PostgreSQL Source Code  git master
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros
postmaster.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * postmaster.c
4  * This program acts as a clearing house for requests to the
5  * POSTGRES system. Frontend programs send a startup message
6  * to the Postmaster and the postmaster uses the info in the
7  * message to setup a backend process.
8  *
9  * The postmaster also manages system-wide operations such as
10  * startup and shutdown. The postmaster itself doesn't do those
11  * operations, mind you --- it just forks off a subprocess to do them
12  * at the right times. It also takes care of resetting the system
13  * if a backend crashes.
14  *
15  * The postmaster process creates the shared memory and semaphore
16  * pools during startup, but as a rule does not touch them itself.
17  * In particular, it is not a member of the PGPROC array of backends
18  * and so it cannot participate in lock-manager operations. Keeping
19  * the postmaster away from shared memory operations makes it simpler
20  * and more reliable. The postmaster is almost always able to recover
21  * from crashes of individual backends by resetting shared memory;
22  * if it did much with shared memory then it would be prone to crashing
23  * along with the backends.
24  *
25  * When a request message is received, we now fork() immediately.
26  * The child process performs authentication of the request, and
27  * then becomes a backend if successful. This allows the auth code
28  * to be written in a simple single-threaded style (as opposed to the
29  * crufty "poor man's multitasking" code that used to be needed).
30  * More importantly, it ensures that blockages in non-multithreaded
31  * libraries like SSL or PAM cannot cause denial of service to other
32  * clients.
33  *
34  *
35  * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
36  * Portions Copyright (c) 1994, Regents of the University of California
37  *
38  *
39  * IDENTIFICATION
40  * src/backend/postmaster/postmaster.c
41  *
42  * NOTES
43  *
44  * Initialization:
45  * The Postmaster sets up shared memory data structures
46  * for the backends.
47  *
48  * Synchronization:
49  * The Postmaster shares memory with the backends but should avoid
50  * touching shared memory, so as not to become stuck if a crashing
51  * backend screws up locks or shared memory. Likewise, the Postmaster
52  * should never block on messages from frontend clients.
53  *
54  * Garbage Collection:
55  * The Postmaster cleans up after backends if they have an emergency
56  * exit and/or core dump.
57  *
58  * Error Reporting:
59  * Use write_stderr() only for reporting "interactive" errors
60  * (essentially, bogus arguments on the command line). Once the
61  * postmaster is launched, use ereport().
62  *
63  *-------------------------------------------------------------------------
64  */
65 
66 #include "postgres.h"
67 
68 #include <unistd.h>
69 #include <signal.h>
70 #include <time.h>
71 #include <sys/wait.h>
72 #include <ctype.h>
73 #include <sys/stat.h>
74 #include <sys/socket.h>
75 #include <fcntl.h>
76 #include <sys/param.h>
77 #include <netinet/in.h>
78 #include <arpa/inet.h>
79 #include <netdb.h>
80 #include <limits.h>
81 
82 #ifdef HAVE_SYS_SELECT_H
83 #include <sys/select.h>
84 #endif
85 
86 #ifdef USE_BONJOUR
87 #include <dns_sd.h>
88 #endif
89 
90 #ifdef USE_SYSTEMD
91 #include <systemd/sd-daemon.h>
92 #endif
93 
94 #ifdef HAVE_PTHREAD_IS_THREADED_NP
95 #include <pthread.h>
96 #endif
97 
98 #include "access/transam.h"
99 #include "access/xlog.h"
100 #include "bootstrap/bootstrap.h"
101 #include "catalog/pg_control.h"
102 #include "common/ip.h"
103 #include "lib/ilist.h"
104 #include "libpq/auth.h"
105 #include "libpq/libpq.h"
106 #include "libpq/pqsignal.h"
107 #include "miscadmin.h"
108 #include "pg_getopt.h"
109 #include "pgstat.h"
110 #include "postmaster/autovacuum.h"
112 #include "postmaster/fork_process.h"
113 #include "postmaster/pgarch.h"
114 #include "postmaster/postmaster.h"
115 #include "postmaster/syslogger.h"
117 #include "replication/walsender.h"
118 #include "storage/fd.h"
119 #include "storage/ipc.h"
120 #include "storage/pg_shmem.h"
121 #include "storage/pmsignal.h"
122 #include "storage/proc.h"
123 #include "tcop/tcopprot.h"
124 #include "utils/builtins.h"
125 #include "utils/datetime.h"
126 #include "utils/dynamic_loader.h"
127 #include "utils/memutils.h"
128 #include "utils/ps_status.h"
129 #include "utils/timeout.h"
130 #include "utils/varlena.h"
131 
132 #ifdef EXEC_BACKEND
133 #include "storage/spin.h"
134 #endif
135 
136 
137 /*
138  * Possible types of a backend. Beyond being the possible bkend_type values in
139  * struct bkend, these are OR-able request flag bits for SignalSomeChildren()
140  * and CountChildren().
141  */
142 #define BACKEND_TYPE_NORMAL 0x0001 /* normal backend */
143 #define BACKEND_TYPE_AUTOVAC 0x0002 /* autovacuum worker process */
144 #define BACKEND_TYPE_WALSND 0x0004 /* walsender process */
145 #define BACKEND_TYPE_BGWORKER 0x0008 /* bgworker process */
146 #define BACKEND_TYPE_ALL 0x000F /* OR of all the above */
147 
148 #define BACKEND_TYPE_WORKER (BACKEND_TYPE_AUTOVAC | BACKEND_TYPE_BGWORKER)
149 
150 /*
151  * List of active backends (or child processes anyway; we don't actually
152  * know whether a given child has become a backend or is still in the
153  * authorization phase). This is used mainly to keep track of how many
154  * children we have and send them appropriate signals when necessary.
155  *
156  * "Special" children such as the startup, bgwriter and autovacuum launcher
157  * tasks are not in this list. Autovacuum worker and walsender are in it.
158  * Also, "dead_end" children are in it: these are children launched just for
159  * the purpose of sending a friendly rejection message to a would-be client.
160  * We must track them because they are attached to shared memory, but we know
161  * they will never become live backends. dead_end children are not assigned a
162  * PMChildSlot.
163  *
164  * Background workers are in this list, too.
165  */
166 typedef struct bkend
167 {
168  pid_t pid; /* process id of backend */
169  int32 cancel_key; /* cancel key for cancels for this backend */
170  int child_slot; /* PMChildSlot for this backend, if any */
171 
172  /*
173  * Flavor of backend or auxiliary process. Note that BACKEND_TYPE_WALSND
174  * backends initially announce themselves as BACKEND_TYPE_NORMAL, so if
175  * bkend_type is normal, you should check for a recent transition.
176  */
178  bool dead_end; /* is it going to send an error and quit? */
179  bool bgworker_notify; /* gets bgworker start/stop notifications */
180  dlist_node elem; /* list link in BackendList */
181 } Backend;
182 
184 
185 #ifdef EXEC_BACKEND
186 static Backend *ShmemBackendArray;
187 #endif
188 
190 
191 
192 
193 /* The socket number we are listening for connections on */
195 
196 /* The directory names for Unix socket(s) */
198 
199 /* The TCP listen address(es) */
201 
202 /*
203  * ReservedBackends is the number of backends reserved for superuser use.
204  * This number is taken out of the pool size given by MaxBackends so
205  * number of backend slots available to non-superusers is
206  * (MaxBackends - ReservedBackends). Note what this really means is
207  * "if there are <= ReservedBackends connections available, only superusers
208  * can make new connections" --- pre-existing superuser connections don't
209  * count against the limit.
210  */
212 
213 /* The socket(s) we're listening to. */
214 #define MAXLISTEN 64
216 
217 /*
218  * Set by the -o option
219  */
220 static char ExtraOptions[MAXPGPATH];
221 
222 /*
223  * These globals control the behavior of the postmaster in case some
224  * backend dumps core. Normally, it kills all peers of the dead backend
225  * and reinitializes shared memory. By specifying -s or -n, we can have
226  * the postmaster stop (rather than kill) peers and not reinitialize
227  * shared data structures. (Reinit is currently dead code, though.)
228  */
229 static bool Reinit = true;
230 static int SendStop = false;
231 
232 /* still more option variables */
233 bool EnableSSL = false;
234 
235 int PreAuthDelay = 0;
237 
238 bool log_hostname; /* for ps display and logging */
239 bool Log_connections = false;
240 bool Db_user_namespace = false;
241 
242 bool enable_bonjour = false;
245 
246 /* PIDs of special child processes; 0 when not running */
247 static pid_t StartupPID = 0,
256 
257 /* Startup process's status */
258 typedef enum
259 {
262  STARTUP_SIGNALED, /* we sent it a SIGQUIT or SIGKILL */
265 
267 
268 /* Startup/shutdown state */
269 #define NoShutdown 0
270 #define SmartShutdown 1
271 #define FastShutdown 2
272 #define ImmediateShutdown 3
273 
274 static int Shutdown = NoShutdown;
275 
276 static bool FatalError = false; /* T if recovering from backend crash */
277 
278 /*
279  * We use a simple state machine to control startup, shutdown, and
280  * crash recovery (which is rather like shutdown followed by startup).
281  *
282  * After doing all the postmaster initialization work, we enter PM_STARTUP
283  * state and the startup process is launched. The startup process begins by
284  * reading the control file and other preliminary initialization steps.
285  * In a normal startup, or after crash recovery, the startup process exits
286  * with exit code 0 and we switch to PM_RUN state. However, archive recovery
287  * is handled specially since it takes much longer and we would like to support
288  * hot standby during archive recovery.
289  *
290  * When the startup process is ready to start archive recovery, it signals the
291  * postmaster, and we switch to PM_RECOVERY state. The background writer and
292  * checkpointer are launched, while the startup process continues applying WAL.
293  * If Hot Standby is enabled, then, after reaching a consistent point in WAL
294  * redo, startup process signals us again, and we switch to PM_HOT_STANDBY
295  * state and begin accepting connections to perform read-only queries. When
296  * archive recovery is finished, the startup process exits with exit code 0
297  * and we switch to PM_RUN state.
298  *
299  * Normal child backends can only be launched when we are in PM_RUN or
300  * PM_HOT_STANDBY state. (We also allow launch of normal
301  * child backends in PM_WAIT_BACKUP state, but only for superusers.)
302  * In other states we handle connection requests by launching "dead_end"
303  * child processes, which will simply send the client an error message and
304  * quit. (We track these in the BackendList so that we can know when they
305  * are all gone; this is important because they're still connected to shared
306  * memory, and would interfere with an attempt to destroy the shmem segment,
307  * possibly leading to SHMALL failure when we try to make a new one.)
308  * In PM_WAIT_DEAD_END state we are waiting for all the dead_end children
309  * to drain out of the system, and therefore stop accepting connection
310  * requests at all until the last existing child has quit (which hopefully
311  * will not be very long).
312  *
313  * Notice that this state variable does not distinguish *why* we entered
314  * states later than PM_RUN --- Shutdown and FatalError must be consulted
315  * to find that out. FatalError is never true in PM_RECOVERY_* or PM_RUN
316  * states, nor in PM_SHUTDOWN states (because we don't enter those states
317  * when trying to recover from a crash). It can be true in PM_STARTUP state,
318  * because we don't clear it until we've successfully started WAL redo.
319  */
320 typedef enum
321 {
322  PM_INIT, /* postmaster starting */
323  PM_STARTUP, /* waiting for startup subprocess */
324  PM_RECOVERY, /* in archive recovery mode */
325  PM_HOT_STANDBY, /* in hot standby mode */
326  PM_RUN, /* normal "database is alive" state */
327  PM_WAIT_BACKUP, /* waiting for online backup mode to end */
328  PM_WAIT_READONLY, /* waiting for read only backends to exit */
329  PM_WAIT_BACKENDS, /* waiting for live backends to exit */
330  PM_SHUTDOWN, /* waiting for checkpointer to do shutdown
331  * ckpt */
332  PM_SHUTDOWN_2, /* waiting for archiver and walsenders to
333  * finish */
334  PM_WAIT_DEAD_END, /* waiting for dead_end children to exit */
335  PM_NO_CHILDREN /* all important children have exited */
336 } PMState;
337 
339 
340 /* Start time of SIGKILL timeout during immediate shutdown or child crash */
341 /* Zero means timeout is not running */
342 static time_t AbortStartTime = 0;
343 /* Length of said timeout */
344 #define SIGKILL_CHILDREN_AFTER_SECS 5
345 
346 static bool ReachedNormalRunning = false; /* T if we've reached PM_RUN */
347 
348 bool ClientAuthInProgress = false; /* T during new-client
349  * authentication */
350 
351 bool redirection_done = false; /* stderr redirected for syslogger? */
352 
353 /* received START_AUTOVAC_LAUNCHER signal */
354 static volatile sig_atomic_t start_autovac_launcher = false;
355 
356 /* the launcher needs to be signalled to communicate some condition */
357 static volatile bool avlauncher_needs_signal = false;
358 
359 /* set when there's a worker that needs to be started up */
360 static volatile bool StartWorkerNeeded = true;
361 static volatile bool HaveCrashedWorker = false;
362 
363 #ifndef HAVE_STRONG_RANDOM
364 /*
365  * State for assigning cancel keys.
366  * Also, the global MyCancelKey passes the cancel key assigned to a given
367  * backend from the postmaster to that backend (via fork).
368  */
369 static unsigned int random_seed = 0;
370 static struct timeval random_start_time;
371 #endif
372 
373 #ifdef USE_SSL
374 /* Set when and if SSL has been initialized properly */
375 static bool LoadedSSL = false;
376 #endif
377 
378 #ifdef USE_BONJOUR
379 static DNSServiceRef bonjour_sdref = NULL;
380 #endif
381 
382 /*
383  * postmaster.c - function prototypes
384  */
385 static void CloseServerPorts(int status, Datum arg);
386 static void unlink_external_pid_file(int status, Datum arg);
387 static void getInstallationPaths(const char *argv0);
388 static void checkDataDir(void);
389 static Port *ConnCreate(int serverFd);
390 static void ConnFree(Port *port);
391 static void reset_shared(int port);
392 static void SIGHUP_handler(SIGNAL_ARGS);
393 static void pmdie(SIGNAL_ARGS);
394 static void reaper(SIGNAL_ARGS);
395 static void sigusr1_handler(SIGNAL_ARGS);
396 static void startup_die(SIGNAL_ARGS);
397 static void dummy_handler(SIGNAL_ARGS);
398 static void StartupPacketTimeoutHandler(void);
399 static void CleanupBackend(int pid, int exitstatus);
400 static bool CleanupBackgroundWorker(int pid, int exitstatus);
401 static void HandleChildCrash(int pid, int exitstatus, const char *procname);
402 static void LogChildExit(int lev, const char *procname,
403  int pid, int exitstatus);
404 static void PostmasterStateMachine(void);
405 static void BackendInitialize(Port *port);
406 static void BackendRun(Port *port) pg_attribute_noreturn();
407 static void ExitPostmaster(int status) pg_attribute_noreturn();
408 static int ServerLoop(void);
409 static int BackendStartup(Port *port);
410 static int ProcessStartupPacket(Port *port, bool SSLdone);
411 static void processCancelRequest(Port *port, void *pkt);
412 static int initMasks(fd_set *rmask);
413 static void report_fork_failure_to_client(Port *port, int errnum);
414 static CAC_state canAcceptConnections(void);
415 static bool RandomCancelKey(int32 *cancel_key);
416 static void signal_child(pid_t pid, int signal);
417 static bool SignalSomeChildren(int signal, int targets);
418 static void TerminateChildren(int signal);
419 
420 #define SignalChildren(sig) SignalSomeChildren(sig, BACKEND_TYPE_ALL)
421 
422 static int CountChildren(int target);
424 static void maybe_start_bgworkers(void);
425 static bool CreateOptsFile(int argc, char *argv[], char *fullprogname);
426 static pid_t StartChildProcess(AuxProcType type);
427 static void StartAutovacuumWorker(void);
428 static void InitPostmasterDeathWatchHandle(void);
429 
430 /*
431  * Archiver is allowed to start up at the current postmaster state?
432  *
433  * If WAL archiving is enabled always, we are allowed to start archiver
434  * even during recovery.
435  */
436 #define PgArchStartupAllowed() \
437  ((XLogArchivingActive() && pmState == PM_RUN) || \
438  (XLogArchivingAlways() && \
439  (pmState == PM_RECOVERY || pmState == PM_HOT_STANDBY)))
440 
441 #ifdef EXEC_BACKEND
442 
443 #ifdef WIN32
444 #define WNOHANG 0 /* ignored, so any integer value will do */
445 
446 static pid_t waitpid(pid_t pid, int *exitstatus, int options);
447 static void WINAPI pgwin32_deadchild_callback(PVOID lpParameter, BOOLEAN TimerOrWaitFired);
448 
449 static HANDLE win32ChildQueue;
450 
451 typedef struct
452 {
453  HANDLE waitHandle;
454  HANDLE procHandle;
455  DWORD procId;
456 } win32_deadchild_waitinfo;
457 #endif /* WIN32 */
458 
459 static pid_t backend_forkexec(Port *port);
460 static pid_t internal_forkexec(int argc, char *argv[], Port *port);
461 
462 /* Type for a socket that can be inherited to a client process */
463 #ifdef WIN32
464 typedef struct
465 {
466  SOCKET origsocket; /* Original socket value, or PGINVALID_SOCKET
467  * if not a socket */
468  WSAPROTOCOL_INFO wsainfo;
469 } InheritableSocket;
470 #else
471 typedef int InheritableSocket;
472 #endif
473 
474 /*
475  * Structure contains all variables passed to exec:ed backends
476  */
477 typedef struct
478 {
479  Port port;
480  InheritableSocket portsocket;
481  char DataDir[MAXPGPATH];
484  int MyPMChildSlot;
485 #ifndef WIN32
486  unsigned long UsedShmemSegID;
487 #else
488  HANDLE UsedShmemSegID;
489 #endif
490  void *UsedShmemSegAddr;
493  Backend *ShmemBackendArray;
494 #ifndef HAVE_SPINLOCKS
496 #endif
505  InheritableSocket pgStatSock;
506  pid_t PostmasterPid;
510  bool redirection_done;
511  bool IsBinaryUpgrade;
512  int max_safe_fds;
513  int MaxBackends;
514 #ifdef WIN32
515  HANDLE PostmasterHandle;
516  HANDLE initial_signal_pipe;
517  HANDLE syslogPipe[2];
518 #else
519  int postmaster_alive_fds[2];
520  int syslogPipe[2];
521 #endif
522  char my_exec_path[MAXPGPATH];
523  char pkglib_path[MAXPGPATH];
524  char ExtraOptions[MAXPGPATH];
525 } BackendParameters;
526 
527 static void read_backend_variables(char *id, Port *port);
528 static void restore_backend_variables(BackendParameters *param, Port *port);
529 
530 #ifndef WIN32
531 static bool save_backend_variables(BackendParameters *param, Port *port);
532 #else
533 static bool save_backend_variables(BackendParameters *param, Port *port,
534  HANDLE childProcess, pid_t childPid);
535 #endif
536 
537 static void ShmemBackendArrayAdd(Backend *bn);
538 static void ShmemBackendArrayRemove(Backend *bn);
539 #endif /* EXEC_BACKEND */
540 
541 #define StartupDataBase() StartChildProcess(StartupProcess)
542 #define StartBackgroundWriter() StartChildProcess(BgWriterProcess)
543 #define StartCheckpointer() StartChildProcess(CheckpointerProcess)
544 #define StartWalWriter() StartChildProcess(WalWriterProcess)
545 #define StartWalReceiver() StartChildProcess(WalReceiverProcess)
546 
547 /* Macros to check exit status of a child process */
548 #define EXIT_STATUS_0(st) ((st) == 0)
549 #define EXIT_STATUS_1(st) (WIFEXITED(st) && WEXITSTATUS(st) == 1)
550 #define EXIT_STATUS_3(st) (WIFEXITED(st) && WEXITSTATUS(st) == 3)
551 
552 #ifndef WIN32
553 /*
554  * File descriptors for pipe used to monitor if postmaster is alive.
555  * First is POSTMASTER_FD_WATCH, second is POSTMASTER_FD_OWN.
556  */
557 int postmaster_alive_fds[2] = {-1, -1};
558 #else
559 /* Process handle of postmaster used for the same purpose on Windows */
560 HANDLE PostmasterHandle;
561 #endif
562 
563 /*
564  * Postmaster main entry point
565  */
566 void
567 PostmasterMain(int argc, char *argv[])
568 {
569  int opt;
570  int status;
571  char *userDoption = NULL;
572  bool listen_addr_saved = false;
573  int i;
574  char *output_config_variable = NULL;
575 
576  MyProcPid = PostmasterPid = getpid();
577 
578  MyStartTime = time(NULL);
579 
581 
582  /*
583  * for security, no dir or file created can be group or other accessible
584  */
585  umask(S_IRWXG | S_IRWXO);
586 
587  /*
588  * Initialize random(3) so we don't get the same values in every run.
589  *
590  * Note: the seed is pretty predictable from externally-visible facts such
591  * as postmaster start time, so avoid using random() for security-critical
592  * random values during postmaster startup. At the time of first
593  * connection, PostmasterRandom will select a hopefully-more-random seed.
594  */
595  srandom((unsigned int) (MyProcPid ^ MyStartTime));
596 
597  /*
598  * By default, palloc() requests in the postmaster will be allocated in
599  * the PostmasterContext, which is space that can be recycled by backends.
600  * Allocated data that needs to be available to backends should be
601  * allocated in TopMemoryContext.
602  */
604  "Postmaster",
607 
608  /* Initialize paths to installation files */
609  getInstallationPaths(argv[0]);
610 
611  /*
612  * Set up signal handlers for the postmaster process.
613  *
614  * In the postmaster, we want to install non-ignored handlers *without*
615  * SA_RESTART. This is because they'll be blocked at all times except
616  * when ServerLoop is waiting for something to happen, and during that
617  * window, we want signals to exit the select(2) wait so that ServerLoop
618  * can respond if anything interesting happened. On some platforms,
619  * signals marked SA_RESTART would not cause the select() wait to end.
620  * Child processes will generally want SA_RESTART, but we expect them to
621  * set up their own handlers before unblocking signals.
622  *
623  * CAUTION: when changing this list, check for side-effects on the signal
624  * handling setup of child processes. See tcop/postgres.c,
625  * bootstrap/bootstrap.c, postmaster/bgwriter.c, postmaster/walwriter.c,
626  * postmaster/autovacuum.c, postmaster/pgarch.c, postmaster/pgstat.c,
627  * postmaster/syslogger.c, postmaster/bgworker.c and
628  * postmaster/checkpointer.c.
