal handler may need to be revisited.
*) support encrypted private keys.
*) sessions are not yet fully supported. (SSL sessions can span
multiple "connections," and allow the client and server to avoid
costly renegotiations.)
*) makecert - a script that creates back-end certs.
*) pgkeygen - a tool that creates front-end certs.
*) the whole protocol issue, SASL, etc.
*) certs are fully validated - valid root certs must be available.
This is a hassle, but it means that you *can* trust the identity
of the server.
*) the client library can handle hardcoded root certificates, to
avoid the need to copy these files.
*) host name of server cert must resolve to IP address, or be a
recognized alias. This is more liberal than the previous
iteration.
*) the number of bytes transferred is tracked, and the session
key is periodically renegotiated.
*) basic cert generation scripts (mkcert.sh, pgkeygen.sh). The
configuration files have reasonable defaults for each type
of use.
Bear Giles
2002-06-14 06:23:17 +02:00
|
|
|
if (SSLok == 'S' && secure_open_server(port) == -1)
|
2002-09-04 22:31:48 +02:00
|
|
|
return STATUS_ERROR;
|
1999-09-27 05:13:16 +02:00
|
|
|
#endif
|
2001-06-21 18:43:24 +02:00
|
|
|
/* regular startup packet, cancel, etc packet should follow... */
|
|
|
|
|
/* but not another SSL negotiation request */
|
|
|
|
|
return ProcessStartupPacket(port, true);
|
2000-04-12 19:17:23 +02:00
|
|
|
}
|
1999-09-27 05:13:16 +02:00
|
|
|
|
1998-07-09 05:29:11 +02:00
|
|
|
/* Could add additional special packet types here */
|
|
|
|
|
|
2003-04-22 02:08:07 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Set FrontendProtocol now so that ereport() knows what format to send if
|
|
|
|
|
* we fail during startup.
|
2003-04-22 02:08:07 +02:00
|
|
|
*/
|
|
|
|
|
FrontendProtocol = proto;
|
1999-09-27 05:13:16 +02:00
|
|
|
|
1998-07-09 05:29:11 +02:00
|
|
|
/* Check we can handle the protocol the frontend is using. */
|
|
|
|
|
|
2003-04-18 00:26:02 +02:00
|
|
|
if (PG_PROTOCOL_MAJOR(proto) < PG_PROTOCOL_MAJOR(PG_PROTOCOL_EARLIEST) ||
|
2005-10-15 04:49:52 +02:00
|
|
|
PG_PROTOCOL_MAJOR(proto) > PG_PROTOCOL_MAJOR(PG_PROTOCOL_LATEST) ||
|
|
|
|
|
(PG_PROTOCOL_MAJOR(proto) == PG_PROTOCOL_MAJOR(PG_PROTOCOL_LATEST) &&
|
|
|
|
|
PG_PROTOCOL_MINOR(proto) > PG_PROTOCOL_MINOR(PG_PROTOCOL_LATEST)))
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
|
|
|
errmsg("unsupported frontend protocol %u.%u: server supports %u.0 to %u.%u",
|
2005-10-15 04:49:52 +02:00
|
|
|
PG_PROTOCOL_MAJOR(proto), PG_PROTOCOL_MINOR(proto),
|
2003-07-22 21:00:12 +02:00
|
|
|
PG_PROTOCOL_MAJOR(PG_PROTOCOL_EARLIEST),
|
|
|
|
|
PG_PROTOCOL_MAJOR(PG_PROTOCOL_LATEST),
|
|
|
|
|
PG_PROTOCOL_MINOR(PG_PROTOCOL_LATEST))));
|
1998-07-09 05:29:11 +02:00
|
|
|
|
2001-03-22 05:01:46 +01:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Now fetch parameters out of startup packet and save them into the Port
|
|
|
|
|
* structure. All data structures attached to the Port struct must be
|
2010-02-26 03:01:40 +01:00
|
|
|
* allocated in TopMemoryContext so that they will remain available in a
|
|
|
|
|
* running backend (even after PostmasterContext is destroyed). We need
|
2009-08-29 21:26:52 +02:00
|
|
|
* not worry about leaking this storage on failure, since we aren't in the
|
|
|
|
|
* postmaster process anymore.
|
2001-03-22 05:01:46 +01:00
|
|
|
*/
|
2003-04-18 00:26:02 +02:00
|
|
|
oldcontext = MemoryContextSwitchTo(TopMemoryContext);
|
|
|
|
|
|
|
|
|
|
if (PG_PROTOCOL_MAJOR(proto) >= 3)
|
|
|
|
|
{
|
2003-08-04 02:43:34 +02:00
|
|
|
int32 offset = sizeof(ProtocolVersion);
|
2003-04-18 00:26:02 +02:00
|
|
|
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Scan packet body for name/option pairs. We can assume any string
|
|
|
|
|
* beginning within the packet body is null-terminated, thanks to
|
|
|
|
|
* zeroing extra byte above.
|
2003-04-18 00:26:02 +02:00
|
|
|
*/
|
|
|
|
|
port->guc_options = NIL;
|
|
|
|
|
|
|
|
|
|
while (offset < len)
|
|
|
|
|
{
|
2003-08-04 02:43:34 +02:00
|
|
|
char *nameptr = ((char *) buf) + offset;
|
|
|
|
|
int32 valoffset;
|
|
|
|
|
char *valptr;
|
2003-04-18 00:26:02 +02:00
|
|
|
|
|
|
|
|
if (*nameptr == '\0')
|
|
|
|
|
break; /* found packet terminator */
|
|
|
|
|
valoffset = offset + strlen(nameptr) + 1;
|
|
|
|
|
if (valoffset >= len)
|
|
|
|
|
break; /* missing value, will complain below */
|
|
|
|
|
valptr = ((char *) buf) + valoffset;
|
|
|
|
|
|
|
|
|
|
if (strcmp(nameptr, "database") == 0)
|
|
|
|
|
port->database_name = pstrdup(valptr);
|
|
|
|
|
else if (strcmp(nameptr, "user") == 0)
|
|
|
|
|
port->user_name = pstrdup(valptr);
|
|
|
|
|
else if (strcmp(nameptr, "options") == 0)
|
|
|
|
|
port->cmdline_options = pstrdup(valptr);
|
2010-01-15 10:19:10 +01:00
|
|
|
else if (strcmp(nameptr, "replication") == 0)
|
|
|
|
|
{
|
2010-02-26 03:01:40 +01:00
|
|
|
if (!parse_bool(valptr, &am_walsender))
|
2010-01-15 10:19:10 +01:00
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
|
|
|
|
|
errmsg("invalid value for boolean option \"replication\"")));
|
|
|
|
|
}
|
2003-04-18 00:26:02 +02:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* Assume it's a generic GUC option */
|
|
|
|
|
port->guc_options = lappend(port->guc_options,
|
|
|
|
|
pstrdup(nameptr));
|
|
|
|
|
port->guc_options = lappend(port->guc_options,
|
|
|
|
|
pstrdup(valptr));
|
|
|
|
|
}
|
|
|
|
|
offset = valoffset + strlen(valptr) + 1;
|
|
|
|
|
}
|
2003-08-04 02:43:34 +02:00
|
|
|
|
2003-04-18 00:26:02 +02:00
|
|
|
/*
|
|
|
|
|
* If we didn't find a packet terminator exactly at the end of the
|
|
|
|
|
* given packet length, complain.
|
|
|
|
|
*/
|
2003-08-04 02:43:34 +02:00
|
|
|
if (offset != len - 1)
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("invalid startup packet layout: expected terminator as last byte")));
|
2003-04-18 00:26:02 +02:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Get the parameters from the old-style, fixed-width-fields startup
|
|
|
|
|
* packet as C strings. The packet destination was cleared first so a
|
|
|
|
|
* short packet has zeros silently added. We have to be prepared to
|
|
|
|
|
* truncate the pstrdup result for oversize fields, though.
|
2003-04-18 00:26:02 +02:00
|
|
|
*/
|
|
|
|
|
StartupPacket *packet = (StartupPacket *) buf;
|
|
|
|
|
|
|
|
|
|
port->database_name = pstrdup(packet->database);
|
|
|
|
|
if (strlen(port->database_name) > sizeof(packet->database))
|
|
|
|
|
port->database_name[sizeof(packet->database)] = '\0';
|
|
|
|
|
port->user_name = pstrdup(packet->user);
|
|
|
|
|
if (strlen(port->user_name) > sizeof(packet->user))
|
|
|
|
|
port->user_name[sizeof(packet->user)] = '\0';
|
|
|
|
|
port->cmdline_options = pstrdup(packet->options);
|
|
|
|
|
if (strlen(port->cmdline_options) > sizeof(packet->options))
|
|
|
|
|
port->cmdline_options[sizeof(packet->options)] = '\0';
|
|
|
|
|
port->guc_options = NIL;
|
|
|
|
|
}
|
2001-02-20 02:34:40 +01:00
|
|
|
|
1998-01-26 02:42:53 +01:00
|
|
|
/* Check a user name was given. */
|
2003-04-18 00:26:02 +02:00
|
|
|
if (port->user_name == NULL || port->user_name[0] == '\0')
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
2005-10-15 04:49:52 +02:00
|
|
|
errmsg("no PostgreSQL user name specified in startup packet")));
|
1998-01-26 02:42:53 +01:00
|
|
|
|
2003-04-18 00:26:02 +02:00
|
|
|
/* The database defaults to the user name. */
|
|
|
|
|
if (port->database_name == NULL || port->database_name[0] == '\0')
|
|
|
|
|
port->database_name = pstrdup(port->user_name);
|
|
|
|
|
|
2002-08-18 05:03:26 +02:00
|
|
|
if (Db_user_namespace)
|
2002-09-04 22:31:48 +02:00
|
|
|
{
|
2002-08-18 05:03:26 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* If user@, it is a global user, remove '@'. We only want to do this
|
|
|
|
|
* if there is an '@' at the end and no earlier in the user string or
|
|
|
|
|
* they may fake as a local user of another database attaching to this
|
|
|
|
|
* database.
|
2002-08-18 05:03:26 +02:00
|
|
|
*/
|
2003-04-18 00:26:02 +02:00
|
|
|
if (strchr(port->user_name, '@') ==
|
|
|
|
|
port->user_name + strlen(port->user_name) - 1)
|
|
|
|
|
*strchr(port->user_name, '@') = '\0';
|
2002-08-18 05:03:26 +02:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* Append '@' and dbname */
|
2003-04-18 00:26:02 +02:00
|
|
|
char *db_user;
|
2002-09-04 22:31:48 +02:00
|
|
|
|
2003-04-18 00:26:02 +02:00
|
|
|
db_user = palloc(strlen(port->user_name) +
|
|
|
|
|
strlen(port->database_name) + 2);
|
|
|
|
|
sprintf(db_user, "%s@%s", port->user_name, port->database_name);
|
|
|
|
|
port->user_name = db_user;
|
2002-08-18 05:03:26 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2003-04-18 00:26:02 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Truncate given database and user names to length of a Postgres name.
|
|
|
|
|
* This avoids lookup failures when overlength names are given.
|
2003-04-18 00:26:02 +02:00
|
|
|
*/
|
|
|
|
|
if (strlen(port->database_name) >= NAMEDATALEN)
|
|
|
|
|
port->database_name[NAMEDATALEN - 1] = '\0';
|
|
|
|
|
if (strlen(port->user_name) >= NAMEDATALEN)
|
|
|
|
|
port->user_name[NAMEDATALEN - 1] = '\0';
|
|
|
|
|
|
2010-01-15 10:19:10 +01:00
|
|
|
/* Walsender is not related to a particular database */
|
|
|
|
|
if (am_walsender)
|
|
|
|
|
port->database_name[0] = '\0';
|
|
|
|
|
|
2003-04-18 00:26:02 +02:00
|
|
|
/*
|
|
|
|
|
* Done putting stuff in TopMemoryContext.
|
|
|
|
|
*/
|
|
|
|
|
MemoryContextSwitchTo(oldcontext);
|
|
|
|
|
|
2000-11-29 21:59:54 +01:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* If we're going to reject the connection due to database state, say so
|
|
|
|
|
* now instead of wasting cycles on an authentication exchange. (This also
|
|
|
|
|
* allows a pg_ping utility to be written.)
|
2000-11-29 21:59:54 +01:00
|
|
|
*/
|
2003-12-20 18:31:21 +01:00
|
|
|
switch (port->canAcceptConnections)
|
2001-08-30 21:02:42 +02:00
|
|
|
{
|
|
|
|
|
case CAC_STARTUP:
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_CANNOT_CONNECT_NOW),
|
|
|
|
|
errmsg("the database system is starting up")));
|
2001-08-30 21:02:42 +02:00
|
|
|
break;
|
|
|
|
|
case CAC_SHUTDOWN:
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_CANNOT_CONNECT_NOW),
|
|
|
|
|
errmsg("the database system is shutting down")));
|
2001-08-30 21:02:42 +02:00
|
|
|
break;
|
|
|
|
|
case CAC_RECOVERY:
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_CANNOT_CONNECT_NOW),
|
|
|
|
|
errmsg("the database system is in recovery mode")));
|
2001-08-30 21:02:42 +02:00
|
|
|
break;
|
|
|
|
|
case CAC_TOOMANY:
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_TOO_MANY_CONNECTIONS),
|
|
|
|
|
errmsg("sorry, too many clients already")));
|
2001-08-30 21:02:42 +02:00
|
|
|
break;
|
2008-04-27 00:47:40 +02:00
|
|
|
case CAC_WAITBACKUP:
|
|
|
|
|
/* OK for now, will check in InitPostgres */
|
|
|
|
|
break;
|
2001-08-30 21:02:42 +02:00
|
|
|
case CAC_OK:
|
2002-05-29 01:56:51 +02:00
|
|
|
break;
|
2001-08-30 21:02:42 +02:00
|
|
|
}
|
2000-11-29 21:59:54 +01:00
|
|
|
|
2001-06-20 20:07:56 +02:00
|
|
|
return STATUS_OK;
|
1998-07-09 05:29:11 +02:00
|
|
|
}
|
|
|
|
|
|
2001-06-20 20:07:56 +02:00
|
|
|
|
1998-07-09 05:29:11 +02:00
|
|
|
/*
|
|
|
|
|
* The client has sent a cancel request packet, not a normal
|
2001-06-20 20:07:56 +02:00
|
|
|
* start-a-new-connection packet. Perform the necessary processing.
|
|
|
|
|
* Nothing is sent back to the client.
|
1998-07-09 05:29:11 +02:00
|
|
|
*/
|
2001-06-20 20:07:56 +02:00
|
|
|
static void
|
|
|
|
|
processCancelRequest(Port *port, void *pkt)
|
1998-07-09 05:29:11 +02:00
|
|
|
{
|
1998-09-01 06:40:42 +02:00
|
|
|
CancelRequestPacket *canc = (CancelRequestPacket *) pkt;
|
1998-07-09 05:29:11 +02:00
|
|
|
int backendPID;
|
|
|
|
|
long cancelAuthCode;
|
2004-01-26 23:54:58 +01:00
|
|
|
Backend *bp;
|
2005-10-15 04:49:52 +02:00
|
|
|
|
2004-01-26 23:59:54 +01:00
|
|
|
#ifndef EXEC_BACKEND
|
|
|
|
|
Dlelem *curr;
|
|
|
|
|
#else
|
2004-05-27 17:07:41 +02:00
|
|
|
int i;
|
2004-01-26 23:59:54 +01:00
|
|
|
#endif
|
1998-07-09 05:29:11 +02:00
|
|
|
|
|
|
|
|
backendPID = (int) ntohl(canc->backendPID);
|
|
|
|
|
cancelAuthCode = (long) ntohl(canc->cancelAuthCode);
|
|
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* See if we have a matching backend. In the EXEC_BACKEND case, we can no
|
|
|
|
|
* longer access the postmaster's own backend list, and must rely on the
|
|
|
|
|
* duplicate array in shared memory.
|
2004-05-28 07:13:32 +02:00
|
|
|
*/
|
2004-01-26 23:59:54 +01:00
|
|
|
#ifndef EXEC_BACKEND
|
1998-07-09 05:29:11 +02:00
|
|
|
for (curr = DLGetHead(BackendList); curr; curr = DLGetSucc(curr))
|
|
|
|
|
{
|
|
|
|
|
bp = (Backend *) DLE_VAL(curr);
|
2004-01-26 23:59:54 +01:00
|
|
|
#else
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
for (i = MaxLivePostmasterChildren() - 1; i >= 0; i--)
|
2004-01-26 23:59:54 +01:00
|
|
|
{
|
2004-05-27 17:07:41 +02:00
|
|
|
bp = (Backend *) &ShmemBackendArray[i];
|
2004-01-26 23:59:54 +01:00
|
|
|
#endif
|
1998-07-09 05:29:11 +02:00
|
|
|
if (bp->pid == backendPID)
|
|
|
|
|
{
|
|
|
|
|
if (bp->cancel_key == cancelAuthCode)
|
|
|
|
|
{
|
|
|
|
|
/* Found a match; signal that backend to cancel current op */
|
2003-08-12 20:23:21 +02:00
|
|
|
ereport(DEBUG2,
|
|
|
|
|
(errmsg_internal("processing cancel request: sending SIGINT to process %d",
|
|
|
|
|
backendPID)));
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(bp->pid, SIGINT);
|
1998-07-09 05:29:11 +02:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
/* Right PID, wrong key: no way, Jose */
|
2007-11-05 01:00:34 +01:00
|
|
|
ereport(LOG,
|
2007-12-13 12:55:44 +01:00
|
|
|
(errmsg("wrong key in cancel request for process %d",
|
2007-11-05 01:00:34 +01:00
|
|
|
backendPID)));
|
2001-06-20 20:07:56 +02:00
|
|
|
return;
|
1998-07-09 05:29:11 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* No matching backend */
|
2007-11-05 01:00:34 +01:00
|
|
|
ereport(LOG,
|
2007-12-13 12:55:44 +01:00
|
|
|
(errmsg("PID %d in cancel request did not match any process",
|
2007-11-05 01:00:34 +01:00
|
|
|
backendPID)));
|
1996-10-12 09:48:49 +02:00
|
|
|
}
|
|
|
|
|
|
2000-11-29 21:59:54 +01:00
|
|
|
/*
|
|
|
|
|
* canAcceptConnections --- check to see if database state allows connections.
|
|
|
|
|
*/
|
2010-11-14 21:57:37 +01:00
|
|
|
static CAC_state
|
2000-11-29 21:59:54 +01:00
|
|
|
canAcceptConnections(void)
|
|
|
|
|
{
|
2010-11-14 21:57:37 +01:00
|
|
|
CAC_state result = CAC_OK;
|
|
|
|
|
|
2008-04-23 15:44:59 +02:00
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* Can't start backends when in startup/shutdown/inconsistent recovery
|
|
|
|
|
* state.
|
2008-04-27 00:47:40 +02:00
|
|
|
*
|
|
|
|
|
* In state PM_WAIT_BACKUP only superusers can connect (this must be
|
|
|
|
|
* allowed so that a superuser can end online backup mode); we return
|
2011-04-10 17:42:00 +02:00
|
|
|
* CAC_WAITBACKUP code to indicate that this must be checked later. Note
|
|
|
|
|
* that neither CAC_OK nor CAC_WAITBACKUP can safely be returned until we
|
|
|
|
|
* have checked for too many children.
|
2008-04-23 15:44:59 +02:00
|
|
|
*/
|
2008-04-27 00:47:40 +02:00
|
|
|
if (pmState != PM_RUN)
|
2007-08-09 03:18:43 +02:00
|
|
|
{
|
2008-04-27 00:47:40 +02:00
|
|
|
if (pmState == PM_WAIT_BACKUP)
|
2010-11-14 21:57:37 +01:00
|
|
|
result = CAC_WAITBACKUP; /* allow superusers only */
|
|
|
|
|
else if (Shutdown > NoShutdown)
|
2007-11-15 22:14:46 +01:00
|
|
|
return CAC_SHUTDOWN; /* shutdown is pending */
|
2010-11-14 21:57:37 +01:00
|
|
|
else if (!FatalError &&
|
|
|
|
|
(pmState == PM_STARTUP ||
|
|
|
|
|
pmState == PM_RECOVERY))
|
2011-04-10 17:42:00 +02:00
|
|
|
return CAC_STARTUP; /* normal startup */
|
2010-11-14 21:57:37 +01:00
|
|
|
else if (!FatalError &&
|
|
|
|
|
pmState == PM_HOT_STANDBY)
|
2011-04-10 17:42:00 +02:00
|
|
|
result = CAC_OK; /* connection OK during hot standby */
|
2010-11-14 21:57:37 +01:00
|
|
|
else
|
|
|
|
|
return CAC_RECOVERY; /* else must be crash recovery */
|
2007-08-09 03:18:43 +02:00
|
|
|
}
|
2001-10-25 07:50:21 +02:00
|
|
|
|
2001-06-17 00:58:17 +02:00
|
|
|
/*
|
|
|
|
|
* Don't start too many children.
|
|
|
|
|
*
|
2001-10-25 07:50:21 +02:00
|
|
|
* We allow more connections than we can have backends here because some
|
2005-10-15 04:49:52 +02:00
|
|
|
* might still be authenticating; they might fail auth, or some existing
|
|
|
|
|
* backend might exit before the auth cycle is completed. The exact
|
|
|
|
|
* MaxBackends limit is enforced when a new backend tries to join the
|
|
|
|
|
* shared-inval backend array.
|
2007-08-09 03:18:43 +02:00
|
|
|
*
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
* The limit here must match the sizes of the per-child-process arrays;
|
|
|
|
|
* see comments for MaxLivePostmasterChildren().
|
2001-06-17 00:58:17 +02:00
|
|
|
*/
|
2010-01-15 10:19:10 +01:00
|
|
|
if (CountChildren(BACKEND_TYPE_ALL) >= MaxLivePostmasterChildren())
|
2010-11-14 21:57:37 +01:00
|
|
|
result = CAC_TOOMANY;
|
2000-11-29 21:59:54 +01:00
|
|
|
|
2010-11-14 21:57:37 +01:00
|
|
|
return result;
|
2000-11-29 21:59:54 +01:00
|
|
|
}
|
1996-10-12 09:48:49 +02:00
|
|
|
|
2001-06-20 20:07:56 +02:00
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
/*
|
|
|
|
|
* ConnCreate -- create a local connection data structure
|
2010-10-27 21:26:24 +02:00
|
|
|
*
|
|
|
|
|
* Returns NULL on failure, other than out-of-memory which is fatal.
|
1996-07-09 08:22:35 +02:00
|
|
|
*/
|
1998-01-26 02:42:53 +01:00
|
|
|
static Port *
|
|
|
|
|
ConnCreate(int serverFd)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
1997-09-08 04:41:22 +02:00
|
|
|
Port *port;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
|
|
|
|
if (!(port = (Port *) calloc(1, sizeof(Port))))
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_OUT_OF_MEMORY),
|
|
|
|
|
errmsg("out of memory")));
|
1997-09-07 07:04:48 +02:00
|
|
|
ExitPostmaster(1);
|
|
|
|
|
}
|
|
|
|
|
|
1998-01-26 02:42:53 +01:00
|
|
|
if (StreamConnection(serverFd, port) != STATUS_OK)
|
1997-09-07 07:04:48 +02:00
|
|
|
{
|
2007-02-13 20:18:54 +01:00
|
|
|
if (port->sock >= 0)
|
|
|
|
|
StreamClose(port->sock);
|
2000-05-26 03:38:08 +02:00
|
|
|
ConnFree(port);
|
2010-10-27 19:03:00 +02:00
|
|
|
return NULL;
|
1997-09-07 07:04:48 +02:00
|
|
|
}
|
2010-10-27 21:26:24 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Precompute password salt values to use for this connection. It's
|
2011-04-10 17:42:00 +02:00
|
|
|
* slightly annoying to do this long in advance of knowing whether we'll
|
|
|
|
|
* need 'em or not, but we must do the random() calls before we fork, not
|
|
|
|
|
* after. Else the postmaster's random sequence won't get advanced, and
|
|
|
|
|
* all backends would end up using the same salt...
|
2010-10-27 21:26:24 +02:00
|
|
|
*/
|
|
|
|
|
RandomSalt(port->md5Salt);
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2007-07-10 15:14:22 +02:00
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Allocate GSSAPI specific state struct
|
2007-07-10 15:14:22 +02:00
|
|
|
*/
|
2007-07-23 12:16:54 +02:00
|
|
|
#ifndef EXEC_BACKEND
|
2007-11-15 22:14:46 +01:00
|
|
|
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
|
|
|
|
|
port->gss = (pg_gssinfo *) calloc(1, sizeof(pg_gssinfo));
|
2007-07-11 10:27:33 +02:00
|
|
|
if (!port->gss)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_OUT_OF_MEMORY),
|
|
|
|
|
errmsg("out of memory")));
|
|
|
|
|
ExitPostmaster(1);
|
|
|
|
|
}
|
2007-07-23 12:16:54 +02:00
|
|
|
#endif
|
2007-07-10 15:14:22 +02:00
|
|
|
#endif
|
|
|
|
|
|
1998-01-26 02:42:53 +01:00
|
|
|
return port;
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
2001-06-20 20:07:56 +02:00
|
|
|
|
1999-09-27 05:13:16 +02:00
|
|
|
/*
|
2000-05-26 03:38:08 +02:00
|
|
|
* ConnFree -- free a local connection data structure
|
1999-09-27 05:13:16 +02:00
|
|
|
*/
|
2000-03-17 03:36:41 +01:00
|
|
|
static void
|
2000-04-12 19:17:23 +02:00
|
|
|
ConnFree(Port *conn)
|
1999-09-27 05:13:16 +02:00
|
|
|
{
|
|
|
|
|
#ifdef USE_SSL
|
UPDATED PATCH:
Attached are a revised set of SSL patches. Many of these patches
are motivated by security concerns, it's not just bug fixes. The key
differences (from stock 7.2.1) are:
*) almost all code that directly uses the OpenSSL library is in two
new files,
src/interfaces/libpq/fe-ssl.c
src/backend/postmaster/be-ssl.c
in the long run, it would be nice to merge these two files.
*) the legacy code to read and write network data have been
encapsulated into read_SSL() and write_SSL(). These functions
should probably be renamed - they handle both SSL and non-SSL
cases.
the remaining code should eliminate the problems identified
earlier, albeit not very cleanly.
*) both front- and back-ends will send a SSL shutdown via the
new close_SSL() function. This is necessary for sessions to
work properly.
(Sessions are not yet fully supported, but by cleanly closing
the SSL connection instead of just sending a TCP FIN packet
other SSL tools will be much happier.)
*) The client certificate and key are now expected in a subdirectory
of the user's home directory. Specifically,
- the directory .postgresql must be owned by the user, and
allow no access by 'group' or 'other.'
- the file .postgresql/postgresql.crt must be a regular file
owned by the user.
- the file .postgresql/postgresql.key must be a regular file
owned by the user, and allow no access by 'group' or 'other'.
At the current time encrypted private keys are not supported.
There should also be a way to support multiple client certs/keys.
*) the front-end performs minimal validation of the back-end cert.
Self-signed certs are permitted, but the common name *must*
match the hostname used by the front-end. (The cert itself
should always use a fully qualified domain name (FDQN) in its
common name field.)
This means that
psql -h eris db
will fail, but
psql -h eris.example.com db
will succeed. At the current time this must be an exact match;
future patches may support any FQDN that resolves to the address
returned by getpeername(2).
Another common "problem" is expiring certs. For now, it may be
a good idea to use a very-long-lived self-signed cert.
As a compile-time option, the front-end can specify a file
containing valid root certificates, but it is not yet required.
*) the back-end performs minimal validation of the client cert.
It allows self-signed certs. It checks for expiration. It
supports a compile-time option specifying a file containing
valid root certificates.
*) both front- and back-ends default to TLSv1, not SSLv3/SSLv2.
*) both front- and back-ends support DSA keys. DSA keys are
moderately more expensive on startup, but many people consider
them preferable than RSA keys. (E.g., SSH2 prefers DSA keys.)
*) if /dev/urandom exists, both client and server will read 16k
of randomization data from it.
*) the server can read empheral DH parameters from the files
$DataDir/dh512.pem
$DataDir/dh1024.pem
$DataDir/dh2048.pem
$DataDir/dh4096.pem
if none are provided, the server will default to hardcoded
parameter files provided by the OpenSSL project.
