PostgreSQL Source Code  git master
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros
postmaster.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * postmaster.c
4  * This program acts as a clearing house for requests to the
5  * POSTGRES system. Frontend programs send a startup message
6  * to the Postmaster and the postmaster uses the info in the
7  * message to setup a backend process.
8  *
9  * The postmaster also manages system-wide operations such as
10  * startup and shutdown. The postmaster itself doesn't do those
11  * operations, mind you --- it just forks off a subprocess to do them
12  * at the right times. It also takes care of resetting the system
13  * if a backend crashes.
14  *
15  * The postmaster process creates the shared memory and semaphore
16  * pools during startup, but as a rule does not touch them itself.
17  * In particular, it is not a member of the PGPROC array of backends
18  * and so it cannot participate in lock-manager operations. Keeping
19  * the postmaster away from shared memory operations makes it simpler
20  * and more reliable. The postmaster is almost always able to recover
21  * from crashes of individual backends by resetting shared memory;
22  * if it did much with shared memory then it would be prone to crashing
23  * along with the backends.
24  *
25  * When a request message is received, we now fork() immediately.
26  * The child process performs authentication of the request, and
27  * then becomes a backend if successful. This allows the auth code
28  * to be written in a simple single-threaded style (as opposed to the
29  * crufty "poor man's multitasking" code that used to be needed).
30  * More importantly, it ensures that blockages in non-multithreaded
31  * libraries like SSL or PAM cannot cause denial of service to other
32  * clients.
33  *
34  *
35  * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
36  * Portions Copyright (c) 1994, Regents of the University of California
37  *
38  *
39  * IDENTIFICATION
40  * src/backend/postmaster/postmaster.c
41  *
42  * NOTES
43  *
44  * Initialization:
45  * The Postmaster sets up shared memory data structures
46  * for the backends.
47  *
48  * Synchronization:
49  * The Postmaster shares memory with the backends but should avoid
50  * touching shared memory, so as not to become stuck if a crashing
51  * backend screws up locks or shared memory. Likewise, the Postmaster
52  * should never block on messages from frontend clients.
53  *
54  * Garbage Collection:
55  * The Postmaster cleans up after backends if they have an emergency
56  * exit and/or core dump.
57  *
58  * Error Reporting:
59  * Use write_stderr() only for reporting "interactive" errors
60  * (essentially, bogus arguments on the command line). Once the
61  * postmaster is launched, use ereport().
62  *
63  *-------------------------------------------------------------------------
64  */
65 
66 #include "postgres.h"
67 
68 #include <unistd.h>
69 #include <signal.h>
70 #include <time.h>
71 #include <sys/wait.h>
72 #include <ctype.h>
73 #include <sys/stat.h>
74 #include <sys/socket.h>
75 #include <fcntl.h>
76 #include <sys/param.h>
77 #include <netinet/in.h>
78 #include <arpa/inet.h>
79 #include <netdb.h>
80 #include <limits.h>
81 
82 #ifdef HAVE_SYS_SELECT_H
83 #include <sys/select.h>
84 #endif
85 
86 #ifdef USE_BONJOUR
87 #include <dns_sd.h>
88 #endif
89 
90 #ifdef USE_SYSTEMD
91 #include <systemd/sd-daemon.h>
92 #endif
93 
94 #ifdef HAVE_PTHREAD_IS_THREADED_NP
95 #include <pthread.h>
96 #endif
97 
98 #include "access/transam.h"
99 #include "access/xlog.h"
100 #include "bootstrap/bootstrap.h"
101 #include "catalog/pg_control.h"
102 #include "common/ip.h"
103 #include "lib/ilist.h"
104 #include "libpq/auth.h"
105 #include "libpq/libpq.h"
106 #include "libpq/pqsignal.h"
107 #include "miscadmin.h"
108 #include "pg_getopt.h"
109 #include "pgstat.h"
110 #include "postmaster/autovacuum.h"
112 #include "postmaster/fork_process.h"
113 #include "postmaster/pgarch.h"
114 #include "postmaster/postmaster.h"
115 #include "postmaster/syslogger.h"
117 #include "replication/walsender.h"
118 #include "storage/fd.h"
119 #include "storage/ipc.h"
120 #include "storage/pg_shmem.h"
121 #include "storage/pmsignal.h"
122 #include "storage/proc.h"
123 #include "tcop/tcopprot.h"
124 #include "utils/builtins.h"
125 #include "utils/datetime.h"
126 #include "utils/dynamic_loader.h"
127 #include "utils/memutils.h"
128 #include "utils/ps_status.h"
129 #include "utils/timeout.h"
130 #include "utils/varlena.h"
131 
132 #ifdef EXEC_BACKEND
133 #include "storage/spin.h"
134 #endif
135 
136 
137 /*
138  * Possible types of a backend. Beyond being the possible bkend_type values in
139  * struct bkend, these are OR-able request flag bits for SignalSomeChildren()
140  * and CountChildren().