629  */
630  pqinitmask();
632 
633  pqsignal_no_restart(SIGHUP, SIGHUP_handler); /* reread config file
634  * and have children do
635  * same */
636  pqsignal_no_restart(SIGINT, pmdie); /* send SIGTERM and shut down */
637  pqsignal_no_restart(SIGQUIT, pmdie); /* send SIGQUIT and die */
638  pqsignal_no_restart(SIGTERM, pmdie); /* wait for children and shut
639  * down */
640  pqsignal(SIGALRM, SIG_IGN); /* ignored */
641  pqsignal(SIGPIPE, SIG_IGN); /* ignored */
642  pqsignal_no_restart(SIGUSR1, sigusr1_handler); /* message from child
643  * process */
644  pqsignal_no_restart(SIGUSR2, dummy_handler); /* unused, reserve for
645  * children */
646  pqsignal_no_restart(SIGCHLD, reaper); /* handle child termination */
647  pqsignal(SIGTTIN, SIG_IGN); /* ignored */
648  pqsignal(SIGTTOU, SIG_IGN); /* ignored */
649  /* ignore SIGXFSZ, so that ulimit violations work like disk full */
650 #ifdef SIGXFSZ
651  pqsignal(SIGXFSZ, SIG_IGN); /* ignored */
652 #endif
653 
654  /*
655  * Options setup
656  */
658 
659  opterr = 1;
660 
661  /*
662  * Parse command-line options. CAUTION: keep this in sync with
663  * tcop/postgres.c (the option sets should not conflict) and with the
664  * common help() function in main/main.c.
665  */
666  while ((opt = getopt(argc, argv, "B:bc:C:D:d:EeFf:h:ijk:lN:nOo:Pp:r:S:sTt:W:-:")) != -1)
667  {
668  switch (opt)
669  {
670  case 'B':
671  SetConfigOption("shared_buffers", optarg, PGC_POSTMASTER, PGC_S_ARGV);
672  break;
673 
674  case 'b':
675  /* Undocumented flag used for binary upgrades */
676  IsBinaryUpgrade = true;
677  break;
678 
679  case 'C':
680  output_config_variable = strdup(optarg);
681  break;
682 
683  case 'D':
684  userDoption = strdup(optarg);
685  break;
686 
687  case 'd':
689  break;
690 
691  case 'E':
692  SetConfigOption("log_statement", "all", PGC_POSTMASTER, PGC_S_ARGV);
693  break;
694 
695  case 'e':
696  SetConfigOption("datestyle", "euro", PGC_POSTMASTER, PGC_S_ARGV);
697  break;
698 
699  case 'F':
700  SetConfigOption("fsync", "false", PGC_POSTMASTER, PGC_S_ARGV);
701  break;
702 
703  case 'f':
705  {
706  write_stderr("%s: invalid argument for option -f: \"%s\"\n",
707  progname, optarg);
708  ExitPostmaster(1);
709  }
710  break;
711 
712  case 'h':
713  SetConfigOption("listen_addresses", optarg, PGC_POSTMASTER, PGC_S_ARGV);
714  break;
715 
716  case 'i':
717  SetConfigOption("listen_addresses", "*", PGC_POSTMASTER, PGC_S_ARGV);
718  break;
719 
720  case 'j':
721  /* only used by interactive backend */
722  break;
723 
724  case 'k':
725  SetConfigOption("unix_socket_directories", optarg, PGC_POSTMASTER, PGC_S_ARGV);
726  break;
727 
728  case 'l':
729  SetConfigOption("ssl", "true", PGC_POSTMASTER, PGC_S_ARGV);
730  break;
731 
732  case 'N':
733  SetConfigOption("max_connections", optarg, PGC_POSTMASTER, PGC_S_ARGV);
734  break;
735 
736  case 'n':
737  /* Don't reinit shared mem after abnormal exit */
738  Reinit = false;
739  break;
740 
741  case 'O':
742  SetConfigOption("allow_system_table_mods", "true", PGC_POSTMASTER, PGC_S_ARGV);
743  break;
744 
745  case 'o':
746  /* Other options to pass to the backend on the command line */
748  sizeof(ExtraOptions) - strlen(ExtraOptions),
749  " %s", optarg);
750  break;
751 
752  case 'P':
753  SetConfigOption("ignore_system_indexes", "true", PGC_POSTMASTER, PGC_S_ARGV);
754  break;
755 
756  case 'p':
758  break;
759 
760  case 'r':
761  /* only used by single-user backend */
762  break;
763 
764  case 'S':
766  break;
767 
768  case 's':
769  SetConfigOption("log_statement_stats", "true", PGC_POSTMASTER, PGC_S_ARGV);
770  break;
771 
772  case 'T':
773 
774  /*
775  * In the event that some backend dumps core, send SIGSTOP,
776  * rather than SIGQUIT, to all its peers. This lets the wily
777  * post_hacker collect core dumps from everyone.
778  */
779  SendStop = true;
780  break;
781 
782  case 't':
783  {
784  const char *tmp = get_stats_option_name(optarg);
785 
786  if (tmp)
787  {
789  }
790  else
791  {
792  write_stderr("%s: invalid argument for option -t: \"%s\"\n",
793  progname, optarg);
794  ExitPostmaster(1);
795  }
796  break;
797  }
798 
799  case 'W':
800  SetConfigOption("post_auth_delay", optarg, PGC_POSTMASTER, PGC_S_ARGV);
801  break;
802 
803  case 'c':
804  case '-':
805  {
806  char *name,
807  *value;
808 
809  ParseLongOption(optarg, &name, &value);
810  if (!value)
811  {
812  if (opt == '-')
813  ereport(ERROR,
814  (errcode(ERRCODE_SYNTAX_ERROR),
815  errmsg("--%s requires a value",
816  optarg)));
817  else
818  ereport(ERROR,
819  (errcode(ERRCODE_SYNTAX_ERROR),
820  errmsg("-c %s requires a value",
821  optarg)));
822  }
823 
825  free(name);
826  if (value)
827  free(value);
828  break;
829  }
830 
831  default:
832  write_stderr("Try \"%s --help\" for more information.\n",
833  progname);
834  ExitPostmaster(1);
835  }
836  }
837 
838  /*
839  * Postmaster accepts no non-option switch arguments.
840  */
841  if (optind < argc)
842  {
843  write_stderr("%s: invalid argument: \"%s\"\n",
844  progname, argv[optind]);
845  write_stderr("Try \"%s --help\" for more information.\n",
846  progname);
847  ExitPostmaster(1);
848  }
849 
850  /*
851  * Locate the proper configuration files and data directory, and read
852  * postgresql.conf for the first time.
853  */
854  if (!SelectConfigFiles(userDoption, progname))
855  ExitPostmaster(2);
856 
857  if (output_config_variable != NULL)
858  {
859  /*
860  * "-C guc" was specified, so print GUC's value and exit. No extra
861  * permission check is needed because the user is reading inside the
862  * data dir.
863  */
864  const char *config_val = GetConfigOption(output_config_variable,
865  false, false);
866 
867  puts(config_val ? config_val : "");
868  ExitPostmaster(0);
869  }
870 
871  /* Verify that DataDir looks reasonable */
872  checkDataDir();
873 
874  /* And switch working directory into it */
875  ChangeToDataDir();
876 
877  /*
878  * Check for invalid combinations of GUC settings.
879  */
881  {
882  write_stderr("%s: superuser_reserved_connections must be less than max_connections\n", progname);
883  ExitPostmaster(1);
884  }
886  {
887  write_stderr("%s: max_wal_senders must be less than max_connections\n", progname);
888  ExitPostmaster(1);
889  }
891  ereport(ERROR,
892  (errmsg("WAL archival cannot be enabled when wal_level is \"minimal\"")));
894  ereport(ERROR,
895  (errmsg("WAL streaming (max_wal_senders > 0) requires wal_level \"replica\" or \"logical\"")));
896 
897  /*
898  * Other one-time internal sanity checks can go here, if they are fast.
899  * (Put any slow processing further down, after postmaster.pid creation.)
900  */
901  if (!CheckDateTokenTables())
902  {
903  write_stderr("%s: invalid datetoken tables, please fix\n", progname);
904  ExitPostmaster(1);
905  }
906 
907  /*
908  * Now that we are done processing the postmaster arguments, reset
909  * getopt(3) library so that it will work correctly in subprocesses.
910  */
911  optind = 1;
912 #ifdef HAVE_INT_OPTRESET
913  optreset = 1; /* some systems need this too */
914 #endif
915 
916  /* For debugging: display postmaster environment */
917  {
918  extern char **environ;
919  char **p;
920 
921  ereport(DEBUG3,
922  (errmsg_internal("%s: PostmasterMain: initial environment dump:",
923  progname)));
924  ereport(DEBUG3,
925  (errmsg_internal("-----------------------------------------")));
926  for (p = environ; *p; ++p)
927  ereport(DEBUG3,
928  (errmsg_internal("\t%s", *p)));
929  ereport(DEBUG3,
930  (errmsg_internal("-----------------------------------------")));
931  }
932 
933  /*
934  * Create lockfile for data directory.
935  *
936  * We want to do this before we try to grab the input sockets, because the
937  * data directory interlock is more reliable than the socket-file
938  * interlock (thanks to whoever decided to put socket files in /tmp :-().
939  * For the same reason, it's best to grab the TCP socket(s) before the
940  * Unix socket(s).
941  *
942  * Also note that this internally sets up the on_proc_exit function that
943  * is responsible for removing both data directory and socket lockfiles;
944  * so it must happen before opening sockets so that at exit, the socket
945  * lockfiles go away after CloseServerPorts runs.
946  */
947  CreateDataDirLockFile(true);
948 
949  /*
950  * Initialize SSL library, if specified.
951  */
952 #ifdef USE_SSL
953  if (EnableSSL)
954  {
955  (void) secure_initialize(true);
956  LoadedSSL = true;
957  }
958 #endif
959 
960  /*
961  * Register the apply launcher. Since it registers a background worker,
962  * it needs to be called before InitializeMaxBackends(), and it's probably
963  * a good idea to call it before any modules had chance to take the
964  * background worker slots.
965  */
967 
968  /*
969  * process any libraries that should be preloaded at postmaster start
970  */
972 
973  /*
974  * Now that loadable modules have had their chance to register background
975  * workers, calculate MaxBackends.
976  */
978 
979  /*
980  * Establish input sockets.
981  *
982  * First, mark them all closed, and set up an on_proc_exit function that's
983  * charged with closing the sockets again at postmaster shutdown.
984  */
985  for (i = 0; i < MAXLISTEN; i++)
987 
989 
990  if (ListenAddresses)
991  {
992  char *rawstring;
993  List *elemlist;
994  ListCell *l;
995  int success = 0;
996 
997  /* Need a modifiable copy of ListenAddresses */
998  rawstring = pstrdup(ListenAddresses);
999 
1000  /* Parse string into list of hostnames */
1001  if (!SplitIdentifierString(rawstring, ',', &elemlist))
1002  {
1003  /* syntax error in list */
1004  ereport(FATAL,
1005  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1006  errmsg("invalid list syntax in parameter \"%s\"",
1007  "listen_addresses")));
1008  }
1009 
1010  foreach(l, elemlist)
1011  {
1012  char *curhost = (char *) lfirst(l);
1013 
1014  if (strcmp(curhost, "*") == 0)
1015  status = StreamServerPort(AF_UNSPEC, NULL,
1016  (unsigned short) PostPortNumber,
1017  NULL,
1019  else
1020  status = StreamServerPort(AF_UNSPEC, curhost,
1021  (unsigned short) PostPortNumber,
1022  NULL,
1023  ListenSocket, MAXLISTEN);
1024 
1025  if (status == STATUS_OK)
1026  {
1027  success++;
1028  /* record the first successful host addr in lockfile */
1029  if (!listen_addr_saved)
1030  {
1032  listen_addr_saved = true;
1033  }
1034  }
1035  else
1036  ereport(WARNING,
1037  (errmsg("could not create listen socket for \"%s\"",
1038  curhost)));
1039  }
1040 
1041  if (!success && elemlist != NIL)
1042  ereport(FATAL,
1043  (errmsg("could not create any TCP/IP sockets")));
1044 
1045  list_free(elemlist);
1046  pfree(rawstring);
1047  }
1048 
1049 #ifdef USE_BONJOUR
1050  /* Register for Bonjour only if we opened TCP socket(s) */
1052  {
1053  DNSServiceErrorType err;
1054 
1055  /*
1056  * We pass 0 for interface_index, which will result in registering on
1057  * all "applicable" interfaces. It's not entirely clear from the
1058  * DNS-SD docs whether this would be appropriate if we have bound to
1059  * just a subset of the available network interfaces.
1060  */
1061  err = DNSServiceRegister(&bonjour_sdref,
1062  0,
1063  0,
1064  bonjour_name,
1065  "_postgresql._tcp.",
1066  NULL,
1067  NULL,
1068  htons(PostPortNumber),
1069  0,
1070  NULL,
1071  NULL,
1072  NULL);
1073  if (err != kDNSServiceErr_NoError)
1074  elog(LOG, "DNSServiceRegister() failed: error code %ld",
1075  (long) err);
1076 
1077  /*
1078  * We don't bother to read the mDNS daemon's reply, and we expect that
1079  * it will automatically terminate our registration when the socket is
1080  * closed at postmaster termination. So there's nothing more to be
1081  * done here. However, the bonjour_sdref is kept around so that
1082  * forked children can close their copies of the socket.
1083  */
1084  }
1085 #endif
1086 
1087 #ifdef HAVE_UNIX_SOCKETS
1089  {
1090  char *rawstring;
1091  List *elemlist;
1092  ListCell *l;
1093  int success = 0;
1094 
1095  /* Need a modifiable copy of Unix_socket_directories */
1096  rawstring = pstrdup(Unix_socket_directories);
1097 
1098  /* Parse string into list of directories */
1099  if (!SplitDirectoriesString(rawstring, ',', &elemlist))
1100  {
1101  /* syntax error in list */
1102  ereport(FATAL,
1103  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1104  errmsg("invalid list syntax in parameter \"%s\"",
1105  "unix_socket_directories")));
1106  }
1107 
1108  foreach(l, elemlist)
1109  {
1110  char *socketdir = (char *) lfirst(l);
1111 
1112  status = StreamServerPort(AF_UNIX, NULL,
1113  (unsigned short) PostPortNumber,
1114  socketdir,
1115  ListenSocket, MAXLISTEN);
1116 
1117  if (status == STATUS_OK)
1118  {
1119  success++;
1120  /* record the first successful Unix socket in lockfile */
1121  if (success == 1)
1123  }
1124  else
1125  ereport(WARNING,
1126  (errmsg("could not create Unix-domain socket in directory \"%s\"",
1127  socketdir)));
1128  }
1129 
1130  if (!success && elemlist != NIL)
1131  ereport(FATAL,
1132  (errmsg("could not create any Unix-domain sockets")));
1133 
1134  list_free_deep(elemlist);
1135  pfree(rawstring);
1136  }
1137 #endif
1138 
1139  /*
1140  * check that we have some socket to listen on
1141  */
1142  if (ListenSocket[0] == PGINVALID_SOCKET)
1143  ereport(FATAL,
1144  (errmsg("no socket created for listening")));
1145 
1146  /*
1147  * If no valid TCP ports, write an empty line for listen address,
1148  * indicating the Unix socket must be used. Note that this line is not
1149  * added to the lock file until there is a socket backing it.
1150  */
1151  if (!listen_addr_saved)
1153 
1154  /*
1155  * Set up shared memory and semaphores.
1156  */
1158 
1159  /*
1160  * Estimate number of openable files. This must happen after setting up
1161  * semaphores, because on some platforms semaphores count as open files.
1162  */
1163  set_max_safe_fds();
1164 
1165  /*
1166  * Set reference point for stack-depth checking.
1167  */
1168  set_stack_base();
1169 
1170  /*
1171  * Initialize pipe (or process handle on Windows) that allows children to
1172  * wake up from sleep on postmaster death.
1173  */
1175 
1176 #ifdef WIN32
1177 
1178  /*
1179  * Initialize I/O completion port used to deliver list of dead children.
1180  */
1181  win32ChildQueue = CreateIoCompletionPort(INVALID_HANDLE_VALUE, NULL, 0, 1);
1182  if (win32ChildQueue == NULL)
1183  ereport(FATAL,
1184  (errmsg("could not create I/O completion port for child queue")));
1185 #endif
1186 
1187  /*
1188  * Record postmaster options. We delay this till now to avoid recording
1189  * bogus options (eg, NBuffers too high for available memory).
1190  */
1191  if (!CreateOptsFile(argc, argv, my_exec_path))
1192  ExitPostmaster(1);
1193 
1194 #ifdef EXEC_BACKEND
1195  /* Write out nondefault GUC settings for child processes to use */
1196  write_nondefault_variables(PGC_POSTMASTER);
1197 #endif
1198 
1199  /*
1200  * Write the external PID file if requested
1201  */
1202  if (external_pid_file)
1203  {
1204  FILE *fpidfile = fopen(external_pid_file, "w");
1205 
1206  if (fpidfile)
1207  {
1208  fprintf(fpidfile, "%d\n", MyProcPid);
1209  fclose(fpidfile);
1210 
1211  /* Make PID file world readable */
1212  if (chmod(external_pid_file, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) != 0)
1213  write_stderr("%s: could not change permissions of external PID file \"%s\": %s\n",
1215  }
1216  else
1217  write_stderr("%s: could not write external PID file \"%s\": %s\n",
1219 
1221  }
1222 
1223  /*
1224  * Remove old temporary files. At this point there can be no other
1225  * Postgres processes running in this directory, so this should be safe.
1226  */
1228 
1229  /*
1230  * Forcibly remove the files signaling a standby promotion request.
1231  * Otherwise, the existence of those files triggers a promotion too early,
1232  * whether a user wants that or not.
1233  *
1234  * This removal of files is usually unnecessary because they can exist
1235  * only during a few moments during a standby promotion. However there is
1236  * a race condition: if pg_ctl promote is executed and creates the files
1237  * during a promotion, the files can stay around even after the server is
1238  * brought up to new master. Then, if new standby starts by using the
1239  * backup taken from that master, the files can exist at the server
1240  * startup and should be removed in order to avoid an unexpected
1241  * promotion.
1242  *
1243  * Note that promotion signal files need to be removed before the startup
1244  * process is invoked. Because, after that, they can be used by
1245  * postmaster's SIGUSR1 signal handler.
1246  */
1248 
1249  /* Remove any outdated file holding the current log filenames. */
1250  if (unlink(LOG_METAINFO_DATAFILE) < 0 && errno != ENOENT)
1251  ereport(LOG,
1253  errmsg("could not remove file \"%s\": %m",
1255 
1256  /*
1257  * If enabled, start up syslogger collection subprocess
1258  */
1260 
1261  /*
1262  * Reset whereToSendOutput from DestDebug (its starting state) to
1263  * DestNone. This stops ereport from sending log messages to stderr unless
1264  * Log_destination permits. We don't do this until the postmaster is
1265  * fully launched, since startup failures may as well be reported to
1266  * stderr.
1267  *
1268  * If we are in fact disabling logging to stderr, first emit a log message
1269  * saying so, to provide a breadcrumb trail for users who may not remember
1270  * that their logging is configured to go somewhere else.
1271  */
1273  ereport(LOG,
1274  (errmsg("ending log output to stderr"),
1275  errhint("Future log output will go to log destination \"%s\".",
1277 
1279 
1280  /*
1281  * Initialize stats collection subsystem (this does NOT start the
1282  * collector process!)
1283  */
1284  pgstat_init();
1285 
1286  /*
1287  * Initialize the autovacuum subsystem (again, no process start yet)
1288  */
1289  autovac_init();
1290 
1291  /*
1292  * Load configuration files for client authentication.
1293  */
1294  if (!load_hba())
1295  {
1296  /*
1297  * It makes no sense to continue if we fail to load the HBA file,
1298  * since there is no way to connect to the database in this case.
1299  */
1300  ereport(FATAL,
1301  (errmsg("could not load pg_hba.conf")));
1302  }
1303  if (!load_ident())
1304  {
1305  /*
1306  * We can start up without the IDENT file, although it means that you
1307  * cannot log in using any of the authentication methods that need a
1308  * user name mapping. load_ident() already logged the details of error
1309  * to the log.
1310  */
1311  }
1312 
1313 #ifdef HAVE_PTHREAD_IS_THREADED_NP
1314 
1315  /*
1316  * On macOS, libintl replaces setlocale() with a version that calls
1317  * CFLocaleCopyCurrent() when its second argument is "" and every relevant
1318  * environment variable is unset or empty. CFLocaleCopyCurrent() makes
1319  * the process multithreaded. The postmaster calls sigprocmask() and
1320  * calls fork() without an immediate exec(), both of which have undefined
1321  * behavior in a multithreaded program. A multithreaded postmaster is the
1322  * normal case on Windows, which offers neither fork() nor sigprocmask().
1323  */
1324  if (pthread_is_threaded_np() != 0)
1325  ereport(FATAL,
1326  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1327  errmsg("postmaster became multithreaded during startup"),
1328  errhint("Set the LC_ALL environment variable to a valid locale.")));
1329 #endif
1330 
1331  /*
1332  * Remember postmaster startup time
1333  */
1335 #ifndef HAVE_STRONG_RANDOM
1336  /* RandomCancelKey wants its own copy */
1338 #endif
1339 
1340  /*
1341  * We're ready to rock and roll...
1342  */
1344  Assert(StartupPID != 0);
1346  pmState = PM_STARTUP;
1347 
1348  /* Some workers may be scheduled to start now */
1350 
1351  status = ServerLoop();
1352 
1353  /*
1354  * ServerLoop probably shouldn't ever return, but if it does, close down.
1355  */
1356  ExitPostmaster(status != STATUS_OK);
1357 
1358  abort(); /* not reached */
1359 }
1360 
1361 
1362 /*
1363  * on_proc_exit callback to close server's listen sockets
1364  */
1365 static void
1367 {
1368  int i;
1369 
1370  /*
1371  * First, explicitly close all the socket FDs. We used to just let this
1372  * happen implicitly at postmaster exit, but it's better to close them
1373  * before we remove the postmaster.pid lockfile; otherwise there's a race
1374  * condition if a new postmaster wants to re-use the TCP port number.
1375  */
1376  for (i = 0; i < MAXLISTEN; i++)
1377  {
1378  if (ListenSocket[i] != PGINVALID_SOCKET)
1379  {
1382  }
1383  }
1384 
1385  /*
1386  * Next, remove any filesystem entries for Unix sockets. To avoid race
1387  * conditions against incoming postmasters, this must happen after closing
1388  * the sockets and before removing lock files.
1389  */
1391 
1392  /*
1393  * We don't do anything about socket lock files here; those will be
1394  * removed in a later on_proc_exit callback.
1395  */
1396 }
1397 
1398 /*
1399  * on_proc_exit callback to delete external_pid_file
1400  */
1401 static void
1403 {
1404  if (external_pid_file)
1406 }
1407 
1408 
1409 /*
1410  * Compute and check the directory paths to files that are part of the
1411  * installation (as deduced from the postgres executable's own location)
1412  */
1413 static void
1415 {
1416  DIR *pdir;
1417 
1418  /* Locate the postgres executable itself */
1419  if (find_my_exec(argv0, my_exec_path) < 0)
1420  elog(FATAL, "%s: could not locate my own executable path", argv0);
1421 
1422 #ifdef EXEC_BACKEND
1423  /* Locate executable backend before we change working directory */
1424  if (find_other_exec(argv0, "postgres", PG_BACKEND_VERSIONSTR,
1425  postgres_exec_path) < 0)
1426  ereport(FATAL,
1427  (errmsg("%s: could not locate matching postgres executable",
1428  argv0)));
1429 #endif
1430 
1431  /*
1432  * Locate the pkglib directory --- this has to be set early in case we try
1433  * to load any modules from it in response to postgresql.conf entries.