Remaining tasks:
*) the select() clauses need to be revisited - the SSL abstraction
layer may need to absorb more of the current code to avoid rare
deadlock conditions. This also touches on a true solution to
the pg_eof() problem.
*) the SIGPIPE signal handler may need to be revisited.
*) support encrypted private keys.
*) sessions are not yet fully supported. (SSL sessions can span
multiple "connections," and allow the client and server to avoid
costly renegotiations.)
*) makecert - a script that creates back-end certs.
*) pgkeygen - a tool that creates front-end certs.
*) the whole protocol issue, SASL, etc.
*) certs are fully validated - valid root certs must be available.
This is a hassle, but it means that you *can* trust the identity
of the server.
*) the client library can handle hardcoded root certificates, to
avoid the need to copy these files.
*) host name of server cert must resolve to IP address, or be a
recognized alias. This is more liberal than the previous
iteration.
*) the number of bytes transferred is tracked, and the session
key is periodically renegotiated.
*) basic cert generation scripts (mkcert.sh, pgkeygen.sh). The
configuration files have reasonable defaults for each type
of use.
Bear Giles
2002-06-14 06:23:17 +02:00
|
|
|
secure_close(conn);
|
1999-09-27 05:13:16 +02:00
|
|
|
#endif
|
2007-07-10 15:14:22 +02:00
|
|
|
if (conn->gss)
|
|
|
|
|
free(conn->gss);
|
1999-09-27 05:13:16 +02:00
|
|
|
free(conn);
|
|
|
|
|
}
|
|
|
|
|
|
2001-06-20 20:07:56 +02:00
|
|
|
|
2001-02-08 01:35:10 +01:00
|
|
|
/*
|
|
|
|
|
* ClosePostmasterPorts -- close all the postmaster's open sockets
|
|
|
|
|
*
|
|
|
|
|
* This is called during child process startup to release file descriptors
|
2001-06-21 18:43:24 +02:00
|
|
|
* that are not needed by that child process. The postmaster still has
|
|
|
|
|
* them open, of course.
|
2004-08-06 01:32:13 +02:00
|
|
|
*
|
|
|
|
|
* Note: we pass am_syslogger as a boolean because we don't want to set
|
|
|
|
|
* the global variable yet when this is called.
|
2001-02-08 01:35:10 +01:00
|
|
|
*/
|
2001-08-05 04:06:50 +02:00
|
|
|
void
|
2004-08-06 01:32:13 +02:00
|
|
|
ClosePostmasterPorts(bool am_syslogger)
|
2001-02-08 01:35:10 +01:00
|
|
|
{
|
2003-08-04 02:43:34 +02:00
|
|
|
int i;
|
2003-06-12 09:36:51 +02:00
|
|
|
|
2001-02-08 01:35:10 +01:00
|
|
|
/* Close the listen sockets */
|
2003-06-12 09:36:51 +02:00
|
|
|
for (i = 0; i < MAXLISTEN; i++)
|
|
|
|
|
{
|
2010-01-10 15:16:08 +01:00
|
|
|
if (ListenSocket[i] != PGINVALID_SOCKET)
|
2003-06-12 09:36:51 +02:00
|
|
|
{
|
|
|
|
|
StreamClose(ListenSocket[i]);
|
2010-01-10 15:16:08 +01:00
|
|
|
ListenSocket[i] = PGINVALID_SOCKET;
|
2003-06-12 09:36:51 +02:00
|
|
|
}
|
|
|
|
|
}
|
2004-08-06 01:32:13 +02:00
|
|
|
|
|
|
|
|
/* If using syslogger, close the read side of the pipe */
|
|
|
|
|
if (!am_syslogger)
|
|
|
|
|
{
|
|
|
|
|
#ifndef WIN32
|
|
|
|
|
if (syslogPipe[0] >= 0)
|
|
|
|
|
close(syslogPipe[0]);
|
|
|
|
|
syslogPipe[0] = -1;
|
|
|
|
|
#else
|
|
|
|
|
if (syslogPipe[0])
|
|
|
|
|
CloseHandle(syslogPipe[0]);
|
|
|
|
|
syslogPipe[0] = 0;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
2009-09-08 18:08:26 +02:00
|
|
|
|
|
|
|
|
#ifdef USE_BONJOUR
|
|
|
|
|
/* If using Bonjour, close the connection to the mDNS daemon */
|
|
|
|
|
if (bonjour_sdref)
|
|
|
|
|
close(DNSServiceRefSockFD(bonjour_sdref));
|
|
|
|
|
#endif
|
2001-02-08 01:35:10 +01:00
|
|
|
}
|
|
|
|
|
|
UUNET is looking into offering PostgreSQL as a part of a managed web
hosting product, on both shared and dedicated machines. We currently
offer Oracle and MySQL, and it would be a nice middle-ground.
However, as shipped, PostgreSQL lacks the following features we need
that MySQL has:
1. The ability to listen only on a particular IP address. Each
hosting customer has their own IP address, on which all of their
servers (http, ftp, real media, etc.) run.
2. The ability to place the Unix-domain socket in a mode 700 directory.
This allows us to automatically create an empty database, with an
empty DBA password, for new or upgrading customers without having
to interactively set a DBA password and communicate it to (or from)
the customer. This in turn cuts down our install and upgrade times.
3. The ability to connect to the Unix-domain socket from within a
change-rooted environment. We run CGI programs chrooted to the
user's home directory, which is another reason why we need to be
able to specify where the Unix-domain socket is, instead of /tmp.
4. The ability to, if run as root, open a pid file in /var/run as
root, and then setuid to the desired user. (mysqld -u can almost
do this; I had to patch it, too).
The patch below fixes problem 1-3. I plan to address #4, also, but
haven't done so yet. These diffs are big enough that they should give
the PG development team something to think about in the meantime :-)
Also, I'm about to leave for 2 weeks' vacation, so I thought I'd get
out what I have, which works (for the problems it tackles), now.
With these changes, we can set up and run PostgreSQL with scripts the
same way we can with apache or proftpd or mysql.
In summary, this patch makes the following enhancements:
1. Adds an environment variable PGUNIXSOCKET, analogous to MYSQL_UNIX_PORT,
and command line options -k --unix-socket to the relevant programs.
2. Adds a -h option to postmaster to set the hostname or IP address to
listen on instead of the default INADDR_ANY.
3. Extends some library interfaces to support the above.
4. Fixes a few memory leaks in PQconnectdb().
The default behavior is unchanged from stock 7.0.2; if you don't use
any of these new features, they don't change the operation.
David J. MacKenzie
2000-11-13 16:18:15 +01:00
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
/*
|
|
|
|
|
* reset_shared -- reset shared memory and semaphores
|
|
|
|
|
*/
|
|
|
|
|
static void
|
2005-06-18 00:32:51 +02:00
|
|
|
reset_shared(int port)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2000-11-29 00:27:57 +01:00
|
|
|
/*
|
|
|
|
|
* Create or re-create shared memory and semaphores.
|
2002-05-05 02:03:29 +02:00
|
|
|
*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Note: in each "cycle of life" we will normally assign the same IPC keys
|
|
|
|
|
* (if using SysV shmem and/or semas), since the port number is used to
|
|
|
|
|
* determine IPC keys. This helps ensure that we will clean up dead IPC
|
|
|
|
|
* objects if the postmaster crashes and is restarted.
|
2000-11-29 00:27:57 +01:00
|
|
|
*/
|
2005-06-18 00:32:51 +02:00
|
|
|
CreateSharedMemoryAndSemaphores(false, port);
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
2000-05-31 02:28:42 +02:00
|
|
|
|
|
|
|
|
/*
|
2001-11-04 21:12:57 +01:00
|
|
|
* SIGHUP -- reread config files, and tell children to do same
|
2000-05-31 02:28:42 +02:00
|
|
|
*/
|
|
|
|
|
static void
|
2000-08-29 11:36:51 +02:00
|
|
|
SIGHUP_handler(SIGNAL_ARGS)
|
2000-05-31 02:28:42 +02:00
|
|
|
{
|
2000-12-18 18:33:42 +01:00
|
|
|
int save_errno = errno;
|
|
|
|
|
|
2001-06-14 21:59:24 +02:00
|
|
|
PG_SETMASK(&BlockSig);
|
|
|
|
|
|
|
|
|
|
if (Shutdown <= SmartShutdown)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
2005-10-15 04:49:52 +02:00
|
|
|
(errmsg("received SIGHUP, reloading configuration files")));
|
2001-11-04 20:55:31 +01:00
|
|
|
ProcessConfigFile(PGC_SIGHUP);
|
2003-05-08 22:43:07 +02:00
|
|
|
SignalChildren(SIGHUP);
|
2009-03-04 14:56:40 +01:00
|
|
|
if (StartupPID != 0)
|
|
|
|
|
signal_child(StartupPID, SIGHUP);
|
2004-05-30 00:48:23 +02:00
|
|
|
if (BgWriterPID != 0)
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(BgWriterPID, SIGHUP);
|
2007-07-24 06:54:09 +02:00
|
|
|
if (WalWriterPID != 0)
|
|
|
|
|
signal_child(WalWriterPID, SIGHUP);
|
2010-01-15 10:19:10 +01:00
|
|
|
if (WalReceiverPID != 0)
|
|
|
|
|
signal_child(WalReceiverPID, SIGHUP);
|
2005-07-14 07:13:45 +02:00
|
|
|
if (AutoVacPID != 0)
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(AutoVacPID, SIGHUP);
|
2004-07-19 04:47:16 +02:00
|
|
|
if (PgArchPID != 0)
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(PgArchPID, SIGHUP);
|
2004-08-06 01:32:13 +02:00
|
|
|
if (SysLoggerPID != 0)
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(SysLoggerPID, SIGHUP);
|
2008-08-25 17:11:01 +02:00
|
|
|
if (PgStatPID != 0)
|
|
|
|
|
signal_child(PgStatPID, SIGHUP);
|
2005-02-20 03:22:07 +01:00
|
|
|
|
|
|
|
|
/* Reload authentication config files too */
|
2008-09-15 14:32:57 +02:00
|
|
|
if (!load_hba())
|
|
|
|
|
ereport(WARNING,
|
|
|
|
|
(errmsg("pg_hba.conf not reloaded")));
|
|
|
|
|
|
2002-04-04 06:25:54 +02:00
|
|
|
load_ident();
|
2003-11-19 16:55:08 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
#ifdef EXEC_BACKEND
|
|
|
|
|
/* Update the starting-point file for future children */
|
|
|
|
|
write_nondefault_variables(PGC_SIGHUP);
|
|
|
|
|
#endif
|
2001-06-14 21:59:24 +02:00
|
|
|
}
|
|
|
|
|
|
2001-11-04 20:55:31 +01:00
|
|
|
PG_SETMASK(&UnBlockSig);
|
|
|
|
|
|
2000-12-18 18:33:42 +01:00
|
|
|
errno = save_errno;
|
2000-05-31 02:28:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
/*
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
* pmdie -- signal handler for processing various postmaster signals.
|
1996-07-09 08:22:35 +02:00
|
|
|
*/
|
|
|
|
|
static void
|
2000-08-29 11:36:51 +02:00
|
|
|
pmdie(SIGNAL_ARGS)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2000-12-18 18:33:42 +01:00
|
|
|
int save_errno = errno;
|
|
|
|
|
|
1999-10-06 23:58:18 +02:00
|
|
|
PG_SETMASK(&BlockSig);
|
2000-04-12 19:17:23 +02:00
|
|
|
|
2003-08-12 20:23:21 +02:00
|
|
|
ereport(DEBUG2,
|
|
|
|
|
(errmsg_internal("postmaster received signal %d",
|
|
|
|
|
postgres_signal_arg)));
|
1998-08-25 23:34:10 +02:00
|
|
|
|
2000-08-29 11:36:51 +02:00
|
|
|
switch (postgres_signal_arg)
|
1998-09-01 06:40:42 +02:00
|
|
|
{
|
1998-08-25 23:34:10 +02:00
|
|
|
case SIGTERM:
|
2004-08-29 07:07:03 +02:00
|
|
|
|
1999-10-06 23:58:18 +02:00
|
|
|
/*
|
|
|
|
|
* Smart Shutdown:
|
|
|
|
|
*
|
2004-05-30 00:48:23 +02:00
|
|
|
* Wait for children to end their work, then shut down.
|
1999-10-06 23:58:18 +02:00
|
|
|
*/
|
|
|
|
|
if (Shutdown >= SmartShutdown)
|
2001-11-04 20:55:31 +01:00
|
|
|
break;
|
1999-10-06 23:58:18 +02:00
|
|
|
Shutdown = SmartShutdown;
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("received smart shutdown request")));
|
2004-02-11 23:25:02 +01:00
|
|
|
|
2009-02-23 10:28:50 +01:00
|
|
|
if (pmState == PM_RUN || pmState == PM_RECOVERY ||
|
2010-05-26 14:32:41 +02:00
|
|
|
pmState == PM_HOT_STANDBY || pmState == PM_STARTUP)
|
2007-08-09 03:18:43 +02:00
|
|
|
{
|
|
|
|
|
/* autovacuum workers are told to shut down immediately */
|
2010-12-17 19:56:54 +01:00
|
|
|
SignalSomeChildren(SIGTERM, BACKEND_TYPE_AUTOVAC);
|
2007-08-09 03:18:43 +02:00
|
|
|
/* and the autovac launcher too */
|
|
|
|
|
if (AutoVacPID != 0)
|
|
|
|
|
signal_child(AutoVacPID, SIGTERM);
|
|
|
|
|
/* and the walwriter too */
|
|
|
|
|
if (WalWriterPID != 0)
|
|
|
|
|
signal_child(WalWriterPID, SIGTERM);
|
2010-07-06 21:19:02 +02:00
|
|
|
|
2010-04-08 03:39:37 +02:00
|
|
|
/*
|
|
|
|
|
* If we're in recovery, we can't kill the startup process
|
|
|
|
|
* right away, because at present doing so does not release
|
|
|
|
|
* its locks. We might want to change this in a future
|
|
|
|
|
* release. For the time being, the PM_WAIT_READONLY state
|
|
|
|
|
* indicates that we're waiting for the regular (read only)
|
|
|
|
|
* backends to die off; once they do, we'll kill the startup
|
|
|
|
|
* and walreceiver processes.
|
|
|
|
|
*/
|
|
|
|
|
pmState = (pmState == PM_RUN) ?
|
|
|
|
|
PM_WAIT_BACKUP : PM_WAIT_READONLY;
|
2007-08-09 03:18:43 +02:00
|
|
|
}
|
2000-04-12 19:17:23 +02:00
|
|
|
|
1999-10-06 23:58:18 +02:00
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* Now wait for online backup mode to end and backends to exit. If
|
|
|
|
|
* that is already the case, PostmasterStateMachine will take the
|
|
|
|
|
* next step.
|
1999-10-06 23:58:18 +02:00
|
|
|
*/
|
2007-08-09 03:18:43 +02:00
|
|
|
PostmasterStateMachine();
|
2001-11-04 20:55:31 +01:00
|
|
|
break;
|
1999-10-06 23:58:18 +02:00
|
|
|
|
|
|
|
|
case SIGINT:
|
2004-08-29 07:07:03 +02:00
|
|
|
|
1999-10-06 23:58:18 +02:00
|
|
|
/*
|
|
|
|
|
* Fast Shutdown:
|
2000-04-12 19:17:23 +02:00
|
|
|
*
|
2005-11-22 19:17:34 +01:00
|
|
|
* Abort all children with SIGTERM (rollback active transactions
|
|
|
|
|
* and exit) and shut down when they are gone.
|
1999-10-06 23:58:18 +02:00
|
|
|
*/
|
|
|
|
|
if (Shutdown >= FastShutdown)
|
2001-11-04 20:55:31 +01:00
|
|
|
break;
|
2004-02-11 23:25:02 +01:00
|
|
|
Shutdown = FastShutdown;
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("received fast shutdown request")));
|
2004-02-11 23:25:02 +01:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
if (StartupPID != 0)
|
|
|
|
|
signal_child(StartupPID, SIGTERM);
|
2010-01-15 10:19:10 +01:00
|
|
|
if (WalReceiverPID != 0)
|
|
|
|
|
signal_child(WalReceiverPID, SIGTERM);
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
if (pmState == PM_RECOVERY)
|
|
|
|
|
{
|
|
|
|
|
/* only bgwriter is active in this state */
|
|
|
|
|
pmState = PM_WAIT_BACKENDS;
|
|
|
|
|
}
|
2010-06-24 18:40:45 +02:00
|
|
|
else if (pmState == PM_RUN ||
|
|
|
|
|
pmState == PM_WAIT_BACKUP ||
|
|
|
|
|
pmState == PM_WAIT_READONLY ||
|
|
|
|
|
pmState == PM_WAIT_BACKENDS ||
|
|
|
|
|
pmState == PM_HOT_STANDBY)
|
1998-09-01 06:40:42 +02:00
|
|
|
{
|
2007-08-09 03:18:43 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("aborting any active transactions")));
|
|
|
|
|
/* shut down all backends and autovac workers */
|
2010-01-15 10:19:10 +01:00
|
|
|
SignalSomeChildren(SIGTERM,
|
2010-02-26 03:01:40 +01:00
|
|
|
BACKEND_TYPE_NORMAL | BACKEND_TYPE_AUTOVAC);
|
2007-08-09 03:18:43 +02:00
|
|
|
/* and the autovac launcher too */
|
|
|
|
|
if (AutoVacPID != 0)
|
|
|
|
|
signal_child(AutoVacPID, SIGTERM);
|
|
|
|
|
/* and the walwriter too */
|
|
|
|
|
if (WalWriterPID != 0)
|
|
|
|
|
signal_child(WalWriterPID, SIGTERM);
|
|
|
|
|
pmState = PM_WAIT_BACKENDS;
|
1998-08-25 23:34:10 +02:00
|
|
|
}
|
2000-04-12 19:17:23 +02:00
|
|
|
|
1999-10-06 23:58:18 +02:00
|
|
|
/*
|
2007-08-09 03:18:43 +02:00
|
|
|
* Now wait for backends to exit. If there are none,
|
|
|
|
|
* PostmasterStateMachine will take the next step.
|
1999-10-06 23:58:18 +02:00
|
|
|
*/
|
2007-08-09 03:18:43 +02:00
|
|
|
PostmasterStateMachine();
|
2001-11-04 20:55:31 +01:00
|
|
|
break;
|
1999-10-06 23:58:18 +02:00
|
|
|
|
|
|
|
|
case SIGQUIT:
|
2004-08-29 07:07:03 +02:00
|
|
|
|
2000-04-12 19:17:23 +02:00
|
|
|
/*
|
1999-10-06 23:58:18 +02:00
|
|
|
* Immediate Shutdown:
|
2000-04-12 19:17:23 +02:00
|
|
|
*
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
* abort all children with SIGQUIT and exit without attempt to
|
2004-05-30 00:48:23 +02:00
|
|
|
* properly shut down data base system.
|
1999-10-06 23:58:18 +02:00
|
|
|
*/
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("received immediate shutdown request")));
|
2007-08-09 03:18:43 +02:00
|
|
|
SignalChildren(SIGQUIT);
|
2004-05-30 00:48:23 +02:00
|
|
|
if (StartupPID != 0)
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(StartupPID, SIGQUIT);
|
2004-05-30 00:48:23 +02:00
|
|
|
if (BgWriterPID != 0)
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(BgWriterPID, SIGQUIT);
|
2007-07-24 06:54:09 +02:00
|
|
|
if (WalWriterPID != 0)
|
|
|
|
|
signal_child(WalWriterPID, SIGQUIT);
|
2010-01-15 10:19:10 +01:00
|
|
|
if (WalReceiverPID != 0)
|
|
|
|
|
signal_child(WalReceiverPID, SIGQUIT);
|
2005-07-14 07:13:45 +02:00
|
|
|
if (AutoVacPID != 0)
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(AutoVacPID, SIGQUIT);
|
2004-07-19 04:47:16 +02:00
|
|
|
if (PgArchPID != 0)
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(PgArchPID, SIGQUIT);
|
2004-06-14 20:08:19 +02:00
|
|
|
if (PgStatPID != 0)
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(PgStatPID, SIGQUIT);
|
2001-11-04 20:55:31 +01:00
|
|
|
ExitPostmaster(0);
|
1999-10-06 23:58:18 +02:00
|
|
|
break;
|
1998-08-25 23:34:10 +02:00
|
|
|
}
|
|
|
|
|
|
2001-11-04 20:55:31 +01:00
|
|
|
PG_SETMASK(&UnBlockSig);
|
|
|
|
|
|
|
|
|
|
errno = save_errno;
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2007-08-09 03:18:43 +02:00
|
|
|
* Reaper -- signal handler to cleanup after a child process dies.
|
1996-07-09 08:22:35 +02:00
|
|
|
*/
|
|
|
|
|
static void
|
2000-08-29 11:36:51 +02:00
|
|
|
reaper(SIGNAL_ARGS)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2000-12-18 18:33:42 +01:00
|
|
|
int save_errno = errno;
|
2007-08-09 03:18:43 +02:00
|
|
|
int pid; /* process id of dead child process */
|
|
|
|
|
int exitstatus; /* its exit status */
|
2001-11-05 18:46:40 +01:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/* These macros hide platform variations in getting child status */
|
1997-02-13 09:32:20 +01:00
|
|
|
#ifdef HAVE_WAITPID
|
2007-08-09 03:18:43 +02:00
|
|
|
int status; /* child exit status */
|
2007-11-15 22:14:46 +01:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
#define LOOPTEST() ((pid = waitpid(-1, &status, WNOHANG)) > 0)
|
|
|
|
|
#define LOOPHEADER() (exitstatus = status)
|
2007-11-15 22:14:46 +01:00
|
|
|
#else /* !HAVE_WAITPID */
|
2004-01-26 23:59:54 +01:00
|
|
|
#ifndef WIN32
|
2007-08-09 03:18:43 +02:00
|
|
|
union wait status; /* child exit status */
|
2007-11-15 22:14:46 +01:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
#define LOOPTEST() ((pid = wait3(&status, WNOHANG, NULL)) > 0)
|
|
|
|
|
#define LOOPHEADER() (exitstatus = status.w_status)
|
2007-11-15 22:14:46 +01:00
|
|
|
#else /* WIN32 */
|
2007-08-09 03:18:43 +02:00
|
|
|
#define LOOPTEST() ((pid = win32_waitpid(&exitstatus)) > 0)
|
2007-10-26 23:50:10 +02:00
|
|
|
#define LOOPHEADER()
|
2007-08-09 03:18:43 +02:00
|
|
|
#endif /* WIN32 */
|
|
|
|
|
#endif /* HAVE_WAITPID */
|
1997-09-07 07:04:48 +02:00
|
|
|
|
1999-10-06 23:58:18 +02:00
|
|
|
PG_SETMASK(&BlockSig);
|
|
|
|
|
|
2003-08-12 20:23:21 +02:00
|
|
|
ereport(DEBUG4,
|
|
|
|
|
(errmsg_internal("reaping dead processes")));
|
2007-08-09 03:18:43 +02:00
|
|
|
|
|
|
|
|
while (LOOPTEST())
|
2004-01-26 23:59:54 +01:00
|
|
|
{
|
2007-08-09 03:18:43 +02:00
|
|
|
LOOPHEADER();
|
2001-10-25 07:50:21 +02:00
|
|
|
|
2001-11-06 19:02:48 +01:00
|
|
|
/*
|
2004-05-30 00:48:23 +02:00
|
|
|
* Check if this child was a startup process.
|
2001-11-06 19:02:48 +01:00
|
|
|
*/
|
2007-08-09 03:18:43 +02:00
|
|
|
if (pid == StartupPID)
|
1999-10-06 23:58:18 +02:00
|
|
|
{
|
2004-05-30 00:48:23 +02:00
|
|
|
StartupPID = 0;
|
2007-08-09 03:18:43 +02:00
|
|
|
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
/*
|
|
|
|
|
* Unexpected exit of startup process (including FATAL exit)
|
2009-06-26 22:29:04 +02:00
|
|
|
* during PM_STARTUP is treated as catastrophic. There are no
|
|
|
|
|
* other processes running yet, so we can just exit.