141  */
142 #define BACKEND_TYPE_NORMAL 0x0001 /* normal backend */
143 #define BACKEND_TYPE_AUTOVAC 0x0002 /* autovacuum worker process */
144 #define BACKEND_TYPE_WALSND 0x0004 /* walsender process */
145 #define BACKEND_TYPE_BGWORKER 0x0008 /* bgworker process */
146 #define BACKEND_TYPE_ALL 0x000F /* OR of all the above */
147 
148 #define BACKEND_TYPE_WORKER (BACKEND_TYPE_AUTOVAC | BACKEND_TYPE_BGWORKER)
149 
150 /*
151  * List of active backends (or child processes anyway; we don't actually
152  * know whether a given child has become a backend or is still in the
153  * authorization phase). This is used mainly to keep track of how many
154  * children we have and send them appropriate signals when necessary.
155  *
156  * "Special" children such as the startup, bgwriter and autovacuum launcher
157  * tasks are not in this list. Autovacuum worker and walsender are in it.
158  * Also, "dead_end" children are in it: these are children launched just for
159  * the purpose of sending a friendly rejection message to a would-be client.
160  * We must track them because they are attached to shared memory, but we know
161  * they will never become live backends. dead_end children are not assigned a
162  * PMChildSlot.
163  *
164  * Background workers are in this list, too.
165  */
166 typedef struct bkend
167 {
168  pid_t pid; /* process id of backend */
169  int32 cancel_key; /* cancel key for cancels for this backend */
170  int child_slot; /* PMChildSlot for this backend, if any */
171 
172  /*
173  * Flavor of backend or auxiliary process. Note that BACKEND_TYPE_WALSND
174  * backends initially announce themselves as BACKEND_TYPE_NORMAL, so if
175  * bkend_type is normal, you should check for a recent transition.
176  */
178  bool dead_end; /* is it going to send an error and quit? */
179  bool bgworker_notify; /* gets bgworker start/stop notifications */
180  dlist_node elem; /* list link in BackendList */
181 } Backend;
182 
184 
185 #ifdef EXEC_BACKEND
186 static Backend *ShmemBackendArray;
187 #endif
188 
190 
191 
192 
193 /* The socket number we are listening for connections on */
195 
196 /* The directory names for Unix socket(s) */
198 
199 /* The TCP listen address(es) */
201 
202 /*
203  * ReservedBackends is the number of backends reserved for superuser use.
204  * This number is taken out of the pool size given by MaxBackends so
205  * number of backend slots available to non-superusers is
206  * (MaxBackends - ReservedBackends). Note what this really means is
207  * "if there are <= ReservedBackends connections available, only superusers
208  * can make new connections" --- pre-existing superuser connections don't
209  * count against the limit.
210  */
212 
213 /* The socket(s) we're listening to. */
214 #define MAXLISTEN 64
216 
217 /*
218  * Set by the -o option
219  */
220 static char ExtraOptions[MAXPGPATH];
221 
222 /*
223  * These globals control the behavior of the postmaster in case some
224  * backend dumps core. Normally, it kills all peers of the dead backend
225  * and reinitializes shared memory. By specifying -s or -n, we can have
226  * the postmaster stop (rather than kill) peers and not reinitialize
227  * shared data structures. (Reinit is currently dead code, though.)
228  */
229 static bool Reinit = true;
230 static int SendStop = false;
231 
232 /* still more option variables */
233 bool EnableSSL = false;
234 
235 int PreAuthDelay = 0;
237 
238 bool log_hostname; /* for ps display and logging */
239 bool Log_connections = false;
240 bool Db_user_namespace = false;
241 
242 bool enable_bonjour = false;
245 
246 /* PIDs of special child processes; 0 when not running */
247 static pid_t StartupPID = 0,
256 
257 /* Startup process's status */
258 typedef enum
259 {
262  STARTUP_SIGNALED, /* we sent it a SIGQUIT or SIGKILL */
265 
267 
268 /* Startup/shutdown state */
269 #define NoShutdown 0
270 #define SmartShutdown 1
271 #define FastShutdown 2
272 #define ImmediateShutdown 3
273 
274 static int Shutdown = NoShutdown;
275 
276 static bool FatalError = false; /* T if recovering from backend crash */
277 
278 /*
279  * We use a simple state machine to control startup, shutdown, and
280  * crash recovery (which is rather like shutdown followed by startup).
281  *
282  * After doing all the postmaster initialization work, we enter PM_STARTUP
283  * state and the startup process is launched. The startup process begins by
284  * reading the control file and other preliminary initialization steps.
285  * In a normal startup, or after crash recovery, the startup process exits
286  * with exit code 0 and we switch to PM_RUN state. However, archive recovery
287  * is handled specially since it takes much longer and we would like to support
288  * hot standby during archive recovery.
289  *
290  * When the startup process is ready to start archive recovery, it signals the
291  * postmaster, and we switch to PM_RECOVERY state. The background writer and
292  * checkpointer are launched, while the startup process continues applying WAL.
293  * If Hot Standby is enabled, then, after reaching a consistent point in WAL
294  * redo, startup process signals us again, and we switch to PM_HOT_STANDBY
295  * state and begin accepting connections to perform read-only queries. When
296  * archive recovery is finished, the startup process exits with exit code 0
297  * and we switch to PM_RUN state.