1434  */
1436 
1437  /*
1438  * Verify that there's a readable directory there; otherwise the Postgres
1439  * installation is incomplete or corrupt. (A typical cause of this
1440  * failure is that the postgres executable has been moved or hardlinked to
1441  * some directory that's not a sibling of the installation lib/
1442  * directory.)
1443  */
1444  pdir = AllocateDir(pkglib_path);
1445  if (pdir == NULL)
1446  ereport(ERROR,
1448  errmsg("could not open directory \"%s\": %m",
1449  pkglib_path),
1450  errhint("This may indicate an incomplete PostgreSQL installation, or that the file \"%s\" has been moved away from its proper location.",
1451  my_exec_path)));
1452  FreeDir(pdir);
1453 
1454  /*
1455  * XXX is it worth similarly checking the share/ directory? If the lib/
1456  * directory is there, then share/ probably is too.
1457  */
1458 }
1459 
1460 
1461 /*
1462  * Validate the proposed data directory
1463  */
1464 static void
1466 {
1467  char path[MAXPGPATH];
1468  FILE *fp;
1469  struct stat stat_buf;
1470 
1471  Assert(DataDir);
1472 
1473  if (stat(DataDir, &stat_buf) != 0)
1474  {
1475  if (errno == ENOENT)
1476  ereport(FATAL,
1478  errmsg("data directory \"%s\" does not exist",
1479  DataDir)));
1480  else
1481  ereport(FATAL,
1483  errmsg("could not read permissions of directory \"%s\": %m",
1484  DataDir)));
1485  }
1486 
1487  /* eventual chdir would fail anyway, but let's test ... */
1488  if (!S_ISDIR(stat_buf.st_mode))
1489  ereport(FATAL,
1490  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1491  errmsg("specified data directory \"%s\" is not a directory",
1492  DataDir)));
1493 
1494  /*
1495  * Check that the directory belongs to my userid; if not, reject.
1496  *
1497  * This check is an essential part of the interlock that prevents two
1498  * postmasters from starting in the same directory (see CreateLockFile()).
1499  * Do not remove or weaken it.
1500  *
1501  * XXX can we safely enable this check on Windows?
1502  */
1503 #if !defined(WIN32) && !defined(__CYGWIN__)
1504  if (stat_buf.st_uid != geteuid())
1505  ereport(FATAL,
1506  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1507  errmsg("data directory \"%s\" has wrong ownership",
1508  DataDir),
1509  errhint("The server must be started by the user that owns the data directory.")));
1510 #endif
1511 
1512  /*
1513  * Check if the directory has group or world access. If so, reject.
1514  *
1515  * It would be possible to allow weaker constraints (for example, allow
1516  * group access) but we cannot make a general assumption that that is
1517  * okay; for example there are platforms where nearly all users
1518  * customarily belong to the same group. Perhaps this test should be
1519  * configurable.
1520  *
1521  * XXX temporarily suppress check when on Windows, because there may not
1522  * be proper support for Unix-y file permissions. Need to think of a
1523  * reasonable check to apply on Windows.
1524  */
1525 #if !defined(WIN32) && !defined(__CYGWIN__)
1526  if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))
1527  ereport(FATAL,
1528  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1529  errmsg("data directory \"%s\" has group or world access",
1530  DataDir),
1531  errdetail("Permissions should be u=rwx (0700).")));
1532 #endif
1533 
1534  /* Look for PG_VERSION before looking for pg_control */
1536 
1537  snprintf(path, sizeof(path), "%s/global/pg_control", DataDir);
1538 
1539  fp = AllocateFile(path, PG_BINARY_R);
1540  if (fp == NULL)
1541  {
1542  write_stderr("%s: could not find the database system\n"
1543  "Expected to find it in the directory \"%s\",\n"
1544  "but could not open file \"%s\": %s\n",
1545  progname, DataDir, path, strerror(errno));
1546  ExitPostmaster(2);
1547  }
1548  FreeFile(fp);
1549 }
1550 
1551 /*
1552  * Determine how long should we let ServerLoop sleep.
1553  *
1554  * In normal conditions we wait at most one minute, to ensure that the other
1555  * background tasks handled by ServerLoop get done even when no requests are
1556  * arriving. However, if there are background workers waiting to be started,
1557  * we don't actually sleep so that they are quickly serviced. Other exception
1558  * cases are as shown in the code.
1559  */
1560 static void
1561 DetermineSleepTime(struct timeval * timeout)
1562 {
1563  TimestampTz next_wakeup = 0;
1564 
1565  /*
1566  * Normal case: either there are no background workers at all, or we're in
1567  * a shutdown sequence (during which we ignore bgworkers altogether).
1568  */
1569  if (Shutdown > NoShutdown ||
1571  {
1572  if (AbortStartTime != 0)
1573  {
1574  /* time left to abort; clamp to 0 in case it already expired */
1575  timeout->tv_sec = SIGKILL_CHILDREN_AFTER_SECS -
1576  (time(NULL) - AbortStartTime);
1577  timeout->tv_sec = Max(timeout->tv_sec, 0);
1578  timeout->tv_usec = 0;
1579  }
1580  else
1581  {
1582  timeout->tv_sec = 60;
1583  timeout->tv_usec = 0;
1584  }
1585  return;
1586  }
1587 
1588  if (StartWorkerNeeded)
1589  {
1590  timeout->tv_sec = 0;
1591  timeout->tv_usec = 0;
1592  return;
1593  }
1594 
1595  if (HaveCrashedWorker)
1596  {
1597  slist_mutable_iter siter;
1598 
1599  /*
1600  * When there are crashed bgworkers, we sleep just long enough that
1601  * they are restarted when they request to be. Scan the list to
1602  * determine the minimum of all wakeup times according to most recent
1603  * crash time and requested restart interval.
1604  */
1606  {
1607  RegisteredBgWorker *rw;
1608  TimestampTz this_wakeup;
1609 
1610  rw = slist_container(RegisteredBgWorker, rw_lnode, siter.cur);
1611 
1612  if (rw->rw_crashed_at == 0)
1613  continue;
1614 
1616  || rw->rw_terminate)
1617  {
1618  ForgetBackgroundWorker(&siter);
1619  continue;
1620  }
1621 
1622  this_wakeup = TimestampTzPlusMilliseconds(rw->rw_crashed_at,
1623  1000L * rw->rw_worker.bgw_restart_time);
1624  if (next_wakeup == 0 || this_wakeup < next_wakeup)
1625  next_wakeup = this_wakeup;
1626  }
1627  }
1628 
1629  if (next_wakeup != 0)
1630  {
1631  long secs;
1632  int microsecs;
1633 
1635  &secs, &microsecs);
1636  timeout->tv_sec = secs;
1637  timeout->tv_usec = microsecs;
1638 
1639  /* Ensure we don't exceed one minute */
1640  if (timeout->tv_sec > 60)
1641  {
1642  timeout->tv_sec = 60;
1643  timeout->tv_usec = 0;
1644  }
1645  }
1646  else
1647  {
1648  timeout->tv_sec = 60;
1649  timeout->tv_usec = 0;
1650  }
1651 }
1652 
1653 /*
1654  * Main idle loop of postmaster
1655  *
1656  * NB: Needs to be called with signals blocked
1657  */
1658 static int
1660 {
1661  fd_set readmask;
1662  int nSockets;
1663  time_t last_lockfile_recheck_time,
1664  last_touch_time;
1665 
1666  last_lockfile_recheck_time = last_touch_time = time(NULL);
1667 
1668  nSockets = initMasks(&readmask);
1669 
1670  for (;;)
1671  {
1672  fd_set rmask;
1673  int selres;
1674  time_t now;
1675 
1676  /*
1677  * Wait for a connection request to arrive.
1678  *
1679  * We block all signals except while sleeping. That makes it safe for
1680  * signal handlers, which again block all signals while executing, to
1681  * do nontrivial work.
1682  *
1683  * If we are in PM_WAIT_DEAD_END state, then we don't want to accept
1684  * any new connections, so we don't call select(), and just sleep.
1685  */
1686  memcpy((char *) &rmask, (char *) &readmask, sizeof(fd_set));
1687 
1688  if (pmState == PM_WAIT_DEAD_END)
1689  {
1691 
1692  pg_usleep(100000L); /* 100 msec seems reasonable */
1693  selres = 0;
1694 
1695  PG_SETMASK(&BlockSig);
1696  }
1697  else
1698  {
1699  /* must set timeout each time; some OSes change it! */
1700  struct timeval timeout;
1701 
1702  /* Needs to run with blocked signals! */
1703  DetermineSleepTime(&timeout);
1704 
1706 
1707  selres = select(nSockets, &rmask, NULL, NULL, &timeout);
1708 
1709  PG_SETMASK(&BlockSig);
1710  }
1711 
1712  /* Now check the select() result */
1713  if (selres < 0)
1714  {
1715  if (errno != EINTR && errno != EWOULDBLOCK)
1716  {
1717  ereport(LOG,
1719  errmsg("select() failed in postmaster: %m")));
1720  return STATUS_ERROR;
1721  }
1722  }
1723 
1724  /*
1725  * New connection pending on any of our sockets? If so, fork a child
1726  * process to deal with it.
1727  */
1728  if (selres > 0)
1729  {
1730  int i;
1731 
1732  for (i = 0; i < MAXLISTEN; i++)
1733  {
1734  if (ListenSocket[i] == PGINVALID_SOCKET)
1735  break;
1736  if (FD_ISSET(ListenSocket[i], &rmask))
1737  {
1738  Port *port;
1739 
1740  port = ConnCreate(ListenSocket[i]);
1741  if (port)
1742  {
1743  BackendStartup(port);
1744 
1745  /*
1746  * We no longer need the open socket or port structure
1747  * in this process
1748  */
1749  StreamClose(port->sock);
1750  ConnFree(port);
1751  }
1752  }
1753  }
1754  }
1755 
1756  /* If we have lost the log collector, try to start a new one */
1757  if (SysLoggerPID == 0 && Logging_collector)
1759 
1760  /*
1761  * If no background writer process is running, and we are not in a
1762  * state that prevents it, start one. It doesn't matter if this
1763  * fails, we'll just try again later. Likewise for the checkpointer.
1764  */
1765  if (pmState == PM_RUN || pmState == PM_RECOVERY ||
1767  {
1768  if (CheckpointerPID == 0)
1770  if (BgWriterPID == 0)
1772  }
1773 
1774  /*
1775  * Likewise, if we have lost the walwriter process, try to start a new
1776  * one. But this is needed only in normal operation (else we cannot
1777  * be writing any new WAL).
1778  */
1779  if (WalWriterPID == 0 && pmState == PM_RUN)
1781 
1782  /*
1783  * If we have lost the autovacuum launcher, try to start a new one. We
1784  * don't want autovacuum to run in binary upgrade mode because
1785  * autovacuum might update relfrozenxid for empty tables before the
1786  * physical files are put in place.
1787  */
1788  if (!IsBinaryUpgrade && AutoVacPID == 0 &&
1790  pmState == PM_RUN)
1791  {
1793  if (AutoVacPID != 0)
1794  start_autovac_launcher = false; /* signal processed */
1795  }
1796 
1797  /* If we have lost the stats collector, try to start a new one */
1798  if (PgStatPID == 0 &&
1799  (pmState == PM_RUN || pmState == PM_HOT_STANDBY))
1800  PgStatPID = pgstat_start();
1801 
1802  /* If we have lost the archiver, try to start a new one. */
1803  if (PgArchPID == 0 && PgArchStartupAllowed())
1804  PgArchPID = pgarch_start();
1805 
1806  /* If we need to signal the autovacuum launcher, do so now */
1808  {
1809  avlauncher_needs_signal = false;
1810  if (AutoVacPID != 0)
1811  kill(AutoVacPID, SIGUSR2);
1812  }
1813 
1814  /* Get other worker processes running, if needed */
1817 
1818 #ifdef HAVE_PTHREAD_IS_THREADED_NP
1819 
1820  /*
1821  * With assertions enabled, check regularly for appearance of
1822  * additional threads. All builds check at start and exit.
1823  */
1824  Assert(pthread_is_threaded_np() == 0);
1825 #endif
1826 
1827  /*
1828  * Lastly, check to see if it's time to do some things that we don't
1829  * want to do every single time through the loop, because they're a
1830  * bit expensive. Note that there's up to a minute of slop in when
1831  * these tasks will be performed, since DetermineSleepTime() will let
1832  * us sleep at most that long; except for SIGKILL timeout which has
1833  * special-case logic there.
1834  */
1835  now = time(NULL);
1836 
1837  /*
1838  * If we already sent SIGQUIT to children and they are slow to shut
1839  * down, it's time to send them SIGKILL. This doesn't happen
1840  * normally, but under certain conditions backends can get stuck while
1841  * shutting down. This is a last measure to get them unwedged.
1842  *
1843  * Note we also do this during recovery from a process crash.
1844  */
1845  if ((Shutdown >= ImmediateShutdown || (FatalError && !SendStop)) &&
1846  AbortStartTime != 0 &&
1848  {
1849  /* We were gentle with them before. Not anymore */
1851  /* reset flag so we don't SIGKILL again */
1852  AbortStartTime = 0;
1853  }
1854 
1855  /*
1856  * Once a minute, verify that postmaster.pid hasn't been removed or
1857  * overwritten. If it has, we force a shutdown. This avoids having
1858  * postmasters and child processes hanging around after their database
1859  * is gone, and maybe causing problems if a new database cluster is
1860  * created in the same place. It also provides some protection
1861  * against a DBA foolishly removing postmaster.pid and manually
1862  * starting a new postmaster. Data corruption is likely to ensue from
1863  * that anyway, but we can minimize the damage by aborting ASAP.
1864  */
1865  if (now - last_lockfile_recheck_time >= 1 * SECS_PER_MINUTE)
1866  {
1867  if (!RecheckDataDirLockFile())
1868  {
1869  ereport(LOG,
1870  (errmsg("performing immediate shutdown because data directory lock file is invalid")));
1871  kill(MyProcPid, SIGQUIT);
1872  }
1873  last_lockfile_recheck_time = now;
1874  }
1875 
1876  /*
1877  * Touch Unix socket and lock files every 58 minutes, to ensure that
1878  * they are not removed by overzealous /tmp-cleaning tasks. We assume
1879  * no one runs cleaners with cutoff times of less than an hour ...
1880  */
1881  if (now - last_touch_time >= 58 * SECS_PER_MINUTE)
1882  {
1883  TouchSocketFiles();
1885  last_touch_time = now;
1886  }
1887  }
1888 }
1889 
1890 /*
1891  * Initialise the masks for select() for the ports we are listening on.
1892  * Return the number of sockets to listen on.
1893  */
1894 static int
1895 initMasks(fd_set *rmask)
1896 {
1897  int maxsock = -1;
1898  int i;
1899 
1900  FD_ZERO(rmask);
1901 
1902  for (i = 0; i < MAXLISTEN; i++)
1903  {
1904  int fd = ListenSocket[i];
1905 
1906  if (fd == PGINVALID_SOCKET)
1907  break;
1908  FD_SET(fd, rmask);
1909 
1910  if (fd > maxsock)
1911  maxsock = fd;
1912  }
1913 
1914  return maxsock + 1;
1915 }
1916 
1917 
1918 /*
1919  * Read a client's startup packet and do something according to it.
1920  *
1921  * Returns STATUS_OK or STATUS_ERROR, or might call ereport(FATAL) and
1922  * not return at all.
1923  *
1924  * (Note that ereport(FATAL) stuff is sent to the client, so only use it
1925  * if that's what you want. Return STATUS_ERROR if you don't want to
1926  * send anything to the client, which would typically be appropriate
1927  * if we detect a communications failure.)
1928  */
1929 static int
1931 {
1932  int32 len;
1933  void *buf;
1934  ProtocolVersion proto;
1935  MemoryContext oldcontext;
1936 
1937  pq_startmsgread();
1938  if (pq_getbytes((char *) &len, 4) == EOF)
1939  {
1940  /*
1941  * EOF after SSLdone probably means the client didn't like our
1942  * response to NEGOTIATE_SSL_CODE. That's not an error condition, so
1943  * don't clutter the log with a complaint.
1944  */
1945  if (!SSLdone)
1947  (errcode(ERRCODE_PROTOCOL_VIOLATION),
1948  errmsg("incomplete startup packet")));
1949  return STATUS_ERROR;
1950  }
1951 
1952  len = ntohl(len);
1953  len -= 4;
1954 
1955  if (len < (int32) sizeof(ProtocolVersion) ||
1957  {
1959  (errcode(ERRCODE_PROTOCOL_VIOLATION),
1960  errmsg("invalid length of startup packet")));
1961  return STATUS_ERROR;
1962  }
1963 
1964  /*
1965  * Allocate at least the size of an old-style startup packet, plus one
1966  * extra byte, and make sure all are zeroes. This ensures we will have
1967  * null termination of all strings, in both fixed- and variable-length
1968  * packet layouts.
1969  */
1970  if (len <= (int32) sizeof(StartupPacket))
1971  buf = palloc0(sizeof(StartupPacket) + 1);
1972  else
1973  buf = palloc0(len + 1);
1974 
1975  if (pq_getbytes(buf, len) == EOF)
1976  {
1978  (errcode(ERRCODE_PROTOCOL_VIOLATION),
1979  errmsg("incomplete startup packet")));
1980  return STATUS_ERROR;
1981  }
1982  pq_endmsgread();
1983 
1984  /*
1985  * The first field is either a protocol version number or a special
1986  * request code.
1987  */
1988  port->proto = proto = ntohl(*((ProtocolVersion *) buf));
1989 
1990  if (proto == CANCEL_REQUEST_CODE)
1991  {
1992  processCancelRequest(port, buf);
1993  /* Not really an error, but we don't want to proceed further */
1994  return STATUS_ERROR;
1995  }
1996 
1997  if (proto == NEGOTIATE_SSL_CODE && !SSLdone)
1998  {
1999  char SSLok;
2000 
2001 #ifdef USE_SSL
2002  /* No SSL when disabled or on Unix sockets */
2003  if (!LoadedSSL || IS_AF_UNIX(port->laddr.addr.ss_family))
2004  SSLok = 'N';
2005  else
2006  SSLok = 'S'; /* Support for SSL */
2007 #else
2008  SSLok = 'N'; /* No support for SSL */
2009 #endif
2010 
2011 retry1:
2012  if (send(port->sock, &SSLok, 1, 0) != 1)
2013  {
2014  if (errno == EINTR)
2015  goto retry1; /* if interrupted, just retry */
2018  errmsg("failed to send SSL negotiation response: %m")));
2019  return STATUS_ERROR; /* close the connection */
2020  }
2021 
2022 #ifdef USE_SSL
2023  if (SSLok == 'S' && secure_open_server(port) == -1)
2024  return STATUS_ERROR;
2025 #endif
2026  /* regular startup packet, cancel, etc packet should follow... */
2027  /* but not another SSL negotiation request */
2028  return ProcessStartupPacket(port, true);
2029  }
2030 
2031  /* Could add additional special packet types here */
2032 
2033  /*
2034  * Set FrontendProtocol now so that ereport() knows what format to send if
2035  * we fail during startup.
2036  */
2037  FrontendProtocol = proto;
2038 
2039  /* Check we can handle the protocol the frontend is using. */
2040 
2045  ereport(FATAL,
2046  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2047  errmsg("unsupported frontend protocol %u.%u: server supports %u.0 to %u.%u",
2048  PG_PROTOCOL_MAJOR(proto), PG_PROTOCOL_MINOR(proto),
2052 
2053  /*
2054  * Now fetch parameters out of startup packet and save them into the Port
2055  * structure. All data structures attached to the Port struct must be
2056  * allocated in TopMemoryContext so that they will remain available in a
2057  * running backend (even after PostmasterContext is destroyed). We need
2058  * not worry about leaking this storage on failure, since we aren't in the
2059  * postmaster process anymore.
2060  */
2062 
2063  if (PG_PROTOCOL_MAJOR(proto) >= 3)
2064  {
2065  int32 offset = sizeof(ProtocolVersion);
2066 
2067  /*
2068  * Scan packet body for name/option pairs. We can assume any string
2069  * beginning within the packet body is null-terminated, thanks to
2070  * zeroing extra byte above.
2071  */
2072  port->guc_options = NIL;
2073 
2074  while (offset < len)
2075  {
2076  char *nameptr = ((char *) buf) + offset;
2077  int32 valoffset;
2078  char *valptr;
2079 
2080  if (*nameptr == '\0')
2081  break; /* found packet terminator */
2082  valoffset = offset + strlen(nameptr) + 1;
2083  if (valoffset >= len)
2084  break; /* missing value, will complain below */
2085  valptr = ((char *) buf) + valoffset;
2086 
2087  if (strcmp(nameptr, "database") == 0)
2088  port->database_name = pstrdup(valptr);
2089  else if (strcmp(nameptr, "user") == 0)
2090  port->user_name = pstrdup(valptr);
2091  else if (strcmp(nameptr, "options") == 0)
2092  port->cmdline_options = pstrdup(valptr);
2093  else if (strcmp(nameptr, "replication") == 0)
2094  {
2095  /*
2096  * Due to backward compatibility concerns the replication
2097  * parameter is a hybrid beast which allows the value to be
2098  * either boolean or the string 'database'. The latter
2099  * connects to a specific database which is e.g. required for
2100  * logical decoding while.
2101  */
2102  if (strcmp(valptr, "database") == 0)
2103  {
2104  am_walsender = true;
2105  am_db_walsender = true;
2106  }
2107  else if (!parse_bool(valptr, &am_walsender))
2108  ereport(FATAL,
2109  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
2110  errmsg("invalid value for parameter \"%s\": \"%s\"",
2111  "replication",
2112  valptr),
2113  errhint("Valid values are: \"false\", 0, \"true\", 1, \"database\".")));
2114  }
2115  else
2116  {
2117  /* Assume it's a generic GUC option */
2118  port->guc_options = lappend(port->guc_options,
2119  pstrdup(nameptr));
2120  port->guc_options = lappend(port->guc_options,
2121  pstrdup(valptr));
2122  }
2123  offset = valoffset + strlen(valptr) + 1;
2124  }
2125 
2126  /*
2127  * If we didn't find a packet terminator exactly at the end of the
2128  * given packet length, complain.
2129  */
2130  if (offset != len - 1)
2131  ereport(FATAL,
2132  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2133  errmsg("invalid startup packet layout: expected terminator as last byte")));
2134  }
2135  else
2136  {
2137  /*
2138  * Get the parameters from the old-style, fixed-width-fields startup
2139  * packet as C strings. The packet destination was cleared first so a
2140  * short packet has zeros silently added. We have to be prepared to
2141  * truncate the pstrdup result for oversize fields, though.