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
*/
|
2009-02-23 10:28:50 +01:00
|
|
|
if (pmState == PM_STARTUP && !EXIT_STATUS_0(exitstatus))
|
1999-10-08 04:16:22 +02:00
|
|
|
{
|
2005-02-22 05:43:23 +01:00
|
|
|
LogChildExit(LOG, _("startup process"),
|
2001-11-11 00:06:12 +01:00
|
|
|
pid, exitstatus);
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
2005-10-15 04:49:52 +02:00
|
|
|
(errmsg("aborting startup due to startup process failure")));
|
2000-11-29 21:59:54 +01:00
|
|
|
ExitPostmaster(1);
|
1999-10-08 04:16:22 +02:00
|
|
|
}
|
2009-06-11 16:49:15 +02:00
|
|
|
|
2009-02-23 10:28:50 +01:00
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* Startup process exited in response to a shutdown request (or it
|
|
|
|
|
* completed normally regardless of the shutdown request).
|
2009-02-23 10:28:50 +01:00
|
|
|
*/
|
|
|
|
|
if (Shutdown > NoShutdown &&
|
|
|
|
|
(EXIT_STATUS_0(exitstatus) || EXIT_STATUS_1(exitstatus)))
|
|
|
|
|
{
|
|
|
|
|
pmState = PM_WAIT_BACKENDS;
|
|
|
|
|
/* PostmasterStateMachine logic does the rest */
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2009-06-11 16:49:15 +02:00
|
|
|
|
2003-02-23 05:48:19 +01:00
|
|
|
/*
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
* Any unexpected exit (including FATAL exit) of the startup
|
2009-06-11 16:49:15 +02:00
|
|
|
* process is treated as a crash, except that we don't want to
|
|
|
|
|
* reinitialize.
|
2003-02-23 05:48:19 +01:00
|
|
|
*/
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
if (!EXIT_STATUS_0(exitstatus))
|
2007-08-09 03:18:43 +02:00
|
|
|
{
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
RecoveryError = true;
|
|
|
|
|
HandleChildCrash(pid, exitstatus,
|
|
|
|
|
_("startup process"));
|
2007-08-09 03:18:43 +02:00
|
|
|
continue;
|
|
|
|
|
}
|
2009-02-23 10:28:50 +01:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/*
|
2009-02-23 10:28:50 +01:00
|
|
|
* Startup succeeded, commence normal operations
|
2003-02-23 05:48:19 +01:00
|
|
|
*/
|
2009-02-23 10:28:50 +01:00
|
|
|
FatalError = false;
|
2010-05-26 14:32:41 +02:00
|
|
|
ReachedNormalRunning = true;
|
2009-02-23 10:28:50 +01:00
|
|
|
pmState = PM_RUN;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Crank up the background writer, if we didn't do that already
|
2009-06-26 22:29:04 +02:00
|
|
|
* when we entered consistent recovery state. It doesn't matter
|
2009-02-23 10:28:50 +01:00
|
|
|
* if this fails, we'll just try again later.
|
|
|
|
|
*/
|
|
|
|
|
if (BgWriterPID == 0)
|
|
|
|
|
BgWriterPID = StartBackgroundWriter();
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Likewise, start other special children as needed. In a restart
|
|
|
|
|
* situation, some of them may be alive already.
|
|
|
|
|
*/
|
|
|
|
|
if (WalWriterPID == 0)
|
|
|
|
|
WalWriterPID = StartWalWriter();
|
2011-04-25 18:00:21 +02:00
|
|
|
if (!IsBinaryUpgrade && AutoVacuumingActive() && AutoVacPID == 0)
|
2009-02-23 10:28:50 +01:00
|
|
|
AutoVacPID = StartAutoVacLauncher();
|
|
|
|
|
if (XLogArchivingActive() && PgArchPID == 0)
|
|
|
|
|
PgArchPID = pgarch_start();
|
|
|
|
|
if (PgStatPID == 0)
|
|
|
|
|
PgStatPID = pgstat_start();
|
|
|
|
|
|
|
|
|
|
/* at this point we are really open for business */
|
|
|
|
|
ereport(LOG,
|
2009-02-25 12:07:43 +01:00
|
|
|
(errmsg("database system is ready to accept connections")));
|
|
|
|
|
|
|
|
|
|
continue;
|
2004-05-30 00:48:23 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Was it the bgwriter?
|
|
|
|
|
*/
|
2007-08-09 03:18:43 +02:00
|
|
|
if (pid == BgWriterPID)
|
2004-05-30 00:48:23 +02:00
|
|
|
{
|
2004-06-14 20:08:19 +02:00
|
|
|
BgWriterPID = 0;
|
2007-08-09 03:18:43 +02:00
|
|
|
if (EXIT_STATUS_0(exitstatus) && pmState == PM_SHUTDOWN)
|
1999-10-06 23:58:18 +02:00
|
|
|
{
|
2004-05-30 00:48:23 +02:00
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* OK, we saw normal exit of the bgwriter after it's been told
|
|
|
|
|
* to shut down. We expect that it wrote a shutdown
|
|
|
|
|
* checkpoint. (If for some reason it didn't, recovery will
|
2007-08-09 03:18:43 +02:00
|
|
|
* occur on next postmaster start.)
|
2004-07-27 03:46:03 +02:00
|
|
|
*
|
2008-01-11 01:54:09 +01:00
|
|
|
* At this point we should have no normal backend children
|
|
|
|
|
* left (else we'd not be in PM_SHUTDOWN state) but we might
|
|
|
|
|
* have dead_end children to wait for.
|
|
|
|
|
*
|
|
|
|
|
* If we have an archiver subprocess, tell it to do a last
|
2010-01-15 10:19:10 +01:00
|
|
|
* archive cycle and quit. Likewise, if we have walsender
|
|
|
|
|
* processes, tell them to send any remaining WAL and quit.
|
2004-05-30 00:48:23 +02:00
|
|
|
*/
|
2007-08-09 03:18:43 +02:00
|
|
|
Assert(Shutdown > NoShutdown);
|
2008-01-11 01:54:09 +01:00
|
|
|
|
2010-01-15 10:19:10 +01:00
|
|
|
/* Waken archiver for the last time */
|
2008-01-11 01:54:09 +01:00
|
|
|
if (PgArchPID != 0)
|
|
|
|
|
signal_child(PgArchPID, SIGUSR2);
|
2010-01-15 10:19:10 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Waken walsenders for the last time. No regular backends
|
|
|
|
|
* should be around anymore.
|
|
|
|
|
*/
|
|
|
|
|
SignalChildren(SIGUSR2);
|
|
|
|
|
|
|
|
|
|
pmState = PM_SHUTDOWN_2;
|
2008-01-11 01:54:09 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We can also shut down the stats collector now; there's
|
|
|
|
|
* nothing left for it to do.
|
|
|
|
|
*/
|
|
|
|
|
if (PgStatPID != 0)
|
|
|
|
|
signal_child(PgStatPID, SIGQUIT);
|
1999-10-06 23:58:18 +02:00
|
|
|
}
|
2007-08-09 03:18:43 +02:00
|
|
|
else
|
2006-11-30 19:29:12 +01:00
|
|
|
{
|
2007-08-09 03:18:43 +02:00
|
|
|
/*
|
|
|
|
|
* Any unexpected exit of the bgwriter (including FATAL exit)
|
|
|
|
|
* is treated as a crash.
|
|
|
|
|
*/
|
|
|
|
|
HandleChildCrash(pid, exitstatus,
|
|
|
|
|
_("background writer process"));
|
2006-11-30 19:29:12 +01:00
|
|
|
}
|
|
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
continue;
|
1999-10-06 23:58:18 +02:00
|
|
|
}
|
2001-06-22 21:16:24 +02:00
|
|
|
|
2007-07-24 06:54:09 +02:00
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Was it the wal writer? Normal exit can be ignored; we'll start a
|
|
|
|
|
* new one at the next iteration of the postmaster's main loop, if
|
|
|
|
|
* necessary. Any other exit condition is treated as a crash.
|
2007-07-24 06:54:09 +02:00
|
|
|
*/
|
2007-08-09 03:18:43 +02:00
|
|
|
if (pid == WalWriterPID)
|
2007-07-24 06:54:09 +02:00
|
|
|
{
|
|
|
|
|
WalWriterPID = 0;
|
|
|
|
|
if (!EXIT_STATUS_0(exitstatus))
|
|
|
|
|
HandleChildCrash(pid, exitstatus,
|
2007-11-08 15:47:51 +01:00
|
|
|
_("WAL writer process"));
|
2007-07-24 06:54:09 +02:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-15 10:19:10 +01:00
|
|
|
/*
|
|
|
|
|
* Was it the wal receiver? If exit status is zero (normal) or one
|
|
|
|
|
* (FATAL exit), we assume everything is all right just like normal
|
|
|
|
|
* backends.
|
|
|
|
|
*/
|
|
|
|
|
if (pid == WalReceiverPID)
|
|
|
|
|
{
|
|
|
|
|
WalReceiverPID = 0;
|
|
|
|
|
if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
|
|
|
|
|
HandleChildCrash(pid, exitstatus,
|
|
|
|
|
_("WAL receiver process"));
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2005-07-14 07:13:45 +02:00
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Was it the autovacuum launcher? Normal exit can be ignored; we'll
|
|
|
|
|
* start a new one at the next iteration of the postmaster's main
|
|
|
|
|
* loop, if necessary. Any other exit condition is treated as a
|
|
|
|
|
* crash.
|
2005-07-14 07:13:45 +02:00
|
|
|
*/
|
2007-08-09 03:18:43 +02:00
|
|
|
if (pid == AutoVacPID)
|
2005-07-14 07:13:45 +02:00
|
|
|
{
|
|
|
|
|
AutoVacPID = 0;
|
2007-02-16 00:23:23 +01:00
|
|
|
if (!EXIT_STATUS_0(exitstatus))
|
2005-07-14 07:13:45 +02:00
|
|
|
HandleChildCrash(pid, exitstatus,
|
2007-02-16 00:23:23 +01:00
|
|
|
_("autovacuum launcher process"));
|
2005-07-14 07:13:45 +02:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2004-07-19 04:47:16 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Was it the archiver? If so, just try to start a new one; no need
|
|
|
|
|
* to force reset of the rest of the system. (If fail, we'll try
|
2010-02-26 03:01:40 +01:00
|
|
|
* again in future cycles of the main loop.). Unless we were waiting
|
|
|
|
|
* for it to shut down; don't restart it in that case, and and
|
|
|
|
|
* PostmasterStateMachine() will advance to the next shutdown step.
|
2004-07-19 04:47:16 +02:00
|
|
|
*/
|
2007-08-09 03:18:43 +02:00
|
|
|
if (pid == PgArchPID)
|
2004-07-19 04:47:16 +02:00
|
|
|
{
|
|
|
|
|
PgArchPID = 0;
|
2006-11-21 01:49:55 +01:00
|
|
|
if (!EXIT_STATUS_0(exitstatus))
|
2005-02-22 05:43:23 +01:00
|
|
|
LogChildExit(LOG, _("archiver process"),
|
2004-07-19 04:47:16 +02:00
|
|
|
pid, exitstatus);
|
2008-01-11 01:54:09 +01:00
|
|
|
if (XLogArchivingActive() && pmState == PM_RUN)
|
2004-07-19 04:47:16 +02:00
|
|
|
PgArchPID = pgarch_start();
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2004-06-14 20:08:19 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Was it the statistics collector? If so, just try to start a new
|
|
|
|
|
* one; no need to force reset of the rest of the system. (If fail,
|
|
|
|
|
* we'll try again in future cycles of the main loop.)
|
2004-06-14 20:08:19 +02:00
|
|
|
*/
|
2007-08-09 03:18:43 +02:00
|
|
|
if (pid == PgStatPID)
|
2004-06-14 20:08:19 +02:00
|
|
|
{
|
|
|
|
|
PgStatPID = 0;
|
2006-11-21 01:49:55 +01:00
|
|
|
if (!EXIT_STATUS_0(exitstatus))
|
2005-02-22 05:43:23 +01:00
|
|
|
LogChildExit(LOG, _("statistics collector process"),
|
2004-06-14 20:08:19 +02:00
|
|
|
pid, exitstatus);
|
2007-08-09 03:18:43 +02:00
|
|
|
if (pmState == PM_RUN)
|
2004-06-14 20:08:19 +02:00
|
|
|
PgStatPID = pgstat_start();
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/* Was it the system logger? If so, try to start a new one */
|
|
|
|
|
if (pid == SysLoggerPID)
|
2004-08-06 01:32:13 +02:00
|
|
|
{
|
|
|
|
|
SysLoggerPID = 0;
|
|
|
|
|
/* for safety's sake, launch new logger *first* */
|
|
|
|
|
SysLoggerPID = SysLogger_Start();
|
2006-11-21 01:49:55 +01:00
|
|
|
if (!EXIT_STATUS_0(exitstatus))
|
2005-02-22 05:43:23 +01:00
|
|
|
LogChildExit(LOG, _("system logger process"),
|
2004-08-06 01:32:13 +02:00
|
|
|
pid, exitstatus);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2003-05-10 20:15:42 +02:00
|
|
|
/*
|
2004-05-30 00:48:23 +02:00
|
|
|
* Else do standard backend child cleanup.
|
2003-05-10 20:15:42 +02:00
|
|
|
*/
|
2004-08-04 22:09:47 +02:00
|
|
|
CleanupBackend(pid, exitstatus);
|
2003-08-04 02:43:34 +02:00
|
|
|
} /* loop over pending child-death reports */
|
1999-10-06 23:58:18 +02:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/*
|
|
|
|
|
* After cleaning out the SIGCHLD queue, see if we have any state changes
|
|
|
|
|
* or actions to make.
|
|
|
|
|
*/
|
|
|
|
|
PostmasterStateMachine();
|
1999-10-06 23:58:18 +02:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/* Done with signal handler */
|
2001-11-04 20:55:31 +01:00
|
|
|
PG_SETMASK(&UnBlockSig);
|
|
|
|
|
|
2000-12-18 18:33:42 +01:00
|
|
|
errno = save_errno;
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
2004-03-24 05:04:51 +01:00
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
/*
|
2004-08-04 22:09:47 +02:00
|
|
|
* CleanupBackend -- cleanup after terminated backend.
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
|
|
|
|
* Remove all local state associated with backend.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
2004-08-04 22:09:47 +02:00
|
|
|
CleanupBackend(int pid,
|
2004-08-29 07:07:03 +02:00
|
|
|
int exitstatus) /* child's exit status. */
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2004-05-30 00:48:23 +02:00
|
|
|
Dlelem *curr;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2005-02-22 05:43:23 +01:00
|
|
|
LogChildExit(DEBUG2, _("server process"), pid, exitstatus);
|
1997-09-07 07:04:48 +02:00
|
|
|
|
|
|
|
|
/*
|
2006-11-21 01:49:55 +01:00
|
|
|
* If a backend dies in an ugly way then we must signal all other backends
|
|
|
|
|
* to quickdie. If exit status is zero (normal) or one (FATAL exit), we
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
* assume everything is all right and proceed to remove the backend from
|
|
|
|
|
* the active backend list.
|
1997-09-07 07:04:48 +02:00
|
|
|
*/
|
2010-09-16 22:37:13 +02:00
|
|
|
#ifdef WIN32
|
2011-04-10 17:42:00 +02:00
|
|
|
|
2010-09-16 22:37:13 +02:00
|
|
|
/*
|
2011-04-10 17:42:00 +02:00
|
|
|
* On win32, also treat ERROR_WAIT_NO_CHILDREN (128) as nonfatal case,
|
|
|
|
|
* since that sometimes happens under load when the process fails to start
|
|
|
|
|
* properly (long before it starts using shared memory). Microsoft reports
|
|
|
|
|
* it is related to mutex failure:
|
|
|
|
|
* http://archives.postgresql.org/pgsql-hackers/2010-09/msg00790.php
|
2010-09-16 22:37:13 +02:00
|
|
|
*/
|
|
|
|
|
if (exitstatus == ERROR_WAIT_NO_CHILDREN)
|
|
|
|
|
{
|
|
|
|
|
LogChildExit(LOG, _("server process"), pid, exitstatus);
|
|
|
|
|
exitstatus = 0;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2006-11-21 01:49:55 +01:00
|
|
|
if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
|
2004-05-30 00:48:23 +02:00
|
|
|
{
|
2005-02-22 05:43:23 +01:00
|
|
|
HandleChildCrash(pid, exitstatus, _("server process"));
|
2004-05-30 00:48:23 +02:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (curr = DLGetHead(BackendList); curr; curr = DLGetSucc(curr))
|
1997-09-07 07:04:48 +02:00
|
|
|
{
|
2004-05-30 00:48:23 +02:00
|
|
|
Backend *bp = (Backend *) DLE_VAL(curr);
|
|
|
|
|
|
|
|
|
|
if (bp->pid == pid)
|
1997-09-07 07:04:48 +02:00
|
|
|
{
|
2007-08-09 03:18:43 +02:00
|
|
|
if (!bp->dead_end)
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
{
|
|
|
|
|
if (!ReleasePostmasterChildSlot(bp->child_slot))
|
|
|
|
|
{
|
|
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* Uh-oh, the child failed to clean itself up. Treat as a
|
|
|
|
|
* crash after all.
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
*/
|
|
|
|
|
HandleChildCrash(pid, exitstatus, _("server process"));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
#ifdef EXEC_BACKEND
|
|
|
|
|
ShmemBackendArrayRemove(bp);
|
2007-08-09 03:18:43 +02:00
|
|
|
#endif
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
}
|
2004-05-30 00:48:23 +02:00
|
|
|
DLRemove(curr);
|
|
|
|
|
free(bp);
|
|
|
|
|
break;
|
|
|
|
|
}
|
1997-09-07 07:04:48 +02:00
|
|
|
}
|
2004-05-30 00:48:23 +02:00
|
|
|
}
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
/*
|
2007-07-24 06:54:09 +02:00
|
|
|
* HandleChildCrash -- cleanup after failed backend, bgwriter, walwriter,
|
|
|
|
|
* or autovacuum.
|
2004-05-30 00:48:23 +02:00
|
|
|
*
|
|
|
|
|
* The objectives here are to clean up our local state about the child
|
|
|
|
|
* process, and to signal all other remaining children to quickdie.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
2004-08-04 22:09:47 +02:00
|
|
|
HandleChildCrash(int pid, int exitstatus, const char *procname)
|
2004-05-30 00:48:23 +02:00
|
|
|
{
|
|
|
|
|
Dlelem *curr,
|
|
|
|
|
*next;
|
|
|
|
|
Backend *bp;
|
2001-08-30 21:02:42 +02:00
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Make log entry unless there was a previous crash (if so, nonzero exit
|
|
|
|
|
* status is to be expected in SIGQUIT response; don't clutter log)
|
2004-05-30 00:48:23 +02:00
|
|
|
*/
|
1999-10-08 04:16:22 +02:00
|
|
|
if (!FatalError)
|
|
|
|
|
{
|
2004-08-04 22:09:47 +02:00
|
|
|
LogChildExit(LOG, procname, pid, exitstatus);
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
2005-10-15 04:49:52 +02:00
|
|
|
(errmsg("terminating any other active server processes")));
|
1999-10-08 04:16:22 +02:00
|
|
|
}
|
2000-12-20 22:51:52 +01:00
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
/* Process regular backends */
|
|
|
|
|
for (curr = DLGetHead(BackendList); curr; curr = next)
|
1997-09-07 07:04:48 +02:00
|
|
|
{
|
1999-10-06 23:58:18 +02:00
|
|
|
next = DLGetSucc(curr);
|
1997-09-07 07:04:48 +02:00
|
|
|
bp = (Backend *) DLE_VAL(curr);
|
2004-05-30 00:48:23 +02:00
|
|
|
if (bp->pid == pid)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Found entry for freshly-dead backend, so remove it.
|
|
|
|
|
*/
|
2007-08-09 03:18:43 +02:00
|
|
|
if (!bp->dead_end)
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
{
|
|
|
|
|
(void) ReleasePostmasterChildSlot(bp->child_slot);
|
|
|
|
|
#ifdef EXEC_BACKEND
|
|
|
|
|
ShmemBackendArrayRemove(bp);
|
2007-08-09 03:18:43 +02:00
|
|
|
#endif
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
}
|
2004-05-30 00:48:23 +02:00
|
|
|
DLRemove(curr);
|
|
|
|
|
free(bp);
|
|
|
|
|
/* Keep looping so we can signal remaining backends */
|
|
|
|
|
}
|
|
|
|
|
else
|
1997-09-07 07:04:48 +02:00
|
|
|
{
|
2000-12-20 22:51:52 +01:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* This backend is still alive. Unless we did so already, tell it
|
|
|
|
|
* to commit hara-kiri.
|
2000-12-20 22:51:52 +01:00
|
|
|
*
|
2005-11-22 19:17:34 +01:00
|
|
|
* SIGQUIT is the special signal that says exit without proc_exit
|
|
|
|
|
* and let the user know what's going on. But if SendStop is set
|
|
|
|
|
* (-s on command line), then we send SIGSTOP instead, so that we
|
|
|
|
|
* can get core dumps from all backends by hand.
|
2007-08-09 03:18:43 +02:00
|
|
|
*
|
|
|
|
|
* We could exclude dead_end children here, but at least in the
|
|
|
|
|
* SIGSTOP case it seems better to include them.
|
2000-12-20 22:51:52 +01:00
|
|
|
*/
|
|
|
|
|
if (!FatalError)
|
|
|
|
|
{
|
2003-08-12 20:23:21 +02:00
|
|
|
ereport(DEBUG2,
|
|
|
|
|
(errmsg_internal("sending %s to process %d",
|
2005-10-15 04:49:52 +02:00
|
|
|
(SendStop ? "SIGSTOP" : "SIGQUIT"),
|
2003-08-12 20:23:21 +02:00
|
|
|
(int) bp->pid)));
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(bp->pid, (SendStop ? SIGSTOP : SIGQUIT));
|
2000-12-20 22:51:52 +01:00
|
|
|
}
|
1997-09-07 07:04:48 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
/* Take care of the startup process too */
|
|
|
|
|
if (pid == StartupPID)
|
|
|
|
|
StartupPID = 0;
|
|
|
|
|
else if (StartupPID != 0 && !FatalError)
|
|
|
|
|
{
|
|
|
|
|
ereport(DEBUG2,
|
|
|
|
|
(errmsg_internal("sending %s to process %d",
|
|
|
|
|
(SendStop ? "SIGSTOP" : "SIGQUIT"),
|
|
|
|
|
(int) StartupPID)));
|
2009-03-03 11:42:05 +01:00
|
|
|
signal_child(StartupPID, (SendStop ? SIGSTOP : SIGQUIT));
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
}
|
|
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
/* Take care of the bgwriter too */
|
|
|
|
|
if (pid == BgWriterPID)
|
2003-11-19 16:55:08 +01:00
|
|
|
BgWriterPID = 0;
|
2004-05-30 00:48:23 +02:00
|
|
|
else if (BgWriterPID != 0 && !FatalError)
|
2001-06-22 21:16:24 +02:00
|
|
|
{
|
2004-05-30 00:48:23 +02:00
|
|
|
ereport(DEBUG2,
|
|
|
|
|
(errmsg_internal("sending %s to process %d",
|
|
|
|
|
(SendStop ? "SIGSTOP" : "SIGQUIT"),
|
|
|
|
|
(int) BgWriterPID)));
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(BgWriterPID, (SendStop ? SIGSTOP : SIGQUIT));
|
2001-06-22 21:16:24 +02:00
|
|
|
}
|
2000-12-20 22:51:52 +01:00
|
|
|
|
2007-07-24 06:54:09 +02:00
|
|
|
/* Take care of the walwriter too */
|
|
|
|
|
if (pid == WalWriterPID)
|
|
|
|
|
WalWriterPID = 0;
|
|
|
|
|
else if (WalWriterPID != 0 && !FatalError)
|
|
|
|
|
{
|
|
|
|
|
ereport(DEBUG2,
|
|
|
|
|
(errmsg_internal("sending %s to process %d",
|
|
|
|
|
(SendStop ? "SIGSTOP" : "SIGQUIT"),
|
|
|
|
|
(int) WalWriterPID)));
|
|
|
|
|
signal_child(WalWriterPID, (SendStop ? SIGSTOP : SIGQUIT));
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-15 10:19:10 +01:00
|
|
|
/* Take care of the walreceiver too */
|
|
|
|
|
if (pid == WalReceiverPID)
|
|
|
|
|
WalReceiverPID = 0;
|
|
|
|
|
else if (WalReceiverPID != 0 && !FatalError)
|
|
|
|
|
{
|
|
|
|
|
ereport(DEBUG2,
|
|
|
|
|
(errmsg_internal("sending %s to process %d",
|
|
|
|
|
(SendStop ? "SIGSTOP" : "SIGQUIT"),
|
|
|
|
|
(int) WalReceiverPID)));
|
|
|
|
|
signal_child(WalReceiverPID, (SendStop ? SIGSTOP : SIGQUIT));
|
|
|
|
|
}
|
|
|
|
|
|
2007-02-16 00:23:23 +01:00
|
|
|
/* Take care of the autovacuum launcher too */
|
2005-07-14 07:13:45 +02:00
|
|
|
if (pid == AutoVacPID)
|
|
|
|
|
AutoVacPID = 0;
|
|
|
|
|
else if (AutoVacPID != 0 && !FatalError)
|
|
|
|
|
{
|
|
|
|
|
ereport(DEBUG2,
|
|
|
|
|
(errmsg_internal("sending %s to process %d",
|
|
|
|
|
(SendStop ? "SIGSTOP" : "SIGQUIT"),
|
|
|
|
|
(int) AutoVacPID)));
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(AutoVacPID, (SendStop ? SIGSTOP : SIGQUIT));
|
2005-07-14 07:13:45 +02:00
|
|
|
}
|
|
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/*
|
|
|
|
|
* Force a power-cycle of the pgarch process too. (This isn't absolutely
|
|
|
|
|
* necessary, but it seems like a good idea for robustness, and it
|
2007-11-15 22:14:46 +01:00
|
|
|
* simplifies the state-machine logic in the case where a shutdown request
|
|
|
|
|
* arrives during crash processing.)
|
2007-08-09 03:18:43 +02:00
|
|
|
*/
|
2004-07-19 04:47:16 +02:00
|
|
|
if (PgArchPID != 0 && !FatalError)
|
|
|
|
|
{
|
|
|
|
|
ereport(DEBUG2,
|
|
|
|
|
(errmsg_internal("sending %s to process %d",
|
|
|
|
|
"SIGQUIT",
|
|
|
|
|
(int) PgArchPID)));
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(PgArchPID, SIGQUIT);
|
2004-07-19 04:47:16 +02:00
|
|
|
}
|
|
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/*
|
|
|
|
|
* Force a power-cycle of the pgstat process too. (This isn't absolutely
|
|
|
|
|
* necessary, but it seems like a good idea for robustness, and it
|
2007-11-15 22:14:46 +01:00
|
|
|
* simplifies the state-machine logic in the case where a shutdown request
|
|
|
|
|
* arrives during crash processing.)
|
2007-08-09 03:18:43 +02:00
|
|
|
*/
|
2004-06-14 20:08:19 +02:00
|
|
|
if (PgStatPID != 0 && !FatalError)
|
|
|
|
|
{
|
|
|
|
|
ereport(DEBUG2,
|
|
|
|
|
(errmsg_internal("sending %s to process %d",
|
|
|
|
|
"SIGQUIT",
|
|
|
|
|
(int) PgStatPID)));
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(PgStatPID, SIGQUIT);
|
2007-03-22 20:53:31 +01:00
|
|
|
allow_immediate_pgstat_restart();
|
2004-06-14 20:08:19 +02:00
|
|
|
}
|
|
|
|
|
|
2004-08-06 01:32:13 +02:00
|
|
|
/* We do NOT restart the syslogger */
|
|
|
|
|
|
2000-12-20 22:51:52 +01:00
|
|
|
FatalError = true;
|
2007-08-09 03:18:43 +02:00
|
|
|
/* We now transit into a state of waiting for children to die */
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
if (pmState == PM_RECOVERY ||
|
2010-05-15 22:01:32 +02:00
|
|
|
pmState == PM_HOT_STANDBY ||
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
pmState == PM_RUN ||
|
2008-04-27 00:47:40 +02:00
|
|
|
pmState == PM_WAIT_BACKUP ||
|
2010-04-08 03:39:37 +02:00
|
|
|
pmState == PM_WAIT_READONLY ||
|
2008-04-27 00:47:40 +02:00
|
|
|
pmState == PM_SHUTDOWN)
|
2007-08-09 03:18:43 +02:00
|
|
|
pmState = PM_WAIT_BACKENDS;
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
2001-11-06 19:02:48 +01:00
|
|
|
/*
|
2001-11-11 00:06:12 +01:00
|
|
|
* Log the death of a child process.
|
2001-11-06 19:02:48 +01:00
|
|
|
*/
|
2001-11-11 00:06:12 +01:00
|
|
|
static void
|
2002-03-04 02:46:04 +01:00
|
|
|
LogChildExit(int lev, const char *procname, int pid, int exitstatus)
|
2001-11-06 19:02:48 +01:00
|
|
|
{
|
|
|
|
|
if (WIFEXITED(exitstatus))
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(lev,
|
2003-08-04 02:43:34 +02:00
|
|
|
|
2006-11-28 13:54:42 +01:00
|
|
|
/*------
|
|
|
|
|
translator: %s is a noun phrase describing a child process, such as
|
|
|
|
|
"server process" */
|
2003-09-25 08:58:07 +02:00
|
|
|
(errmsg("%s (PID %d) exited with exit code %d",
|
2003-07-22 21:00:12 +02:00
|
|
|
procname, pid, WEXITSTATUS(exitstatus))));
|
2001-11-06 19:02:48 +01:00
|
|
|
else if (WIFSIGNALED(exitstatus))
|
2007-01-28 02:12:05 +01:00
|
|
|
#if defined(WIN32)
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(lev,
|
2003-08-04 02:43:34 +02:00
|
|
|
|
2006-11-28 13:54:42 +01:00
|
|
|
/*------
|
|
|
|
|
translator: %s is a noun phrase describing a child process, such as
|
|
|
|
|
"server process" */
|
2007-01-28 07:32:03 +01:00
|
|
|
(errmsg("%s (PID %d) was terminated by exception 0x%X",
|
2007-01-28 02:12:05 +01:00
|
|
|
procname, pid, WTERMSIG(exitstatus)),
|
2007-11-08 15:47:51 +01:00
|
|
|
errhint("See C include file \"ntstatus.h\" for a description of the hexadecimal value.")));
|
2007-01-28 07:32:03 +01:00
|
|
|
#elif defined(HAVE_DECL_SYS_SIGLIST) && HAVE_DECL_SYS_SIGLIST
|
2007-11-15 22:14:46 +01:00
|
|
|
ereport(lev,
|
|
|
|
|
|
|
|
|
|
/*------
|
|
|
|
|
translator: %s is a noun phrase describing a child process, such as
|
|
|
|
|
"server process" */
|
|
|
|
|
(errmsg("%s (PID %d) was terminated by signal %d: %s",
|
|
|
|
|
procname, pid, WTERMSIG(exitstatus),
|
|
|
|
|
WTERMSIG(exitstatus) < NSIG ?
|
|
|
|
|
sys_siglist[WTERMSIG(exitstatus)] : "(unknown)")));
|
2007-01-22 19:31:51 +01:00
|
|
|
#else
|
2007-01-23 02:45:11 +01:00
|
|
|
ereport(lev,
|
2007-01-23 04:28:49 +01:00
|
|
|
|
2007-01-22 19:31:51 +01:00
|
|
|
/*------
|
|
|
|
|
translator: %s is a noun phrase describing a child process, such as
|
|
|
|
|
"server process" */
|
2007-01-28 02:12:05 +01:00
|
|
|
(errmsg("%s (PID %d) was terminated by signal %d",
|
|
|
|
|
procname, pid, WTERMSIG(exitstatus))));
|
2007-01-22 19:31:51 +01:00
|
|
|
#endif
|
2001-11-06 19:02:48 +01:00
|
|
|
else
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(lev,
|
2003-08-04 02:43:34 +02:00
|
|
|
|
2006-11-28 13:54:42 +01:00
|
|
|
/*------
|
|
|
|
|
translator: %s is a noun phrase describing a child process, such as
|
|
|
|
|
"server process" */
|
2007-01-28 07:32:03 +01:00
|
|
|
(errmsg("%s (PID %d) exited with unrecognized status %d",
|
2003-07-22 21:00:12 +02:00
|
|
|
procname, pid, exitstatus)));
|
2001-11-06 19:02:48 +01:00
|
|
|
}
|
|
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/*
|
|
|
|
|
* Advance the postmaster's state machine and take actions as appropriate
|
|
|
|
|
*
|
2011-04-04 01:42:00 +02:00
|
|
|
* This is common code for pmdie(), reaper() and sigusr1_handler(), which
|
|
|
|
|
* receive the signals that might mean we need to change state.