2142  */
2143  StartupPacket *packet = (StartupPacket *) buf;
2144 
2145  port->database_name = pstrdup(packet->database);
2146  if (strlen(port->database_name) > sizeof(packet->database))
2147  port->database_name[sizeof(packet->database)] = '\0';
2148  port->user_name = pstrdup(packet->user);
2149  if (strlen(port->user_name) > sizeof(packet->user))
2150  port->user_name[sizeof(packet->user)] = '\0';
2151  port->cmdline_options = pstrdup(packet->options);
2152  if (strlen(port->cmdline_options) > sizeof(packet->options))
2153  port->cmdline_options[sizeof(packet->options)] = '\0';
2154  port->guc_options = NIL;
2155  }
2156 
2157  /* Check a user name was given. */
2158  if (port->user_name == NULL || port->user_name[0] == '\0')
2159  ereport(FATAL,
2160  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
2161  errmsg("no PostgreSQL user name specified in startup packet")));
2162 
2163  /* The database defaults to the user name. */
2164  if (port->database_name == NULL || port->database_name[0] == '\0')
2165  port->database_name = pstrdup(port->user_name);
2166 
2167  if (Db_user_namespace)
2168  {
2169  /*
2170  * If user@, it is a global user, remove '@'. We only want to do this
2171  * if there is an '@' at the end and no earlier in the user string or
2172  * they may fake as a local user of another database attaching to this
2173  * database.
2174  */
2175  if (strchr(port->user_name, '@') ==
2176  port->user_name + strlen(port->user_name) - 1)
2177  *strchr(port->user_name, '@') = '\0';
2178  else
2179  {
2180  /* Append '@' and dbname */
2181  port->user_name = psprintf("%s@%s", port->user_name, port->database_name);
2182  }
2183  }
2184 
2185  /*
2186  * Truncate given database and user names to length of a Postgres name.
2187  * This avoids lookup failures when overlength names are given.
2188  */
2189  if (strlen(port->database_name) >= NAMEDATALEN)
2190  port->database_name[NAMEDATALEN - 1] = '\0';
2191  if (strlen(port->user_name) >= NAMEDATALEN)
2192  port->user_name[NAMEDATALEN - 1] = '\0';
2193 
2194  /*
2195  * Normal walsender backends, e.g. for streaming replication, are not
2196  * connected to a particular database. But walsenders used for logical
2197  * replication need to connect to a specific database. We allow streaming
2198  * replication commands to be issued even if connected to a database as it
2199  * can make sense to first make a basebackup and then stream changes
2200  * starting from that.
2201  */
2202  if (am_walsender && !am_db_walsender)
2203  port->database_name[0] = '\0';
2204 
2205  /*
2206  * Done putting stuff in TopMemoryContext.
2207  */
2208  MemoryContextSwitchTo(oldcontext);
2209 
2210  /*
2211  * If we're going to reject the connection due to database state, say so
2212  * now instead of wasting cycles on an authentication exchange. (This also
2213  * allows a pg_ping utility to be written.)
2214  */
2215  switch (port->canAcceptConnections)
2216  {
2217  case CAC_STARTUP:
2218  ereport(FATAL,
2220  errmsg("the database system is starting up")));
2221  break;
2222  case CAC_SHUTDOWN:
2223  ereport(FATAL,
2225  errmsg("the database system is shutting down")));
2226  break;
2227  case CAC_RECOVERY:
2228  ereport(FATAL,
2230  errmsg("the database system is in recovery mode")));
2231  break;
2232  case CAC_TOOMANY:
2233  ereport(FATAL,
2234  (errcode(ERRCODE_TOO_MANY_CONNECTIONS),
2235  errmsg("sorry, too many clients already")));
2236  break;
2237  case CAC_WAITBACKUP:
2238  /* OK for now, will check in InitPostgres */
2239  break;
2240  case CAC_OK:
2241  break;
2242  }
2243 
2244  return STATUS_OK;
2245 }
2246 
2247 
2248 /*
2249  * The client has sent a cancel request packet, not a normal
2250  * start-a-new-connection packet. Perform the necessary processing.
2251  * Nothing is sent back to the client.
2252  */
2253 static void
2255 {
2256  CancelRequestPacket *canc = (CancelRequestPacket *) pkt;
2257  int backendPID;
2258  int32 cancelAuthCode;
2259  Backend *bp;
2260 
2261 #ifndef EXEC_BACKEND
2262  dlist_iter iter;
2263 #else
2264  int i;
2265 #endif
2266 
2267  backendPID = (int) ntohl(canc->backendPID);
2268  cancelAuthCode = (int32) ntohl(canc->cancelAuthCode);
2269 
2270  /*
2271  * See if we have a matching backend. In the EXEC_BACKEND case, we can no
2272  * longer access the postmaster's own backend list, and must rely on the
2273  * duplicate array in shared memory.
2274  */
2275 #ifndef EXEC_BACKEND
2276  dlist_foreach(iter, &BackendList)
2277  {
2278  bp = dlist_container(Backend, elem, iter.cur);
2279 #else
2280  for (i = MaxLivePostmasterChildren() - 1; i >= 0; i--)
2281  {
2282  bp = (Backend *) &ShmemBackendArray[i];
2283 #endif
2284  if (bp->pid == backendPID)
2285  {
2286  if (bp->cancel_key == cancelAuthCode)
2287  {
2288  /* Found a match; signal that backend to cancel current op */
2289  ereport(DEBUG2,
2290  (errmsg_internal("processing cancel request: sending SIGINT to process %d",
2291  backendPID)));
2292  signal_child(bp->pid, SIGINT);
2293  }
2294  else
2295  /* Right PID, wrong key: no way, Jose */
2296  ereport(LOG,
2297  (errmsg("wrong key in cancel request for process %d",
2298  backendPID)));
2299  return;
2300  }
2301  }
2302 
2303  /* No matching backend */
2304  ereport(LOG,
2305  (errmsg("PID %d in cancel request did not match any process",
2306  backendPID)));
2307 }
2308 
2309 /*
2310  * canAcceptConnections --- check to see if database state allows connections.
2311  */
2312 static CAC_state
2314 {
2316 
2317  /*
2318  * Can't start backends when in startup/shutdown/inconsistent recovery
2319  * state.
2320  *
2321  * In state PM_WAIT_BACKUP only superusers can connect (this must be
2322  * allowed so that a superuser can end online backup mode); we return
2323  * CAC_WAITBACKUP code to indicate that this must be checked later. Note
2324  * that neither CAC_OK nor CAC_WAITBACKUP can safely be returned until we
2325  * have checked for too many children.
2326  */
2327  if (pmState != PM_RUN)
2328  {
2329  if (pmState == PM_WAIT_BACKUP)
2330  result = CAC_WAITBACKUP; /* allow superusers only */
2331  else if (Shutdown > NoShutdown)
2332  return CAC_SHUTDOWN; /* shutdown is pending */
2333  else if (!FatalError &&
2334  (pmState == PM_STARTUP ||
2335  pmState == PM_RECOVERY))
2336  return CAC_STARTUP; /* normal startup */
2337  else if (!FatalError &&
2339  result = CAC_OK; /* connection OK during hot standby */
2340  else
2341  return CAC_RECOVERY; /* else must be crash recovery */
2342  }
2343 
2344  /*
2345  * Don't start too many children.
2346  *
2347  * We allow more connections than we can have backends here because some
2348  * might still be authenticating; they might fail auth, or some existing
2349  * backend might exit before the auth cycle is completed. The exact
2350  * MaxBackends limit is enforced when a new backend tries to join the
2351  * shared-inval backend array.
2352  *
2353  * The limit here must match the sizes of the per-child-process arrays;
2354  * see comments for MaxLivePostmasterChildren().
2355  */
2357  result = CAC_TOOMANY;
2358 
2359  return result;
2360 }
2361 
2362 
2363 /*
2364  * ConnCreate -- create a local connection data structure
2365  *
2366  * Returns NULL on failure, other than out-of-memory which is fatal.
2367  */
2368 static Port *
2369 ConnCreate(int serverFd)
2370 {
2371  Port *port;
2372 
2373  if (!(port = (Port *) calloc(1, sizeof(Port))))
2374  {
2375  ereport(LOG,
2376  (errcode(ERRCODE_OUT_OF_MEMORY),
2377  errmsg("out of memory")));
2378  ExitPostmaster(1);
2379  }
2380 
2381  if (StreamConnection(serverFd, port) != STATUS_OK)
2382  {
2383  if (port->sock != PGINVALID_SOCKET)
2384  StreamClose(port->sock);
2385  ConnFree(port);
2386  return NULL;
2387  }
2388 
2389  /*
2390  * Allocate GSSAPI specific state struct
2391  */
2392 #ifndef EXEC_BACKEND
2393 #if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
2394  port->gss = (pg_gssinfo *) calloc(1, sizeof(pg_gssinfo));
2395  if (!port->gss)
2396  {
2397  ereport(LOG,
2398  (errcode(ERRCODE_OUT_OF_MEMORY),
2399  errmsg("out of memory")));
2400  ExitPostmaster(1);
2401  }
2402 #endif
2403 #endif
2404 
2405  return port;
2406 }
2407 
2408 
2409 /*
2410  * ConnFree -- free a local connection data structure
2411  */
2412 static void
2414 {
2415 #ifdef USE_SSL
2416  secure_close(conn);
2417 #endif
2418  if (conn->gss)
2419  free(conn->gss);
2420  free(conn);
2421 }
2422 
2423 
2424 /*
2425  * ClosePostmasterPorts -- close all the postmaster's open sockets
2426  *
2427  * This is called during child process startup to release file descriptors
2428  * that are not needed by that child process. The postmaster still has
2429  * them open, of course.
2430  *
2431  * Note: we pass am_syslogger as a boolean because we don't want to set
2432  * the global variable yet when this is called.
2433  */
2434 void
2436 {
2437  int i;
2438 
2439 #ifndef WIN32
2440 
2441  /*
2442  * Close the write end of postmaster death watch pipe. It's important to
2443  * do this as early as possible, so that if postmaster dies, others won't
2444  * think that it's still running because we're holding the pipe open.
2445  */
2447  ereport(FATAL,
2449  errmsg_internal("could not close postmaster death monitoring pipe in child process: %m")));
2451 #endif
2452 
2453  /* Close the listen sockets */
2454  for (i = 0; i < MAXLISTEN; i++)
2455  {
2456  if (ListenSocket[i] != PGINVALID_SOCKET)
2457  {
2460  }
2461  }
2462 
2463  /* If using syslogger, close the read side of the pipe */
2464  if (!am_syslogger)
2465  {
2466 #ifndef WIN32
2467  if (syslogPipe[0] >= 0)
2468  close(syslogPipe[0]);
2469  syslogPipe[0] = -1;
2470 #else
2471  if (syslogPipe[0])
2472  CloseHandle(syslogPipe[0]);
2473  syslogPipe[0] = 0;
2474 #endif
2475  }
2476 
2477 #ifdef USE_BONJOUR
2478  /* If using Bonjour, close the connection to the mDNS daemon */
2479  if (bonjour_sdref)
2480  close(DNSServiceRefSockFD(bonjour_sdref));
2481 #endif
2482 }
2483 
2484 
2485 /*
2486  * reset_shared -- reset shared memory and semaphores
2487  */
2488 static void
2489 reset_shared(int port)
2490 {
2491  /*
2492  * Create or re-create shared memory and semaphores.
2493  *
2494  * Note: in each "cycle of life" we will normally assign the same IPC keys
2495  * (if using SysV shmem and/or semas), since the port number is used to
2496  * determine IPC keys. This helps ensure that we will clean up dead IPC
2497  * objects if the postmaster crashes and is restarted.
2498  */
2499  CreateSharedMemoryAndSemaphores(false, port);
2500 }
2501 
2502 
2503 /*
2504  * SIGHUP -- reread config files, and tell children to do same
2505  */
2506 static void
2508 {
2509  int save_errno = errno;
2510 
2511  PG_SETMASK(&BlockSig);
2512 
2513  if (Shutdown <= SmartShutdown)
2514  {
2515  ereport(LOG,
2516  (errmsg("received SIGHUP, reloading configuration files")));
2519  if (StartupPID != 0)
2521  if (BgWriterPID != 0)
2523  if (CheckpointerPID != 0)
2525  if (WalWriterPID != 0)
2527  if (WalReceiverPID != 0)
2529  if (AutoVacPID != 0)
2531  if (PgArchPID != 0)
2533  if (SysLoggerPID != 0)
2535  if (PgStatPID != 0)
2537 
2538  /* Reload authentication config files too */
2539  if (!load_hba())
2540  ereport(LOG,
2541  (errmsg("pg_hba.conf was not reloaded")));
2542 
2543  if (!load_ident())
2544  ereport(LOG,
2545  (errmsg("pg_ident.conf was not reloaded")));
2546 
2547 #ifdef USE_SSL
2548  /* Reload SSL configuration as well */
2549  if (EnableSSL)
2550  {
2551  if (secure_initialize(false) == 0)
2552  LoadedSSL = true;
2553  else
2554  ereport(LOG,
2555  (errmsg("SSL configuration was not reloaded")));
2556  }
2557  else
2558  {
2559  secure_destroy();
2560  LoadedSSL = false;
2561  }
2562 #endif
2563 
2564 #ifdef EXEC_BACKEND
2565  /* Update the starting-point file for future children */
2566  write_nondefault_variables(PGC_SIGHUP);
2567 #endif
2568  }
2569 
2571 
2572  errno = save_errno;
2573 }
2574 
2575 
2576 /*
2577  * pmdie -- signal handler for processing various postmaster signals.
2578  */
2579 static void
2581 {
2582  int save_errno = errno;
2583 
2584  PG_SETMASK(&BlockSig);
2585 
2586  ereport(DEBUG2,
2587  (errmsg_internal("postmaster received signal %d",
2588  postgres_signal_arg)));
2589 
2590  switch (postgres_signal_arg)
2591  {
2592  case SIGTERM:
2593 
2594  /*
2595  * Smart Shutdown:
2596  *
2597  * Wait for children to end their work, then shut down.
2598  */
2599  if (Shutdown >= SmartShutdown)
2600  break;
2602  ereport(LOG,
2603  (errmsg("received smart shutdown request")));
2604 #ifdef USE_SYSTEMD
2605  sd_notify(0, "STOPPING=1");
2606 #endif
2607 
2608  if (pmState == PM_RUN || pmState == PM_RECOVERY ||
2610  {
2611  /* autovac workers are told to shut down immediately */
2612  /* and bgworkers too; does this need tweaking? */
2613  SignalSomeChildren(SIGTERM,
2615  /* and the autovac launcher too */
2616  if (AutoVacPID != 0)
2617  signal_child(AutoVacPID, SIGTERM);
2618  /* and the bgwriter too */
2619  if (BgWriterPID != 0)
2620  signal_child(BgWriterPID, SIGTERM);
2621  /* and the walwriter too */
2622  if (WalWriterPID != 0)
2623  signal_child(WalWriterPID, SIGTERM);
2624 
2625  /*
2626  * If we're in recovery, we can't kill the startup process
2627  * right away, because at present doing so does not release
2628  * its locks. We might want to change this in a future
2629  * release. For the time being, the PM_WAIT_READONLY state
2630  * indicates that we're waiting for the regular (read only)
2631  * backends to die off; once they do, we'll kill the startup
2632  * and walreceiver processes.
2633  */
2634  pmState = (pmState == PM_RUN) ?
2636  }
2637 
2638  /*
2639  * Now wait for online backup mode to end and backends to exit. If
2640  * that is already the case, PostmasterStateMachine will take the
2641  * next step.
2642  */
2644  break;
2645 
2646  case SIGINT:
2647 
2648  /*
2649  * Fast Shutdown:
2650  *
2651  * Abort all children with SIGTERM (rollback active transactions
2652  * and exit) and shut down when they are gone.
2653  */
2654  if (Shutdown >= FastShutdown)
2655  break;
2657  ereport(LOG,
2658  (errmsg("received fast shutdown request")));
2659 #ifdef USE_SYSTEMD
2660  sd_notify(0, "STOPPING=1");
2661 #endif
2662 
2663  if (StartupPID != 0)
2664  signal_child(StartupPID, SIGTERM);
2665  if (BgWriterPID != 0)
2666  signal_child(BgWriterPID, SIGTERM);
2667  if (WalReceiverPID != 0)
2668  signal_child(WalReceiverPID, SIGTERM);
2669  if (pmState == PM_RECOVERY)
2670  {
2672 
2673  /*
2674  * Only startup, bgwriter, walreceiver, possibly bgworkers,
2675  * and/or checkpointer should be active in this state; we just
2676  * signaled the first four, and we don't want to kill
2677  * checkpointer yet.
2678  */
2680  }
2681  else if (pmState == PM_RUN ||
2682  pmState == PM_WAIT_BACKUP ||
2686  {
2687  ereport(LOG,
2688  (errmsg("aborting any active transactions")));
2689  /* shut down all backends and workers */
2690  SignalSomeChildren(SIGTERM,
2693  /* and the autovac launcher too */
2694  if (AutoVacPID != 0)
2695  signal_child(AutoVacPID, SIGTERM);
2696  /* and the walwriter too */
2697  if (WalWriterPID != 0)
2698  signal_child(WalWriterPID, SIGTERM);
2700  }
2701 
2702  /*
2703  * Now wait for backends to exit. If there are none,
2704  * PostmasterStateMachine will take the next step.
2705  */
2707  break;
2708 
2709  case SIGQUIT:
2710 
2711  /*
2712  * Immediate Shutdown:
2713  *
2714  * abort all children with SIGQUIT, wait for them to exit,
2715  * terminate remaining ones with SIGKILL, then exit without
2716  * attempt to properly shut down the data base system.
2717  */
2718  if (Shutdown >= ImmediateShutdown)
2719  break;
2721  ereport(LOG,
2722  (errmsg("received immediate shutdown request")));
2723 #ifdef USE_SYSTEMD
2724  sd_notify(0, "STOPPING=1");
2725 #endif
2726 
2729 
2730  /* set stopwatch for them to die */
2731  AbortStartTime = time(NULL);
2732 
2733  /*
2734  * Now wait for backends to exit. If there are none,
2735  * PostmasterStateMachine will take the next step.
2736  */
2738  break;
2739  }
2740 
2742 
2743  errno = save_errno;
2744 }
2745 
2746 /*
2747  * Reaper -- signal handler to cleanup after a child process dies.
2748  */
2749 static void
2751 {
2752  int save_errno = errno;
2753  int pid; /* process id of dead child process */
2754  int exitstatus; /* its exit status */
2755 
2756  PG_SETMASK(&BlockSig);
2757 
2758  ereport(DEBUG4,
2759  (errmsg_internal("reaping dead processes")));
2760 
2761  while ((pid = waitpid(-1, &exitstatus, WNOHANG)) > 0)
2762  {
2763  /*
2764  * Check if this child was a startup process.
2765  */
2766  if (pid == StartupPID)
2767  {
2768  StartupPID = 0;
2769 
2770  /*
2771  * Startup process exited in response to a shutdown request (or it
2772  * completed normally regardless of the shutdown request).
2773  */
2774  if (Shutdown > NoShutdown &&
2775  (EXIT_STATUS_0(exitstatus) || EXIT_STATUS_1(exitstatus)))
2776  {
2779  /* PostmasterStateMachine logic does the rest */
2780  continue;
2781  }
2782 
2783  if (EXIT_STATUS_3(exitstatus))
2784  {
2785  ereport(LOG,
2786  (errmsg("shutdown at recovery target")));
2789  TerminateChildren(SIGTERM);
2791  /* PostmasterStateMachine logic does the rest */
2792  continue;
2793  }
2794 
2795  /*
2796  * Unexpected exit of startup process (including FATAL exit)
2797  * during PM_STARTUP is treated as catastrophic. There are no
2798  * other processes running yet, so we can just exit.
2799  */
2800  if (pmState == PM_STARTUP && !EXIT_STATUS_0(exitstatus))
2801  {
2802  LogChildExit(LOG, _("startup process"),
2803  pid, exitstatus);
2804  ereport(LOG,
2805  (errmsg("aborting startup due to startup process failure")));
2806  ExitPostmaster(1);
2807  }
2808 
2809  /*
2810  * After PM_STARTUP, any unexpected exit (including FATAL exit) of
2811  * the startup process is catastrophic, so kill other children,
2812  * and set StartupStatus so we don't try to reinitialize after
2813  * they're gone. Exception: if StartupStatus is STARTUP_SIGNALED,
2814  * then we previously sent the startup process a SIGQUIT; so
2815  * that's probably the reason it died, and we do want to try to
2816  * restart in that case.
2817  */
2818  if (!EXIT_STATUS_0(exitstatus))
2819  {
2822  else
2824  HandleChildCrash(pid, exitstatus,
2825  _("startup process"));
2826  continue;
2827  }
2828 
2829  /*
2830  * Startup succeeded, commence normal operations
2831  */
2833  FatalError = false;
2834  Assert(AbortStartTime == 0);
2835  ReachedNormalRunning = true;
2836  pmState = PM_RUN;
2837 
2838  /*
2839  * Crank up the background tasks, if we didn't do that already
2840  * when we entered consistent recovery state. It doesn't matter
2841  * if this fails, we'll just try again later.
2842  */
2843  if (CheckpointerPID == 0)
2845  if (BgWriterPID == 0)
2847  if (WalWriterPID == 0)
2849 
2850  /*
2851  * Likewise, start other special children as needed. In a restart
2852  * situation, some of them may be alive already.
2853  */
2856  if (PgArchStartupAllowed() && PgArchPID == 0)
2857  PgArchPID = pgarch_start();
2858  if (PgStatPID == 0)
2859  PgStatPID = pgstat_start();
2860 
2861  /* workers may be scheduled to start now */
2863 
2864  /* at this point we are really open for business */
2865  ereport(LOG,
2866  (errmsg("database system is ready to accept connections")));
2867 
2868 #ifdef USE_SYSTEMD
2869  sd_notify(0, "READY=1");
2870 #endif
2871 
2872  continue;
2873  }
2874 
2875  /*
2876  * Was it the bgwriter? Normal exit can be ignored; we'll start a new
2877  * one at the next iteration of the postmaster's main loop, if
2878  * necessary. Any other exit condition is treated as a crash.
2879  */
2880  if (pid == BgWriterPID)
2881  {
2882  BgWriterPID = 0;
2883  if (!EXIT_STATUS_0(exitstatus))
2884  HandleChildCrash(pid, exitstatus,
2885  _("background writer process"));
2886  continue;
2887  }
2888 
2889  /*
2890  * Was it the checkpointer?
2891  */
2892  if (pid == CheckpointerPID)
2893  {
2894  CheckpointerPID = 0;
2895  if (EXIT_STATUS_0(exitstatus) && pmState == PM_SHUTDOWN)
2896  {
2897  /*
2898  * OK, we saw normal exit of the checkpointer after it's been
2899  * told to shut down. We expect that it wrote a shutdown
2900  * checkpoint. (If for some reason it didn't, recovery will
2901  * occur on next postmaster start.)
2902  *
2903  * At this point we should have no normal backend children
2904  * left (else we'd not be in PM_SHUTDOWN state) but we might
2905  * have dead_end children to wait for.
2906  *
2907  * If we have an archiver subprocess, tell it to do a last
2908  * archive cycle and quit. Likewise, if we have walsender
2909  * processes, tell them to send any remaining WAL and quit.
2910  */
2912 
2913  /* Waken archiver for the last time */
2914  if (PgArchPID != 0)
2916 
2917  /*
2918  * Waken walsenders for the last time. No regular backends
2919  * should be around anymore.
2920  */
2922 
2924 
2925  /*
2926  * We can also shut down the stats collector now; there's
2927  * nothing left for it to do.
2928  */
2929  if (PgStatPID != 0)
2931  }
2932  else
2933  {
2934  /*
2935  * Any unexpected exit of the checkpointer (including FATAL
2936  * exit) is treated as a crash.
2937  */
2938  HandleChildCrash(pid, exitstatus,
2939  _("checkpointer process"));
2940  }
2941 
2942  continue;
2943  }
2944 
2945  /*
2946  * Was it the wal writer? Normal exit can be ignored; we'll start a
2947  * new one at the next iteration of the postmaster's main loop, if
2948  * necessary. Any other exit condition is treated as a crash.
2949  */
2950  if (pid == WalWriterPID)
2951  {
2952  WalWriterPID = 0;
2953  if (!EXIT_STATUS_0(exitstatus))
2954  HandleChildCrash(pid, exitstatus,
2955  _("WAL writer process"));
2956  continue;
2957  }
2958 
2959  /*
2960  * Was it the wal receiver? If exit status is zero (normal) or one
2961  * (FATAL exit), we assume everything is all right just like normal
2962  * backends.
2963  */
2964  if (pid == WalReceiverPID)
2965  {
2966  WalReceiverPID = 0;
2967  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
2968  HandleChildCrash(pid, exitstatus,
2969  _("WAL receiver process"));
2970  continue;
2971  }
2972 
2973  /*
2974  * Was it the autovacuum launcher? Normal exit can be ignored; we'll
2975  * start a new one at the next iteration of the postmaster's main
2976  * loop, if necessary. Any other exit condition is treated as a
2977  * crash.
2978  */
2979  if (pid == AutoVacPID)
2980  {
2981  AutoVacPID = 0;
2982  if (!EXIT_STATUS_0(exitstatus))
2983  HandleChildCrash(pid, exitstatus,
2984  _("autovacuum launcher process"));
2985  continue;
2986  }
2987 
2988  /*
2989  * Was it the archiver? If so, just try to start a new one; no need
2990  * to force reset of the rest of the system. (If fail, we'll try
2991  * again in future cycles of the main loop.). Unless we were waiting
2992  * for it to shut down; don't restart it in that case, and
2993  * PostmasterStateMachine() will advance to the next shutdown step.
2994  */
2995  if (pid == PgArchPID)
2996  {
2997  PgArchPID = 0;
2998  if (!EXIT_STATUS_0(exitstatus))
2999  LogChildExit(LOG, _("archiver process"),
3000  pid, exitstatus);
3001  if (PgArchStartupAllowed())
3002  PgArchPID = pgarch_start();
3003  continue;
3004  }
3005 
3006  /*
3007  * Was it the statistics collector? If so, just try to start a new
3008  * one; no need to force reset of the rest of the system. (If fail,
3009  * we'll try again in future cycles of the main loop.)
3010  */
3011  if (pid == PgStatPID)
3012  {
3013  PgStatPID = 0;
3014  if (!EXIT_STATUS_0(exitstatus))
3015  LogChildExit(LOG, _("statistics collector process"),
3016  pid, exitstatus);
3017  if (pmState == PM_RUN || pmState == PM_HOT_STANDBY)
3018  PgStatPID = pgstat_start();
3019  continue;
3020  }
3021 
3022  /* Was it the system logger? If so, try to start a new one */
3023  if (pid == SysLoggerPID)
3024  {
3025  SysLoggerPID = 0;
3026  /* for safety's sake, launch new logger *first* */
3028  if (!EXIT_STATUS_0(exitstatus))
3029  LogChildExit(LOG, _("system logger process"),
3030  pid, exitstatus);
3031  continue;
3032  }
3033 
3034  /* Was it one of our background workers? */
3035  if (CleanupBackgroundWorker(pid, exitstatus))
3036  {
3037  /* have it be restarted */
3038  HaveCrashedWorker = true;
3039  continue;
3040  }
3041 
3042  /*
3043  * Else do standard backend child cleanup.
3044  */
3045  CleanupBackend(pid, exitstatus);
3046  } /* loop over pending child-death reports */
3047 
3048  /*
3049  * After cleaning out the SIGCHLD queue, see if we have any state changes
3050  * or actions to make.
3051  */
3053 
3054  /* Done with signal handler */
3056 
3057  errno = save_errno;
3058 }
3059 
3060 /*
3061  * Scan the bgworkers list and see if the given PID (which has just stopped
3062  * or crashed) is in it. Handle its shutdown if so, and return true. If not a
3063  * bgworker, return false.
3064  *
3065  * This is heavily based on CleanupBackend. One important difference is that
3066  * we don't know yet that the dying process is a bgworker, so we must be silent
3067  * until we're sure it is.
3068  */
3069 static bool
3071  int exitstatus) /* child's exit status */
3072 {
3073  char namebuf[MAXPGPATH];
3074  slist_mutable_iter iter;
3075 
3077  {
3078  RegisteredBgWorker *rw;
3079 
3080  rw = slist_container(RegisteredBgWorker, rw_lnode, iter.cur);
3081 
3082  if (rw->rw_pid != pid)
3083  continue;
3084 
3085 #ifdef WIN32
3086  /* see CleanupBackend */
3087  if (exitstatus == ERROR_WAIT_NO_CHILDREN)
3088  exitstatus = 0;
3089 #endif
3090 
3091  snprintf(namebuf, MAXPGPATH, "%s: %s", _("worker process"),
3092  rw->rw_worker.bgw_name);
3093 
3094  if (!EXIT_STATUS_0(exitstatus))
3095  {
3096  /* Record timestamp, so we know when to restart the worker. */
3098  }
3099  else
3100  {
3101  /* Zero exit status means terminate */
3102  rw->rw_crashed_at = 0;
3103  rw->rw_terminate = true;
3104  }
3105 
3106  /*
3107  * Additionally, for shared-memory-connected workers, just like a
3108  * backend, any exit status other than 0 or 1 is considered a crash
3109  * and causes a system-wide restart.
3110  */
3111  if ((rw->rw_worker.bgw_flags & BGWORKER_SHMEM_ACCESS) != 0)
3112  {
3113  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3114  {
3115  HandleChildCrash(pid, exitstatus, namebuf);
3116  return true;
3117  }
3118  }
3119 
3120  /*
3121  * We must release the postmaster child slot whether this worker is
3122  * connected to shared memory or not, but we only treat it as a crash
3123  * if it is in fact connected.
3124  */
3127  {
3128  HandleChildCrash(pid, exitstatus, namebuf);
3129  return true;
3130  }
3131 
3132  /* Get it out of the BackendList and clear out remaining data */
3133  dlist_delete(&rw->rw_backend->elem);
3134 #ifdef EXEC_BACKEND
3135  ShmemBackendArrayRemove(rw->rw_backend);
3136 #endif
3137 
3138  /*
3139  * It's possible that this background worker started some OTHER
3140  * background worker and asked to be notified when that worker started
3141  * or stopped. If so, cancel any notifications destined for the
3142  * now-dead backend.
3143  */
3144  if (rw->rw_backend->bgworker_notify)
3146  free(rw->rw_backend);
3147  rw->rw_backend = NULL;
3148  rw->rw_pid = 0;
3149  rw->rw_child_slot = 0;
3150  ReportBackgroundWorkerExit(&iter); /* report child death */
3151 
3152  LogChildExit(EXIT_STATUS_0(exitstatus) ? DEBUG1 : LOG,
3153  namebuf, pid, exitstatus);
3154 
3155  return true;
3156  }
3157 
3158  return false;
3159 }
3160 
3161 /*
3162  * CleanupBackend -- cleanup after terminated backend.
3163  *
3164  * Remove all local state associated with backend.
3165  *
3166  * If you change this, see also CleanupBackgroundWorker.
3167  */
3168 static void
3170  int exitstatus) /* child's exit status. */
3171 {
3172  dlist_mutable_iter iter;
3173 
3174  LogChildExit(DEBUG2, _("server process"), pid, exitstatus);
3175 
3176  /*
3177  * If a backend dies in an ugly way then we must signal all other backends
3178  * to quickdie. If exit status is zero (normal) or one (FATAL exit), we
3179  * assume everything is all right and proceed to remove the backend from
3180  * the active backend list.
3181  */
3182 
3183 #ifdef WIN32
3184 
3185  /*
3186  * On win32, also treat ERROR_WAIT_NO_CHILDREN (128) as nonfatal case,
3187  * since that sometimes happens under load when the process fails to start
3188  * properly (long before it starts using shared memory). Microsoft reports
3189  * it is related to mutex failure:
3190  * http://archives.postgresql.org/pgsql-hackers/2010-09/msg00790.php
3191  */
3192  if (exitstatus == ERROR_WAIT_NO_CHILDREN)
3193  {
3194  LogChildExit(LOG, _("server process"), pid, exitstatus);
3195  exitstatus = 0;
3196  }
3197 #endif
3198 
3199  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3200  {
3201  HandleChildCrash(pid, exitstatus, _("server process"));
3202  return;
3203  }
3204 
3205  dlist_foreach_modify(iter, &BackendList)
3206  {
3207  Backend *bp = dlist_container(Backend, elem, iter.cur);
3208 
3209  if (bp->pid == pid)
3210  {
3211  if (!bp->dead_end)
3212  {
3214  {
3215  /*
3216  * Uh-oh, the child failed to clean itself up. Treat as a
3217  * crash after all.
3218  */
3219  HandleChildCrash(pid, exitstatus, _("server process"));
3220  return;
3221  }
3222 #ifdef EXEC_BACKEND
3223  ShmemBackendArrayRemove(bp);
3224 #endif
3225  }
3226  if (bp->bgworker_notify)
3227  {
3228  /*
3229  * This backend may have been slated to receive SIGUSR1 when
3230  * some background worker started or stopped. Cancel those
3231  * notifications, as we don't want to signal PIDs that are not
3232  * PostgreSQL backends. This gets skipped in the (probably
3233  * very common) case where the backend has never requested any
3234  * such notifications.
3235  */
3237  }
3238  dlist_delete(iter.cur);
3239  free(bp);
3240  break;
3241  }
3242  }
3243 }
3244 
3245 /*
3246  * HandleChildCrash -- cleanup after failed backend, bgwriter, checkpointer,
3247  * walwriter, autovacuum, or background worker.
3248  *
3249  * The objectives here are to clean up our local state about the child
3250  * process, and to signal all other remaining children to quickdie.
3251  */
3252 static void
3253 HandleChildCrash(int pid, int exitstatus, const char *procname)
3254 {
3255  dlist_mutable_iter iter;
3256  slist_iter siter;
3257  Backend *bp;
3258  bool take_action;
3259 
3260  /*
3261  * We only log messages and send signals if this is the first process
3262  * crash and we're not doing an immediate shutdown; otherwise, we're only
3263  * here to update postmaster's idea of live processes. If we have already
3264  * signalled children, nonzero exit status is to be expected, so don't
3265  * clutter log.
3266  */
3267  take_action = !FatalError && Shutdown != ImmediateShutdown;
3268 
3269  if (take_action)
3270  {
3271  LogChildExit(LOG, procname, pid, exitstatus);
3272  ereport(LOG,
3273  (errmsg("terminating any other active server processes")));
3274  }
3275 
3276  /* Process background workers. */
3278  {
3279  RegisteredBgWorker *rw;
3280 
3281  rw = slist_container(RegisteredBgWorker, rw_lnode, siter.cur);
3282  if (rw->rw_pid == 0)
3283  continue; /* not running */
3284  if (rw->rw_pid == pid)
3285  {
3286  /*
3287  * Found entry for freshly-dead worker, so remove it.
3288  */
3290  dlist_delete(&rw->rw_backend->elem);
3291 #ifdef EXEC_BACKEND
3292  ShmemBackendArrayRemove(rw->rw_backend);
3293 #endif
3294  free(rw->rw_backend);
3295  rw->rw_backend = NULL;
3296  rw->rw_pid = 0;
3297  rw->rw_child_slot = 0;
3298  /* don't reset crashed_at */
3299  /* don't report child stop, either */
3300  /* Keep looping so we can signal remaining workers */
3301  }
3302  else
3303  {
3304  /*
3305  * This worker is still alive. Unless we did so already, tell it
3306  * to commit hara-kiri.
3307  *
3308  * SIGQUIT is the special signal that says exit without proc_exit
3309  * and let the user know what's going on. But if SendStop is set
3310  * (-s on command line), then we send SIGSTOP instead, so that we
3311  * can get core dumps from all backends by hand.
3312  */
3313  if (take_action)
3314  {
3315  ereport(DEBUG2,
3316  (errmsg_internal("sending %s to process %d",
3317  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3318  (int) rw->rw_pid)));
3320  }
3321  }
3322  }
3323 
3324  /* Process regular backends */
3325  dlist_foreach_modify(iter, &BackendList)
3326  {
3327  bp = dlist_container(Backend, elem, iter.cur);
3328 
3329  if (bp->pid == pid)
3330  {
3331  /*
3332  * Found entry for freshly-dead backend, so remove it.
3333  */
3334  if (!bp->dead_end)
3335  {
3337 #ifdef EXEC_BACKEND
3338  ShmemBackendArrayRemove(bp);
3339 #endif
3340  }
3341  dlist_delete(iter.cur);
3342  free(bp);
3343  /* Keep looping so we can signal remaining backends */
3344  }
3345  else
3346  {
3347  /*
3348  * This backend is still alive. Unless we did so already, tell it
3349  * to commit hara-kiri.
3350  *
3351  * SIGQUIT is the special signal that says exit without proc_exit
3352  * and let the user know what's going on. But if SendStop is set
3353  * (-s on command line), then we send SIGSTOP instead, so that we
3354  * can get core dumps from all backends by hand.
3355  *
3356  * We could exclude dead_end children here, but at least in the
3357  * SIGSTOP case it seems better to include them.
3358  *
3359  * Background workers were already processed above; ignore them
3360  * here.
3361  */
3362  if (bp->bkend_type == BACKEND_TYPE_BGWORKER)
3363  continue;
3364 
3365  if (take_action)
3366  {
3367  ereport(DEBUG2,
3368  (errmsg_internal("sending %s to process %d",
3369  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3370  (int) bp->pid)));
3371  signal_child(bp->pid, (SendStop ? SIGSTOP : SIGQUIT));
3372  }
3373  }
3374  }
3375 
3376  /* Take care of the startup process too */
3377  if (pid == StartupPID)
3378  {
3379  StartupPID = 0;
3381  }
3382  else if (StartupPID != 0 && take_action)
3383  {
3384  ereport(DEBUG2,
3385  (errmsg_internal("sending %s to process %d",
3386  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3387  (int) StartupPID)));
3388  signal_child(StartupPID, (SendStop ? SIGSTOP : SIGQUIT));
3390  }
3391 
3392  /* Take care of the bgwriter too */
3393  if (pid == BgWriterPID)
3394  BgWriterPID = 0;
3395  else if (BgWriterPID != 0 && take_action)
3396  {
3397  ereport(DEBUG2,
3398  (errmsg_internal("sending %s to process %d",
3399  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3400  (int) BgWriterPID)));
3401  signal_child(BgWriterPID, (SendStop ? SIGSTOP : SIGQUIT));
3402  }
3403 
3404  /* Take care of the checkpointer too */
3405  if (pid == CheckpointerPID)
3406  CheckpointerPID = 0;
3407  else if (CheckpointerPID != 0 && take_action)
3408  {
3409  ereport(DEBUG2,
3410  (errmsg_internal("sending %s to process %d",
3411  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3412  (int) CheckpointerPID)));
3413  signal_child(CheckpointerPID, (SendStop ? SIGSTOP : SIGQUIT));
3414  }
3415 
3416  /* Take care of the walwriter too */
3417  if (pid == WalWriterPID)
3418  WalWriterPID = 0;
3419  else if (WalWriterPID != 0 && take_action)
3420  {
3421  ereport(DEBUG2,
3422  (errmsg_internal("sending %s to process %d",
3423  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3424  (int) WalWriterPID)));
3425  signal_child(WalWriterPID, (SendStop ? SIGSTOP : SIGQUIT));
3426  }
3427 
3428  /* Take care of the walreceiver too */
3429  if (pid == WalReceiverPID)
3430  WalReceiverPID = 0;
3431  else if (WalReceiverPID != 0 && take_action)
3432  {
3433  ereport(DEBUG2,
3434  (errmsg_internal("sending %s to process %d",
3435  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3436  (int) WalReceiverPID)));
3437  signal_child(WalReceiverPID, (SendStop ? SIGSTOP : SIGQUIT));
3438  }
3439 
3440  /* Take care of the autovacuum launcher too */
3441  if (pid == AutoVacPID)
3442  AutoVacPID = 0;
3443  else if (AutoVacPID != 0 && take_action)
3444  {
3445  ereport(DEBUG2,
3446  (errmsg_internal("sending %s to process %d",
3447  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3448  (int) AutoVacPID)));
3449  signal_child(AutoVacPID, (SendStop ? SIGSTOP : SIGQUIT));
3450  }
3451 
3452  /*
3453  * Force a power-cycle of the pgarch process too. (This isn't absolutely
3454  * necessary, but it seems like a good idea for robustness, and it
3455  * simplifies the state-machine logic in the case where a shutdown request
3456  * arrives during crash processing.)
3457  */
3458  if (PgArchPID != 0 && take_action)
3459  {
3460  ereport(DEBUG2,
3461  (errmsg_internal("sending %s to process %d",
3462  "SIGQUIT",
3463  (int) PgArchPID)));
3464  signal_child(PgArchPID, SIGQUIT);
3465  }
3466 
3467  /*
3468  * Force a power-cycle of the pgstat process too. (This isn't absolutely
3469  * necessary, but it seems like a good idea for robustness, and it
3470  * simplifies the state-machine logic in the case where a shutdown request
3471  * arrives during crash processing.)
3472  */
3473  if (PgStatPID != 0 && take_action)
3474  {
3475  ereport(DEBUG2,
3476  (errmsg_internal("sending %s to process %d",
3477  "SIGQUIT",
3478  (int) PgStatPID)));
3479  signal_child(PgStatPID, SIGQUIT);
3481  }
3482 
3483  /* We do NOT restart the syslogger */
3484 
3485  if (Shutdown != ImmediateShutdown)
3486  FatalError = true;
3487 
3488  /* We now transit into a state of waiting for children to die */
3489  if (pmState == PM_RECOVERY ||
3490  pmState == PM_HOT_STANDBY ||
3491  pmState == PM_RUN ||
3492  pmState == PM_WAIT_BACKUP ||
3494  pmState == PM_SHUTDOWN)
3496 
3497  /*
3498  * .. and if this doesn't happen quickly enough, now the clock is ticking
3499  * for us to kill them without mercy.
3500  */
3501  if (AbortStartTime == 0)
3502  AbortStartTime = time(NULL);
3503 }
3504 
3505 /*
3506  * Log the death of a child process.
3507  */
3508 static void
3509 LogChildExit(int lev, const char *procname, int pid, int exitstatus)
3510 {
3511  /*
3512  * size of activity_buffer is arbitrary, but set equal to default
3513  * track_activity_query_size
3514  */
3515  char activity_buffer[1024];
3516  const char *activity = NULL;
3517 
3518  if (!EXIT_STATUS_0(exitstatus))
3519  activity = pgstat_get_crashed_backend_activity(pid,
3520  activity_buffer,
3521  sizeof(activity_buffer));
3522 
3523  if (WIFEXITED(exitstatus))
3524  ereport(lev,
3525 
3526  /*------
3527  translator: %s is a noun phrase describing a child process, such as
3528  "server process" */
3529  (errmsg("%s (PID %d) exited with exit code %d",
3530  procname, pid, WEXITSTATUS(exitstatus)),
3531  activity ? errdetail("Failed process was running: %s", activity) : 0));
3532  else if (WIFSIGNALED(exitstatus))
3533 #if defined(WIN32)
3534  ereport(lev,
3535 
3536  /*------
3537  translator: %s is a noun phrase describing a child process, such as
3538  "server process" */
3539  (errmsg("%s (PID %d) was terminated by exception 0x%X",
3540  procname, pid, WTERMSIG(exitstatus)),
3541  errhint("See C include file \"ntstatus.h\" for a description of the hexadecimal value."),
3542  activity ? errdetail("Failed process was running: %s", activity) : 0));
3543 #elif defined(HAVE_DECL_SYS_SIGLIST) && HAVE_DECL_SYS_SIGLIST
3544  ereport(lev,
3545 
3546  /*------
3547  translator: %s is a noun phrase describing a child process, such as
3548  "server process" */
3549  (errmsg("%s (PID %d) was terminated by signal %d: %s",
3550  procname, pid, WTERMSIG(exitstatus),
3551  WTERMSIG(exitstatus) < NSIG ?
3552  sys_siglist[WTERMSIG(exitstatus)] : "(unknown)"),
3553  activity ? errdetail("Failed process was running: %s", activity) : 0));
3554 #else
3555  ereport(lev,
3556 
3557  /*------
3558  translator: %s is a noun phrase describing a child process, such as
3559  "server process" */
3560  (errmsg("%s (PID %d) was terminated by signal %d",
3561  procname, pid, WTERMSIG(exitstatus)),
3562  activity ? errdetail("Failed process was running: %s", activity) : 0));
3563 #endif
3564  else
3565  ereport(lev,
3566 
3567  /*------
3568  translator: %s is a noun phrase describing a child process, such as
3569  "server process" */
3570  (errmsg("%s (PID %d) exited with unrecognized status %d",
3571  procname, pid, exitstatus),
3572  activity ? errdetail("Failed process was running: %s", activity) : 0));
3573 }
3574 
3575 /*
3576  * Advance the postmaster's state machine and take actions as appropriate
3577  *
3578  * This is common code for pmdie(), reaper() and sigusr1_handler(), which
3579  * receive the signals that might mean we need to change state.
3580  */
3581 static void
3583 {
3584  if (pmState == PM_WAIT_BACKUP)
3585  {
3586  /*
3587  * PM_WAIT_BACKUP state ends when online backup mode is not active.
3588  */
3589  if (!BackupInProgress())
3591  }
3592 
3593  if (pmState == PM_WAIT_READONLY)
3594  {
3595  /*
3596  * PM_WAIT_READONLY state ends when we have no regular backends that
3597  * have been started during recovery. We kill the startup and
3598  * walreceiver processes and transition to PM_WAIT_BACKENDS. Ideally,
3599  * we might like to kill these processes first and then wait for
3600  * backends to die off, but that doesn't work at present because
3601  * killing the startup process doesn't release its locks.