|
2007-08-09 03:18:43 +02:00
|
|
|
*/
|
|
|
|
|
static void
|
|
|
|
|
PostmasterStateMachine(void)
|
|
|
|
|
{
|
2008-04-23 15:44:59 +02:00
|
|
|
if (pmState == PM_WAIT_BACKUP)
|
|
|
|
|
{
|
|
|
|
|
/*
|
2008-04-27 00:47:40 +02:00
|
|
|
* PM_WAIT_BACKUP state ends when online backup mode is not active.
|
2008-04-23 15:44:59 +02:00
|
|
|
*/
|
|
|
|
|
if (!BackupInProgress())
|
|
|
|
|
pmState = PM_WAIT_BACKENDS;
|
|
|
|
|
}
|
|
|
|
|
|
2010-04-08 03:39:37 +02:00
|
|
|
if (pmState == PM_WAIT_READONLY)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* PM_WAIT_READONLY state ends when we have no regular backends that
|
|
|
|
|
* have been started during recovery. We kill the startup and
|
|
|
|
|
* walreceiver processes and transition to PM_WAIT_BACKENDS. Ideally,
|
|
|
|
|
* we might like to kill these processes first and then wait for
|
|
|
|
|
* backends to die off, but that doesn't work at present because
|
|
|
|
|
* killing the startup process doesn't release its locks.
|
|
|
|
|
*/
|
|
|
|
|
if (CountChildren(BACKEND_TYPE_NORMAL) == 0)
|
|
|
|
|
{
|
|
|
|
|
if (StartupPID != 0)
|
|
|
|
|
signal_child(StartupPID, SIGTERM);
|
|
|
|
|
if (WalReceiverPID != 0)
|
|
|
|
|
signal_child(WalReceiverPID, SIGTERM);
|
|
|
|
|
pmState = PM_WAIT_BACKENDS;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* If we are in a state-machine state that implies waiting for backends to
|
|
|
|
|
* exit, see if they're all gone, and change state if so.
|
2007-08-09 03:18:43 +02:00
|
|
|
*/
|
|
|
|
|
if (pmState == PM_WAIT_BACKENDS)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* PM_WAIT_BACKENDS state ends when we have no regular backends
|
|
|
|
|
* (including autovac workers) and no walwriter or autovac launcher.
|
2007-11-15 22:14:46 +01:00
|
|
|
* If we are doing crash recovery then we expect the bgwriter to exit
|
|
|
|
|
* too, otherwise not. The archiver, stats, and syslogger processes
|
|
|
|
|
* are disregarded since they are not connected to shared memory; we
|
2010-01-15 10:19:10 +01:00
|
|
|
* also disregard dead_end children here. Walsenders are also
|
|
|
|
|
* disregarded, they will be terminated later after writing the
|
|
|
|
|
* checkpoint record, like the archiver process.
|
2007-08-09 03:18:43 +02:00
|
|
|
*/
|
2010-01-15 10:19:10 +01:00
|
|
|
if (CountChildren(BACKEND_TYPE_NORMAL | BACKEND_TYPE_AUTOVAC) == 0 &&
|
2007-08-09 03:18:43 +02:00
|
|
|
StartupPID == 0 &&
|
2010-01-15 10:19:10 +01:00
|
|
|
WalReceiverPID == 0 &&
|
2007-08-09 03:18:43 +02:00
|
|
|
(BgWriterPID == 0 || !FatalError) &&
|
|
|
|
|
WalWriterPID == 0 &&
|
|
|
|
|
AutoVacPID == 0)
|
|
|
|
|
{
|
|
|
|
|
if (FatalError)
|
|
|
|
|
{
|
|
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Start waiting for dead_end children to die. This state
|
2007-08-09 03:18:43 +02:00
|
|
|
* change causes ServerLoop to stop creating new ones.
|
|
|
|
|
*/
|
|
|
|
|
pmState = PM_WAIT_DEAD_END;
|
2008-01-11 01:54:09 +01:00
|
|
|
|
|
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* We already SIGQUIT'd the archiver and stats processes, if
|
|
|
|
|
* any, when we entered FatalError state.
|
2008-01-11 01:54:09 +01:00
|
|
|
*/
|
2007-08-09 03:18:43 +02:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* If we get here, we are proceeding with normal shutdown. All
|
|
|
|
|
* the regular children are gone, and it's time to tell the
|
|
|
|
|
* bgwriter to do a shutdown checkpoint.
|
2007-08-09 03:18:43 +02:00
|
|
|
*/
|
|
|
|
|
Assert(Shutdown > NoShutdown);
|
|
|
|
|
/* Start the bgwriter if not running */
|
|
|
|
|
if (BgWriterPID == 0)
|
|
|
|
|
BgWriterPID = StartBackgroundWriter();
|
|
|
|
|
/* And tell it to shut down */
|
|
|
|
|
if (BgWriterPID != 0)
|
|
|
|
|
{
|
|
|
|
|
signal_child(BgWriterPID, SIGUSR2);
|
|
|
|
|
pmState = PM_SHUTDOWN;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* If we failed to fork a bgwriter, just shut down. Any
|
|
|
|
|
* required cleanup will happen at next restart. We set
|
|
|
|
|
* FatalError so that an "abnormal shutdown" message gets
|
|
|
|
|
* logged when we exit.
|
2007-08-09 03:18:43 +02:00
|
|
|
*/
|
|
|
|
|
FatalError = true;
|
|
|
|
|
pmState = PM_WAIT_DEAD_END;
|
2008-01-11 01:54:09 +01:00
|
|
|
|
2010-01-15 10:19:10 +01:00
|
|
|
/* Kill the walsenders, archiver and stats collector too */
|
2010-12-16 16:20:38 +01:00
|
|
|
SignalChildren(SIGQUIT);
|
2008-01-11 01:54:09 +01:00
|
|
|
if (PgArchPID != 0)
|
|
|
|
|
signal_child(PgArchPID, SIGQUIT);
|
|
|
|
|
if (PgStatPID != 0)
|
|
|
|
|
signal_child(PgStatPID, SIGQUIT);
|
2007-08-09 03:18:43 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-15 10:19:10 +01:00
|
|
|
if (pmState == PM_SHUTDOWN_2)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* PM_SHUTDOWN_2 state ends when there's no other children than
|
|
|
|
|
* dead_end children left. There shouldn't be any regular backends
|
2010-02-26 03:01:40 +01:00
|
|
|
* left by now anyway; what we're really waiting for is walsenders and
|
|
|
|
|
* archiver.
|
2010-01-15 10:19:10 +01:00
|
|
|
*
|
|
|
|
|
* Walreceiver should normally be dead by now, but not when a fast
|
|
|
|
|
* shutdown is performed during recovery.
|
|
|
|
|
*/
|
|
|
|
|
if (PgArchPID == 0 && CountChildren(BACKEND_TYPE_ALL) == 0 &&
|
|
|
|
|
WalReceiverPID == 0)
|
|
|
|
|
{
|
|
|
|
|
pmState = PM_WAIT_DEAD_END;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
if (pmState == PM_WAIT_DEAD_END)
|
|
|
|
|
{
|
|
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* PM_WAIT_DEAD_END state ends when the BackendList is entirely empty
|
2008-01-11 01:54:09 +01:00
|
|
|
* (ie, no dead_end children remain), and the archiver and stats
|
|
|
|
|
* collector are gone too.
|
|
|
|
|
*
|
|
|
|
|
* The reason we wait for those two is to protect them against a new
|
|
|
|
|
* postmaster starting conflicting subprocesses; this isn't an
|
|
|
|
|
* ironclad protection, but it at least helps in the
|
|
|
|
|
* shutdown-and-immediately-restart scenario. Note that they have
|
|
|
|
|
* already been sent appropriate shutdown signals, either during a
|
|
|
|
|
* normal state transition leading up to PM_WAIT_DEAD_END, or during
|
|
|
|
|
* FatalError processing.
|
2007-08-09 03:18:43 +02:00
|
|
|
*/
|
2008-01-11 01:54:09 +01:00
|
|
|
if (DLGetHead(BackendList) == NULL &&
|
|
|
|
|
PgArchPID == 0 && PgStatPID == 0)
|
2007-08-09 03:18:43 +02:00
|
|
|
{
|
|
|
|
|
/* These other guys should be dead already */
|
|
|
|
|
Assert(StartupPID == 0);
|
2010-01-15 10:19:10 +01:00
|
|
|
Assert(WalReceiverPID == 0);
|
2007-08-09 03:18:43 +02:00
|
|
|
Assert(BgWriterPID == 0);
|
|
|
|
|
Assert(WalWriterPID == 0);
|
|
|
|
|
Assert(AutoVacPID == 0);
|
2008-01-11 01:54:09 +01:00
|
|
|
/* syslogger is not considered here */
|
2007-08-09 03:18:43 +02:00
|
|
|
pmState = PM_NO_CHILDREN;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If we've been told to shut down, we exit as soon as there are no
|
2007-11-15 22:14:46 +01:00
|
|
|
* remaining children. If there was a crash, cleanup will occur at the
|
2007-08-09 03:18:43 +02:00
|
|
|
* next startup. (Before PostgreSQL 8.3, we tried to recover from the
|
|
|
|
|
* crash before exiting, but that seems unwise if we are quitting because
|
|
|
|
|
* we got SIGTERM from init --- there may well not be time for recovery
|
|
|
|
|
* before init decides to SIGKILL us.)
|
|
|
|
|
*
|
2008-01-11 01:54:09 +01:00
|
|
|
* Note that the syslogger continues to run. It will exit when it sees
|
|
|
|
|
* EOF on its input pipe, which happens when there are no more upstream
|
|
|
|
|
* processes.
|
2007-08-09 03:18:43 +02:00
|
|
|
*/
|
|
|
|
|
if (Shutdown > NoShutdown && pmState == PM_NO_CHILDREN)
|
|
|
|
|
{
|
|
|
|
|
if (FatalError)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG, (errmsg("abnormal database system shutdown")));
|
|
|
|
|
ExitPostmaster(1);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2008-04-27 00:47:40 +02:00
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* Terminate backup mode to avoid recovery after a clean fast
|
2010-05-26 14:32:41 +02:00
|
|
|
* shutdown. Since a backup can only be taken during normal
|
|
|
|
|
* running (and not, for example, while running under Hot Standby)
|
2010-07-06 21:19:02 +02:00
|
|
|
* it only makes sense to do this if we reached normal running. If
|
|
|
|
|
* we're still in recovery, the backup file is one we're
|
2010-05-26 14:32:41 +02:00
|
|
|
* recovering *from*, and we must keep it around so that recovery
|
|
|
|
|
* restarts from the right place.
|
2008-04-27 00:47:40 +02:00
|
|
|
*/
|
2010-05-26 14:32:41 +02:00
|
|
|
if (ReachedNormalRunning)
|
|
|
|
|
CancelBackup();
|
2008-04-27 00:47:40 +02:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/* Normal exit from the postmaster is here */
|
|
|
|
|
ExitPostmaster(0);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
/*
|
2011-04-10 17:42:00 +02:00
|
|
|
* If recovery failed, or the user does not want an automatic restart
|
|
|
|
|
* after backend crashes, wait for all non-syslogger children to exit, and
|
|
|
|
|
* then exit postmaster. We don't try to reinitialize when recovery fails,
|
|
|
|
|
* because more than likely it will just fail again and we will keep
|
|
|
|
|
* trying forever.
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
*/
|
2010-07-20 02:47:53 +02:00
|
|
|
if (pmState == PM_NO_CHILDREN && (RecoveryError || !restart_after_crash))
|
2009-06-11 16:49:15 +02:00
|
|
|
ExitPostmaster(1);
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* If we need to recover from a crash, wait for all non-syslogger children
|
|
|
|
|
* to exit, then reset shmem and StartupDataBase.
|
2007-08-09 03:18:43 +02:00
|
|
|
*/
|
|
|
|
|
if (FatalError && pmState == PM_NO_CHILDREN)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("all server processes terminated; reinitializing")));
|
|
|
|
|
|
2009-01-04 23:19:59 +01:00
|
|
|
shmem_exit(1);
|
2007-08-09 03:18:43 +02:00
|
|
|
reset_shared(PostPortNumber);
|
|
|
|
|
|
|
|
|
|
StartupPID = StartupDataBase();
|
|
|
|
|
Assert(StartupPID != 0);
|
|
|
|
|
pmState = PM_STARTUP;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2006-11-21 21:59:53 +01:00
|
|
|
/*
|
|
|
|
|
* Send a signal to a postmaster child process
|
|
|
|
|
*
|
|
|
|
|
* On systems that have setsid(), each child process sets itself up as a
|
|
|
|
|
* process group leader. For signals that are generally interpreted in the
|
|
|
|
|
* appropriate fashion, we signal the entire process group not just the
|
|
|
|
|
* direct child process. This allows us to, for example, SIGQUIT a blocked
|
|
|
|
|
* archive_recovery script, or SIGINT a script being run by a backend via
|
|
|
|
|
* system().
|
|
|
|
|
*
|
|
|
|
|
* There is a race condition for recently-forked children: they might not
|
2007-11-15 22:14:46 +01:00
|
|
|
* have executed setsid() yet. So we signal the child directly as well as
|
2006-11-21 21:59:53 +01:00
|
|
|
* the group. We assume such a child will handle the signal before trying
|
|
|
|
|
* to spawn any grandchild processes. We also assume that signaling the
|
|
|
|
|
* child twice will not cause any problems.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
|
|
|
|
signal_child(pid_t pid, int signal)
|
|
|
|
|
{
|
|
|
|
|
if (kill(pid, signal) < 0)
|
|
|
|
|
elog(DEBUG3, "kill(%ld,%d) failed: %m", (long) pid, signal);
|
|
|
|
|
#ifdef HAVE_SETSID
|
|
|
|
|
switch (signal)
|
|
|
|
|
{
|
|
|
|
|
case SIGINT:
|
|
|
|
|
case SIGTERM:
|
|
|
|
|
case SIGQUIT:
|
|
|
|
|
case SIGSTOP:
|
|
|
|
|
if (kill(-pid, signal) < 0)
|
|
|
|
|
elog(DEBUG3, "kill(%ld,%d) failed: %m", (long) (-pid), signal);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
1998-08-25 23:34:10 +02:00
|
|
|
/*
|
2010-01-15 10:19:10 +01:00
|
|
|
* Send a signal to the targeted children (but NOT special children;
|
|
|
|
|
* dead_end children are never signaled, either).
|
2007-02-16 00:23:23 +01:00
|
|
|
*/
|
2010-01-15 10:19:10 +01:00
|
|
|
static bool
|
|
|
|
|
SignalSomeChildren(int signal, int target)
|
1998-08-25 23:34:10 +02:00
|
|
|
{
|
2004-05-30 00:48:23 +02:00
|
|
|
Dlelem *curr;
|
2010-01-15 10:19:10 +01:00
|
|
|
bool signaled = false;
|
1998-08-25 23:34:10 +02:00
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
for (curr = DLGetHead(BackendList); curr; curr = DLGetSucc(curr))
|
1998-08-25 23:34:10 +02:00
|
|
|
{
|
2004-05-30 00:48:23 +02:00
|
|
|
Backend *bp = (Backend *) DLE_VAL(curr);
|
1998-08-25 23:34:10 +02:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
if (bp->dead_end)
|
|
|
|
|
continue;
|
2011-01-22 04:20:06 +01:00
|
|
|
|
|
|
|
|
/*
|
2011-04-10 17:42:00 +02:00
|
|
|
* Since target == BACKEND_TYPE_ALL is the most common case, we test
|
|
|
|
|
* it first and avoid touching shared memory for every child.
|
2011-01-22 04:20:06 +01:00
|
|
|
*/
|
|
|
|
|
if (target != BACKEND_TYPE_ALL)
|
|
|
|
|
{
|
|
|
|
|
int child;
|
|
|
|
|
|
|
|
|
|
if (bp->is_autovacuum)
|
|
|
|
|
child = BACKEND_TYPE_AUTOVAC;
|
|
|
|
|
else if (IsPostmasterChildWalSender(bp->child_slot))
|
|
|
|
|
child = BACKEND_TYPE_WALSND;
|
|
|
|
|
else
|
|
|
|
|
child = BACKEND_TYPE_NORMAL;
|
|
|
|
|
if (!(target & child))
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2007-02-16 00:23:23 +01:00
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
ereport(DEBUG4,
|
|
|
|
|
(errmsg_internal("sending signal %d to process %d",
|
|
|
|
|
signal, (int) bp->pid)));
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(bp->pid, signal);
|
2010-01-15 10:19:10 +01:00
|
|
|
signaled = true;
|
1998-08-25 23:34:10 +02:00
|
|
|
}
|
2010-01-15 10:19:10 +01:00
|
|
|
return signaled;
|
1998-08-25 23:34:10 +02:00
|
|
|
}
|
|
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
/*
|
|
|
|
|
* BackendStartup -- start backend process
|
|
|
|
|
*
|
2002-03-02 21:46:12 +01:00
|
|
|
* returns: STATUS_ERROR if the fork failed, STATUS_OK otherwise.
|
2007-02-16 00:23:23 +01:00
|
|
|
*
|
|
|
|
|
* Note: if you change this code, also consider StartAutovacuumWorker.
|
1996-07-09 08:22:35 +02:00
|
|
|
*/
|
1997-08-19 23:40:56 +02:00
|
|
|
static int
|
1998-01-26 02:42:53 +01:00
|
|
|
BackendStartup(Port *port)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
1997-09-08 04:41:22 +02:00
|
|
|
Backend *bn; /* for backend cleanup */
|
2001-06-20 20:07:56 +02:00
|
|
|
pid_t pid;
|
2002-09-04 22:31:48 +02:00
|
|
|
|
1998-06-09 06:06:12 +02:00
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* Create backend data structure. Better before the fork() so we can
|
|
|
|
|
* handle failure cleanly.
|
2001-10-21 05:25:36 +02:00
|
|
|
*/
|
|
|
|
|
bn = (Backend *) malloc(sizeof(Backend));
|
|
|
|
|
if (!bn)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_OUT_OF_MEMORY),
|
|
|
|
|
errmsg("out of memory")));
|
2001-10-21 05:25:36 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
/*
|
|
|
|
|
* Compute the cancel key that will be assigned to this backend. The
|
|
|
|
|
* backend will have its own copy in the forked-off process' value of
|
|
|
|
|
* MyCancelKey, so that it can transmit the key to the frontend.
|
|
|
|
|
*/
|
|
|
|
|
MyCancelKey = PostmasterRandom();
|
|
|
|
|
bn->cancel_key = MyCancelKey;
|
|
|
|
|
|
2008-04-27 00:47:40 +02:00
|
|
|
/* Pass down canAcceptConnections state */
|
2004-05-28 07:13:32 +02:00
|
|
|
port->canAcceptConnections = canAcceptConnections();
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
bn->dead_end = (port->canAcceptConnections != CAC_OK &&
|
|
|
|
|
port->canAcceptConnections != CAC_WAITBACKUP);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Unless it's a dead_end child, assign it a child slot number
|
|
|
|
|
*/
|
|
|
|
|
if (!bn->dead_end)
|
|
|
|
|
bn->child_slot = MyPMChildSlot = AssignPostmasterChildSlot();
|
|
|
|
|
else
|
|
|
|
|
bn->child_slot = 0;
|
2004-05-28 07:13:32 +02:00
|
|
|
|
|
|
|
|
#ifdef EXEC_BACKEND
|
|
|
|
|
pid = backend_forkexec(port);
|
2004-08-29 07:07:03 +02:00
|
|
|
#else /* !EXEC_BACKEND */
|
2005-03-10 08:14:03 +01:00
|
|
|
pid = fork_process();
|
2001-06-20 20:07:56 +02:00
|
|
|
if (pid == 0) /* child */
|
2003-05-28 21:36:28 +02:00
|
|
|
{
|
|
|
|
|
free(bn);
|
2006-01-04 22:06:32 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Let's clean up ourselves as the postmaster child, and close the
|
|
|
|
|
* postmaster's listen sockets. (In EXEC_BACKEND case this is all
|
|
|
|
|
* done in SubPostmasterMain.)
|
|
|
|
|
*/
|
2006-10-04 02:30:14 +02:00
|
|
|
IsUnderPostmaster = true; /* we are a postmaster subprocess now */
|
2006-01-04 22:06:32 +01:00
|
|
|
|
2006-10-04 02:30:14 +02:00
|
|
|
MyProcPid = getpid(); /* reset MyProcPid */
|
2006-01-04 22:06:32 +01:00
|
|
|
|
2007-08-03 01:39:45 +02:00
|
|
|
MyStartTime = time(NULL);
|
|
|
|
|
|
2006-01-04 22:06:32 +01:00
|
|
|
/* We don't want the postmaster's proc_exit() handlers */
|
|
|
|
|
on_exit_reset();
|
|
|
|
|
|
|
|
|
|
/* Close the postmaster's sockets */
|
|
|
|
|
ClosePostmasterPorts(false);
|
|
|
|
|
|
2009-08-29 21:26:52 +02:00
|
|
|
/* Perform additional initialization and collect startup packet */
|
2006-01-04 22:06:32 +01:00
|
|
|
BackendInitialize(port);
|
|
|
|
|
|
|
|
|
|
/* And run the backend */
|
2004-01-07 00:15:22 +01:00
|
|
|
proc_exit(BackendRun(port));
|
2003-05-28 21:36:28 +02:00
|
|
|
}
|
2004-08-29 07:07:03 +02:00
|
|
|
#endif /* EXEC_BACKEND */
|
2004-05-28 07:13:32 +02:00
|
|
|
|
1997-09-07 07:04:48 +02:00
|
|
|
if (pid < 0)
|
|
|
|
|
{
|
2004-05-28 07:13:32 +02:00
|
|
|
/* in parent, fork failed */
|
2002-01-06 22:40:02 +01:00
|
|
|
int save_errno = errno;
|
|
|
|
|
|
2009-08-24 20:09:37 +02:00
|
|
|
if (!bn->dead_end)
|
|
|
|
|
(void) ReleasePostmasterChildSlot(bn->child_slot);
|
2002-01-06 22:40:02 +01:00
|
|
|
free(bn);
|
2003-07-22 21:00:12 +02:00
|
|
|
errno = save_errno;
|
|
|
|
|
ereport(LOG,
|
2005-10-15 04:49:52 +02:00
|
|
|
(errmsg("could not fork new process for connection: %m")));
|
2002-01-06 22:40:02 +01:00
|
|
|
report_fork_failure_to_client(port, save_errno);
|
1998-09-01 05:29:17 +02:00
|
|
|
return STATUS_ERROR;
|
1997-09-07 07:04:48 +02:00
|
|
|
}
|
|
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/* in parent, successful fork */
|
2003-08-12 20:23:21 +02:00
|
|
|
ereport(DEBUG2,
|
|
|
|
|
(errmsg_internal("forked new backend, pid=%d socket=%d",
|
|
|
|
|
(int) pid, port->sock)));
|
1997-09-07 07:04:48 +02:00
|
|
|
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Everything's been successful, it's safe to add this backend to our list
|
|
|
|
|
* of backends.
|
1997-09-07 07:04:48 +02:00
|
|
|
*/
|
|
|
|
|
bn->pid = pid;
|
2007-08-03 22:06:50 +02:00
|
|
|
bn->is_autovacuum = false;
|
2009-05-04 04:24:17 +02:00
|
|
|
DLInitElem(&bn->elem, bn);
|
|
|
|
|
DLAddHead(BackendList, &bn->elem);
|
2004-01-26 23:59:54 +01:00
|
|
|
#ifdef EXEC_BACKEND
|
2007-08-09 03:18:43 +02:00
|
|
|
if (!bn->dead_end)
|
|
|
|
|
ShmemBackendArrayAdd(bn);
|
2004-01-26 23:59:54 +01:00
|
|
|
#endif
|
1997-09-07 07:04:48 +02:00
|
|
|
|
1998-09-01 05:29:17 +02:00
|
|
|
return STATUS_OK;
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
2002-01-06 22:40:02 +01:00
|
|
|
/*
|
|
|
|
|
* Try to report backend fork() failure to client before we close the
|
2002-09-04 22:31:48 +02:00
|
|
|
* connection. Since we do not care to risk blocking the postmaster on
|
2002-01-06 22:40:02 +01:00
|
|
|
* this connection, we set the connection to non-blocking and try only once.
|
|
|
|
|
*
|
|
|
|
|
* This is grungy special-purpose code; we cannot use backend libpq since
|
|
|
|
|
* it's not up and running.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
|
|
|
|
report_fork_failure_to_client(Port *port, int errnum)
|
|
|
|
|
{
|
|
|
|
|
char buffer[1000];
|
2006-07-16 20:17:14 +02:00
|
|
|
int rc;
|
2002-09-04 22:31:48 +02:00
|
|
|
|
2003-07-22 21:00:12 +02:00
|
|
|
/* Format the error message packet (always V2 protocol) */
|
2002-01-06 22:40:02 +01:00
|
|
|
snprintf(buffer, sizeof(buffer), "E%s%s\n",
|
2005-02-22 05:43:23 +01:00
|
|
|
_("could not fork new process for connection: "),
|
2002-01-06 22:40:02 +01:00
|
|
|
strerror(errnum));
|
|
|
|
|
|
|
|
|
|
/* Set port to non-blocking. Don't do send() if this fails */
|
2005-03-25 01:34:31 +01:00
|
|
|
if (!pg_set_noblock(port->sock))
|
2002-01-06 22:40:02 +01:00
|
|
|
return;
|
|
|
|
|
|
2006-07-16 20:17:14 +02:00
|
|
|
/* We'll retry after EINTR, but ignore all other failures */
|
|
|
|
|
do
|
|
|
|
|
{
|
|
|
|
|
rc = send(port->sock, buffer, strlen(buffer) + 1, 0);
|
|
|
|
|
} while (rc < 0 && errno == EINTR);
|
2002-01-06 22:40:02 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
/*
|
2006-01-04 22:06:32 +01:00
|
|
|
* BackendInitialize -- initialize an interactive (postmaster-child)
|
2009-08-29 21:26:52 +02:00
|
|
|
* backend process, and collect the client's startup packet.