3602  */
3604  {
3605  if (StartupPID != 0)
3606  signal_child(StartupPID, SIGTERM);
3607  if (WalReceiverPID != 0)
3608  signal_child(WalReceiverPID, SIGTERM);
3610  }
3611  }
3612 
3613  /*
3614  * If we are in a state-machine state that implies waiting for backends to
3615  * exit, see if they're all gone, and change state if so.
3616  */
3617  if (pmState == PM_WAIT_BACKENDS)
3618  {
3619  /*
3620  * PM_WAIT_BACKENDS state ends when we have no regular backends
3621  * (including autovac workers), no bgworkers (including unconnected
3622  * ones), and no walwriter, autovac launcher or bgwriter. If we are
3623  * doing crash recovery or an immediate shutdown then we expect the
3624  * checkpointer to exit as well, otherwise not. The archiver, stats,
3625  * and syslogger processes are disregarded since they are not
3626  * connected to shared memory; we also disregard dead_end children
3627  * here. Walsenders are also disregarded, they will be terminated
3628  * later after writing the checkpoint record, like the archiver
3629  * process.
3630  */
3632  StartupPID == 0 &&
3633  WalReceiverPID == 0 &&
3634  BgWriterPID == 0 &&
3635  (CheckpointerPID == 0 ||
3637  WalWriterPID == 0 &&
3638  AutoVacPID == 0)
3639  {
3641  {
3642  /*
3643  * Start waiting for dead_end children to die. This state
3644  * change causes ServerLoop to stop creating new ones.
3645  */
3647 
3648  /*
3649  * We already SIGQUIT'd the archiver and stats processes, if
3650  * any, when we started immediate shutdown or entered
3651  * FatalError state.
3652  */
3653  }
3654  else
3655  {
3656  /*
3657  * If we get here, we are proceeding with normal shutdown. All
3658  * the regular children are gone, and it's time to tell the
3659  * checkpointer to do a shutdown checkpoint.
3660  */
3662  /* Start the checkpointer if not running */
3663  if (CheckpointerPID == 0)
3665  /* And tell it to shut down */
3666  if (CheckpointerPID != 0)
3667  {
3669  pmState = PM_SHUTDOWN;
3670  }
3671  else
3672  {
3673  /*
3674  * If we failed to fork a checkpointer, just shut down.
3675  * Any required cleanup will happen at next restart. We
3676  * set FatalError so that an "abnormal shutdown" message
3677  * gets logged when we exit.
3678  */
3679  FatalError = true;
3681 
3682  /* Kill the walsenders, archiver and stats collector too */
3684  if (PgArchPID != 0)
3686  if (PgStatPID != 0)
3688  }
3689  }
3690  }
3691  }
3692 
3693  if (pmState == PM_SHUTDOWN_2)
3694  {
3695  /*
3696  * PM_SHUTDOWN_2 state ends when there's no other children than
3697  * dead_end children left. There shouldn't be any regular backends
3698  * left by now anyway; what we're really waiting for is walsenders and
3699  * archiver.
3700  *
3701  * Walreceiver should normally be dead by now, but not when a fast
3702  * shutdown is performed during recovery.
3703  */
3704  if (PgArchPID == 0 && CountChildren(BACKEND_TYPE_ALL) == 0 &&
3705  WalReceiverPID == 0)
3706  {
3708  }
3709  }
3710 
3711  if (pmState == PM_WAIT_DEAD_END)
3712  {
3713  /*
3714  * PM_WAIT_DEAD_END state ends when the BackendList is entirely empty
3715  * (ie, no dead_end children remain), and the archiver and stats
3716  * collector are gone too.
3717  *
3718  * The reason we wait for those two is to protect them against a new
3719  * postmaster starting conflicting subprocesses; this isn't an
3720  * ironclad protection, but it at least helps in the
3721  * shutdown-and-immediately-restart scenario. Note that they have
3722  * already been sent appropriate shutdown signals, either during a
3723  * normal state transition leading up to PM_WAIT_DEAD_END, or during
3724  * FatalError processing.
3725  */
3726  if (dlist_is_empty(&BackendList) &&
3727  PgArchPID == 0 && PgStatPID == 0)
3728  {
3729  /* These other guys should be dead already */
3730  Assert(StartupPID == 0);
3731  Assert(WalReceiverPID == 0);
3732  Assert(BgWriterPID == 0);
3733  Assert(CheckpointerPID == 0);
3734  Assert(WalWriterPID == 0);
3735  Assert(AutoVacPID == 0);
3736  /* syslogger is not considered here */
3738  }
3739  }
3740 
3741  /*
3742  * If we've been told to shut down, we exit as soon as there are no
3743  * remaining children. If there was a crash, cleanup will occur at the
3744  * next startup. (Before PostgreSQL 8.3, we tried to recover from the
3745  * crash before exiting, but that seems unwise if we are quitting because
3746  * we got SIGTERM from init --- there may well not be time for recovery
3747  * before init decides to SIGKILL us.)
3748  *
3749  * Note that the syslogger continues to run. It will exit when it sees
3750  * EOF on its input pipe, which happens when there are no more upstream
3751  * processes.
3752  */
3754  {
3755  if (FatalError)
3756  {
3757  ereport(LOG, (errmsg("abnormal database system shutdown")));
3758  ExitPostmaster(1);
3759  }
3760  else
3761  {
3762  /*
3763  * Terminate exclusive backup mode to avoid recovery after a clean
3764  * fast shutdown. Since an exclusive backup can only be taken
3765  * during normal running (and not, for example, while running
3766  * under Hot Standby) it only makes sense to do this if we reached
3767  * normal running. If we're still in recovery, the backup file is
3768  * one we're recovering *from*, and we must keep it around so that
3769  * recovery restarts from the right place.
3770  */
3772  CancelBackup();
3773 
3774  /* Normal exit from the postmaster is here */
3775  ExitPostmaster(0);
3776  }
3777  }
3778 
3779  /*
3780  * If the startup process failed, or the user does not want an automatic
3781  * restart after backend crashes, wait for all non-syslogger children to
3782  * exit, and then exit postmaster. We don't try to reinitialize when the
3783  * startup process fails, because more than likely it will just fail again
3784  * and we will keep trying forever.
3785  */
3786  if (pmState == PM_NO_CHILDREN &&
3788  ExitPostmaster(1);
3789 
3790  /*
3791  * If we need to recover from a crash, wait for all non-syslogger children
3792  * to exit, then reset shmem and StartupDataBase.
3793  */
3794  if (FatalError && pmState == PM_NO_CHILDREN)
3795  {
3796  ereport(LOG,
3797  (errmsg("all server processes terminated; reinitializing")));
3798 
3799  /* allow background workers to immediately restart */
3801 
3802  shmem_exit(1);
3804 
3806  Assert(StartupPID != 0);
3808  pmState = PM_STARTUP;
3809  /* crash recovery started, reset SIGKILL flag */
3810  AbortStartTime = 0;
3811  }
3812 }
3813 
3814 
3815 /*
3816  * Send a signal to a postmaster child process
3817  *
3818  * On systems that have setsid(), each child process sets itself up as a
3819  * process group leader. For signals that are generally interpreted in the
3820  * appropriate fashion, we signal the entire process group not just the
3821  * direct child process. This allows us to, for example, SIGQUIT a blocked
3822  * archive_recovery script, or SIGINT a script being run by a backend via
3823  * system().
3824  *
3825  * There is a race condition for recently-forked children: they might not
3826  * have executed setsid() yet. So we signal the child directly as well as
3827  * the group. We assume such a child will handle the signal before trying
3828  * to spawn any grandchild processes. We also assume that signaling the
3829  * child twice will not cause any problems.
3830  */
3831 static void
3832 signal_child(pid_t pid, int signal)
3833 {
3834  if (kill(pid, signal) < 0)
3835  elog(DEBUG3, "kill(%ld,%d) failed: %m", (long) pid, signal);
3836 #ifdef HAVE_SETSID
3837  switch (signal)
3838  {
3839  case SIGINT:
3840  case SIGTERM:
3841  case SIGQUIT:
3842  case SIGSTOP:
3843  case SIGKILL:
3844  if (kill(-pid, signal) < 0)
3845  elog(DEBUG3, "kill(%ld,%d) failed: %m", (long) (-pid), signal);
3846  break;
3847  default:
3848  break;
3849  }
3850 #endif
3851 }
3852 
3853 /*
3854  * Send a signal to the targeted children (but NOT special children;
3855  * dead_end children are never signaled, either).
3856  */
3857 static bool
3858 SignalSomeChildren(int signal, int target)
3859 {
3860  dlist_iter iter;
3861  bool signaled = false;
3862 
3863  dlist_foreach(iter, &BackendList)
3864  {
3865  Backend *bp = dlist_container(Backend, elem, iter.cur);
3866 
3867  if (bp->dead_end)
3868  continue;
3869 
3870  /*
3871  * Since target == BACKEND_TYPE_ALL is the most common case, we test
3872  * it first and avoid touching shared memory for every child.
3873  */
3874  if (target != BACKEND_TYPE_ALL)
3875  {
3876  /*
3877  * Assign bkend_type for any recently announced WAL Sender
3878  * processes.
3879  */
3880  if (bp->bkend_type == BACKEND_TYPE_NORMAL &&
3883 
3884  if (!(target & bp->bkend_type))
3885  continue;
3886  }
3887 
3888  ereport(DEBUG4,
3889  (errmsg_internal("sending signal %d to process %d",
3890  signal, (int) bp->pid)));
3891  signal_child(bp->pid, signal);
3892  signaled = true;
3893  }
3894  return signaled;
3895 }
3896 
3897 /*
3898  * Send a termination signal to children. This considers all of our children
3899  * processes, except syslogger and dead_end backends.
3900  */
3901 static void
3903 {
3904  SignalChildren(signal);
3905  if (StartupPID != 0)
3906  {
3907  signal_child(StartupPID, signal);
3908  if (signal == SIGQUIT || signal == SIGKILL)
3910  }
3911  if (BgWriterPID != 0)
3912  signal_child(BgWriterPID, signal);
3913  if (CheckpointerPID != 0)
3914  signal_child(CheckpointerPID, signal);
3915  if (WalWriterPID != 0)
3916  signal_child(WalWriterPID, signal);
3917  if (WalReceiverPID != 0)
3918  signal_child(WalReceiverPID, signal);
3919  if (AutoVacPID != 0)
3920  signal_child(AutoVacPID, signal);
3921  if (PgArchPID != 0)
3922  signal_child(PgArchPID, signal);
3923  if (PgStatPID != 0)
3924  signal_child(PgStatPID, signal);
3925 }
3926 
3927 /*
3928  * BackendStartup -- start backend process
3929  *
3930  * returns: STATUS_ERROR if the fork failed, STATUS_OK otherwise.
3931  *
3932  * Note: if you change this code, also consider StartAutovacuumWorker.
3933  */
3934 static int
3936 {
3937  Backend *bn; /* for backend cleanup */
3938  pid_t pid;
3939 
3940  /*
3941  * Create backend data structure. Better before the fork() so we can
3942  * handle failure cleanly.
3943  */
3944  bn = (Backend *) malloc(sizeof(Backend));
3945  if (!bn)
3946  {
3947  ereport(LOG,
3948  (errcode(ERRCODE_OUT_OF_MEMORY),
3949  errmsg("out of memory")));
3950  return STATUS_ERROR;
3951  }
3952 
3953  /*
3954  * Compute the cancel key that will be assigned to this backend. The
3955  * backend will have its own copy in the forked-off process' value of
3956  * MyCancelKey, so that it can transmit the key to the frontend.
3957  */
3959  {
3960  free(bn);
3961  ereport(LOG,
3962  (errcode(ERRCODE_INTERNAL_ERROR),
3963  errmsg("could not generate random cancel key")));
3964  return STATUS_ERROR;
3965  }
3966 
3967  bn->cancel_key = MyCancelKey;
3968 
3969  /* Pass down canAcceptConnections state */
3971  bn->dead_end = (port->canAcceptConnections != CAC_OK &&
3973 
3974  /*
3975  * Unless it's a dead_end child, assign it a child slot number
3976  */
3977  if (!bn->dead_end)
3979  else
3980  bn->child_slot = 0;
3981 
3982  /* Hasn't asked to be notified about any bgworkers yet */
3983  bn->bgworker_notify = false;
3984 
3985 #ifdef EXEC_BACKEND
3986  pid = backend_forkexec(port);
3987 #else /* !EXEC_BACKEND */
3988  pid = fork_process();
3989  if (pid == 0) /* child */
3990  {
3991  free(bn);
3992 
3993  /* Detangle from postmaster */
3995 
3996  /* Close the postmaster's sockets */
3997  ClosePostmasterPorts(false);
3998 
3999  /* Perform additional initialization and collect startup packet */
4000  BackendInitialize(port);
4001 
4002  /* And run the backend */
4003  BackendRun(port);
4004  }
4005 #endif /* EXEC_BACKEND */
4006 
4007  if (pid < 0)
4008  {
4009  /* in parent, fork failed */
4010  int save_errno = errno;
4011 
4012  if (!bn->dead_end)
4014  free(bn);
4015  errno = save_errno;
4016  ereport(LOG,
4017  (errmsg("could not fork new process for connection: %m")));
4018  report_fork_failure_to_client(port, save_errno);
4019  return STATUS_ERROR;
4020  }
4021 
4022  /* in parent, successful fork */
4023  ereport(DEBUG2,
4024  (errmsg_internal("forked new backend, pid=%d socket=%d",
4025  (int) pid, (int) port->sock)));
4026 
4027  /*
4028  * Everything's been successful, it's safe to add this backend to our list
4029  * of backends.
4030  */
4031  bn->pid = pid;
4032  bn->bkend_type = BACKEND_TYPE_NORMAL; /* Can change later to WALSND */
4033  dlist_push_head(&BackendList, &bn->elem);
4034 
4035 #ifdef EXEC_BACKEND
4036  if (!bn->dead_end)
4037  ShmemBackendArrayAdd(bn);
4038 #endif
4039 
4040  return STATUS_OK;
4041 }
4042 
4043 /*
4044  * Try to report backend fork() failure to client before we close the
4045  * connection. Since we do not care to risk blocking the postmaster on
4046  * this connection, we set the connection to non-blocking and try only once.
4047  *
4048  * This is grungy special-purpose code; we cannot use backend libpq since
4049  * it's not up and running.
4050  */
4051 static void
4053 {
4054  char buffer[1000];
4055  int rc;
4056 
4057  /* Format the error message packet (always V2 protocol) */
4058  snprintf(buffer, sizeof(buffer), "E%s%s\n",
4059  _("could not fork new process for connection: "),
4060  strerror(errnum));
4061 
4062  /* Set port to non-blocking. Don't do send() if this fails */
4063  if (!pg_set_noblock(port->sock))
4064  return;
4065 
4066  /* We'll retry after EINTR, but ignore all other failures */
4067  do
4068  {
4069  rc = send(port->sock, buffer, strlen(buffer) + 1, 0);
4070  } while (rc < 0 && errno == EINTR);
4071 }
4072 
4073 
4074 /*
4075  * BackendInitialize -- initialize an interactive (postmaster-child)
4076  * backend process, and collect the client's startup packet.
4077  *
4078  * returns: nothing. Will not return at all if there's any failure.
4079  *
4080  * Note: this code does not depend on having any access to shared memory.
4081  * In the EXEC_BACKEND case, we are physically attached to shared memory
4082  * but have not yet set up most of our local pointers to shmem structures.
4083  */
4084 static void
4086 {
4087  int status;
4088  int ret;
4089  char remote_host[NI_MAXHOST];
4090  char remote_port[NI_MAXSERV];
4091  char remote_ps_data[NI_MAXHOST];
4092 
4093  /* Save port etc. for ps status */
4094  MyProcPort = port;
4095 
4096  /*
4097  * PreAuthDelay is a debugging aid for investigating problems in the
4098  * authentication cycle: it can be set in postgresql.conf to allow time to
4099  * attach to the newly-forked backend with a debugger. (See also
4100  * PostAuthDelay, which we allow clients to pass through PGOPTIONS, but it
4101  * is not honored until after authentication.)
4102  */
4103  if (PreAuthDelay > 0)
4104  pg_usleep(PreAuthDelay * 1000000L);
4105 
4106  /* This flag will remain set until InitPostgres finishes authentication */
4107  ClientAuthInProgress = true; /* limit visibility of log messages */
4108 
4109  /* save process start time */
4112 
4113  /* set these to empty in case they are needed before we set them up */
4114  port->remote_host = "";
4115  port->remote_port = "";
4116 
4117  /*
4118  * Initialize libpq and enable reporting of ereport errors to the client.
4119  * Must do this now because authentication uses libpq to send messages.
4120  */
4121  pq_init(); /* initialize libpq to talk to client */
4122  whereToSendOutput = DestRemote; /* now safe to ereport to client */
4123 
4124  /*
4125  * We arrange for a simple exit(1) if we receive SIGTERM or SIGQUIT or
4126  * timeout while trying to collect the startup packet. Otherwise the
4127  * postmaster cannot shutdown the database FAST or IMMED cleanly if a
4128  * buggy client fails to send the packet promptly. XXX it follows that
4129  * the remainder of this function must tolerate losing control at any
4130  * instant. Likewise, any pg_on_exit_callback registered before or during
4131  * this function must be prepared to execute at any instant between here
4132  * and the end of this function. Furthermore, affected callbacks execute
4133  * partially or not at all when a second exit-inducing signal arrives
4134  * after proc_exit_prepare() decrements on_proc_exit_index. (Thanks to
4135  * that mechanic, callbacks need not anticipate more than one call.) This
4136  * is fragile; it ought to instead follow the norm of handling interrupts
4137  * at selected, safe opportunities.
4138  */
4139  pqsignal(SIGTERM, startup_die);
4141  InitializeTimeouts(); /* establishes SIGALRM handler */
4143 
4144  /*
4145  * Get the remote host name and port for logging and status display.
4146  */
4147  remote_host[0] = '\0';
4148  remote_port[0] = '\0';
4149  if ((ret = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
4150  remote_host, sizeof(remote_host),
4151  remote_port, sizeof(remote_port),
4152  (log_hostname ? 0 : NI_NUMERICHOST) | NI_NUMERICSERV)) != 0)
4153  ereport(WARNING,
4154  (errmsg_internal("pg_getnameinfo_all() failed: %s",
4155  gai_strerror(ret))));
4156  if (remote_port[0] == '\0')
4157  snprintf(remote_ps_data, sizeof(remote_ps_data), "%s", remote_host);
4158  else
4159  snprintf(remote_ps_data, sizeof(remote_ps_data), "%s(%s)", remote_host, remote_port);
4160 
4161  /*
4162  * Save remote_host and remote_port in port structure (after this, they
4163  * will appear in log_line_prefix data for log messages).
4164  */
4165  port->remote_host = strdup(remote_host);
4166  port->remote_port = strdup(remote_port);
4167 
4168  /* And now we can issue the Log_connections message, if wanted */
4169  if (Log_connections)
4170  {
4171  if (remote_port[0])
4172  ereport(LOG,
4173  (errmsg("connection received: host=%s port=%s",
4174  remote_host,
4175  remote_port)));
4176  else
4177  ereport(LOG,
4178  (errmsg("connection received: host=%s",
4179  remote_host)));
4180  }
4181 
4182  /*
4183  * If we did a reverse lookup to name, we might as well save the results
4184  * rather than possibly repeating the lookup during authentication.
4185  *
4186  * Note that we don't want to specify NI_NAMEREQD above, because then we'd
4187  * get nothing useful for a client without an rDNS entry. Therefore, we
4188  * must check whether we got a numeric IPv4 or IPv6 address, and not save
4189  * it into remote_hostname if so. (This test is conservative and might
4190  * sometimes classify a hostname as numeric, but an error in that
4191  * direction is safe; it only results in a possible extra lookup.)
4192  */
4193  if (log_hostname &&
4194  ret == 0 &&
4195  strspn(remote_host, "0123456789.") < strlen(remote_host) &&
4196  strspn(remote_host, "0123456789ABCDEFabcdef:") < strlen(remote_host))
4197  port->remote_hostname = strdup(remote_host);
4198 
4199  /*
4200  * Ready to begin client interaction. We will give up and exit(1) after a
4201  * time delay, so that a broken client can't hog a connection
4202  * indefinitely. PreAuthDelay and any DNS interactions above don't count
4203  * against the time limit.
4204  *
4205  * Note: AuthenticationTimeout is applied here while waiting for the
4206  * startup packet, and then again in InitPostgres for the duration of any
4207  * authentication operations. So a hostile client could tie up the
4208  * process for nearly twice AuthenticationTimeout before we kick him off.
4209  *
4210  * Note: because PostgresMain will call InitializeTimeouts again, the
4211  * registration of STARTUP_PACKET_TIMEOUT will be lost. This is okay
4212  * since we never use it again after this function.
4213  */
4216 
4217  /*
4218  * Receive the startup packet (which might turn out to be a cancel request
4219  * packet).
4220  */
4221  status = ProcessStartupPacket(port, false);
4222 
4223  /*
4224  * Stop here if it was bad or a cancel packet. ProcessStartupPacket
4225  * already did any appropriate error reporting.
4226  */
4227  if (status != STATUS_OK)
4228  proc_exit(0);
4229 
4230  /*
4231  * Now that we have the user and database name, we can set the process
4232  * title for ps. It's good to do this as early as possible in startup.
4233  *
4234  * For a walsender, the ps display is set in the following form:
4235  *
4236  * postgres: wal sender process <user> <host> <activity>
4237  *
4238  * To achieve that, we pass "wal sender process" as username and username
4239  * as dbname to init_ps_display(). XXX: should add a new variant of
4240  * init_ps_display() to avoid abusing the parameters like this.
4241  */
4242  if (am_walsender)
4243  init_ps_display("wal sender process", port->user_name, remote_ps_data,
4244  update_process_title ? "authentication" : "");
4245  else
4246  init_ps_display(port->user_name, port->database_name, remote_ps_data,
4247  update_process_title ? "authentication" : "");
4248 
4249  /*
4250  * Disable the timeout, and prevent SIGTERM/SIGQUIT again.
4251  */
4253  PG_SETMASK(&BlockSig);
4254 }
4255 
4256 
4257 /*
4258  * BackendRun -- set up the backend's argument list and invoke PostgresMain()
4259  *
4260  * returns:
4261  * Shouldn't return at all.
4262  * If PostgresMain() fails, return status.
4263  */
4264 static void
4266 {
4267  char **av;
4268  int maxac;
4269  int ac;
4270  long secs;
4271  int usecs;
4272  int i;
4273 
4274  /*
4275  * Don't want backend to be able to see the postmaster random number
4276  * generator state. We have to clobber the static random_seed *and* start
4277  * a new random sequence in the random() library function.
4278  */
4279 #ifndef HAVE_STRONG_RANDOM
4280  random_seed = 0;
4281  random_start_time.tv_usec = 0;
4282 #endif
4283  /* slightly hacky way to convert timestamptz into integers */
4284  TimestampDifference(0, port->SessionStartTime, &secs, &usecs);
4285  srandom((unsigned int) (MyProcPid ^ (usecs << 12) ^ secs));
4286 
4287  /*
4288  * Now, build the argv vector that will be given to PostgresMain.
4289  *
4290  * The maximum possible number of commandline arguments that could come
4291  * from ExtraOptions is (strlen(ExtraOptions) + 1) / 2; see
4292  * pg_split_opts().
4293  */
4294  maxac = 2; /* for fixed args supplied below */
4295  maxac += (strlen(ExtraOptions) + 1) / 2;
4296 
4297  av = (char **) MemoryContextAlloc(TopMemoryContext,
4298  maxac * sizeof(char *));
4299  ac = 0;
4300 
4301  av[ac++] = "postgres";
4302 
4303  /*
4304  * Pass any backend switches specified with -o on the postmaster's own
4305  * command line. We assume these are secure.
4306  */
4307  pg_split_opts(av, &ac, ExtraOptions);
4308 
4309  av[ac] = NULL;
4310 
4311  Assert(ac < maxac);
4312 
4313  /*
4314  * Debug: print arguments being passed to backend
4315  */
4316  ereport(DEBUG3,
4317  (errmsg_internal("%s child[%d]: starting with (",
4318  progname, (int) getpid())));
4319  for (i = 0; i < ac; ++i)
4320  ereport(DEBUG3,
4321  (errmsg_internal("\t%s", av[i])));
4322  ereport(DEBUG3,
4323  (errmsg_internal(")")));
4324 
4325  /*
4326  * Make sure we aren't in PostmasterContext anymore. (We can't delete it
4327  * just yet, though, because InitPostgres will need the HBA data.)
4328  */
4330 
4331  PostgresMain(ac, av, port->database_name, port->user_name);
4332 }
4333 
4334 
4335 #ifdef EXEC_BACKEND
4336 
4337 /*
4338  * postmaster_forkexec -- fork and exec a postmaster subprocess
4339  *
4340  * The caller must have set up the argv array already, except for argv[2]
4341  * which will be filled with the name of the temp variable file.
4342  *
4343  * Returns the child process PID, or -1 on fork failure (a suitable error
4344  * message has been logged on failure).
4345  *
4346  * All uses of this routine will dispatch to SubPostmasterMain in the
4347  * child process.
4348  */
4349 pid_t
4350 postmaster_forkexec(int argc, char *argv[])
4351 {
4352  Port port;
4353 
4354  /* This entry point passes dummy values for the Port variables */
4355  memset(&port, 0, sizeof(port));
4356  return internal_forkexec(argc, argv, &port);
4357 }
4358 
4359 /*
4360  * backend_forkexec -- fork/exec off a backend process
4361  *
4362  * Some operating systems (WIN32) don't have fork() so we have to simulate
4363  * it by storing parameters that need to be passed to the child and
4364  * then create a new child process.
4365  *
4366  * returns the pid of the fork/exec'd process, or -1 on failure
4367  */
4368 static pid_t
4369 backend_forkexec(Port *port)
4370 {
4371  char *av[4];
4372  int ac = 0;
4373 
4374  av[ac++] = "postgres";
4375  av[ac++] = "--forkbackend";
4376  av[ac++] = NULL; /* filled in by internal_forkexec */
4377 
4378  av[ac] = NULL;
4379  Assert(ac < lengthof(av));
4380 
4381  return internal_forkexec(ac, av, port);
4382 }
4383 
4384 #ifndef WIN32
4385 
4386 /*
4387  * internal_forkexec non-win32 implementation
4388  *
4389  * - writes out backend variables to the parameter file
4390  * - fork():s, and then exec():s the child process
4391  */
4392 static pid_t
4393 internal_forkexec(int argc, char *argv[], Port *port)
4394 {
4395  static unsigned long tmpBackendFileNum = 0;
4396  pid_t pid;
4397  char tmpfilename[MAXPGPATH];
4398  BackendParameters param;
4399  FILE *fp;
4400 
4401  if (!save_backend_variables(&param, port))
4402  return -1; /* log made by save_backend_variables */
4403 
4404  /* Calculate name for temp file */
4405  snprintf(tmpfilename, MAXPGPATH, "%s/%s.backend_var.%d.%lu",
4407  MyProcPid, ++tmpBackendFileNum);
4408 
4409  /* Open file */
4410  fp = AllocateFile(tmpfilename, PG_BINARY_W);
4411  if (!fp)
4412  {
4413  /*
4414  * As in OpenTemporaryFileInTablespace, try to make the temp-file
4415  * directory
4416  */
4417  mkdir(PG_TEMP_FILES_DIR, S_IRWXU);
4418 
4419  fp = AllocateFile(tmpfilename, PG_BINARY_W);
4420  if (!fp)
4421  {
4422  ereport(LOG,
4424  errmsg("could not create file \"%s\": %m",
4425  tmpfilename)));
4426  return -1;
4427  }
4428  }
4429 
4430  if (fwrite(&param, sizeof(param), 1, fp) != 1)
4431  {
4432  ereport(LOG,
4434  errmsg("could not write to file \"%s\": %m", tmpfilename)));
4435  FreeFile(fp);
4436  return -1;
4437  }
4438 
4439  /* Release file */
4440  if (FreeFile(fp))
4441  {
4442  ereport(LOG,
4444  errmsg("could not write to file \"%s\": %m", tmpfilename)));
4445  return -1;
4446  }
4447 
4448  /* Make sure caller set up argv properly */
4449  Assert(argc >= 3);
4450  Assert(argv[argc] == NULL);
4451  Assert(strncmp(argv[1], "--fork", 6) == 0);
4452  Assert(argv[2] == NULL);
4453 
4454  /* Insert temp file name after --fork argument */
4455  argv[2] = tmpfilename;
4456 
4457  /* Fire off execv in child */
4458  if ((pid = fork_process()) == 0)
4459  {
4460  if (execv(postgres_exec_path, argv) < 0)
4461  {
4462  ereport(LOG,
4463  (errmsg("could not execute server process \"%s\": %m",
4464  postgres_exec_path)));
4465  /* We're already in the child process here, can't return */
4466  exit(1);
4467  }
4468  }
4469 
4470  return pid; /* Parent returns pid, or -1 on fork failure */
4471 }
4472 #else /* WIN32 */
4473 
4474 /*
4475  * internal_forkexec win32 implementation
4476  *
4477  * - starts backend using CreateProcess(), in suspended state
4478  * - writes out backend variables to the parameter file
4479  * - during this, duplicates handles and sockets required for
4480  * inheritance into the new process
4481  * - resumes execution of the new process once the backend parameter
4482  * file is complete.
4483  */
4484 static pid_t
4485 internal_forkexec(int argc, char *argv[], Port *port)
4486 {
4487  STARTUPINFO si;
4488  PROCESS_INFORMATION pi;
4489  int i;
4490  int j;
4491  char cmdLine[MAXPGPATH * 2];
4492  HANDLE paramHandle;
4493  BackendParameters *param;
4494  SECURITY_ATTRIBUTES sa;
4495  char paramHandleStr[32];
4496  win32_deadchild_waitinfo *childinfo;
4497 
4498  /* Make sure caller set up argv properly */
4499  Assert(argc >= 3);
4500  Assert(argv[argc] == NULL);
4501  Assert(strncmp(argv[1], "--fork", 6) == 0);
4502  Assert(argv[2] == NULL);
4503 
4504  /* Set up shared memory for parameter passing */
4505  ZeroMemory(&sa, sizeof(sa));
4506  sa.nLength = sizeof(sa);
4507  sa.bInheritHandle = TRUE;
4508  paramHandle = CreateFileMapping(INVALID_HANDLE_VALUE,
4509  &sa,
4510  PAGE_READWRITE,
4511  0,
4512  sizeof(BackendParameters),
4513  NULL);
4514  if (paramHandle == INVALID_HANDLE_VALUE)
4515  {
4516  elog(LOG, "could not create backend parameter file mapping: error code %lu",
4517  GetLastError());
4518  return -1;
4519  }
4520 
4521  param = MapViewOfFile(paramHandle, FILE_MAP_WRITE, 0, 0, sizeof(BackendParameters));
4522  if (!param)
4523  {
4524  elog(LOG, "could not map backend parameter memory: error code %lu",
4525  GetLastError());
4526  CloseHandle(paramHandle);
4527  return -1;
4528  }
4529 
4530  /* Insert temp file name after --fork argument */
4531 #ifdef _WIN64
4532  sprintf(paramHandleStr, "%llu", (LONG_PTR) paramHandle);
4533 #else
4534  sprintf(paramHandleStr, "%lu", (DWORD) paramHandle);
4535 #endif
4536  argv[2] = paramHandleStr;
4537 
4538  /* Format the cmd line */
4539  cmdLine[sizeof(cmdLine) - 1] = '\0';
4540  cmdLine[sizeof(cmdLine) - 2] = '\0';
4541  snprintf(cmdLine, sizeof(cmdLine) - 1, "\"%s\"", postgres_exec_path);
4542  i = 0;
4543  while (argv[++i] != NULL)
4544  {
4545  j = strlen(cmdLine);
4546  snprintf(cmdLine + j, sizeof(cmdLine) - 1 - j, " \"%s\"", argv[i]);
4547  }
4548  if (cmdLine[sizeof(cmdLine) - 2] != '\0')
4549  {
4550  elog(LOG, "subprocess command line too long");
4551  return -1;
4552  }
4553 
4554  memset(&pi, 0, sizeof(pi));
4555  memset(&si, 0, sizeof(si));
4556  si.cb = sizeof(si);
4557 
4558  /*
4559  * Create the subprocess in a suspended state. This will be resumed later,
4560  * once we have written out the parameter file.
4561  */
4562  if (!CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, CREATE_SUSPENDED,
4563  NULL, NULL, &si, &pi))
4564  {
4565  elog(LOG, "CreateProcess call failed: %m (error code %lu)",
4566  GetLastError());
4567  return -1;
4568  }
4569 
4570  if (!save_backend_variables(param, port, pi.hProcess, pi.dwProcessId))
4571  {
4572  /*
4573  * log made by save_backend_variables, but we have to clean up the
4574  * mess with the half-started process
4575  */
4576  if (!TerminateProcess(pi.hProcess, 255))
4577  ereport(LOG,
4578  (errmsg_internal("could not terminate unstarted process: error code %lu",
4579  GetLastError())));
4580  CloseHandle(pi.hProcess);
4581  CloseHandle(pi.hThread);
4582  return -1; /* log made by save_backend_variables */
4583  }
4584 
4585  /* Drop the parameter shared memory that is now inherited to the backend */
4586  if (!UnmapViewOfFile(param))
4587  elog(LOG, "could not unmap view of backend parameter file: error code %lu",
4588  GetLastError());
4589  if (!CloseHandle(paramHandle))
4590  elog(LOG, "could not close handle to backend parameter file: error code %lu",
4591  GetLastError());
4592 
4593  /*
4594  * Reserve the memory region used by our main shared memory segment before
4595  * we resume the child process.
4596  */
4597  if (!pgwin32_ReserveSharedMemoryRegion(pi.hProcess))
4598  {
4599  /*
4600  * Failed to reserve the memory, so terminate the newly created
4601  * process and give up.
4602  */
4603  if (!TerminateProcess(pi.hProcess, 255))
4604  ereport(LOG,
4605  (errmsg_internal("could not terminate process that failed to reserve memory: error code %lu",
4606  GetLastError())));
4607  CloseHandle(pi.hProcess);
4608  CloseHandle(pi.hThread);
4609  return -1; /* logging done made by
4610  * pgwin32_ReserveSharedMemoryRegion() */
4611  }
4612 
4613  /*
4614  * Now that the backend variables are written out, we start the child
4615  * thread so it can start initializing while we set up the rest of the
4616  * parent state.
4617  */
4618  if (ResumeThread(pi.hThread) == -1)
4619  {
4620  if (!TerminateProcess(pi.hProcess, 255))
4621  {
4622  ereport(LOG,
4623  (errmsg_internal("could not terminate unstartable process: error code %lu",
4624  GetLastError())));
4625  CloseHandle(pi.hProcess);
4626  CloseHandle(pi.hThread);
4627  return -1;
4628  }
4629  CloseHandle(pi.hProcess);
4630  CloseHandle(pi.hThread);
4631  ereport(LOG,
4632  (errmsg_internal("could not resume thread of unstarted process: error code %lu",
4633  GetLastError())));
4634  return -1;
4635  }
4636 
4637  /*
4638  * Queue a waiter for to signal when this child dies. The wait will be
4639  * handled automatically by an operating system thread pool.
4640  *
4641  * Note: use malloc instead of palloc, since it needs to be thread-safe.
4642  * Struct will be free():d from the callback function that runs on a
4643  * different thread.
4644  */
4645  childinfo = malloc(sizeof(win32_deadchild_waitinfo));
4646  if (!childinfo)
4647  ereport(FATAL,
4648  (errcode(ERRCODE_OUT_OF_MEMORY),
4649  errmsg("out of memory")));
4650 
4651  childinfo->procHandle = pi.hProcess;
4652  childinfo->procId = pi.dwProcessId;
4653 
4654  if (!RegisterWaitForSingleObject(&childinfo->waitHandle,
4655  pi.hProcess,
4656  pgwin32_deadchild_callback,
4657  childinfo,
4658  INFINITE,
4659  WT_EXECUTEONLYONCE | WT_EXECUTEINWAITTHREAD))
4660  ereport(FATAL,
4661  (errmsg_internal("could not register process for wait: error code %lu",
4662  GetLastError())));
4663 
4664  /* Don't close pi.hProcess here - the wait thread needs access to it */
4665 
4666  CloseHandle(pi.hThread);
4667 
4668  return pi.dwProcessId;
4669 }
4670 #endif /* WIN32 */
4671 
4672 
4673 /*
4674  * SubPostmasterMain -- Get the fork/exec'd process into a state equivalent
4675  * to what it would be if we'd simply forked on Unix, and then
4676  * dispatch to the appropriate place.
4677  *
4678  * The first two command line arguments are expected to be "--forkFOO"
4679  * (where FOO indicates which postmaster child we are to become), and
4680  * the name of a variables file that we can read to load data that would
4681  * have been inherited by fork() on Unix. Remaining arguments go to the
4682  * subprocess FooMain() routine.
4683  */
4684 void
4685 SubPostmasterMain(int argc, char *argv[])
4686 {
4687  Port port;
4688 
4689  /* In EXEC_BACKEND case we will not have inherited these settings */
4690  IsPostmasterEnvironment = true;
4692 
4693  /* Setup as postmaster child */
4695 
4696  /* Setup essential subsystems (to ensure elog() behaves sanely) */
4698 
4699  /* Check we got appropriate args */
4700  if (argc < 3)
4701  elog(FATAL, "invalid subpostmaster invocation");
4702 
4703  /* Read in the variables file */
4704  memset(&port, 0, sizeof(Port));
4705  read_backend_variables(argv[2], &port);
4706 
4707  /* Close the postmaster's sockets (as soon as we know them) */
4708  ClosePostmasterPorts(strcmp(argv[1], "--forklog") == 0);
4709 
4710  /*
4711  * Set reference point for stack-depth checking
4712  */
4713  set_stack_base();
4714 
4715  /*
4716  * Set up memory area for GSS information. Mirrors the code in ConnCreate
4717  * for the non-exec case.
4718  */
4719 #if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
4720  port.gss = (pg_gssinfo *) calloc(1, sizeof(pg_gssinfo));
4721  if (!port.gss)
4722  ereport(FATAL,
4723  (errcode(ERRCODE_OUT_OF_MEMORY),
4724  errmsg("out of memory")));
4725 #endif
4726 
4727  /*
4728  * If appropriate, physically re-attach to shared memory segment. We want
4729  * to do this before going any further to ensure that we can attach at the
4730  * same address the postmaster used. On the other hand, if we choose not
4731  * to re-attach, we may have other cleanup to do.
4732  *
4733  * If testing EXEC_BACKEND on Linux, you should run this as root before
4734  * starting the postmaster:
4735  *
4736  * echo 0 >/proc/sys/kernel/randomize_va_space
4737  *
4738  * This prevents using randomized stack and code addresses that cause the
4739  * child process's memory map to be different from the parent's, making it
4740  * sometimes impossible to attach to shared memory at the desired address.
4741  * Return the setting to its old value (usually '1' or '2') when finished.
4742  */
4743  if (strcmp(argv[1], "--forkbackend") == 0 ||
4744  strcmp(argv[1], "--forkavlauncher") == 0 ||
4745  strcmp(argv[1], "--forkavworker") == 0 ||
4746  strcmp(argv[1], "--forkboot") == 0 ||
4747  strncmp(argv[1], "--forkbgworker=", 15) == 0)
4749  else
4751 
4752  /* autovacuum needs this set before calling InitProcess */
4753  if (strcmp(argv[1], "--forkavlauncher") == 0)
4754  AutovacuumLauncherIAm();
4755  if (strcmp(argv[1], "--forkavworker") == 0)
4756  AutovacuumWorkerIAm();
4757 
4758  /*
4759  * Start our win32 signal implementation. This has to be done after we
4760  * read the backend variables, because we need to pick up the signal pipe
4761  * from the parent process.
4762  */
4763 #ifdef WIN32
4765 #endif
4766 
4767  /* In EXEC_BACKEND case we will not have inherited these settings */
4768  pqinitmask();
4769  PG_SETMASK(&BlockSig);
4770 
4771  /* Read in remaining GUC variables */
4772  read_nondefault_variables();
4773 
4774  /*
4775  * Reload any libraries that were preloaded by the postmaster. Since we
4776  * exec'd this process, those libraries didn't come along with us; but we
4777  * should load them into all child processes to be consistent with the
4778  * non-EXEC_BACKEND behavior.
4779  */
4781 
4782  /* Run backend or appropriate child */
4783  if (strcmp(argv[1], "--forkbackend") == 0)
4784  {
4785  Assert(argc == 3); /* shouldn't be any more args */
4786 
4787  /*
4788  * Need to reinitialize the SSL library in the backend, since the
4789  * context structures contain function pointers and cannot be passed
4790  * through the parameter file.
4791  *
4792  * If for some reason reload fails (maybe the user installed broken
4793  * key files), soldier on without SSL; that's better than all
4794  * connections becoming impossible.
4795  *
4796  * XXX should we do this in all child processes? For the moment it's
4797  * enough to do it in backend children.
4798  */
4799 #ifdef USE_SSL
4800  if (EnableSSL)
4801  {
4802  if (secure_initialize(false) == 0)
4803  LoadedSSL = true;
4804  else
4805  ereport(LOG,
4806  (errmsg("SSL configuration could not be loaded in child process")));
4807  }
4808 #endif
4809 
4810  /*
4811  * Perform additional initialization and collect startup packet.
4812  *
4813  * We want to do this before InitProcess() for a couple of reasons: 1.
4814  * so that we aren't eating up a PGPROC slot while waiting on the
4815  * client. 2. so that if InitProcess() fails due to being out of
4816  * PGPROC slots, we have already initialized libpq and are able to
4817  * report the error to the client.
4818  */
4819  BackendInitialize(&port);
4820 
4821  /* Restore basic shared memory pointers */
4823 
4824  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4825  InitProcess();
4826 
4827  /* Attach process to shared data structures */
4829 
4830  /* And run the backend */
4831  BackendRun(&port); /* does not return */
4832  }
4833  if (strcmp(argv[1], "--forkboot") == 0)
4834  {
4835  /* Restore basic shared memory pointers */
4837 
4838  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4840 
4841  /* Attach process to shared data structures */
4843 
4844  AuxiliaryProcessMain(argc - 2, argv + 2); /* does not return */
4845  }
4846  if (strcmp(argv[1], "--forkavlauncher") == 0)
4847  {
4848  /* Restore basic shared memory pointers */
4850 
4851  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4852  InitProcess();
4853 
4854  /* Attach process to shared data structures */
4856 
4857  AutoVacLauncherMain(argc - 2, argv + 2); /* does not return */
4858  }
4859  if (strcmp(argv[1], "--forkavworker") == 0)
4860  {
4861  /* Restore basic shared memory pointers */
4863 
4864  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4865  InitProcess();
4866 
4867  /* Attach process to shared data structures */
4869 
4870  AutoVacWorkerMain(argc - 2, argv + 2); /* does not return */
4871  }
4872  if (strncmp(argv[1], "--forkbgworker=", 15) == 0)
4873  {
4874  int shmem_slot;
4875 
4876  /* do this as early as possible; in particular, before InitProcess() */
4877  IsBackgroundWorker = true;
4878 
4879  /* Restore basic shared memory pointers */
4881 
4882  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4883  InitProcess();
4884 
4885  /* Attach process to shared data structures */
4887 
4888  /* Fetch MyBgworkerEntry from shared memory */
4889  shmem_slot = atoi(argv[1] + 15);
4890  MyBgworkerEntry = BackgroundWorkerEntry(shmem_slot);
4891 
4893  }
4894  if (strcmp(argv[1], "--forkarch") == 0)
4895  {
4896  /* Do not want to attach to shared memory */
4897 
4898  PgArchiverMain(argc, argv); /* does not return */
4899  }
4900  if (strcmp(argv[1], "--forkcol") == 0)
4901  {
4902  /* Do not want to attach to shared memory */
4903 
4904  PgstatCollectorMain(argc, argv); /* does not return */
4905  }
4906  if (strcmp(argv[1], "--forklog") == 0)
4907  {
4908  /* Do not want to attach to shared memory */
4909 
4910  SysLoggerMain(argc, argv); /* does not return */
4911  }
4912 
4913  abort(); /* shouldn't get here */
4914 }
4915 #endif /* EXEC_BACKEND */
4916 
4917 
4918 /*
4919  * ExitPostmaster -- cleanup
4920  *
4921  * Do NOT call exit() directly --- always go through here!
4922  */
4923 static void
4925 {
4926 #ifdef HAVE_PTHREAD_IS_THREADED_NP
4927 
4928  /*
4929  * There is no known cause for a postmaster to become multithreaded after
4930  * startup. Recheck to account for the possibility of unknown causes.
4931  * This message uses LOG level, because an unclean shutdown at this point
4932  * would usually not look much different from a clean shutdown.
4933  */
4934  if (pthread_is_threaded_np() != 0)
4935  ereport(LOG,
4936  (errcode(ERRCODE_INTERNAL_ERROR),
4937  errmsg_internal("postmaster became multithreaded"),
4938  errdetail("Please report this to <pgsql-bugs@postgresql.org>.")));
4939 #endif
4940 
4941  /* should cleanup shared memory and kill all backends */
4942 
4943  /*
4944  * Not sure of the semantics here. When the Postmaster dies, should the
4945  * backends all be killed? probably not.
4946  *
4947  * MUST -- vadim 05-10-1999
4948  */
4949 
4950  proc_exit(status);
4951 }
4952 
4953 /*
4954  * sigusr1_handler - handle signal conditions from child processes
4955  */
4956 static void
4958 {
4959  int save_errno = errno;
4960 
4961  PG_SETMASK(&BlockSig);
4962 
4963  /* Process background worker state change. */
4965  {
4967  StartWorkerNeeded = true;
4968  }
4969 
4970  /*
4971  * RECOVERY_STARTED and BEGIN_HOT_STANDBY signals are ignored in
4972  * unexpected states. If the startup process quickly starts up, completes
4973  * recovery, exits, we might process the death of the startup process
4974  * first. We don't want to go back to recovery in that case.