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
2006-01-04 22:06:32 +01:00
|
|
|
* returns: nothing. Will not return at all if there's any failure.
|
|
|
|
|
*
|
|
|
|
|
* Note: this code does not depend on having any access to shared memory.
|
|
|
|
|
* In the EXEC_BACKEND case, we are physically attached to shared memory
|
|
|
|
|
* but have not yet set up most of our local pointers to shmem structures.
|
1996-07-09 08:22:35 +02:00
|
|
|
*/
|
2006-01-04 22:06:32 +01:00
|
|
|
static void
|
|
|
|
|
BackendInitialize(Port *port)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2003-08-04 02:43:34 +02:00
|
|
|
int status;
|
2003-06-12 09:36:51 +02:00
|
|
|
char remote_host[NI_MAXHOST];
|
|
|
|
|
char remote_port[NI_MAXSERV];
|
2004-03-15 16:56:28 +01:00
|
|
|
char remote_ps_data[NI_MAXHOST];
|
1998-05-29 19:00:34 +02:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/* Save port etc. for ps status */
|
|
|
|
|
MyProcPort = port;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* PreAuthDelay is a debugging aid for investigating problems in the
|
2005-10-15 04:49:52 +02:00
|
|
|
* authentication cycle: it can be set in postgresql.conf to allow time to
|
2010-02-26 03:01:40 +01:00
|
|
|
* attach to the newly-forked backend with a debugger. (See also
|
|
|
|
|
* PostAuthDelay, which we allow clients to pass through PGOPTIONS, but it
|
|
|
|
|
* is not honored until after authentication.)
|
2004-05-28 07:13:32 +02:00
|
|
|
*/
|
|
|
|
|
if (PreAuthDelay > 0)
|
|
|
|
|
pg_usleep(PreAuthDelay * 1000000L);
|
|
|
|
|
|
2009-08-29 21:26:52 +02:00
|
|
|
/* This flag will remain set until InitPostgres finishes authentication */
|
2004-05-28 07:13:32 +02:00
|
|
|
ClientAuthInProgress = true; /* limit visibility of log messages */
|
|
|
|
|
|
2006-06-21 00:52:00 +02:00
|
|
|
/* save process start time */
|
|
|
|
|
port->SessionStartTime = GetCurrentTimestamp();
|
2007-08-03 01:39:45 +02:00
|
|
|
MyStartTime = timestamptz_to_time_t(port->SessionStartTime);
|
2004-02-17 04:54:57 +01:00
|
|
|
|
|
|
|
|
/* set these to empty in case they are needed before we set them up */
|
|
|
|
|
port->remote_host = "";
|
|
|
|
|
port->remote_port = "";
|
|
|
|
|
|
2001-09-21 19:06:12 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Initialize libpq and enable reporting of ereport errors to the client.
|
|
|
|
|
* Must do this now because authentication uses libpq to send messages.
|
2001-09-21 19:06:12 +02:00
|
|
|
*/
|
|
|
|
|
pq_init(); /* initialize libpq to talk to client */
|
2005-11-22 19:17:34 +01:00
|
|
|
whereToSendOutput = DestRemote; /* now safe to ereport to client */
|
2001-09-21 19:06:12 +02:00
|
|
|
|
2001-09-07 18:12:49 +02:00
|
|
|
/*
|
2006-11-21 21:59:53 +01:00
|
|
|
* If possible, make this process a group leader, so that the postmaster
|
2007-11-15 22:14:46 +01:00
|
|
|
* can signal any child processes too. (We do this now on the off chance
|
2006-11-21 21:59:53 +01:00
|
|
|
* that something might spawn a child process during authentication.)
|
|
|
|
|
*/
|
|
|
|
|
#ifdef HAVE_SETSID
|
|
|
|
|
if (setsid() < 0)
|
|
|
|
|
elog(FATAL, "setsid() failed: %m");
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* We arrange for a simple exit(1) if we receive SIGTERM or SIGQUIT or
|
|
|
|
|
* timeout while trying to collect the startup packet. Otherwise the
|
2005-10-15 04:49:52 +02:00
|
|
|
* postmaster cannot shutdown the database FAST or IMMED cleanly if a
|
2009-08-29 21:26:52 +02:00
|
|
|
* buggy client fails to send the packet promptly.
|
2001-09-07 18:12:49 +02:00
|
|
|
*/
|
2009-08-29 21:26:52 +02:00
|
|
|
pqsignal(SIGTERM, startup_die);
|
|
|
|
|
pqsignal(SIGQUIT, startup_die);
|
|
|
|
|
pqsignal(SIGALRM, startup_die);
|
|
|
|
|
PG_SETMASK(&StartupBlockSig);
|
2001-09-07 18:12:49 +02:00
|
|
|
|
2001-08-01 00:55:45 +02:00
|
|
|
/*
|
2002-05-29 01:56:51 +02:00
|
|
|
* Get the remote host name and port for logging and status display.
|
2001-10-19 02:44:08 +02:00
|
|
|
*/
|
2003-06-12 09:36:51 +02:00
|
|
|
remote_host[0] = '\0';
|
|
|
|
|
remote_port[0] = '\0';
|
2005-10-17 18:24:20 +02:00
|
|
|
if (pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
|
|
|
|
|
remote_host, sizeof(remote_host),
|
|
|
|
|
remote_port, sizeof(remote_port),
|
2005-11-22 19:17:34 +01:00
|
|
|
(log_hostname ? 0 : NI_NUMERICHOST) | NI_NUMERICSERV))
|
2001-10-19 02:44:08 +02:00
|
|
|
{
|
2005-10-17 18:24:20 +02:00
|
|
|
int ret = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
|
|
|
|
|
remote_host, sizeof(remote_host),
|
|
|
|
|
remote_port, sizeof(remote_port),
|
|
|
|
|
NI_NUMERICHOST | NI_NUMERICSERV);
|
2004-05-27 17:07:41 +02:00
|
|
|
|
2004-05-26 20:35:51 +02:00
|
|
|
if (ret)
|
|
|
|
|
ereport(WARNING,
|
2005-10-17 18:24:20 +02:00
|
|
|
(errmsg_internal("pg_getnameinfo_all() failed: %s",
|
|
|
|
|
gai_strerror(ret))));
|
2001-10-19 02:44:08 +02:00
|
|
|
}
|
2010-06-16 02:54:16 +02:00
|
|
|
if (remote_port[0] == '\0')
|
|
|
|
|
snprintf(remote_ps_data, sizeof(remote_ps_data), "%s", remote_host);
|
|
|
|
|
else
|
|
|
|
|
snprintf(remote_ps_data, sizeof(remote_ps_data), "%s(%s)", remote_host, remote_port);
|
2003-06-12 09:36:51 +02:00
|
|
|
|
|
|
|
|
if (Log_connections)
|
2010-03-25 21:40:17 +01:00
|
|
|
{
|
|
|
|
|
if (remote_port[0])
|
|
|
|
|
ereport(LOG,
|
2010-07-06 21:19:02 +02:00
|
|
|
(errmsg("connection received: host=%s port=%s",
|
|
|
|
|
remote_host,
|
|
|
|
|
remote_port)));
|
2010-03-25 21:40:17 +01:00
|
|
|
else
|
|
|
|
|
ereport(LOG,
|
2010-07-06 21:19:02 +02:00
|
|
|
(errmsg("connection received: host=%s",
|
|
|
|
|
remote_host)));
|
2010-03-25 21:40:17 +01:00
|
|
|
}
|
2002-05-29 01:56:51 +02:00
|
|
|
|
2004-02-17 04:54:57 +01:00
|
|
|
/*
|
2006-01-04 22:06:32 +01:00
|
|
|
* save remote_host and remote_port in port structure
|
2004-02-17 04:54:57 +01:00
|
|
|
*/
|
|
|
|
|
port->remote_host = strdup(remote_host);
|
|
|
|
|
port->remote_port = strdup(remote_port);
|
2010-10-15 21:53:39 +02:00
|
|
|
if (log_hostname)
|
|
|
|
|
port->remote_hostname = port->remote_host;
|
2004-02-17 04:54:57 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/*
|
2009-08-29 21:26:52 +02:00
|
|
|
* Ready to begin client interaction. We will give up and exit(1) after a
|
2005-10-15 04:49:52 +02:00
|
|
|
* time delay, so that a broken client can't hog a connection
|
2009-08-29 21:26:52 +02:00
|
|
|
* indefinitely. PreAuthDelay and any DNS interactions above don't count
|
|
|
|
|
* against the time limit.
|
2002-05-29 01:56:51 +02:00
|
|
|
*/
|
2002-07-13 03:02:14 +02:00
|
|
|
if (!enable_sig_alarm(AuthenticationTimeout * 1000, false))
|
2009-08-29 21:26:52 +02:00
|
|
|
elog(FATAL, "could not set timer for startup packet timeout");
|
2002-05-29 01:56:51 +02:00
|
|
|
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Receive the startup packet (which might turn out to be a cancel request
|
|
|
|
|
* packet).
|
2002-05-29 01:56:51 +02:00
|
|
|
*/
|
|
|
|
|
status = ProcessStartupPacket(port, false);
|
|
|
|
|
|
2009-08-29 21:26:52 +02:00
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* Stop here if it was bad or a cancel packet. ProcessStartupPacket
|
2009-08-29 21:26:52 +02:00
|
|
|
* already did any appropriate error reporting.
|
|
|
|
|
*/
|
2002-05-29 01:56:51 +02:00
|
|
|
if (status != STATUS_OK)
|
2004-01-10 00:11:39 +01:00
|
|
|
proc_exit(0);
|
2002-05-29 01:56:51 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Now that we have the user and database name, we can set the process
|
2005-10-15 04:49:52 +02:00
|
|
|
* title for ps. It's good to do this as early as possible in startup.
|
2010-01-15 10:19:10 +01:00
|
|
|
*
|
|
|
|
|
* For a walsender, the ps display is set in the following form:
|
|
|
|
|
*
|
2010-02-26 03:01:40 +01:00
|
|
|
* postgres: wal sender process <user> <host> <activity>
|
2010-01-15 10:19:10 +01:00
|
|
|
*
|
|
|
|
|
* To achieve that, we pass "wal sender process" as username and username
|
|
|
|
|
* as dbname to init_ps_display(). XXX: should add a new variant of
|
|
|
|
|
* init_ps_display() to avoid abusing the parameters like this.
|
2001-10-19 02:44:08 +02:00
|
|
|
*/
|
2010-01-15 10:19:10 +01:00
|
|
|
if (am_walsender)
|
|
|
|
|
init_ps_display("wal sender process", port->user_name, remote_ps_data,
|
|
|
|
|
update_process_title ? "authentication" : "");
|
|
|
|
|
else
|
|
|
|
|
init_ps_display(port->user_name, port->database_name, remote_ps_data,
|
|
|
|
|
update_process_title ? "authentication" : "");
|
2006-10-04 02:30:14 +02:00
|
|
|
|
2001-10-19 02:44:08 +02:00
|
|
|
/*
|
2009-08-29 21:26:52 +02:00
|
|
|
* Disable the timeout, and prevent SIGTERM/SIGQUIT again.
|
2001-09-08 03:10:21 +02:00
|
|
|
*/
|
2002-07-13 03:02:14 +02:00
|
|
|
if (!disable_sig_alarm(false))
|
2009-08-29 21:26:52 +02:00
|
|
|
elog(FATAL, "could not disable timer for startup packet timeout");
|
2001-09-07 18:12:49 +02:00
|
|
|
PG_SETMASK(&BlockSig);
|
2006-01-04 22:06:32 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* BackendRun -- set up the backend's argument list and invoke PostgresMain()
|
|
|
|
|
*
|
|
|
|
|
* returns:
|
|
|
|
|
* Shouldn't return at all.
|
|
|
|
|
* If PostgresMain() fails, return status.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
BackendRun(Port *port)
|
|
|
|
|
{
|
|
|
|
|
char **av;
|
|
|
|
|
int maxac;
|
|
|
|
|
int ac;
|
2006-06-21 00:52:00 +02:00
|
|
|
long secs;
|
|
|
|
|
int usecs;
|
2006-01-04 22:06:32 +01:00
|
|
|
int i;
|
2001-10-19 02:44:08 +02:00
|
|
|
|
1998-07-09 05:29:11 +02:00
|
|
|
/*
|
|
|
|
|
* Don't want backend to be able to see the postmaster random number
|
2005-10-15 04:49:52 +02:00
|
|
|
* generator state. We have to clobber the static random_seed *and* start
|
|
|
|
|
* a new random sequence in the random() library function.
|
1998-07-09 05:29:11 +02:00
|
|
|
*/
|
|
|
|
|
random_seed = 0;
|
2007-08-04 05:15:49 +02:00
|
|
|
random_start_time.tv_usec = 0;
|
2006-06-21 00:52:00 +02:00
|
|
|
/* slightly hacky way to get integer microseconds part of timestamptz */
|
|
|
|
|
TimestampDifference(0, port->SessionStartTime, &secs, &usecs);
|
|
|
|
|
srandom((unsigned int) (MyProcPid ^ usecs));
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2009-08-29 21:26:52 +02:00
|
|
|
/*
|
1999-05-22 19:47:54 +02:00
|
|
|
* Now, build the argv vector that will be given to PostgresMain.
|
|
|
|
|
*
|
2003-04-18 00:26:02 +02:00
|
|
|
* The maximum possible number of commandline arguments that could come
|
2009-08-29 21:26:52 +02:00
|
|
|
* from ExtraOptions is (strlen(ExtraOptions) + 1) / 2; see
|
|
|
|
|
* pg_split_opts().
|
1999-05-22 19:47:54 +02:00
|
|
|
*/
|
2009-08-29 21:26:52 +02:00
|
|
|
maxac = 5; /* for fixed args supplied below */
|
2003-04-18 00:26:02 +02:00
|
|
|
maxac += (strlen(ExtraOptions) + 1) / 2;
|
|
|
|
|
|
|
|
|
|
av = (char **) MemoryContextAlloc(TopMemoryContext,
|
|
|
|
|
maxac * sizeof(char *));
|
|
|
|
|
ac = 0;
|
1998-05-29 19:00:34 +02:00
|
|
|
|
2000-06-04 03:44:38 +02:00
|
|
|
av[ac++] = "postgres";
|
1998-05-29 19:00:34 +02:00
|
|
|
|
1999-05-22 19:47:54 +02:00
|
|
|
/*
|
2009-08-29 21:26:52 +02:00
|
|
|
* Pass any backend switches specified with -o on the postmaster's own
|
2004-05-28 07:13:32 +02:00
|
|
|
* command line. We assume these are secure. (It's OK to mangle
|
|
|
|
|
* ExtraOptions now, since we're safely inside a subprocess.)
|
1999-05-22 19:47:54 +02:00
|
|
|
*/
|
2009-08-29 21:26:52 +02:00
|
|
|
pg_split_opts(av, &ac, ExtraOptions);
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2003-12-20 18:31:21 +01:00
|
|
|
/*
|
2009-08-29 21:26:52 +02:00
|
|
|
* Tell the backend which database to use.
|
2003-12-20 18:31:21 +01:00
|
|
|
*/
|
2003-04-18 00:26:02 +02:00
|
|
|
av[ac++] = port->database_name;
|
2003-08-04 02:43:34 +02:00
|
|
|
|
2004-01-07 19:56:30 +01:00
|
|
|
av[ac] = NULL;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2003-04-18 00:26:02 +02:00
|
|
|
Assert(ac < maxac);
|
|
|
|
|
|
2000-06-28 05:33:33 +02:00
|
|
|
/*
|
|
|
|
|
* Debug: print arguments being passed to backend
|
|
|
|
|
*/
|
2003-08-12 20:23:21 +02:00
|
|
|
ereport(DEBUG3,
|
|
|
|
|
(errmsg_internal("%s child[%d]: starting with (",
|
2005-10-15 04:49:52 +02:00
|
|
|
progname, (int) getpid())));
|
Commit to match discussed elog() changes. Only update is that LOG is
now just below FATAL in server_min_messages. Added more text to
highlight ordering difference between it and client_min_messages.
---------------------------------------------------------------------------
REALLYFATAL => PANIC
STOP => PANIC
New INFO level the prints to client by default
New LOG level the prints to server log by default
Cause VACUUM information to print only to the client
NOTICE => INFO where purely information messages are sent
DEBUG => LOG for purely server status messages
DEBUG removed, kept as backward compatible
DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1 added
DebugLvl removed in favor of new DEBUG[1-5] symbols
New server_min_messages GUC parameter with values:
DEBUG[5-1], INFO, NOTICE, ERROR, LOG, FATAL, PANIC
New client_min_messages GUC parameter with values:
DEBUG[5-1], LOG, INFO, NOTICE, ERROR, FATAL, PANIC
Server startup now logged with LOG instead of DEBUG
Remove debug_level GUC parameter
elog() numbers now start at 10
Add test to print error message if older elog() values are passed to elog()
Bootstrap mode now has a -d that requires an argument, like postmaster
2002-03-02 22:39:36 +01:00
|
|
|
for (i = 0; i < ac; ++i)
|
2003-08-12 20:23:21 +02:00
|
|
|
ereport(DEBUG3,
|
|
|
|
|
(errmsg_internal("\t%s", av[i])));
|
|
|
|
|
ereport(DEBUG3,
|
|
|
|
|
(errmsg_internal(")")));
|
2002-03-04 02:46:04 +01:00
|
|
|
|
2009-08-29 21:26:52 +02:00
|
|
|
/*
|
|
|
|
|
* Make sure we aren't in PostmasterContext anymore. (We can't delete it
|
|
|
|
|
* just yet, though, because InitPostgres will need the HBA data.)
|
|
|
|
|
*/
|
|
|
|
|
MemoryContextSwitchTo(TopMemoryContext);
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2003-04-18 00:26:02 +02:00
|
|
|
return (PostgresMain(ac, av, port->user_name));
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
2004-01-07 00:15:22 +01:00
|
|
|
|
|
|
|
|
#ifdef EXEC_BACKEND
|
|
|
|
|
|
|
|
|
|
/*
|
2004-05-28 07:13:32 +02:00
|
|
|
* postmaster_forkexec -- fork and exec a postmaster subprocess
|
2004-01-07 00:15:22 +01:00
|
|
|
*
|
2004-05-28 07:13:32 +02:00
|
|
|
* The caller must have set up the argv array already, except for argv[2]
|
|
|
|
|
* which will be filled with the name of the temp variable file.
|
|
|
|
|
*
|
|
|
|
|
* Returns the child process PID, or -1 on fork failure (a suitable error
|
|
|
|
|
* message has been logged on failure).
|
|
|
|
|
*
|
|
|
|
|
* All uses of this routine will dispatch to SubPostmasterMain in the
|
|
|
|
|
* child process.
|
2004-01-07 00:15:22 +01:00
|
|
|
*/
|
2004-05-28 07:13:32 +02:00
|
|
|
pid_t
|
|
|
|
|
postmaster_forkexec(int argc, char *argv[])
|
2004-01-07 00:15:22 +01:00
|
|
|
{
|
2004-05-27 17:07:41 +02:00
|
|
|
Port port;
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/* This entry point passes dummy values for the Port variables */
|
|
|
|
|
memset(&port, 0, sizeof(port));
|
|
|
|
|
return internal_forkexec(argc, argv, &port);
|
|
|
|
|
}
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/*
|
|
|
|
|
* backend_forkexec -- fork/exec off a backend process
|
|
|
|
|
*
|
2008-09-23 22:35:38 +02:00
|
|
|
* Some operating systems (WIN32) don't have fork() so we have to simulate
|
|
|
|
|
* it by storing parameters that need to be passed to the child and
|
|
|
|
|
* then create a new child process.
|
|
|
|
|
*
|
2004-05-28 07:13:32 +02:00
|
|
|
* returns the pid of the fork/exec'd process, or -1 on failure
|
|
|
|
|
*/
|
|
|
|
|
static pid_t
|
|
|
|
|
backend_forkexec(Port *port)
|
|
|
|
|
{
|
|
|
|
|
char *av[4];
|
|
|
|
|
int ac = 0;
|
2004-01-26 23:59:54 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
av[ac++] = "postgres";
|
2006-06-18 17:38:37 +02:00
|
|
|
av[ac++] = "--forkbackend";
|
2004-05-28 07:13:32 +02:00
|
|
|
av[ac++] = NULL; /* filled in by internal_forkexec */
|
2004-01-28 22:02:40 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
av[ac] = NULL;
|
|
|
|
|
Assert(ac < lengthof(av));
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
return internal_forkexec(ac, av, port);
|
|
|
|
|
}
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
#ifndef WIN32
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* internal_forkexec non-win32 implementation
|
|
|
|
|
*
|
|
|
|
|
* - writes out backend variables to the parameter file
|
|
|
|
|
* - fork():s, and then exec():s the child process
|
|
|
|
|
*/
|
2004-05-28 07:13:32 +02:00
|
|
|
static pid_t
|
|
|
|
|
internal_forkexec(int argc, char *argv[], Port *port)
|
|
|
|
|
{
|
2004-11-17 01:14:14 +01:00
|
|
|
static unsigned long tmpBackendFileNum = 0;
|
2004-05-28 07:13:32 +02:00
|
|
|
pid_t pid;
|
|
|
|
|
char tmpfilename[MAXPGPATH];
|
2004-11-17 01:14:14 +01:00
|
|
|
BackendParameters param;
|
2005-10-15 04:49:52 +02:00
|
|
|
FILE *fp;
|
2004-11-17 01:14:14 +01:00
|
|
|
|
|
|
|
|
if (!save_backend_variables(¶m, port))
|
|
|
|
|
return -1; /* log made by save_backend_variables */
|
|
|
|
|
|
|
|
|
|
/* Calculate name for temp file */
|
2005-07-04 06:51:52 +02:00
|
|
|
snprintf(tmpfilename, MAXPGPATH, "%s/%s.backend_var.%d.%lu",
|
|
|
|
|
PG_TEMP_FILES_DIR, PG_TEMP_FILE_PREFIX,
|
2004-11-17 01:14:14 +01:00
|
|
|
MyProcPid, ++tmpBackendFileNum);
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
/* Open file */
|
|
|
|
|
fp = AllocateFile(tmpfilename, PG_BINARY_W);
|
|
|
|
|
if (!fp)
|
|
|
|
|
{
|
2005-07-04 06:51:52 +02:00
|
|
|
/* As in OpenTemporaryFile, try to make the temp-file directory */
|
|
|
|
|
mkdir(PG_TEMP_FILES_DIR, S_IRWXU);
|
2004-11-17 01:14:14 +01:00
|
|
|
|
|
|
|
|
fp = AllocateFile(tmpfilename, PG_BINARY_W);
|
|
|
|
|
if (!fp)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_file_access(),
|
|
|
|
|
errmsg("could not create file \"%s\": %m",
|
|
|
|
|
tmpfilename)));
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (fwrite(¶m, sizeof(param), 1, fp) != 1)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_file_access(),
|
|
|
|
|
errmsg("could not write to file \"%s\": %m", tmpfilename)));
|
|
|
|
|
FreeFile(fp);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Release file */
|
|
|
|
|
if (FreeFile(fp))
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_file_access(),
|
|
|
|
|
errmsg("could not write to file \"%s\": %m", tmpfilename)));
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
2004-03-09 06:11:53 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/* Make sure caller set up argv properly */
|
|
|
|
|
Assert(argc >= 3);
|
|
|
|
|
Assert(argv[argc] == NULL);
|
2006-06-18 17:38:37 +02:00
|
|
|
Assert(strncmp(argv[1], "--fork", 6) == 0);
|
2004-05-28 07:13:32 +02:00
|
|
|
Assert(argv[2] == NULL);
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2006-06-18 17:38:37 +02:00
|
|
|
/* Insert temp file name after --fork argument */
|
2004-05-28 07:13:32 +02:00
|
|
|
argv[2] = tmpfilename;
|
2004-01-26 23:59:54 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/* Fire off execv in child */
|
2005-03-10 08:14:03 +01:00
|
|
|
if ((pid = fork_process()) == 0)
|
2004-05-28 07:13:32 +02:00
|
|
|
{
|
|
|
|
|
if (execv(postgres_exec_path, argv) < 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2004-11-09 14:01:27 +01:00
|
|
|
(errmsg("could not execute server process \"%s\": %m",
|
2004-05-28 07:13:32 +02:00
|
|
|
postgres_exec_path)));
|
|
|
|
|
/* We're already in the child process here, can't return */
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
}
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2005-10-15 04:49:52 +02:00
|
|
|
return pid; /* Parent returns pid, or -1 on fork failure */
|
2004-05-28 07:13:32 +02:00
|
|
|
}
|
2005-10-15 04:49:52 +02:00
|
|
|
#else /* WIN32 */
|
2004-11-17 01:14:14 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* internal_forkexec win32 implementation
|
|
|
|
|
*
|
|
|
|
|
* - starts backend using CreateProcess(), in suspended state
|
|
|
|
|
* - writes out backend variables to the parameter file
|
2005-10-15 04:49:52 +02:00
|
|
|
* - during this, duplicates handles and sockets required for
|
|
|
|
|
* inheritance into the new process
|
2004-11-17 01:14:14 +01:00
|
|
|
* - resumes execution of the new process once the backend parameter
|
2005-10-15 04:49:52 +02:00
|
|
|
* file is complete.
|
2004-11-17 01:14:14 +01:00
|
|
|
*/
|
|
|
|
|
static pid_t
|
|
|
|
|
internal_forkexec(int argc, char *argv[], Port *port)
|
|
|
|
|
{
|
|
|
|
|
STARTUPINFO si;
|
|
|
|
|
PROCESS_INFORMATION pi;
|
|
|
|
|
int i;
|
|
|
|
|
int j;
|
|
|
|
|
char cmdLine[MAXPGPATH * 2];
|
2005-10-15 04:49:52 +02:00
|
|
|
HANDLE paramHandle;
|
2004-11-17 01:14:14 +01:00
|
|
|
BackendParameters *param;
|
|
|
|
|
SECURITY_ATTRIBUTES sa;
|
2005-10-15 04:49:52 +02:00
|
|
|
char paramHandleStr[32];
|
2007-10-26 23:50:10 +02:00
|
|
|
win32_deadchild_waitinfo *childinfo;
|
2004-11-17 01:14:14 +01:00
|
|
|
|
|
|
|
|
/* Make sure caller set up argv properly */
|
|
|
|
|
Assert(argc >= 3);
|
|
|
|
|
Assert(argv[argc] == NULL);
|
2006-06-18 17:38:37 +02:00
|
|
|
Assert(strncmp(argv[1], "--fork", 6) == 0);
|
2004-11-17 01:14:14 +01:00
|
|
|
Assert(argv[2] == NULL);
|
|
|
|
|
|
|
|
|
|
/* Set up shared memory for parameter passing */
|
2005-10-15 04:49:52 +02:00
|
|
|
ZeroMemory(&sa, sizeof(sa));
|
2004-11-17 01:14:14 +01:00
|
|
|
sa.nLength = sizeof(sa);
|
|
|
|
|
sa.bInheritHandle = TRUE;
|
|
|
|
|
paramHandle = CreateFileMapping(INVALID_HANDLE_VALUE,
|
|
|
|
|
&sa,
|
|
|
|
|
PAGE_READWRITE,
|
|
|
|
|
0,
|
|
|
|
|
sizeof(BackendParameters),
|
|
|
|
|
NULL);
|
|
|
|
|
if (paramHandle == INVALID_HANDLE_VALUE)
|
|
|
|
|
{
|
|
|
|
|
elog(LOG, "could not create backend parameter file mapping: error code %d",
|
|
|
|
|
(int) GetLastError());
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
param = MapViewOfFile(paramHandle, FILE_MAP_WRITE, 0, 0, sizeof(BackendParameters));
|
|
|
|
|
if (!param)
|
|
|
|
|
{
|
|
|
|
|
elog(LOG, "could not map backend parameter memory: error code %d",
|
|
|
|
|
(int) GetLastError());
|
|
|
|
|
CloseHandle(paramHandle);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
2006-06-18 17:38:37 +02:00
|
|
|
/* Insert temp file name after --fork argument */
|
2010-11-16 12:40:56 +01:00
|
|
|
#ifdef _WIN64
|
2011-04-27 17:28:14 +02:00
|
|
|
sprintf(paramHandleStr, "%llu", (LONG_PTR) paramHandle);
|
2010-11-16 12:40:56 +01:00
|
|
|
#else
|
2005-10-15 04:49:52 +02:00
|
|
|
sprintf(paramHandleStr, "%lu", (DWORD) paramHandle);
|
2010-11-16 12:40:56 +01:00
|
|
|
#endif
|
2004-11-17 01:14:14 +01:00
|
|
|
argv[2] = paramHandleStr;
|
|
|
|
|
|
|
|
|
|
/* Format the cmd line */
|
|
|
|
|
cmdLine[sizeof(cmdLine) - 1] = '\0';
|
|
|
|
|
cmdLine[sizeof(cmdLine) - 2] = '\0';
|
|
|
|
|
snprintf(cmdLine, sizeof(cmdLine) - 1, "\"%s\"", postgres_exec_path);
|
|
|
|
|
i = 0;
|
|
|
|
|
while (argv[++i] != NULL)
|
|
|
|
|
{
|
|
|
|
|
j = strlen(cmdLine);
|
|
|
|
|
snprintf(cmdLine + j, sizeof(cmdLine) - 1 - j, " \"%s\"", argv[i]);
|
|
|
|
|
}
|
|
|
|
|
if (cmdLine[sizeof(cmdLine) - 2] != '\0')
|
|
|
|
|
{
|
|
|
|
|
elog(LOG, "subprocess command line too long");
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
memset(&pi, 0, sizeof(pi));
|
|
|
|
|
memset(&si, 0, sizeof(si));
|
|
|
|
|
si.cb = sizeof(si);
|
2005-10-15 04:49:52 +02:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Create the subprocess in a suspended state. This will be resumed later,
|
|
|
|
|
* once we have written out the parameter file.
|
2004-11-17 01:14:14 +01:00
|
|
|
*/
|
|
|
|
|
if (!CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, CREATE_SUSPENDED,
|
|
|
|
|
NULL, NULL, &si, &pi))
|
|
|
|
|
{
|
|
|
|
|
elog(LOG, "CreateProcess call failed: %m (error code %d)",
|
|
|
|
|
(int) GetLastError());
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!save_backend_variables(param, port, pi.hProcess, pi.dwProcessId))
|
|
|
|
|
{
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* log made by save_backend_variables, but we have to clean up the
|
|
|
|
|
* mess with the half-started process
|
2004-11-17 01:14:14 +01:00
|
|
|
*/
|
|
|
|
|
if (!TerminateProcess(pi.hProcess, 255))
|
2009-08-06 11:50:22 +02:00
|
|
|
ereport(LOG,
|
2004-11-17 01:14:14 +01:00
|
|
|
(errmsg_internal("could not terminate unstarted process: error code %d",
|
|
|
|
|
(int) GetLastError())));
|
|
|
|
|
CloseHandle(pi.hProcess);
|
|
|
|
|
CloseHandle(pi.hThread);
|
|
|
|
|
return -1; /* log made by save_backend_variables */
|
|
|
|
|
}
|
|
|
|
|
|
2009-07-24 22:12:42 +02:00
|
|
|
/* Drop the parameter shared memory that is now inherited to the backend */
|
2004-11-17 01:14:14 +01:00
|
|
|
if (!UnmapViewOfFile(param))
|
|
|
|
|
elog(LOG, "could not unmap view of backend parameter file: error code %d",
|
|
|
|
|
(int) GetLastError());
|
|
|
|
|
if (!CloseHandle(paramHandle))
|
|
|
|
|
elog(LOG, "could not close handle to backend parameter file: error code %d",
|
|
|
|
|
(int) GetLastError());
|
|
|
|
|
|
2009-07-24 22:12:42 +02:00
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* Reserve the memory region used by our main shared memory segment before
|
|
|
|
|
* we resume the child process.
|
2009-07-24 22:12:42 +02:00
|
|
|
*/
|
|
|
|
|
if (!pgwin32_ReserveSharedMemoryRegion(pi.hProcess))
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Failed to reserve the memory, so terminate the newly created
|
|
|
|
|
* process and give up.
|
|
|
|
|
*/
|
|
|
|
|
if (!TerminateProcess(pi.hProcess, 255))
|
2009-08-06 11:50:22 +02:00
|
|
|
ereport(LOG,
|
2009-07-24 22:12:42 +02:00
|
|
|
(errmsg_internal("could not terminate process that failed to reserve memory: error code %d",
|
|
|
|
|
(int) GetLastError())));
|
|
|
|
|
CloseHandle(pi.hProcess);
|
|
|
|
|
CloseHandle(pi.hThread);
|
2010-02-26 03:01:40 +01:00
|
|
|
return -1; /* logging done made by
|
|
|
|
|
* pgwin32_ReserveSharedMemoryRegion() */
|
2009-07-24 22:12:42 +02:00
|
|
|
}
|
|
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Now that the backend variables are written out, we start the child
|
|
|
|
|
* thread so it can start initializing while we set up the rest of the
|
|
|
|
|
* parent state.
|
2004-11-17 01:14:14 +01:00
|
|
|
*/
|
|
|
|
|
if (ResumeThread(pi.hThread) == -1)
|
|
|
|
|
{
|
|
|
|
|
if (!TerminateProcess(pi.hProcess, 255))
|
|
|
|
|
{
|
2009-08-06 11:50:22 +02:00
|
|
|
ereport(LOG,
|
2004-11-17 01:14:14 +01:00
|
|
|
(errmsg_internal("could not terminate unstartable process: error code %d",
|
|
|
|
|
(int) GetLastError())));
|
|
|
|
|
CloseHandle(pi.hProcess);
|
|
|
|
|
CloseHandle(pi.hThread);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
CloseHandle(pi.hProcess);
|
|
|
|
|
CloseHandle(pi.hThread);
|
2009-08-06 11:50:22 +02:00
|
|
|
ereport(LOG,
|
2004-11-17 01:14:14 +01:00
|
|
|
(errmsg_internal("could not resume thread of unstarted process: error code %d",
|
|
|
|
|
(int) GetLastError())));
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
2007-10-26 23:50:10 +02:00
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Queue a waiter for to signal when this child dies. The wait will be
|
|
|
|
|
* handled automatically by an operating system thread pool.
|
2007-10-26 23:50:10 +02:00
|
|
|
*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Note: use malloc instead of palloc, since it needs to be thread-safe.
|
|
|
|
|
* Struct will be free():d from the callback function that runs on a
|
|
|
|
|
* different thread.
|
2007-10-26 23:50:10 +02:00
|
|
|
*/
|
|
|
|
|
childinfo = malloc(sizeof(win32_deadchild_waitinfo));
|
|
|
|
|
if (!childinfo)
|
2004-11-17 01:14:14 +01:00
|
|
|
ereport(FATAL,
|
2007-11-15 22:14:46 +01:00
|
|
|
(errcode(ERRCODE_OUT_OF_MEMORY),
|
|
|
|
|
errmsg("out of memory")));
|
2007-10-26 23:50:10 +02:00
|
|
|
|
|
|
|
|
childinfo->procHandle = pi.hProcess;
|
|
|
|
|
childinfo->procId = pi.dwProcessId;
|
|
|
|
|
|
|
|
|
|
if (!RegisterWaitForSingleObject(&childinfo->waitHandle,
|
|
|
|
|
pi.hProcess,
|
|
|
|
|
pgwin32_deadchild_callback,
|
|
|
|
|
childinfo,
|
|
|
|
|
INFINITE,
|
2007-11-15 22:14:46 +01:00
|
|
|
WT_EXECUTEONLYONCE | WT_EXECUTEINWAITTHREAD))
|
2007-10-26 23:50:10 +02:00
|
|
|
ereport(FATAL,
|
2007-11-15 22:14:46 +01:00
|
|
|
(errmsg_internal("could not register process for wait: error code %d",
|
|
|
|
|
(int) GetLastError())));
|
2004-11-17 01:14:14 +01:00
|
|
|
|
2007-10-26 23:50:10 +02:00
|
|
|
/* Don't close pi.hProcess here - the wait thread needs access to it */
|
2004-11-17 01:14:14 +01:00
|
|
|
|
|
|
|
|
CloseHandle(pi.hThread);
|
|
|
|
|
|
|
|
|
|
return pi.dwProcessId;
|
|
|
|
|
}
|
2005-10-15 04:49:52 +02:00
|
|
|
#endif /* WIN32 */
|
2004-11-17 01:14:14 +01:00
|
|
|
|
|
|
|
|
|
2004-01-07 00:15:22 +01:00
|
|
|
/*
|
2004-05-28 07:13:32 +02:00
|
|
|
* SubPostmasterMain -- Get the fork/exec'd process into a state equivalent
|
|
|
|
|
* to what it would be if we'd simply forked on Unix, and then
|
|
|
|
|
* dispatch to the appropriate place.
|
2004-01-07 00:15:22 +01:00
|
|
|
*
|
2006-06-18 17:38:37 +02:00
|
|
|
* The first two command line arguments are expected to be "--forkFOO"
|
2004-05-28 07:13:32 +02:00
|
|
|
* (where FOO indicates which postmaster child we are to become), and
|
|
|
|
|
* the name of a variables file that we can read to load data that would
|
|
|
|
|
* have been inherited by fork() on Unix. Remaining arguments go to the
|
|
|
|
|
* subprocess FooMain() routine.
|
2004-01-07 00:15:22 +01:00
|
|
|
*/
|
2004-05-28 07:13:32 +02:00
|
|
|
int
|
|
|
|
|
SubPostmasterMain(int argc, char *argv[])
|
2004-01-07 00:15:22 +01:00
|
|
|
{
|
2004-05-28 07:13:32 +02:00
|
|
|
Port port;
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/* Do this sooner rather than later... */
|
|
|
|
|
IsUnderPostmaster = true; /* we are a postmaster subprocess now */
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
MyProcPid = getpid(); /* reset MyProcPid */
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2007-08-03 01:39:45 +02:00
|
|
|
MyStartTime = time(NULL);
|
|
|
|
|
|
2007-11-15 22:14:46 +01:00
|
|
|
/*
|
|
|
|
|
* make sure stderr is in binary mode before anything can possibly be
|
|
|
|
|
* written to it, in case it's actually the syslogger pipe, so the pipe
|
|
|
|
|
* chunking protocol isn't disturbed. Non-logpipe data gets translated on
|
|
|
|
|
* redirection (e.g. via pg_ctl -l) anyway.
|
2007-08-03 01:15:27 +02:00
|
|
|
*/
|
|
|
|
|
#ifdef WIN32
|
2007-11-15 22:14:46 +01:00
|
|
|
_setmode(fileno(stderr), _O_BINARY);
|
2007-08-03 01:15:27 +02:00
|
|
|
#endif
|
|
|
|
|
|
2006-01-04 22:06:32 +01:00
|
|
|
/* Lose the postmaster's on-exit routines (really a no-op) */
|
|
|
|
|
on_exit_reset();
|
|
|
|
|
|
2004-12-29 22:36:09 +01:00
|
|
|
/* In EXEC_BACKEND case we will not have inherited these settings */
|
|
|
|
|
IsPostmasterEnvironment = true;
|
2005-11-03 21:02:50 +01:00
|
|
|
whereToSendOutput = DestNone;
|
2004-12-29 22:36:09 +01:00
|
|
|
|
|
|
|
|
/* Setup essential subsystems (to ensure elog() behaves sanely) */
|
|
|
|
|
MemoryContextInit();
|
|
|
|
|
InitializeGUCOptions();
|
|
|
|
|
|
|
|
|
|
/* Read in the variables file */
|
2004-11-17 01:14:14 +01:00
|
|
|
memset(&port, 0, sizeof(Port));
|
|
|
|
|
read_backend_variables(argv[2], &port);
|
|
|
|
|
|
2007-11-15 22:14:46 +01:00
|
|
|
/*
|
|
|
|
|
* Set up memory area for GSS information. Mirrors the code in ConnCreate
|
|
|
|
|
* for the non-exec case.
|
2007-07-23 12:16:54 +02:00
|
|
|
*/
|
|
|
|
|
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
|
2007-11-15 22:14:46 +01:00
|
|
|
port.gss = (pg_gssinfo *) calloc(1, sizeof(pg_gssinfo));
|
2007-07-23 12:16:54 +02:00
|
|
|
if (!port.gss)
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_OUT_OF_MEMORY),
|
|
|
|
|
errmsg("out of memory")));
|
|
|
|
|
#endif
|
|
|
|
|
|
2004-12-29 22:36:09 +01:00
|
|
|
/* Check we got appropriate args */
|
|
|
|
|
if (argc < 3)
|
|
|
|
|
elog(FATAL, "invalid subpostmaster invocation");
|
|
|
|
|
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* If appropriate, physically re-attach to shared memory segment. We want
|
|
|
|
|
* to do this before going any further to ensure that we can attach at the
|
|
|
|
|
* same address the postmaster used.
|
2004-12-29 22:36:09 +01:00
|
|
|
*/
|
2006-06-18 17:38:37 +02:00
|
|
|
if (strcmp(argv[1], "--forkbackend") == 0 ||
|
2007-02-16 00:23:23 +01:00
|
|
|
strcmp(argv[1], "--forkavlauncher") == 0 ||
|
|
|
|
|
strcmp(argv[1], "--forkavworker") == 0 ||
|
2006-06-18 17:38:37 +02:00
|
|
|
strcmp(argv[1], "--forkboot") == 0)
|
2004-12-29 22:36:09 +01:00
|
|
|
PGSharedMemoryReAttach();
|
|
|
|
|
|
2007-01-16 14:28:57 +01:00
|
|
|
/* autovacuum needs this set before calling InitProcess */
|
2007-02-16 00:23:23 +01:00
|
|
|
if (strcmp(argv[1], "--forkavlauncher") == 0)
|
|
|
|
|
AutovacuumLauncherIAm();
|
|
|
|
|
if (strcmp(argv[1], "--forkavworker") == 0)
|
|
|
|
|
AutovacuumWorkerIAm();
|
2007-01-16 14:28:57 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Start our win32 signal implementation. This has to be done after we
|
|
|
|
|
* read the backend variables, because we need to pick up the signal pipe
|
|
|
|
|
* from the parent process.
|
2004-11-17 01:14:14 +01:00
|
|
|
*/
|
|
|
|
|
#ifdef WIN32
|
|
|
|
|
pgwin32_signal_initialize();
|
|
|
|
|
#endif
|
|
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/* In EXEC_BACKEND case we will not have inherited these settings */
|
|
|
|
|
pqinitmask();
|
|
|
|
|
PG_SETMASK(&BlockSig);
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
/* Read in remaining GUC variables */
|
2004-05-28 07:13:32 +02:00
|
|
|
read_nondefault_variables();
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2009-01-03 18:08:39 +01:00
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* Reload any libraries that were preloaded by the postmaster. Since we
|
|
|
|
|
* exec'd this process, those libraries didn't come along with us; but we
|
|
|
|
|
* should load them into all child processes to be consistent with the
|
|
|
|
|
* non-EXEC_BACKEND behavior.
|
2009-01-03 18:08:39 +01:00
|
|
|
*/
|
|
|
|
|
process_shared_preload_libraries();
|
|
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/* Run backend or appropriate child */
|
2006-06-18 17:38:37 +02:00
|
|
|
if (strcmp(argv[1], "--forkbackend") == 0)
|
2004-05-28 07:13:32 +02:00
|
|
|
{
|
2006-01-04 22:06:32 +01:00
|
|
|
Assert(argc == 3); /* shouldn't be any more args */
|
2004-05-27 17:07:41 +02:00
|
|
|
|
2006-01-04 22:06:32 +01:00
|
|
|
/* Close the postmaster's sockets */
|
|
|
|
|
ClosePostmasterPorts(false);
|
2005-10-15 04:49:52 +02:00
|
|
|
|
2004-10-06 11:35:23 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Need to reinitialize the SSL library in the backend, since the
|
|
|
|
|
* context structures contain function pointers and cannot be passed
|
|
|
|
|
* through the parameter file.
|
2009-01-03 18:08:39 +01:00
|
|
|
*
|
|
|
|
|
* XXX should we do this in all child processes? For the moment it's
|
|
|
|
|
* enough to do it in backend children.
|
2004-10-06 11:35:23 +02:00
|
|
|
*/
|
2006-01-04 22:06:32 +01:00
|
|
|
#ifdef USE_SSL
|
2004-10-06 11:35:23 +02:00
|
|
|
if (EnableSSL)
|
|
|
|
|
secure_initialize();
|
|
|
|
|
#endif
|
|
|
|
|
|
2006-01-04 22:06:32 +01:00
|
|
|
/*
|
2009-08-29 21:26:52 +02:00
|
|
|
* Perform additional initialization and collect startup packet.
|
2006-01-04 22:06:32 +01:00
|
|
|
*
|
2006-10-04 02:30:14 +02:00
|
|
|
* We want to do this before InitProcess() for a couple of reasons: 1.
|
|
|
|
|
* so that we aren't eating up a PGPROC slot while waiting on the
|
|
|
|
|
* client. 2. so that if InitProcess() fails due to being out of
|
|
|
|
|
* PGPROC slots, we have already initialized libpq and are able to
|
|
|
|
|
* report the error to the client.
|
2006-01-04 22:06:32 +01:00
|
|
|
*/
|
|
|
|
|
BackendInitialize(&port);
|
|
|
|
|
|
|
|
|
|
/* Restore basic shared memory pointers */
|
|
|
|
|
InitShmemAccess(UsedShmemSegAddr);
|
|
|
|
|
|
|
|
|
|
/* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
|
|
|
|
|
InitProcess();
|
|
|
|
|
|
2006-02-01 17:00:06 +01:00
|
|
|
/*
|
2006-10-04 02:30:14 +02:00
|
|
|
* Attach process to shared data structures. If testing EXEC_BACKEND
|
|
|
|
|
* on Linux, you must run this as root before starting the postmaster:
|
2006-02-01 17:00:06 +01:00
|
|
|
*
|
2006-10-04 02:30:14 +02:00
|
|
|
* echo 0 >/proc/sys/kernel/randomize_va_space
|
2006-02-01 17:00:06 +01:00
|
|
|
*
|
2006-10-04 02:30:14 +02:00
|
|
|
* This prevents a randomized stack base address that causes child
|
|
|
|
|
* shared memory to be at a different address than the parent, making
|
|
|
|
|
* it impossible to attached to shared memory. Return the value to
|
|
|
|
|
* '1' when finished.
|
2006-02-01 17:00:06 +01:00
|
|
|
*/
|
2006-01-04 22:06:32 +01:00
|
|
|
CreateSharedMemoryAndSemaphores(false, 0);
|
|
|
|
|
|
|
|
|
|
/* And run the backend */
|
2004-05-28 07:13:32 +02:00
|
|
|
proc_exit(BackendRun(&port));
|
|
|
|
|
}
|
2006-06-18 17:38:37 +02:00
|
|
|
if (strcmp(argv[1], "--forkboot") == 0)
|
2004-05-28 07:13:32 +02:00
|
|
|
{
|
|
|
|
|
/* Close the postmaster's sockets */
|
2004-08-06 01:32:13 +02:00
|
|
|
ClosePostmasterPorts(false);
|
2004-05-28 07:13:32 +02:00
|
|
|
|
2006-01-04 22:06:32 +01:00
|
|
|
/* Restore basic shared memory pointers */
|
|
|
|
|
InitShmemAccess(UsedShmemSegAddr);
|
|
|
|
|
|
|
|
|
|
/* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
|
2007-03-07 14:35:03 +01:00
|
|
|
InitAuxiliaryProcess();
|
2006-01-04 22:06:32 +01:00
|
|
|
|
2004-12-29 22:36:09 +01:00
|
|
|
/* Attach process to shared data structures */
|
2005-06-18 00:32:51 +02:00
|
|
|
CreateSharedMemoryAndSemaphores(false, 0);
|
2004-05-28 07:13:32 +02:00
|
|
|
|
2007-03-07 14:35:03 +01:00
|
|
|
AuxiliaryProcessMain(argc - 2, argv + 2);
|
2004-05-30 00:48:23 +02:00
|
|
|
proc_exit(0);
|
2004-05-28 07:13:32 +02:00
|
|
|
}
|
2007-02-16 00:23:23 +01:00
|
|
|
if (strcmp(argv[1], "--forkavlauncher") == 0)
|
|
|
|
|
{
|
|
|
|
|
/* Close the postmaster's sockets */
|
|
|
|
|
ClosePostmasterPorts(false);
|
|
|
|
|
|
|
|
|
|
/* Restore basic shared memory pointers */
|
|
|
|
|
InitShmemAccess(UsedShmemSegAddr);
|
|
|
|
|
|
|
|
|
|
/* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
|
2009-08-31 21:41:00 +02:00
|
|
|
InitProcess();
|
2007-02-16 00:23:23 +01:00
|
|
|
|
|
|
|
|
/* Attach process to shared data structures */
|
|
|
|
|
CreateSharedMemoryAndSemaphores(false, 0);
|
|
|
|
|
|
|
|
|
|
AutoVacLauncherMain(argc - 2, argv + 2);
|
|
|
|
|
proc_exit(0);
|
|
|
|
|
}
|
|
|
|
|
if (strcmp(argv[1], "--forkavworker") == 0)
|
2005-07-14 07:13:45 +02:00
|
|
|
{
|
|
|
|
|
/* Close the postmaster's sockets */
|
|
|
|
|
ClosePostmasterPorts(false);
|
|
|
|
|
|
2006-01-04 22:06:32 +01:00
|
|
|
/* Restore basic shared memory pointers */
|
|
|
|
|
InitShmemAccess(UsedShmemSegAddr);
|
|
|
|
|
|
|
|
|
|
/* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
|
|
|
|
|
InitProcess();
|
|
|
|
|
|
2005-07-29 21:30:09 +02:00
|
|
|
/* Attach process to shared data structures */
|
2005-07-14 07:13:45 +02:00
|
|
|
CreateSharedMemoryAndSemaphores(false, 0);
|
|
|
|
|
|
2007-02-16 00:23:23 +01:00
|
|
|
AutoVacWorkerMain(argc - 2, argv + 2);
|
2005-07-14 07:13:45 +02:00
|
|
|
proc_exit(0);
|
|
|
|
|
}
|
2006-06-18 17:38:37 +02:00
|
|
|
if (strcmp(argv[1], "--forkarch") == 0)
|
2004-07-19 04:47:16 +02:00
|
|
|
{
|
|
|
|
|
/* Close the postmaster's sockets */
|
2004-08-06 01:32:13 +02:00
|
|
|
ClosePostmasterPorts(false);
|
2004-07-19 04:47:16 +02:00
|
|
|
|
|
|
|
|
/* Do not want to attach to shared memory */
|
|
|
|
|
|
|
|
|
|
PgArchiverMain(argc, argv);
|
|
|
|
|
proc_exit(0);
|
|
|
|
|
}
|
2006-06-29 22:00:08 +02:00
|
|
|
if (strcmp(argv[1], "--forkcol") == 0)
|
2004-05-28 07:13:32 +02:00
|
|
|
{
|
|
|
|
|
/* Close the postmaster's sockets */
|
2004-08-06 01:32:13 +02:00
|
|
|
ClosePostmasterPorts(false);
|
2004-05-28 07:13:32 +02:00
|
|
|
|
|
|
|
|
/* Do not want to attach to shared memory */
|
|
|
|
|
|
|
|
|
|
PgstatCollectorMain(argc, argv);
|
2004-05-30 00:48:23 +02:00
|
|
|
proc_exit(0);
|
2004-05-28 07:13:32 +02:00
|
|
|
}
|
2006-06-18 17:38:37 +02:00
|
|
|
if (strcmp(argv[1], "--forklog") == 0)
|
2004-08-06 01:32:13 +02:00
|
|
|
{
|
|
|
|
|
/* Close the postmaster's sockets */
|
|
|
|
|
ClosePostmasterPorts(true);
|
|
|
|
|
|
|
|
|
|
/* Do not want to attach to shared memory */
|
|
|
|
|
|
|
|
|
|
SysLoggerMain(argc, argv);
|
|
|
|
|
proc_exit(0);
|
|
|
|
|
}
|
2004-05-28 07:13:32 +02:00
|
|
|
|
|
|
|
|
return 1; /* shouldn't get here */
|
2004-01-07 00:15:22 +01:00
|
|
|
}
|
2004-08-29 07:07:03 +02:00
|
|
|
#endif /* EXEC_BACKEND */
|
2004-01-07 00:15:22 +01:00
|
|
|
|
|
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
/*
|
|
|
|
|
* ExitPostmaster -- cleanup
|
2000-11-29 21:59:54 +01:00
|
|
|
*
|
|
|
|
|
* Do NOT call exit() directly --- always go through here!
|
1996-07-09 08:22:35 +02:00
|
|
|
*/
|
2003-07-27 23:49:55 +02:00
|
|
|
static void
|
1996-07-09 08:22:35 +02:00
|
|
|
ExitPostmaster(int status)
|
|
|
|
|
{
|
1997-09-07 07:04:48 +02:00
|
|
|
/* should cleanup shared memory and kill all backends */
|
|
|
|
|
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Not sure of the semantics here. When the Postmaster dies, should the
|
|
|
|
|
* backends all be killed? probably not.
|
1999-10-06 23:58:18 +02:00
|
|
|
*
|
|
|
|
|
* MUST -- vadim 05-10-1999
|
1997-09-07 07:04:48 +02:00
|
|
|
*/
|
2000-05-26 03:38:08 +02:00
|
|
|
|
1998-06-27 06:53:49 +02:00
|
|
|
proc_exit(status);
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
/*
|
2009-02-23 10:28:50 +01:00
|
|
|
* sigusr1_handler - handle signal conditions from child processes
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
*/
|
|
|
|
|
static void
|
2009-02-23 10:28:50 +01:00
|
|
|
sigusr1_handler(SIGNAL_ARGS)
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
{
|
2009-02-23 10:28:50 +01:00
|
|
|
int save_errno = errno;
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
|
2009-02-23 10:28:50 +01:00
|
|
|
PG_SETMASK(&BlockSig);
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
|
2009-02-23 10:28:50 +01:00
|
|
|
/*
|
2010-05-15 22:01:32 +02:00
|
|
|
* RECOVERY_STARTED and BEGIN_HOT_STANDBY signals are ignored in
|
2009-02-23 10:28:50 +01:00
|
|
|
* unexpected states. If the startup process quickly starts up, completes
|
|
|
|
|
* recovery, exits, we might process the death of the startup process
|
|
|
|
|
* first. We don't want to go back to recovery in that case.
|
|
|
|
|
*/
|
|
|
|
|
if (CheckPostmasterSignal(PMSIGNAL_RECOVERY_STARTED) &&
|
|
|
|
|
pmState == PM_STARTUP)
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
{
|
2009-02-23 10:28:50 +01:00
|
|
|
/* WAL redo has started. We're out of reinitialization. */
|
|
|
|
|
FatalError = false;
|
|
|
|
|
|
|
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* Crank up the background writer. It doesn't matter if this fails,
|
|
|
|
|
* we'll just try again later.
|
2009-02-23 10:28:50 +01:00
|
|
|
*/
|
|
|
|
|
Assert(BgWriterPID == 0);
|
|
|
|
|
BgWriterPID = StartBackgroundWriter();
|
|
|
|
|
|
|
|
|
|
pmState = PM_RECOVERY;
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
}
|
2010-05-15 22:01:32 +02:00
|
|
|
if (CheckPostmasterSignal(PMSIGNAL_BEGIN_HOT_STANDBY) &&
|
2009-02-23 10:28:50 +01:00
|
|
|
pmState == PM_RECOVERY)
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
{
|
2009-02-23 10:28:50 +01:00
|
|
|
/*
|
|
|
|
|
* Likewise, start other special children as needed.
|
|
|
|
|
*/
|
|
|
|
|
Assert(PgStatPID == 0);
|
|
|
|
|
PgStatPID = pgstat_start();
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
|
Allow read only connections during recovery, known as Hot Standby.
Enabled by recovery_connections = on (default) and forcing archive recovery using a recovery.conf. Recovery processing now emulates the original transactions as they are replayed, providing full locking and MVCC behaviour for read only queries. Recovery must enter consistent state before connections are allowed, so there is a delay, typically short, before connections succeed. Replay of recovering transactions can conflict and in some cases deadlock with queries during recovery; these result in query cancellation after max_standby_delay seconds have expired. Infrastructure changes have minor effects on normal running, though introduce four new types of WAL record.
New test mode "make standbycheck" allows regression tests of static command behaviour on a standby server while in recovery. Typical and extreme dynamic behaviours have been checked via code inspection and manual testing. Few port specific behaviours have been utilised, though primary testing has been on Linux only so far.
This commit is the basic patch. Additional changes will follow in this release to enhance some aspects of behaviour, notably improved handling of conflicts, deadlock detection and query cancellation. Changes to VACUUM FULL are also required.
Simon Riggs, with significant and lengthy review by Heikki Linnakangas, including streamlined redesign of snapshot creation and two-phase commit.
Important contributions from Florian Pflug, Mark Kirkwood, Merlin Moncure, Greg Stark, Gianni Ciolli, Gabriele Bartolini, Hannu Krosing, Robert Haas, Tatsuo Ishii, Hiroyuki Yamada plus support and feedback from many other community members.
2009-12-19 02:32:45 +01:00
|
|
|
ereport(LOG,
|
2010-02-26 03:01:40 +01:00
|
|
|
(errmsg("database system is ready to accept read only connections")));
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
|
2010-05-15 22:01:32 +02:00
|
|
|
pmState = PM_HOT_STANDBY;
|
2009-02-23 10:28:50 +01:00
|
|
|
}
|
Start background writer during archive recovery. Background writer now performs
its usual buffer cleaning duties during archive recovery, and it's responsible
for performing restartpoints.
This requires some changes in postmaster. When the startup process has done
all the initialization and is ready to start WAL redo, it signals the
postmaster to launch the background writer. The postmaster is signaled again
when the point in recovery is reached where we know that the database is in
consistent state. Postmaster isn't interested in that at the moment, but
that's the point where we could let other backends in to perform read-only
queries. The postmaster is signaled third time when the recovery has ended,
so that postmaster knows that it's safe to start accepting connections.