4975  */
4978  {
4979  /* WAL redo has started. We're out of reinitialization. */
4980  FatalError = false;
4981  Assert(AbortStartTime == 0);
4982 
4983  /*
4984  * Crank up the background tasks. It doesn't matter if this fails,
4985  * we'll just try again later.
4986  */
4987  Assert(CheckpointerPID == 0);
4989  Assert(BgWriterPID == 0);
4991 
4992  /*
4993  * Start the archiver if we're responsible for (re-)archiving received
4994  * files.
4995  */
4996  Assert(PgArchPID == 0);
4997  if (XLogArchivingAlways())
4998  PgArchPID = pgarch_start();
4999 
5000 #ifdef USE_SYSTEMD
5001  if (!EnableHotStandby)
5002  sd_notify(0, "READY=1");
5003 #endif
5004 
5005  pmState = PM_RECOVERY;
5006  }
5009  {
5010  /*
5011  * Likewise, start other special children as needed.
5012  */
5013  Assert(PgStatPID == 0);
5014  PgStatPID = pgstat_start();
5015 
5016  ereport(LOG,
5017  (errmsg("database system is ready to accept read only connections")));
5018 
5019 #ifdef USE_SYSTEMD
5020  sd_notify(0, "READY=1");
5021 #endif
5022 
5024  /* Some workers may be scheduled to start now */
5025  StartWorkerNeeded = true;
5026  }
5027 
5030 
5032  PgArchPID != 0)
5033  {
5034  /*
5035  * Send SIGUSR1 to archiver process, to wake it up and begin archiving
5036  * next transaction log file.
5037  */
5039  }
5040 
5042  SysLoggerPID != 0)
5043  {
5044  /* Tell syslogger to rotate logfile */
5046  }
5047 
5049  Shutdown == NoShutdown)
5050  {
5051  /*
5052  * Start one iteration of the autovacuum daemon, even if autovacuuming
5053  * is nominally not enabled. This is so we can have an active defense
5054  * against transaction ID wraparound. We set a flag for the main loop
5055  * to do it rather than trying to do it here --- this is because the
5056  * autovac process itself may send the signal, and we want to handle
5057  * that by launching another iteration as soon as the current one
5058  * completes.
5059  */
5060  start_autovac_launcher = true;
5061  }
5062 
5064  Shutdown == NoShutdown)
5065  {
5066  /* The autovacuum launcher wants us to start a worker process. */
5068  }
5069 
5071  WalReceiverPID == 0 &&
5072  (pmState == PM_STARTUP || pmState == PM_RECOVERY ||
5074  Shutdown == NoShutdown)
5075  {
5076  /* Startup Process wants us to start the walreceiver process. */
5078  }
5079 
5082  {
5083  /* Advance postmaster's state machine */
5085  }
5086 
5087  if (CheckPromoteSignal() && StartupPID != 0 &&
5088  (pmState == PM_STARTUP || pmState == PM_RECOVERY ||
5090  {
5091  /* Tell startup process to finish recovery */
5093  }
5094 
5096 
5097  errno = save_errno;
5098 }
5099 
5100 /*
5101  * SIGTERM or SIGQUIT while processing startup packet.
5102  * Clean up and exit(1).
5103  *
5104  * XXX: possible future improvement: try to send a message indicating
5105  * why we are disconnecting. Problem is to be sure we don't block while
5106  * doing so, nor mess up SSL initialization. In practice, if the client
5107  * has wedged here, it probably couldn't do anything with the message anyway.
5108  */
5109 static void
5111 {
5112  proc_exit(1);
5113 }
5114 
5115 /*
5116  * Dummy signal handler
5117  *
5118  * We use this for signals that we don't actually use in the postmaster,
5119  * but we do use in backends. If we were to SIG_IGN such signals in the
5120  * postmaster, then a newly started backend might drop a signal that arrives
5121  * before it's able to reconfigure its signal processing. (See notes in
5122  * tcop/postgres.c.)
5123  */
5124 static void
5126 {
5127 }
5128 
5129 /*
5130  * Timeout while processing startup packet.
5131  * As for startup_die(), we clean up and exit(1).
5132  */
5133 static void
5135 {
5136  proc_exit(1);
5137 }
5138 
5139 
5140 /*
5141  * Generate a random cancel key.
5142  */
5143 static bool
5145 {
5146 #ifdef HAVE_STRONG_RANDOM
5147  return pg_strong_random((char *) cancel_key, sizeof(int32));
5148 #else
5149  /*
5150  * If built with --disable-strong-random, use plain old erand48.
5151  *
5152  * We cannot use pg_backend_random() in postmaster, because it stores
5153  * its state in shared memory.
5154  */
5155  static unsigned short seed[3];
5156 
5157  /*
5158  * Select a random seed at the time of first receiving a request.
5159  */
5160  if (random_seed == 0)
5161  {
5162  struct timeval random_stop_time;
5163 
5164  gettimeofday(&random_stop_time, NULL);
5165 
5166  seed[0] = (unsigned short) random_start_time.tv_usec;
5167  seed[1] = (unsigned short) (random_stop_time.tv_usec) ^ (random_start_time.tv_usec >> 16);
5168  seed[2] = (unsigned short) (random_stop_time.tv_usec >> 16);
5169 
5170  random_seed = 1;
5171  }
5172 
5173  *cancel_key = pg_jrand48(seed);
5174 
5175  return true;
5176 #endif
5177 }
5178 
5179 /*
5180  * Count up number of child processes of specified types (dead_end children
5181  * are always excluded).
5182  */
5183 static int
5184 CountChildren(int target)
5185 {
5186  dlist_iter iter;
5187  int cnt = 0;
5188 
5189  dlist_foreach(iter, &BackendList)
5190  {
5191  Backend *bp = dlist_container(Backend, elem, iter.cur);
5192 
5193  if (bp->dead_end)
5194  continue;
5195 
5196  /*
5197  * Since target == BACKEND_TYPE_ALL is the most common case, we test
5198  * it first and avoid touching shared memory for every child.
5199  */
5200  if (target != BACKEND_TYPE_ALL)
5201  {
5202  /*
5203  * Assign bkend_type for any recently announced WAL Sender
5204  * processes.
5205  */
5206  if (bp->bkend_type == BACKEND_TYPE_NORMAL &&
5209 
5210  if (!(target & bp->bkend_type))
5211  continue;
5212  }
5213 
5214  cnt++;
5215  }
5216  return cnt;
5217 }
5218 
5219 
5220 /*
5221  * StartChildProcess -- start an auxiliary process for the postmaster
5222  *
5223  * "type" determines what kind of child will be started. All child types
5224  * initially go to AuxiliaryProcessMain, which will handle common setup.
5225  *
5226  * Return value of StartChildProcess is subprocess' PID, or 0 if failed
5227  * to start subprocess.
5228  */
5229 static pid_t
5231 {
5232  pid_t pid;
5233  char *av[10];
5234  int ac = 0;
5235  char typebuf[32];
5236 
5237  /*
5238  * Set up command-line arguments for subprocess
5239  */
5240  av[ac++] = "postgres";
5241 
5242 #ifdef EXEC_BACKEND
5243  av[ac++] = "--forkboot";
5244  av[ac++] = NULL; /* filled in by postmaster_forkexec */
5245 #endif
5246 
5247  snprintf(typebuf, sizeof(typebuf), "-x%d", type);
5248  av[ac++] = typebuf;
5249 
5250  av[ac] = NULL;
5251  Assert(ac < lengthof(av));
5252 
5253 #ifdef EXEC_BACKEND
5254  pid = postmaster_forkexec(ac, av);
5255 #else /* !EXEC_BACKEND */
5256  pid = fork_process();
5257 
5258  if (pid == 0) /* child */
5259  {
5261 
5262  /* Close the postmaster's sockets */
5263  ClosePostmasterPorts(false);
5264 
5265  /* Release postmaster's working memory context */
5269 
5270  AuxiliaryProcessMain(ac, av);
5271  ExitPostmaster(0);
5272  }
5273 #endif /* EXEC_BACKEND */
5274 
5275  if (pid < 0)
5276  {
5277  /* in parent, fork failed */
5278  int save_errno = errno;
5279 
5280  errno = save_errno;
5281  switch (type)
5282  {
5283  case StartupProcess:
5284  ereport(LOG,
5285  (errmsg("could not fork startup process: %m")));
5286  break;
5287  case BgWriterProcess:
5288  ereport(LOG,
5289  (errmsg("could not fork background writer process: %m")));
5290  break;
5291  case CheckpointerProcess:
5292  ereport(LOG,
5293  (errmsg("could not fork checkpointer process: %m")));
5294  break;
5295  case WalWriterProcess:
5296  ereport(LOG,
5297  (errmsg("could not fork WAL writer process: %m")));
5298  break;
5299  case WalReceiverProcess:
5300  ereport(LOG,
5301  (errmsg("could not fork WAL receiver process: %m")));
5302  break;
5303  default:
5304  ereport(LOG,
5305  (errmsg("could not fork process: %m")));
5306  break;
5307  }
5308 
5309  /*
5310  * fork failure is fatal during startup, but there's no need to choke
5311  * immediately if starting other child types fails.
5312  */
5313  if (type == StartupProcess)
5314  ExitPostmaster(1);
5315  return 0;
5316  }
5317 
5318  /*
5319  * in parent, successful fork
5320  */
5321  return pid;
5322 }
5323 
5324 /*
5325  * StartAutovacuumWorker
5326  * Start an autovac worker process.
5327  *
5328  * This function is here because it enters the resulting PID into the
5329  * postmaster's private backends list.
5330  *
5331  * NB -- this code very roughly matches BackendStartup.
5332  */
5333 static void
5335 {
5336  Backend *bn;
5337 
5338  /*
5339  * If not in condition to run a process, don't try, but handle it like a
5340  * fork failure. This does not normally happen, since the signal is only
5341  * supposed to be sent by autovacuum launcher when it's OK to do it, but
5342  * we have to check to avoid race-condition problems during DB state
5343  * changes.
5344  */
5345  if (canAcceptConnections() == CAC_OK)
5346  {
5347  /*
5348  * Compute the cancel key that will be assigned to this session.
5349  * We probably don't need cancel keys for autovac workers, but
5350  * we'd better have something random in the field to prevent
5351  * unfriendly people from sending cancels to them.
5352  */
5354  {
5355  ereport(LOG,
5356  (errcode(ERRCODE_INTERNAL_ERROR),
5357  errmsg("could not generate random cancel key")));
5358  return;
5359  }
5360 
5361  bn = (Backend *) malloc(sizeof(Backend));
5362  if (bn)
5363  {
5364  bn->cancel_key = MyCancelKey;
5365 
5366  /* Autovac workers are not dead_end and need a child slot */
5367  bn->dead_end = false;
5369  bn->bgworker_notify = false;
5370 
5371  bn->pid = StartAutoVacWorker();
5372  if (bn->pid > 0)
5373  {
5375  dlist_push_head(&BackendList, &bn->elem);
5376 #ifdef EXEC_BACKEND
5377  ShmemBackendArrayAdd(bn);
5378 #endif
5379  /* all OK */
5380  return;
5381  }
5382 
5383  /*
5384  * fork failed, fall through to report -- actual error message was
5385  * logged by StartAutoVacWorker
5386  */
5388  free(bn);
5389  }
5390  else
5391  ereport(LOG,
5392  (errcode(ERRCODE_OUT_OF_MEMORY),
5393  errmsg("out of memory")));
5394  }
5395 
5396  /*
5397  * Report the failure to the launcher, if it's running. (If it's not, we
5398  * might not even be connected to shared memory, so don't try to call
5399  * AutoVacWorkerFailed.) Note that we also need to signal it so that it
5400  * responds to the condition, but we don't do that here, instead waiting
5401  * for ServerLoop to do it. This way we avoid a ping-pong signalling in
5402  * quick succession between the autovac launcher and postmaster in case
5403  * things get ugly.
5404  */
5405  if (AutoVacPID != 0)
5406  {
5408  avlauncher_needs_signal = true;
5409  }
5410 }
5411 
5412 /*
5413  * Create the opts file
5414  */
5415 static bool
5416 CreateOptsFile(int argc, char *argv[], char *fullprogname)
5417 {
5418  FILE *fp;
5419  int i;
5420 
5421 #define OPTS_FILE "postmaster.opts"
5422 
5423  if ((fp = fopen(OPTS_FILE, "w")) == NULL)
5424  {
5425  elog(LOG, "could not create file \"%s\": %m", OPTS_FILE);
5426  return false;
5427  }
5428 
5429  fprintf(fp, "%s", fullprogname);
5430  for (i = 1; i < argc; i++)
5431  fprintf(fp, " \"%s\"", argv[i]);
5432  fputs("\n", fp);
5433 
5434  if (fclose(fp))
5435  {
5436  elog(LOG, "could not write file \"%s\": %m", OPTS_FILE);
5437  return false;
5438  }
5439 
5440  return true;
5441 }
5442 
5443 
5444 /*
5445  * MaxLivePostmasterChildren
5446  *
5447  * This reports the number of entries needed in per-child-process arrays
5448  * (the PMChildFlags array, and if EXEC_BACKEND the ShmemBackendArray).
5449  * These arrays include regular backends, autovac workers, walsenders
5450  * and background workers, but not special children nor dead_end children.
5451  * This allows the arrays to have a fixed maximum size, to wit the same
5452  * too-many-children limit enforced by canAcceptConnections(). The exact value
5453  * isn't too critical as long as it's more than MaxBackends.
5454  */
5455 int
5457 {
5458  return 2 * (MaxConnections + autovacuum_max_workers + 1 +
5460 }
5461 
5462 /*
5463  * Connect background worker to a database.
5464  */
5465 void
5467 {
5469 
5470  /* XXX is this the right errcode? */
5472  ereport(FATAL,
5473  (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
5474  errmsg("database connection requirement not indicated during registration")));
5475 
5476  InitPostgres(dbname, InvalidOid, username, InvalidOid, NULL);
5477 
5478  /* it had better not gotten out of "init" mode yet */
5479  if (!IsInitProcessingMode())
5480  ereport(ERROR,
5481  (errmsg("invalid processing mode in background worker")));
5483 }
5484 
5485 /*
5486  * Connect background worker to a database using OIDs.
5487  */
5488 void
5490 {
5492 
5493  /* XXX is this the right errcode? */
5495  ereport(FATAL,
5496  (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
5497  errmsg("database connection requirement not indicated during registration")));
5498 
5499  InitPostgres(NULL, dboid, NULL, useroid, NULL);
5500 
5501  /* it had better not gotten out of "init" mode yet */
5502  if (!IsInitProcessingMode())
5503  ereport(ERROR,
5504  (errmsg("invalid processing mode in background worker")));
5506 }
5507 
5508 /*
5509  * Block/unblock signals in a background worker
5510  */
5511 void
5513 {
5514  PG_SETMASK(&BlockSig);
5515 }
5516 
5517 void
5519 {
5521 }
5522 
5523 #ifdef EXEC_BACKEND
5524 static pid_t
5525 bgworker_forkexec(int shmem_slot)
5526 {
5527  char *av[10];
5528  int ac = 0;
5529  char forkav[MAXPGPATH];
5530 
5531  snprintf(forkav, MAXPGPATH, "--forkbgworker=%d", shmem_slot);
5532 
5533  av[ac++] = "postgres";
5534  av[ac++] = forkav;
5535  av[ac++] = NULL; /* filled in by postmaster_forkexec */
5536  av[ac] = NULL;
5537 
5538  Assert(ac < lengthof(av));
5539 
5540  return postmaster_forkexec(ac, av);
5541 }
5542 #endif
5543 
5544 /*
5545  * Start a new bgworker.
5546  * Starting time conditions must have been checked already.
5547  *
5548  * Returns true on success, false on failure.
5549  * In either case, update the RegisteredBgWorker's state appropriately.
5550  *
5551  * This code is heavily based on autovacuum.c, q.v.
5552  */
5553 static bool
5555 {
5556  pid_t worker_pid;
5557 
5558  Assert(rw->rw_pid == 0);
5559 
5560  /*
5561  * Allocate and assign the Backend element. Note we must do this before
5562  * forking, so that we can handle out of memory properly.
5563  *
5564  * Treat failure as though the worker had crashed. That way, the
5565  * postmaster will wait a bit before attempting to start it again; if it
5566  * tried again right away, most likely it'd find itself repeating the
5567  * out-of-memory or fork failure condition.
5568  */
5569  if (!assign_backendlist_entry(rw))
5570  {
5572  return false;
5573  }
5574 
5575  ereport(DEBUG1,
5576  (errmsg("starting background worker process \"%s\"",
5577  rw->rw_worker.bgw_name)));
5578 
5579 #ifdef EXEC_BACKEND
5580  switch ((worker_pid = bgworker_forkexec(rw->rw_shmem_slot)))
5581 #else
5582  switch ((worker_pid = fork_process()))
5583 #endif
5584  {
5585  case -1:
5586  /* in postmaster, fork failed ... */
5587  ereport(LOG,
5588  (errmsg("could not fork worker process: %m")));
5589  /* undo what assign_backendlist_entry did */
5591  rw->rw_child_slot = 0;
5592  free(rw->rw_backend);
5593  rw->rw_backend = NULL;
5594  /* mark entry as crashed, so we'll try again later */
5596  break;
5597 
5598 #ifndef EXEC_BACKEND
5599  case 0:
5600  /* in postmaster child ... */
5602 
5603  /* Close the postmaster's sockets */
5604  ClosePostmasterPorts(false);
5605 
5606  /*
5607  * Before blowing away PostmasterContext, save this bgworker's
5608  * data where it can find it.
5609  */
5610  MyBgworkerEntry = (BackgroundWorker *)
5612  memcpy(MyBgworkerEntry, &rw->rw_worker, sizeof(BackgroundWorker));
5613 
5614  /* Release postmaster's working memory context */
5618 
5620 
5621  exit(1); /* should not get here */
5622  break;
5623 #endif
5624  default:
5625  /* in postmaster, fork successful ... */
5626  rw->rw_pid = worker_pid;
5627  rw->rw_backend->pid = rw->rw_pid;
5629  /* add new worker to lists of backends */
5630  dlist_push_head(&BackendList, &rw->rw_backend->elem);
5631 #ifdef EXEC_BACKEND
5632  ShmemBackendArrayAdd(rw->rw_backend);
5633 #endif
5634  return true;
5635  }
5636 
5637  return false;
5638 }
5639 
5640 /*
5641  * Does the current postmaster state require starting a worker with the
5642  * specified start_time?
5643  */
5644 static bool
5646 {
5647  switch (pmState)
5648  {
5649  case PM_NO_CHILDREN:
5650  case PM_WAIT_DEAD_END:
5651  case PM_SHUTDOWN_2:
5652  case PM_SHUTDOWN:
5653  case PM_WAIT_BACKENDS:
5654  case PM_WAIT_READONLY:
5655  case PM_WAIT_BACKUP:
5656  break;
5657 
5658  case PM_RUN:
5659  if (start_time == BgWorkerStart_RecoveryFinished)
5660  return true;
5661  /* fall through */
5662 
5663  case PM_HOT_STANDBY:
5664  if (start_time == BgWorkerStart_ConsistentState)
5665  return true;
5666  /* fall through */
5667 
5668  case PM_RECOVERY:
5669  case PM_STARTUP:
5670  case PM_INIT:
5671  if (start_time == BgWorkerStart_PostmasterStart)
5672  return true;
5673  /* fall through */
5674 
5675  }
5676 
5677  return false;
5678 }
5679 
5680 /*
5681  * Allocate the Backend struct for a connected background worker, but don't
5682  * add it to the list of backends just yet.
5683  *
5684  * On failure, return false without changing any worker state.
5685  *
5686  * Some info from the Backend is copied into the passed rw.
5687  */
5688 static bool
5690 {
5691  Backend *bn;
5692 
5693  /*
5694  * Compute the cancel key that will be assigned to this session. We
5695  * probably don't need cancel keys for background workers, but we'd better
5696  * have something random in the field to prevent unfriendly people from
5697  * sending cancels to them.
5698  */
5700  {
5701  ereport(LOG,
5702  (errcode(ERRCODE_INTERNAL_ERROR),
5703  errmsg("could not generate random cancel key")));
5704  return false;
5705  }
5706 
5707  bn = malloc(sizeof(Backend));
5708  if (bn == NULL)
5709  {
5710  ereport(LOG,
5711  (errcode(ERRCODE_OUT_OF_MEMORY),
5712  errmsg("out of memory")));
5713  return false;
5714  }
5715 
5716  bn->cancel_key = MyCancelKey;
5719  bn->dead_end = false;
5720  bn->bgworker_notify = false;
5721 
5722  rw->rw_backend = bn;
5723  rw->rw_child_slot = bn->child_slot;
5724 
5725  return true;
5726 }
5727 
5728 /*
5729  * If the time is right, start background worker(s).
5730  *
5731  * As a side effect, the bgworker control variables are set or reset
5732  * depending on whether more workers may need to be started.
5733  *
5734  * We limit the number of workers started per call, to avoid consuming the
5735  * postmaster's attention for too long when many such requests are pending.
5736  * As long as StartWorkerNeeded is true, ServerLoop will not block and will
5737  * call this function again after dealing with any other issues.
5738  */
5739 static void
5741 {
5742 #define MAX_BGWORKERS_TO_LAUNCH 100
5743  int num_launched = 0;
5744  TimestampTz now = 0;
5745  slist_mutable_iter iter;
5746 
5747  /*
5748  * During crash recovery, we have no need to be called until the state
5749  * transition out of recovery.
5750  */
5751  if (FatalError)
5752  {
5753  StartWorkerNeeded = false;
5754  HaveCrashedWorker = false;
5755  return;
5756  }
5757 
5758  /* Don't need to be called again unless we find a reason for it below */
5759  StartWorkerNeeded = false;
5760  HaveCrashedWorker = false;
5761 
5763  {
5764  RegisteredBgWorker *rw;
5765 
5766  rw = slist_container(RegisteredBgWorker, rw_lnode, iter.cur);
5767 
5768  /* ignore if already running */
5769  if (rw->rw_pid != 0)
5770  continue;
5771 
5772  /* if marked for death, clean up and remove from list */
5773  if (rw->rw_terminate)
5774  {
5775  ForgetBackgroundWorker(&iter);
5776  continue;
5777  }
5778 
5779  /*
5780  * If this worker has crashed previously, maybe it needs to be
5781  * restarted (unless on registration it specified it doesn't want to
5782  * be restarted at all). Check how long ago did a crash last happen.
5783  * If the last crash is too recent, don't start it right away; let it
5784  * be restarted once enough time has passed.
5785  */
5786  if (rw->rw_crashed_at != 0)
5787  {
5789  {
5790  ForgetBackgroundWorker(&iter);
5791  continue;
5792