The startup process now traps SIGTERM, and performs a "clean" shutdown. If
you do a fast shutdown during recovery, a shutdown restartpoint is performed,
like a shutdown checkpoint, and postmaster kills the processes cleanly. You
still have to continue the recovery at next startup, though.
Currently, the background writer is only launched during archive recovery.
We could launch it during crash recovery as well, but it seems better to keep
that codepath as simple as possible, for the sake of robustness. And it
couldn't do any restartpoints during crash recovery anyway, so it wouldn't be
that useful.
log_restartpoints is gone. Use log_checkpoints instead. This is yet to be
documented.
This whole operation is a pre-requisite for Hot Standby, but has some value of
its own whether the hot standby patch makes 8.4 or not.
Simon Riggs, with lots of modifications by me.
2009-02-18 16:58:41 +01:00
|
|
|
|
2005-08-12 20:23:56 +02:00
|
|
|
if (CheckPostmasterSignal(PMSIGNAL_WAKEN_ARCHIVER) &&
|
2008-01-11 01:54:09 +01:00
|
|
|
PgArchPID != 0)
|
2004-07-19 04:47:16 +02:00
|
|
|
{
|
2005-08-12 20:23:56 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Send SIGUSR1 to archiver process, to wake it up and begin archiving
|
|
|
|
|
* next transaction log file.
|
2005-08-12 20:23:56 +02:00
|
|
|
*/
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(PgArchPID, SIGUSR1);
|
2004-08-29 07:07:03 +02:00
|
|
|
}
|
2001-11-04 20:55:31 +01:00
|
|
|
|
2005-08-12 20:23:56 +02:00
|
|
|
if (CheckPostmasterSignal(PMSIGNAL_ROTATE_LOGFILE) &&
|
|
|
|
|
SysLoggerPID != 0)
|
|
|
|
|
{
|
|
|
|
|
/* Tell syslogger to rotate logfile */
|
2006-11-21 21:59:53 +01:00
|
|
|
signal_child(SysLoggerPID, SIGUSR1);
|
2005-08-12 20:23:56 +02:00
|
|
|
}
|
2005-08-12 05:25:13 +02:00
|
|
|
|
2007-02-16 00:23:23 +01:00
|
|
|
if (CheckPostmasterSignal(PMSIGNAL_START_AUTOVAC_LAUNCHER))
|
2006-07-10 18:20:52 +02:00
|
|
|
{
|
Fix recently-understood problems with handling of XID freezing, particularly
in PITR scenarios. We now WAL-log the replacement of old XIDs with
FrozenTransactionId, so that such replacement is guaranteed to propagate to
PITR slave databases. Also, rather than relying on hint-bit updates to be
preserved, pg_clog is not truncated until all instances of an XID are known to
have been replaced by FrozenTransactionId. Add new GUC variables and
pg_autovacuum columns to allow management of the freezing policy, so that
users can trade off the size of pg_clog against the amount of freezing work
done. Revise the already-existing code that forces autovacuum of tables
approaching the wraparound point to make it more bulletproof; also, revise the
autovacuum logic so that anti-wraparound vacuuming is done per-table rather
than per-database. initdb forced because of changes in pg_class, pg_database,
and pg_autovacuum catalogs. Heikki Linnakangas, Simon Riggs, and Tom Lane.
2006-11-05 23:42:10 +01:00
|
|
|
/*
|
|
|
|
|
* Start one iteration of the autovacuum daemon, even if autovacuuming
|
|
|
|
|
* is nominally not enabled. This is so we can have an active defense
|
|
|
|
|
* against transaction ID wraparound. We set a flag for the main loop
|
|
|
|
|
* to do it rather than trying to do it here --- this is because the
|
|
|
|
|
* autovac process itself may send the signal, and we want to handle
|
|
|
|
|
* that by launching another iteration as soon as the current one
|
|
|
|
|
* completes.
|
|
|
|
|
*/
|
2007-02-16 00:23:23 +01:00
|
|
|
start_autovac_launcher = true;
|
2006-07-10 18:20:52 +02:00
|
|
|
}
|
|
|
|
|
|
2007-02-16 00:23:23 +01:00
|
|
|
if (CheckPostmasterSignal(PMSIGNAL_START_AUTOVAC_WORKER))
|
2007-07-24 06:54:09 +02:00
|
|
|
{
|
|
|
|
|
/* The autovacuum launcher wants us to start a worker process. */
|
2007-02-16 00:23:23 +01:00
|
|
|
StartAutovacuumWorker();
|
2007-07-24 06:54:09 +02:00
|
|
|
}
|
2007-02-16 00:23:23 +01:00
|
|
|
|
2010-01-15 10:19:10 +01:00
|
|
|
if (CheckPostmasterSignal(PMSIGNAL_START_WALRECEIVER) &&
|
2010-05-27 04:01:37 +02:00
|
|
|
WalReceiverPID == 0 &&
|
|
|
|
|
(pmState == PM_STARTUP || pmState == PM_RECOVERY ||
|
|
|
|
|
pmState == PM_HOT_STANDBY || pmState == PM_WAIT_READONLY))
|
2010-01-15 10:19:10 +01:00
|
|
|
{
|
|
|
|
|
/* Startup Process wants us to start the walreceiver process. */
|
|
|
|
|
WalReceiverPID = StartWalReceiver();
|
|
|
|
|
}
|
|
|
|
|
|
2011-04-04 01:42:00 +02:00
|
|
|
if (CheckPostmasterSignal(PMSIGNAL_ADVANCE_STATE_MACHINE) &&
|
|
|
|
|
(pmState == PM_WAIT_BACKUP || pmState == PM_WAIT_BACKENDS))
|
|
|
|
|
{
|
|
|
|
|
/* Advance postmaster's state machine */
|
|
|
|
|
PostmasterStateMachine();
|
|
|
|
|
}
|
|
|
|
|
|
2011-02-16 03:28:48 +01:00
|
|
|
if (CheckPromoteSignal() && StartupPID != 0 &&
|
|
|
|
|
(pmState == PM_STARTUP || pmState == PM_RECOVERY ||
|
|
|
|
|
pmState == PM_HOT_STANDBY || pmState == PM_WAIT_READONLY))
|
|
|
|
|
{
|
|
|
|
|
/* Tell startup process to finish recovery */
|
|
|
|
|
signal_child(StartupPID, SIGUSR2);
|
|
|
|
|
}
|
|
|
|
|
|
2001-11-04 20:55:31 +01:00
|
|
|
PG_SETMASK(&UnBlockSig);
|
|
|
|
|
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
errno = save_errno;
|
|
|
|
|
}
|
|
|
|
|
|
2009-08-29 21:26:52 +02:00
|
|
|
/*
|
|
|
|
|
* Timeout or shutdown signal from postmaster while processing startup packet.
|
|
|
|
|
* Cleanup and exit(1).
|
|
|
|
|
*
|
|
|
|
|
* XXX: possible future improvement: try to send a message indicating
|
|
|
|
|
* why we are disconnecting. Problem is to be sure we don't block while
|
|
|
|
|
* doing so, nor mess up SSL initialization. In practice, if the client
|
|
|
|
|
* has wedged here, it probably couldn't do anything with the message anyway.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
|
|
|
|
startup_die(SIGNAL_ARGS)
|
|
|
|
|
{
|
|
|
|
|
proc_exit(1);
|
|
|
|
|
}
|
1997-12-04 01:28:15 +01:00
|
|
|
|
2001-11-04 20:55:31 +01:00
|
|
|
/*
|
|
|
|
|
* Dummy signal handler
|
|
|
|
|
*
|
|
|
|
|
* We use this for signals that we don't actually use in the postmaster,
|
2004-05-30 00:48:23 +02:00
|
|
|
* but we do use in backends. If we were to SIG_IGN such signals in the
|
|
|
|
|
* postmaster, then a newly started backend might drop a signal that arrives
|
|
|
|
|
* before it's able to reconfigure its signal processing. (See notes in
|
|
|
|
|
* tcop/postgres.c.)
|
2001-11-04 20:55:31 +01:00
|
|
|
*/
|
|
|
|
|
static void
|
|
|
|
|
dummy_handler(SIGNAL_ARGS)
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
1997-12-04 01:28:15 +01:00
|
|
|
/*
|
|
|
|
|
* RandomSalt
|
|
|
|
|
*/
|
|
|
|
|
static void
|
2008-10-28 13:10:44 +01:00
|
|
|
RandomSalt(char *md5Salt)
|
1998-06-08 06:27:59 +02:00
|
|
|
{
|
2008-10-28 13:10:44 +01:00
|
|
|
long rand;
|
2001-10-25 07:50:21 +02:00
|
|
|
|
2001-09-21 22:31:49 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* We use % 255, sacrificing one possible byte value, so as to ensure that
|
|
|
|
|
* all bits of the random() value participate in the result. While at it,
|
|
|
|
|
* add one to avoid generating any null bytes.
|
2001-09-21 22:31:49 +02:00
|
|
|
*/
|
2008-10-28 13:10:44 +01:00
|
|
|
rand = PostmasterRandom();
|
2001-09-21 22:31:49 +02:00
|
|
|
md5Salt[0] = (rand % 255) + 1;
|
|
|
|
|
rand = PostmasterRandom();
|
|
|
|
|
md5Salt[1] = (rand % 255) + 1;
|
|
|
|
|
rand = PostmasterRandom();
|
|
|
|
|
md5Salt[2] = (rand % 255) + 1;
|
2001-08-17 04:59:20 +02:00
|
|
|
rand = PostmasterRandom();
|
2001-09-21 22:31:49 +02:00
|
|
|
md5Salt[3] = (rand % 255) + 1;
|
1998-06-08 06:27:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* PostmasterRandom
|
|
|
|
|
*/
|
|
|
|
|
static long
|
|
|
|
|
PostmasterRandom(void)
|
1998-02-26 05:46:47 +01:00
|
|
|
{
|
2007-08-04 05:15:49 +02:00
|
|
|
/*
|
|
|
|
|
* Select a random seed at the time of first receiving a request.
|
|
|
|
|
*/
|
|
|
|
|
if (random_seed == 0)
|
1998-02-26 05:46:47 +01:00
|
|
|
{
|
2007-08-04 05:15:49 +02:00
|
|
|
do
|
|
|
|
|
{
|
|
|
|
|
struct timeval random_stop_time;
|
|
|
|
|
|
|
|
|
|
gettimeofday(&random_stop_time, NULL);
|
2007-11-15 22:14:46 +01:00
|
|
|
|
2007-08-04 05:15:49 +02:00
|
|
|
/*
|
|
|
|
|
* We are not sure how much precision is in tv_usec, so we swap
|
|
|
|
|
* the high and low 16 bits of 'random_stop_time' and XOR them
|
|
|
|
|
* with 'random_start_time'. On the off chance that the result is
|
|
|
|
|
* 0, we loop until it isn't.
|
|
|
|
|
*/
|
|
|
|
|
random_seed = random_start_time.tv_usec ^
|
|
|
|
|
((random_stop_time.tv_usec << 16) |
|
|
|
|
|
((random_stop_time.tv_usec >> 16) & 0xffff));
|
|
|
|
|
}
|
|
|
|
|
while (random_seed == 0);
|
|
|
|
|
|
1998-06-08 06:27:59 +02:00
|
|
|
srandom(random_seed);
|
1998-02-26 05:46:47 +01:00
|
|
|
}
|
1997-12-04 01:28:15 +01:00
|
|
|
|
2001-09-21 22:31:49 +02:00
|
|
|
return random();
|
1997-12-04 01:28:15 +01:00
|
|
|
}
|
1999-01-30 21:04:37 +01:00
|
|
|
|
|
|
|
|
/*
|
2010-01-15 10:19:10 +01:00
|
|
|
* Count up number of child processes of specified types (dead_end chidren
|
|
|
|
|
* are always excluded).
|
1999-01-30 21:04:37 +01:00
|
|
|
*/
|
|
|
|
|
static int
|
2010-01-15 10:19:10 +01:00
|
|
|
CountChildren(int target)
|
1999-01-30 21:04:37 +01:00
|
|
|
{
|
|
|
|
|
Dlelem *curr;
|
|
|
|
|
int cnt = 0;
|
|
|
|
|
|
|
|
|
|
for (curr = DLGetHead(BackendList); curr; curr = DLGetSucc(curr))
|
2007-08-09 03:18:43 +02:00
|
|
|
{
|
|
|
|
|
Backend *bp = (Backend *) DLE_VAL(curr);
|
|
|
|
|
|
2010-01-15 10:19:10 +01:00
|
|
|
if (bp->dead_end)
|
|
|
|
|
continue;
|
2011-01-22 04:20:06 +01:00
|
|
|
|
|
|
|
|
/*
|
2011-04-10 17:42:00 +02:00
|
|
|
* Since target == BACKEND_TYPE_ALL is the most common case, we test
|
|
|
|
|
* it first and avoid touching shared memory for every child.
|
2011-01-22 04:20:06 +01:00
|
|
|
*/
|
|
|
|
|
if (target != BACKEND_TYPE_ALL)
|
|
|
|
|
{
|
|
|
|
|
int child;
|
|
|
|
|
|
|
|
|
|
if (bp->is_autovacuum)
|
|
|
|
|
child = BACKEND_TYPE_AUTOVAC;
|
|
|
|
|
else if (IsPostmasterChildWalSender(bp->child_slot))
|
|
|
|
|
child = BACKEND_TYPE_WALSND;
|
|
|
|
|
else
|
|
|
|
|
child = BACKEND_TYPE_NORMAL;
|
|
|
|
|
if (!(target & child))
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2010-01-15 10:19:10 +01:00
|
|
|
|
|
|
|
|
cnt++;
|
2007-08-09 03:18:43 +02:00
|
|
|
}
|
1999-01-30 21:04:37 +01:00
|
|
|
return cnt;
|
|
|
|
|
}
|
1999-09-27 05:13:16 +02:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
/*
|
2007-03-07 14:35:03 +01:00
|
|
|
* StartChildProcess -- start an auxiliary process for the postmaster
|
2001-03-14 18:58:46 +01:00
|
|
|
*
|
2005-10-15 04:49:52 +02:00
|
|
|
* xlop determines what kind of child will be started. All child types
|
2007-03-07 14:35:03 +01:00
|
|
|
* initially go to AuxiliaryProcessMain, which will handle common setup.
|
2004-01-07 00:15:22 +01:00
|
|
|
*
|
2004-05-30 00:48:23 +02:00
|
|
|
* Return value of StartChildProcess is subprocess' PID, or 0 if failed
|
|
|
|
|
* to start subprocess.
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
*/
|
2004-05-28 07:13:32 +02:00
|
|
|
static pid_t
|
2007-03-07 14:35:03 +01:00
|
|
|
StartChildProcess(AuxProcType type)
|
2003-12-25 04:52:51 +01:00
|
|
|
{
|
2004-05-28 07:13:32 +02:00
|
|
|
pid_t pid;
|
|
|
|
|
char *av[10];
|
|
|
|
|
int ac = 0;
|
2007-03-07 14:35:03 +01:00
|
|
|
char typebuf[32];
|
2004-08-29 07:07:03 +02:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/*
|
|
|
|
|
* Set up command-line arguments for subprocess
|
|
|
|
|
*/
|
|
|
|
|
av[ac++] = "postgres";
|
2003-12-25 04:52:51 +01:00
|
|
|
|
2004-01-28 22:02:40 +01:00
|
|
|
#ifdef EXEC_BACKEND
|
2006-06-18 17:38:37 +02:00
|
|
|
av[ac++] = "--forkboot";
|
2004-05-28 07:13:32 +02:00
|
|
|
av[ac++] = NULL; /* filled in by postmaster_forkexec */
|
2004-01-28 22:02:40 +01:00
|
|
|
#endif
|
|
|
|
|
|
2007-03-07 14:35:03 +01:00
|
|
|
snprintf(typebuf, sizeof(typebuf), "-x%d", type);
|
|
|
|
|
av[ac++] = typebuf;
|
2004-01-28 22:02:40 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
av[ac] = NULL;
|
|
|
|
|
Assert(ac < lengthof(av));
|
2003-12-25 04:52:51 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
#ifdef EXEC_BACKEND
|
|
|
|
|
pid = postmaster_forkexec(ac, av);
|
2004-08-29 07:07:03 +02:00
|
|
|
#else /* !EXEC_BACKEND */
|
2005-03-10 08:14:03 +01:00
|
|
|
pid = fork_process();
|
2003-08-04 02:43:34 +02:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
if (pid == 0) /* child */
|
|
|
|
|
{
|
2005-10-15 04:49:52 +02:00
|
|
|
IsUnderPostmaster = true; /* we are a postmaster subprocess now */
|
2004-05-28 07:13:32 +02:00
|
|
|
|
2001-02-08 01:35:10 +01:00
|
|
|
/* Close the postmaster's sockets */
|
2004-08-06 01:32:13 +02:00
|
|
|
ClosePostmasterPorts(false);
|
2001-02-08 01:35:10 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
/* Lose the postmaster's on-exit routines and port connections */
|
|
|
|
|
on_exit_reset();
|
1999-10-06 23:58:18 +02:00
|
|
|
|
2004-07-31 02:45:57 +02:00
|
|
|
/* Release postmaster's working memory context */
|
|
|
|
|
MemoryContextSwitchTo(TopMemoryContext);
|
|
|
|
|
MemoryContextDelete(PostmasterContext);
|
|
|
|
|
PostmasterContext = NULL;
|
|
|
|
|
|
2007-03-07 14:35:03 +01:00
|
|
|
AuxiliaryProcessMain(ac, av);
|
2000-11-29 21:59:54 +01:00
|
|
|
ExitPostmaster(0);
|
1999-10-06 23:58:18 +02:00
|
|
|
}
|
2004-08-29 07:07:03 +02:00
|
|
|
#endif /* EXEC_BACKEND */
|
2004-05-28 07:13:32 +02:00
|
|
|
|
1999-10-06 23:58:18 +02:00
|
|
|
if (pid < 0)
|
|
|
|
|
{
|
2004-05-28 07:13:32 +02:00
|
|
|
/* in parent, fork failed */
|
|
|
|
|
int save_errno = errno;
|
2005-10-15 04:49:52 +02:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
errno = save_errno;
|
2007-03-07 14:35:03 +01:00
|
|
|
switch (type)
|
2001-08-30 21:02:42 +02:00
|
|
|
{
|
2007-03-07 14:35:03 +01:00
|
|
|
case StartupProcess:
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not fork startup process: %m")));
|
2001-08-30 21:02:42 +02:00
|
|
|
break;
|
2007-03-07 14:35:03 +01:00
|
|
|
case BgWriterProcess:
|
2003-11-19 16:55:08 +01:00
|
|
|
ereport(LOG,
|
2005-10-15 04:49:52 +02:00
|
|
|
(errmsg("could not fork background writer process: %m")));
|
2002-03-04 02:46:04 +01:00
|
|
|
break;
|
2007-07-24 06:54:09 +02:00
|
|
|
case WalWriterProcess:
|
|
|
|
|
ereport(LOG,
|
2007-11-15 22:14:46 +01:00
|
|
|
(errmsg("could not fork WAL writer process: %m")));
|
2007-07-24 06:54:09 +02:00
|
|
|
break;
|
2010-01-15 10:19:10 +01:00
|
|
|
case WalReceiverProcess:
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not fork WAL receiver process: %m")));
|
|
|
|
|
break;
|
2001-08-30 21:02:42 +02:00
|
|
|
default:
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not fork process: %m")));
|
2001-08-30 21:02:42 +02:00
|
|
|
break;
|
|
|
|
|
}
|
2001-03-22 05:01:46 +01:00
|
|
|
|
2001-03-14 18:58:46 +01:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* fork failure is fatal during startup, but there's no need to choke
|
|
|
|
|
* immediately if starting other child types fails.
|
2001-03-14 18:58:46 +01:00
|
|
|
*/
|
2007-03-07 14:35:03 +01:00
|
|
|
if (type == StartupProcess)
|
2004-05-30 00:48:23 +02:00
|
|
|
ExitPostmaster(1);
|
|
|
|
|
return 0;
|
1999-10-06 23:58:18 +02:00
|
|
|
}
|
|
|
|
|
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
/*
|
2004-05-28 07:13:32 +02:00
|
|
|
* in parent, successful fork
|
XLOG (and related) changes:
* Store two past checkpoint locations, not just one, in pg_control.
On startup, we fall back to the older checkpoint if the newer one
is unreadable. Also, a physical copy of the newest checkpoint record
is kept in pg_control for possible use in disaster recovery (ie,
complete loss of pg_xlog). Also add a version number for pg_control
itself. Remove archdir from pg_control; it ought to be a GUC
parameter, not a special case (not that it's implemented yet anyway).
* Suppress successive checkpoint records when nothing has been entered
in the WAL log since the last one. This is not so much to avoid I/O
as to make it actually useful to keep track of the last two
checkpoints. If the things are right next to each other then there's
not a lot of redundancy gained...
* Change CRC scheme to a true 64-bit CRC, not a pair of 32-bit CRCs
on alternate bytes. Polynomial borrowed from ECMA DLT1 standard.
* Fix XLOG record length handling so that it will work at BLCKSZ = 32k.
* Change XID allocation to work more like OID allocation. (This is of
dubious necessity, but I think it's a good idea anyway.)
* Fix a number of minor bugs, such as off-by-one logic for XLOG file
wraparound at the 4 gig mark.
* Add documentation and clean up some coding infelicities; move file
format declarations out to include files where planned contrib
utilities can get at them.
* Checkpoint will now occur every CHECKPOINT_SEGMENTS log segments or
every CHECKPOINT_TIMEOUT seconds, whichever comes first. It is also
possible to force a checkpoint by sending SIGUSR1 to the postmaster
(undocumented feature...)
* Defend against kill -9 postmaster by storing shmem block's key and ID
in postmaster.pid lockfile, and checking at startup to ensure that no
processes are still connected to old shmem block (if it still exists).
* Switch backends to accept SIGQUIT rather than SIGUSR1 for emergency
stop, for symmetry with postmaster and xlog utilities. Clean up signal
handling in bootstrap.c so that xlog utilities launched by postmaster
will react to signals better.
* Standalone bootstrap now grabs lockfile in target directory, as added
insurance against running it in parallel with live postmaster.
2001-03-13 02:17:06 +01:00
|
|
|
*/
|
2001-03-14 18:58:46 +01:00
|
|
|
return pid;
|
1999-10-06 23:58:18 +02:00
|
|
|
}
|
1999-12-03 07:26:34 +01:00
|
|
|
|
2007-02-16 00:23:23 +01:00
|
|
|
/*
|
|
|
|
|
* StartAutovacuumWorker
|
|
|
|
|
* Start an autovac worker process.
|
|
|
|
|
*
|
|
|
|
|
* This function is here because it enters the resulting PID into the
|
|
|
|
|
* postmaster's private backends list.
|
|
|
|
|
*
|
|
|
|
|
* NB -- this code very roughly matches BackendStartup.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
|
|
|
|
StartAutovacuumWorker(void)
|
|
|
|
|
{
|
2007-11-15 22:14:46 +01:00
|
|
|
Backend *bn;
|
2007-02-16 00:23:23 +01:00
|
|
|
|
|
|
|
|
/*
|
2007-08-09 03:18:43 +02:00
|
|
|
* If not in condition to run a process, don't try, but handle it like a
|
|
|
|
|
* fork failure. This does not normally happen, since the signal is only
|
|
|
|
|
* supposed to be sent by autovacuum launcher when it's OK to do it, but
|
|
|
|
|
* we have to check to avoid race-condition problems during DB state
|
|
|
|
|
* changes.
|
2007-02-16 00:23:23 +01:00
|
|
|
*/
|
2007-08-09 03:18:43 +02:00
|
|
|
if (canAcceptConnections() == CAC_OK)
|
2007-02-16 00:23:23 +01:00
|
|
|
{
|
2007-08-09 03:18:43 +02:00
|
|
|
bn = (Backend *) malloc(sizeof(Backend));
|
|
|
|
|
if (bn)
|
2007-06-25 18:09:03 +02:00
|
|
|
{
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* Compute the cancel key that will be assigned to this session.
|
|
|
|
|
* We probably don't need cancel keys for autovac workers, but
|
|
|
|
|
* we'd better have something random in the field to prevent
|
|
|
|
|
* unfriendly people from sending cancels to them.
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
*/
|
|
|
|
|
MyCancelKey = PostmasterRandom();
|
|
|
|
|
bn->cancel_key = MyCancelKey;
|
|
|
|
|
|
|
|
|
|
/* Autovac workers are not dead_end and need a child slot */
|
|
|
|
|
bn->dead_end = false;
|
|
|
|
|
bn->child_slot = MyPMChildSlot = AssignPostmasterChildSlot();
|
|
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
bn->pid = StartAutoVacWorker();
|
|
|
|
|
if (bn->pid > 0)
|
|
|
|
|
{
|
|
|
|
|
bn->is_autovacuum = true;
|
2009-05-04 04:46:36 +02:00
|
|
|
DLInitElem(&bn->elem, bn);
|
|
|
|
|
DLAddHead(BackendList, &bn->elem);
|
2007-02-16 00:23:23 +01:00
|
|
|
#ifdef EXEC_BACKEND
|
2007-08-09 03:18:43 +02:00
|
|
|
ShmemBackendArrayAdd(bn);
|
2007-02-16 00:23:23 +01:00
|
|
|
#endif
|
2007-08-09 03:18:43 +02:00
|
|
|
/* all OK */
|
|
|
|
|
return;
|
|
|
|
|
}
|
2007-06-25 18:09:03 +02:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/*
|
|
|
|
|
* fork failed, fall through to report -- actual error message was
|
|
|
|
|
* logged by StartAutoVacWorker
|
|
|
|
|
*/
|
2009-08-24 19:23:02 +02:00
|
|
|
(void) ReleasePostmasterChildSlot(bn->child_slot);
|
2007-08-09 03:18:43 +02:00
|
|
|
free(bn);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_OUT_OF_MEMORY),
|
|
|
|
|
errmsg("out of memory")));
|
2007-02-16 00:23:23 +01:00
|
|
|
}
|
2007-06-25 18:09:03 +02:00
|
|
|
|
2007-08-09 03:18:43 +02:00
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Report the failure to the launcher, if it's running. (If it's not, we
|
|
|
|
|
* might not even be connected to shared memory, so don't try to call
|
2009-08-24 19:23:02 +02:00
|
|
|
* AutoVacWorkerFailed.) Note that we also need to signal it so that it
|
|
|
|
|
* responds to the condition, but we don't do that here, instead waiting
|
|
|
|
|
* for ServerLoop to do it. This way we avoid a ping-pong signalling in
|
|
|
|
|
* quick succession between the autovac launcher and postmaster in case
|
|
|
|
|
* things get ugly.
|
2007-08-09 03:18:43 +02:00
|
|
|
*/
|
2007-06-25 18:09:03 +02:00
|
|
|
if (AutoVacPID != 0)
|
2007-08-09 03:18:43 +02:00
|
|
|
{
|
|
|
|
|
AutoVacWorkerFailed();
|
2009-08-24 19:23:02 +02:00
|
|
|
avlauncher_needs_signal = true;
|
2007-08-09 03:18:43 +02:00
|
|
|
}
|
2007-02-16 00:23:23 +01:00
|
|
|
}
|
2000-07-09 15:14:19 +02:00
|
|
|
|
1999-12-06 08:21:12 +01:00
|
|
|
/*
|
2000-01-09 13:13:24 +01:00
|
|
|
* Create the opts file
|
1999-12-06 08:21:12 +01:00
|
|
|
*/
|
2000-07-09 15:14:19 +02:00
|
|
|
static bool
|
2004-05-14 00:45:04 +02:00
|
|
|
CreateOptsFile(int argc, char *argv[], char *fullprogname)
|
1999-12-03 07:26:34 +01:00
|
|
|
{
|
2001-03-22 05:01:46 +01:00
|
|
|
FILE *fp;
|
2003-07-27 23:49:55 +02:00
|
|
|
int i;
|
1999-12-03 07:26:34 +01:00
|
|
|
|
2005-07-04 06:51:52 +02:00
|
|
|
#define OPTS_FILE "postmaster.opts"
|
1999-12-03 07:26:34 +01:00
|
|
|
|
2005-07-04 06:51:52 +02:00
|
|
|
if ((fp = fopen(OPTS_FILE, "w")) == NULL)
|
2000-04-12 19:17:23 +02:00
|
|
|
{
|
2005-07-04 06:51:52 +02:00
|
|
|
elog(LOG, "could not create file \"%s\": %m", OPTS_FILE);
|
2000-07-09 15:14:19 +02:00
|
|
|
return false;
|
1999-12-03 07:26:34 +01:00
|
|
|
}
|
|
|
|
|
|
2000-07-09 15:14:19 +02:00
|
|
|
fprintf(fp, "%s", fullprogname);
|
|
|
|
|
for (i = 1; i < argc; i++)
|
2008-06-26 04:47:19 +02:00
|
|
|
fprintf(fp, " \"%s\"", argv[i]);
|
2000-07-09 15:14:19 +02:00
|
|
|
fputs("\n", fp);
|
1999-12-03 07:26:34 +01:00
|
|
|
|
2004-01-26 23:35:32 +01:00
|
|
|
if (fclose(fp))
|
2000-04-12 19:17:23 +02:00
|
|
|
{
|
2005-07-04 06:51:52 +02:00
|
|
|
elog(LOG, "could not write file \"%s\": %m", OPTS_FILE);
|
2000-07-09 15:14:19 +02:00
|
|
|
return false;
|
1999-12-03 07:26:34 +01:00
|
|
|
}
|
|
|
|
|
|
2000-07-09 15:14:19 +02:00
|
|
|
return true;
|
1999-12-03 07:26:34 +01:00
|
|
|
}
|
2001-06-03 16:53:56 +02:00
|
|
|
|
2003-12-20 18:31:21 +01:00
|
|
|
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
/*
|
|
|
|
|
* MaxLivePostmasterChildren
|
|
|
|
|
*
|
|
|
|
|
* This reports the number of entries needed in per-child-process arrays
|
|
|
|
|
* (the PMChildFlags array, and if EXEC_BACKEND the ShmemBackendArray).
|
2010-01-15 10:19:10 +01:00
|
|
|
* These arrays include regular backends, autovac workers and walsenders,
|
|
|
|
|
* but not special children nor dead_end children. This allows the arrays
|
|
|
|
|
* to have a fixed maximum size, to wit the same too-many-children limit
|
|
|
|
|
* enforced by canAcceptConnections(). The exact value isn't too critical
|
|
|
|
|
* as long as it's more than MaxBackends.
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
MaxLivePostmasterChildren(void)
|
|
|
|
|
{
|
|
|
|
|
return 2 * MaxBackends;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-12-20 18:31:21 +01:00
|
|
|
#ifdef EXEC_BACKEND
|
|
|
|
|
|
|
|
|
|
/*
|
2004-11-17 01:14:14 +01:00
|
|
|
* The following need to be available to the save/restore_backend_variables
|
2003-12-20 18:31:21 +01:00
|
|
|
* functions
|
|
|
|
|
*/
|
|
|
|
|
extern slock_t *ShmemLock;
|
|
|
|
|
extern LWLock *LWLockArray;
|
2004-05-27 17:07:41 +02:00
|
|
|
extern slock_t *ProcStructLock;
|
2006-01-04 22:06:32 +01:00
|
|
|
extern PROC_HDR *ProcGlobal;
|
2007-03-07 14:35:03 +01:00
|
|
|
extern PGPROC *AuxiliaryProcs;
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
extern PMSignalData *PMSignalState;
|
2010-01-10 15:16:08 +01:00
|
|
|
extern pgsocket pgStatSock;
|
2004-11-17 01:14:14 +01:00
|
|
|
|
|
|
|
|
#ifndef WIN32
|
2009-08-28 19:42:54 +02:00
|
|
|
#define write_inheritable_socket(dest, src, childpid) ((*(dest) = (src)), true)
|
2004-11-17 01:14:14 +01:00
|
|
|
#define read_inheritable_socket(dest, src) (*(dest) = *(src))
|
|
|
|
|
#else
|
2009-08-06 11:50:22 +02:00
|
|
|
static bool write_duplicated_handle(HANDLE *dest, HANDLE src, HANDLE child);
|
2011-04-10 17:42:00 +02:00
|
|
|
static bool write_inheritable_socket(InheritableSocket *dest, SOCKET src,
|
2005-10-15 04:49:52 +02:00
|
|
|
pid_t childPid);
|
2011-04-10 17:42:00 +02:00
|
|
|
static void read_inheritable_socket(SOCKET *dest, InheritableSocket *src);
|
2004-11-17 01:14:14 +01:00
|
|
|
#endif
|
2003-12-20 18:31:21 +01:00
|
|
|
|
|
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
/* Save critical backend variables into the BackendParameters struct */
|
|
|
|
|
#ifndef WIN32
|
2004-01-07 00:15:22 +01:00
|
|
|
static bool
|
2011-04-10 17:42:00 +02:00
|
|
|
save_backend_variables(BackendParameters *param, Port *port)
|
2004-11-17 01:14:14 +01:00
|
|
|
#else
|
|
|
|
|
static bool
|
2011-04-10 17:42:00 +02:00
|
|
|
save_backend_variables(BackendParameters *param, Port *port,
|
2004-11-17 01:14:14 +01:00
|
|
|
HANDLE childProcess, pid_t childPid)
|
|
|
|
|
#endif
|
2003-12-20 18:31:21 +01:00
|
|
|
{
|
2004-11-17 01:14:14 +01:00
|
|
|
memcpy(¶m->port, port, sizeof(Port));
|
2009-08-06 11:50:22 +02:00
|
|
|
if (!write_inheritable_socket(¶m->portsocket, port->sock, childPid))
|
|
|
|
|
return false;
|
2004-05-27 17:07:41 +02:00
|
|
|
|
2007-02-10 15:58:55 +01:00
|
|
|
strlcpy(param->DataDir, DataDir, MAXPGPATH);
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
memcpy(¶m->ListenSocket, &ListenSocket, sizeof(ListenSocket));
|
2004-05-27 17:07:41 +02:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
param->MyCancelKey = MyCancelKey;
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
param->MyPMChildSlot = MyPMChildSlot;
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
param->UsedShmemSegID = UsedShmemSegID;
|
|
|
|
|
param->UsedShmemSegAddr = UsedShmemSegAddr;
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
param->ShmemLock = ShmemLock;
|
|
|
|
|
param->ShmemVariableCache = ShmemVariableCache;
|
|
|
|
|
param->ShmemBackendArray = ShmemBackendArray;
|
2004-05-28 07:13:32 +02:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
param->LWLockArray = LWLockArray;
|
|
|
|
|
param->ProcStructLock = ProcStructLock;
|
2006-01-04 22:06:32 +01:00
|
|
|
param->ProcGlobal = ProcGlobal;
|
2007-03-07 14:35:03 +01:00
|
|
|
param->AuxiliaryProcs = AuxiliaryProcs;
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
param->PMSignalState = PMSignalState;
|
2009-08-06 11:50:22 +02:00
|
|
|
if (!write_inheritable_socket(¶m->pgStatSock, pgStatSock, childPid))
|
|
|
|
|
return false;
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
param->PostmasterPid = PostmasterPid;
|
2005-06-30 00:51:57 +02:00
|
|
|
param->PgStartTime = PgStartTime;
|
2008-05-04 23:13:36 +02:00
|
|
|
param->PgReloadTime = PgReloadTime;
|
2004-05-30 00:48:23 +02:00
|
|
|
|
2007-07-19 21:13:43 +02:00
|
|
|
param->redirection_done = redirection_done;
|
|
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
#ifdef WIN32
|
|
|
|
|
param->PostmasterHandle = PostmasterHandle;
|
2009-08-06 11:50:22 +02:00
|
|
|
if (!write_duplicated_handle(¶m->initial_signal_pipe,
|
2010-02-26 03:01:40 +01:00
|
|
|
pgwin32_create_signal_listener(childPid),
|
|
|
|
|
childProcess))
|
2009-08-06 11:50:22 +02:00
|
|
|
return false;
|
2004-11-17 01:14:14 +01:00
|
|
|
#endif
|
2004-05-28 07:13:32 +02:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
memcpy(¶m->syslogPipe, &syslogPipe, sizeof(syslogPipe));
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2007-02-10 15:58:55 +01:00
|
|
|
strlcpy(param->my_exec_path, my_exec_path, MAXPGPATH);
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2007-02-10 15:58:55 +01:00
|
|
|
strlcpy(param->pkglib_path, pkglib_path, MAXPGPATH);
|
2005-08-11 23:11:50 +02:00
|
|
|
|
2007-02-10 15:58:55 +01:00
|
|
|
strlcpy(param->ExtraOptions, ExtraOptions, MAXPGPATH);
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
return true;
|
|
|
|
|
}
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2004-08-06 01:32:13 +02:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
#ifdef WIN32
|
|
|
|
|
/*
|
|
|
|
|
* Duplicate a handle for usage in a child process, and write the child
|
|
|
|
|
* process instance of the handle to the parameter file.
|
|
|
|
|
*/
|
2009-08-06 11:50:22 +02:00
|
|
|
static bool
|
2009-06-11 16:49:15 +02:00
|
|
|
write_duplicated_handle(HANDLE *dest, HANDLE src, HANDLE childProcess)
|
2004-11-17 01:14:14 +01:00
|
|
|
{
|
2005-10-15 04:49:52 +02:00
|
|
|
HANDLE hChild = INVALID_HANDLE_VALUE;
|
2004-11-17 01:14:14 +01:00
|
|
|
|
|
|
|
|
if (!DuplicateHandle(GetCurrentProcess(),
|
|
|
|
|
src,
|
|
|
|
|
childProcess,
|
|
|
|
|
&hChild,
|
|
|
|
|
0,
|
|
|
|
|
TRUE,
|
|
|
|
|
DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
|
2009-08-06 11:50:22 +02:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2004-11-17 01:14:14 +01:00
|
|
|
(errmsg_internal("could not duplicate handle to be written to backend parameter file: error code %d",
|
|
|
|
|
(int) GetLastError())));
|
2009-08-06 11:50:22 +02:00
|
|
|
return false;
|
|
|
|
|
}
|
2004-11-17 01:14:14 +01:00
|
|
|
|
|
|
|
|
*dest = hChild;
|
2009-08-06 11:50:22 +02:00
|
|
|
return true;
|
2004-11-17 01:14:14 +01:00
|
|
|
}
|
2004-05-21 07:08:06 +02:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
/*
|
|
|
|
|
* Duplicate a socket for usage in a child process, and write the resulting
|
|
|
|
|
* structure to the parameter file.
|
|
|
|
|
* This is required because a number of LSPs (Layered Service Providers) very
|
|
|
|
|
* common on Windows (antivirus, firewalls, download managers etc) break
|
|
|
|
|
* straight socket inheritance.
|
|
|
|
|
*/
|
2009-08-06 11:50:22 +02:00
|
|
|
static bool
|
2011-04-10 17:42:00 +02:00
|
|
|
write_inheritable_socket(InheritableSocket *dest, SOCKET src, pid_t childpid)
|
2004-11-17 01:14:14 +01:00
|
|
|
{
|
|
|
|
|
dest->origsocket = src;
|
2010-01-10 15:16:08 +01:00
|
|
|
if (src != 0 && src != PGINVALID_SOCKET)
|
2004-11-17 01:14:14 +01:00
|
|
|
{
|
|
|
|
|
/* Actual socket */
|
|
|
|
|
if (WSADuplicateSocket(src, childpid, &dest->wsainfo) != 0)
|
2009-08-06 11:50:22 +02:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2004-11-17 01:14:14 +01:00
|
|
|
(errmsg("could not duplicate socket %d for use in backend: error code %d",
|
|
|
|
|
src, WSAGetLastError())));
|
2009-08-06 11:50:22 +02:00
|
|
|
return false;
|
|
|
|
|
}
|
2004-11-17 01:14:14 +01:00
|
|
|
}
|
2009-08-06 11:50:22 +02:00
|
|
|
return true;
|
2004-11-17 01:14:14 +01:00
|
|
|
}
|
2004-05-28 07:13:32 +02:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
/*
|
|
|
|
|
* Read a duplicate socket structure back, and get the socket descriptor.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
2011-04-10 17:42:00 +02:00
|
|
|
read_inheritable_socket(SOCKET *dest, InheritableSocket *src)
|
2004-11-17 01:14:14 +01:00
|
|
|
{
|
2005-10-15 04:49:52 +02:00
|
|
|
SOCKET s;
|
2004-05-28 07:13:32 +02:00
|
|
|
|
2010-01-10 15:16:08 +01:00
|
|
|
if (src->origsocket == PGINVALID_SOCKET || src->origsocket == 0)
|
2004-01-26 23:35:32 +01:00
|
|
|
{
|
2004-11-17 01:14:14 +01:00
|
|
|
/* Not a real socket! */
|
|
|
|
|
*dest = src->origsocket;
|
2004-01-26 23:35:32 +01:00
|
|
|
}
|
2004-11-17 01:14:14 +01:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* Actual socket, so create from structure */
|
|
|
|
|
s = WSASocket(FROM_PROTOCOL_INFO,
|
|
|
|
|
FROM_PROTOCOL_INFO,
|
|
|
|
|
FROM_PROTOCOL_INFO,
|
|
|
|
|
&src->wsainfo,
|
|
|
|
|
0,
|
|
|
|
|
0);
|
|
|
|
|
if (s == INVALID_SOCKET)
|
|
|
|
|
{
|
|
|
|
|
write_stderr("could not create inherited socket: error code %d\n",
|
|
|
|
|
WSAGetLastError());
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
*dest = s;
|
2004-01-26 23:35:32 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* To make sure we don't get two references to the same socket, close
|
|
|
|
|
* the original one. (This would happen when inheritance actually
|
|
|
|
|
* works..
|
2004-11-17 01:14:14 +01:00
|
|
|
*/
|
|
|
|
|
closesocket(src->origsocket);
|
|
|
|
|
}
|
2003-12-20 18:31:21 +01:00
|
|
|
}
|
2004-11-17 01:14:14 +01:00
|
|
|
#endif
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2004-05-28 07:13:32 +02:00
|
|
|
static void
|
2004-11-17 01:14:14 +01:00
|
|
|
read_backend_variables(char *id, Port *port)
|
2003-12-20 18:31:21 +01:00
|
|
|
{
|
2004-12-29 22:36:09 +01:00
|
|
|
BackendParameters param;
|
|
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
#ifndef WIN32
|
|
|
|
|
/* Non-win32 implementation reads from file */
|
2005-10-15 04:49:52 +02:00
|
|
|
FILE *fp;
|
2003-12-20 18:31:21 +01:00
|
|
|
|
|
|
|
|
/* Open file */
|
2004-11-17 01:14:14 +01:00
|
|
|
fp = AllocateFile(id, PG_BINARY_R);
|
2003-12-20 18:31:21 +01:00
|
|
|
if (!fp)
|
2004-11-17 01:14:14 +01:00
|
|
|
{
|
|
|
|
|
write_stderr("could not read from backend variables file \"%s\": %s\n",
|
|
|
|
|
id, strerror(errno));
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (fread(¶m, sizeof(param), 1, fp) != 1)
|
|
|
|
|
{
|
|
|
|
|
write_stderr("could not read from backend variables file \"%s\": %s\n",
|
|
|
|
|
id, strerror(errno));
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Release file */
|
|
|
|
|
FreeFile(fp);
|
|
|
|
|
if (unlink(id) != 0)
|
|
|
|
|
{
|
|
|
|
|
write_stderr("could not remove file \"%s\": %s\n",
|
|
|
|
|
id, strerror(errno));
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
/* Win32 version uses mapped file */
|
2005-10-15 04:49:52 +02:00
|
|
|
HANDLE paramHandle;
|
2004-12-29 22:36:09 +01:00
|
|
|
BackendParameters *paramp;
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2010-11-16 12:40:56 +01:00
|
|
|
#ifdef _WIN64
|
|
|
|
|
paramHandle = (HANDLE) _atoi64(id);
|
|
|
|
|
#else
|
2005-10-15 04:49:52 +02:00
|
|
|
paramHandle = (HANDLE) atol(id);
|
2010-11-16 12:40:56 +01:00
|
|
|
#endif
|
2004-12-29 22:36:09 +01:00
|
|
|
paramp = MapViewOfFile(paramHandle, FILE_MAP_READ, 0, 0, 0);
|
|
|
|
|
if (!paramp)
|
2004-11-17 01:14:14 +01:00
|
|
|
{
|
|
|
|
|
write_stderr("could not map view of backend variables: error code %d\n",
|
|
|
|
|
(int) GetLastError());
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
2004-05-28 07:13:32 +02:00
|
|
|
|
2004-12-29 22:36:09 +01:00
|
|
|
memcpy(¶m, paramp, sizeof(BackendParameters));
|
2004-05-30 00:48:23 +02:00
|
|
|
|
2004-12-29 22:36:09 +01:00
|
|
|
if (!UnmapViewOfFile(paramp))
|
2004-11-17 01:14:14 +01:00
|
|
|
{
|
|
|
|
|
write_stderr("could not unmap view of backend variables: error code %d\n",
|
|
|
|
|
(int) GetLastError());
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
if (!CloseHandle(paramHandle))
|
|
|
|
|
{
|
|
|
|
|
write_stderr("could not close handle to backend parameter variables: error code %d\n",
|
|
|
|
|
(int) GetLastError());
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2004-12-29 22:36:09 +01:00
|
|
|
|
|
|
|
|
restore_backend_variables(¶m, port);
|
2004-11-17 01:14:14 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Restore critical backend variables from the BackendParameters struct */
|
|
|
|
|
static void
|
2011-04-10 17:42:00 +02:00
|
|
|
restore_backend_variables(BackendParameters *param, Port *port)
|
2004-11-17 01:14:14 +01:00
|
|
|
{
|
|
|
|
|
memcpy(port, ¶m->port, sizeof(Port));
|
|
|
|
|
read_inheritable_socket(&port->sock, ¶m->portsocket);
|
|
|
|
|
|
|
|
|
|
SetDataDir(param->DataDir);
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
memcpy(&ListenSocket, ¶m->ListenSocket, sizeof(ListenSocket));
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
MyCancelKey = param->MyCancelKey;
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
MyPMChildSlot = param->MyPMChildSlot;
|
2004-11-17 01:14:14 +01:00
|
|
|
|
|
|
|
|
UsedShmemSegID = param->UsedShmemSegID;
|
|
|
|
|
UsedShmemSegAddr = param->UsedShmemSegAddr;
|
|
|
|
|
|
|
|
|
|
ShmemLock = param->ShmemLock;
|
|
|
|
|
ShmemVariableCache = param->ShmemVariableCache;
|
|
|
|
|
ShmemBackendArray = param->ShmemBackendArray;
|
|
|
|
|
|
|
|
|
|
LWLockArray = param->LWLockArray;
|
|
|
|
|
ProcStructLock = param->ProcStructLock;
|
2006-01-04 22:06:32 +01:00
|
|
|
ProcGlobal = param->ProcGlobal;
|
2007-03-07 14:35:03 +01:00
|
|
|
AuxiliaryProcs = param->AuxiliaryProcs;
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
PMSignalState = param->PMSignalState;
|
2004-11-17 01:14:14 +01:00
|
|
|
read_inheritable_socket(&pgStatSock, ¶m->pgStatSock);
|
|
|
|
|
|
|
|
|
|
PostmasterPid = param->PostmasterPid;
|
2005-06-30 00:51:57 +02:00
|
|
|
PgStartTime = param->PgStartTime;
|
2008-05-04 23:13:36 +02:00
|
|
|
PgReloadTime = param->PgReloadTime;
|
2003-12-20 18:31:21 +01:00
|
|
|
|
2007-07-19 21:13:43 +02:00
|
|
|
redirection_done = param->redirection_done;
|
|
|
|
|
|
2004-05-30 05:50:15 +02:00
|
|
|
#ifdef WIN32
|
2004-11-17 01:14:14 +01:00
|
|
|
PostmasterHandle = param->PostmasterHandle;
|
|
|
|
|
pgwin32_initial_signal_pipe = param->initial_signal_pipe;
|
2004-05-30 05:50:15 +02:00
|
|
|
#endif
|
2004-01-07 00:15:22 +01:00
|
|
|
|
2004-11-17 01:14:14 +01:00
|
|
|
memcpy(&syslogPipe, ¶m->syslogPipe, sizeof(syslogPipe));
|
2004-05-21 07:08:06 +02:00
|
|
|
|
2007-02-10 15:58:55 +01:00
|
|
|
strlcpy(my_exec_path, param->my_exec_path, MAXPGPATH);
|
2004-05-28 07:13:32 +02:00
|
|
|
|
2007-02-10 15:58:55 +01:00
|
|
|
strlcpy(pkglib_path, param->pkglib_path, MAXPGPATH);
|
2005-08-11 23:11:50 +02:00
|
|
|
|
2007-02-10 15:58:55 +01:00
|
|
|
strlcpy(ExtraOptions, param->ExtraOptions, MAXPGPATH);
|
2003-12-20 18:31:21 +01:00
|
|
|
}
|
|
|
|
|
|
2004-01-26 23:59:54 +01:00
|
|
|
|
2005-08-21 01:26:37 +02:00
|
|
|
Size
|
2004-05-27 17:07:41 +02:00
|
|
|
ShmemBackendArraySize(void)
|
2004-01-26 23:59:54 +01:00
|
|
|
{
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
return mul_size(MaxLivePostmasterChildren(), sizeof(Backend));
|
2004-01-26 23:59:54 +01:00
|
|
|
}
|
|
|
|
|
|
2004-05-27 17:07:41 +02:00
|
|
|
void
|
|
|
|
|
ShmemBackendArrayAllocation(void)
|
2004-01-26 23:59:54 +01:00
|
|
|
{
|
2005-08-21 01:26:37 +02:00
|
|
|
Size size = ShmemBackendArraySize();
|
2004-05-27 17:07:41 +02:00
|
|
|
|
|
|
|
|
ShmemBackendArray = (Backend *) ShmemAlloc(size);
|
2004-05-30 00:48:23 +02:00
|
|
|
/* Mark all slots as empty */
|
2004-01-26 23:59:54 +01:00
|
|
|
memset(ShmemBackendArray, 0, size);
|
|
|
|
|
}
|
|
|
|
|
|
2004-05-27 17:07:41 +02:00
|
|
|
static void
|
|
|
|
|
ShmemBackendArrayAdd(Backend *bn)
|
2004-01-26 23:59:54 +01:00
|
|
|
{
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
/* The array slot corresponding to my PMChildSlot should be free */
|
|
|
|
|
int i = bn->child_slot - 1;
|
2004-01-26 23:59:54 +01:00
|
|
|
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
Assert(ShmemBackendArray[i].pid == 0);
|
|
|
|
|
ShmemBackendArray[i] = *bn;
|
2004-01-26 23:59:54 +01:00
|
|
|
}
|
|
|
|
|
|
2004-05-27 17:07:41 +02:00
|
|
|
static void
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
ShmemBackendArrayRemove(Backend *bn)
|
2004-01-26 23:59:54 +01:00
|
|
|
{
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
int i = bn->child_slot - 1;
|
2004-01-26 23:59:54 +01:00
|
|
|
|
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
2009-05-05 21:59:00 +02:00
|
|
|
Assert(ShmemBackendArray[i].pid == bn->pid);
|
|
|
|
|
/* Mark the slot as empty */
|
|
|
|
|
ShmemBackendArray[i].pid = 0;
|
2004-01-26 23:59:54 +01:00
|
|
|
}
|
2004-08-29 07:07:03 +02:00
|
|
|
#endif /* EXEC_BACKEND */
|
2004-05-28 07:13:32 +02:00
|
|
|
|
2004-01-11 04:49:31 +01:00
|
|
|
|
|
|
|
|
#ifdef WIN32
|
|
|
|
|
|
2004-05-27 17:07:41 +02:00
|
|
|
static pid_t
|
|
|
|
|
win32_waitpid(int *exitstatus)
|
2004-01-26 23:59:54 +01:00
|
|
|
{
|
2007-11-15 22:14:46 +01:00
|
|
|
DWORD dwd;
|
|
|
|
|
ULONG_PTR key;
|
|
|
|
|
OVERLAPPED *ovl;
|
2007-10-26 23:50:10 +02:00
|
|
|
|
2004-08-29 07:07:03 +02:00
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Check if there are any dead children. If there are, return the pid of
|
|
|
|
|
* the first one that died.
|
2004-08-29 07:07:03 +02:00
|
|
|
*/
|
2007-10-26 23:50:10 +02:00
|
|
|
if (GetQueuedCompletionStatus(win32ChildQueue, &dwd, &key, &ovl, 0))
|
2004-08-29 05:16:30 +02:00
|
|
|
{
|
2007-11-15 22:14:46 +01:00
|
|
|
*exitstatus = (int) key;
|
2007-10-26 23:50:10 +02:00
|
|
|
return dwd;
|
2004-01-26 23:59:54 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
2004-05-30 00:48:23 +02:00
|
|
|
/*
|
2007-10-26 23:50:10 +02:00
|
|
|
* Note! Code below executes on a thread pool! All operations must
|
|
|
|
|
* be thread safe! Note that elog() and friends must *not* be used.
|
2004-05-30 00:48:23 +02:00
|
|
|
*/
|
2007-10-26 23:50:10 +02:00
|
|
|
static void WINAPI
|
|
|
|
|
pgwin32_deadchild_callback(PVOID lpParameter, BOOLEAN TimerOrWaitFired)
|
2004-05-27 17:07:41 +02:00
|
|
|
{
|
2007-11-15 22:14:46 +01:00
|
|
|
win32_deadchild_waitinfo *childinfo = (win32_deadchild_waitinfo *) lpParameter;
|
2007-10-26 23:50:10 +02:00
|
|
|
DWORD exitcode;
|
2004-05-27 17:07:41 +02:00
|
|
|
|
2007-10-26 23:50:10 +02:00
|
|
|
if (TimerOrWaitFired)
|
2007-11-15 22:14:46 +01:00
|
|
|
return; /* timeout. Should never happen, since we use
|
|
|
|
|
* INFINITE as timeout value. */
|
2004-02-08 23:28:57 +01:00
|
|
|
|
2007-11-15 22:14:46 +01:00
|
|
|
/*
|
|
|
|
|
* Remove handle from wait - required even though it's set to wait only
|
|
|
|
|
* once
|
|
|
|
|
*/
|
2007-10-26 23:50:10 +02:00
|
|
|
UnregisterWaitEx(childinfo->waitHandle, NULL);
|
|
|
|
|
|
|
|
|
|
if (!GetExitCodeProcess(childinfo->procHandle, &exitcode))
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Should never happen. Inform user and set a fixed exitcode.
|
|
|
|
|
*/
|
2007-11-15 21:04:38 +01:00
|
|
|
write_stderr("could not read exit code for process\n");
|
2007-10-26 23:50:10 +02:00
|
|
|
exitcode = 255;
|
|
|
|
|
}
|
|
|
|
|
|
2007-11-15 22:14:46 +01:00
|
|
|
if (!PostQueuedCompletionStatus(win32ChildQueue, childinfo->procId, (ULONG_PTR) exitcode, NULL))
|
2007-10-26 23:50:10 +02:00
|
|
|
write_stderr("could not post child completion status\n");
|
|
|
|
|
|
2007-11-15 22:14:46 +01:00
|
|
|
/*
|
|
|
|
|
* Handle is per-process, so we close it here instead of in the
|
|
|
|
|
* originating thread
|
|
|
|
|
*/
|
2007-10-26 23:50:10 +02:00
|
|
|
CloseHandle(childinfo->procHandle);
|
|
|
|
|
|
2007-11-15 22:14:46 +01:00
|
|
|
/*
|
|
|
|
|
* Free struct that was allocated before the call to
|
|
|
|
|
* RegisterWaitForSingleObject()
|
|
|
|
|
*/
|
2007-10-26 23:50:10 +02:00
|
|
|
free(childinfo);
|
|
|
|
|
|
|
|
|
|
/* Queue SIGCHLD signal */
|
|
|
|
|
pg_queue_signal(SIGCHLD);
|
2004-02-08 23:28:57 +01:00
|
|
|
}
|
|
|
|
|
|
2004-08-29 07:07:03 +02:00
|
|
|
#endif /* WIN32 */
|