298  *
299  * Normal child backends can only be launched when we are in PM_RUN or
300  * PM_HOT_STANDBY state. (We also allow launch of normal
301  * child backends in PM_WAIT_BACKUP state, but only for superusers.)
302  * In other states we handle connection requests by launching "dead_end"
303  * child processes, which will simply send the client an error message and
304  * quit. (We track these in the BackendList so that we can know when they
305  * are all gone; this is important because they're still connected to shared
306  * memory, and would interfere with an attempt to destroy the shmem segment,
307  * possibly leading to SHMALL failure when we try to make a new one.)
308  * In PM_WAIT_DEAD_END state we are waiting for all the dead_end children
309  * to drain out of the system, and therefore stop accepting connection
310  * requests at all until the last existing child has quit (which hopefully
311  * will not be very long).
312  *
313  * Notice that this state variable does not distinguish *why* we entered
314  * states later than PM_RUN --- Shutdown and FatalError must be consulted
315  * to find that out. FatalError is never true in PM_RECOVERY_* or PM_RUN
316  * states, nor in PM_SHUTDOWN states (because we don't enter those states
317  * when trying to recover from a crash). It can be true in PM_STARTUP state,
318  * because we don't clear it until we've successfully started WAL redo.
319  */
320 typedef enum
321 {
322  PM_INIT, /* postmaster starting */
323  PM_STARTUP, /* waiting for startup subprocess */
324  PM_RECOVERY, /* in archive recovery mode */
325  PM_HOT_STANDBY, /* in hot standby mode */
326  PM_RUN, /* normal "database is alive" state */
327  PM_WAIT_BACKUP, /* waiting for online backup mode to end */
328  PM_WAIT_READONLY, /* waiting for read only backends to exit */
329  PM_WAIT_BACKENDS, /* waiting for live backends to exit */
330  PM_SHUTDOWN, /* waiting for checkpointer to do shutdown
331  * ckpt */
332  PM_SHUTDOWN_2, /* waiting for archiver and walsenders to
333  * finish */
334  PM_WAIT_DEAD_END, /* waiting for dead_end children to exit */
335  PM_NO_CHILDREN /* all important children have exited */
336 } PMState;
337 
339 
340 /* Start time of SIGKILL timeout during immediate shutdown or child crash */
341 /* Zero means timeout is not running */
342 static time_t AbortStartTime = 0;
343 
344 /* Length of said timeout */
345 #define SIGKILL_CHILDREN_AFTER_SECS 5
346 
347 static bool ReachedNormalRunning = false; /* T if we've reached PM_RUN */
348 
349 bool ClientAuthInProgress = false; /* T during new-client
350  * authentication */
351 
352 bool redirection_done = false; /* stderr redirected for syslogger? */
353 
354 /* received START_AUTOVAC_LAUNCHER signal */
355 static volatile sig_atomic_t start_autovac_launcher = false;
356 
357 /* the launcher needs to be signalled to communicate some condition */
358 static volatile bool avlauncher_needs_signal = false;
359 
360 /* received START_WALRECEIVER signal */
361 static volatile sig_atomic_t WalReceiverRequested = false;
362 
363 /* set when there's a worker that needs to be started up */
364 static volatile bool StartWorkerNeeded = true;
365 static volatile bool HaveCrashedWorker = false;
366 
367 #ifndef HAVE_STRONG_RANDOM
368 /*
369  * State for assigning cancel keys.
370  * Also, the global MyCancelKey passes the cancel key assigned to a given
371  * backend from the postmaster to that backend (via fork).
372  */
373 static unsigned int random_seed = 0;
374 static struct timeval random_start_time;
375 #endif
376 
377 #ifdef USE_SSL
378 /* Set when and if SSL has been initialized properly */
379 static bool LoadedSSL = false;
380 #endif
381 
382 #ifdef USE_BONJOUR
383 static DNSServiceRef bonjour_sdref = NULL;
384 #endif
385 
386 /*
387  * postmaster.c - function prototypes
388  */
389 static void CloseServerPorts(int status, Datum arg);
390 static void unlink_external_pid_file(int status, Datum arg);
391 static void getInstallationPaths(const char *argv0);
392 static void checkDataDir(void);
393 static Port *ConnCreate(int serverFd);
394 static void ConnFree(Port *port);
395 static void reset_shared(int port);
396 static void SIGHUP_handler(SIGNAL_ARGS);
397 static void pmdie(SIGNAL_ARGS);
398 static void reaper(SIGNAL_ARGS);
399 static void sigusr1_handler(SIGNAL_ARGS);
400 static void startup_die(SIGNAL_ARGS);
401 static void dummy_handler(SIGNAL_ARGS);
402 static void StartupPacketTimeoutHandler(void);
403 static void CleanupBackend(int pid, int exitstatus);
404 static bool CleanupBackgroundWorker(int pid, int exitstatus);
405 static void HandleChildCrash(int pid, int exitstatus, const char *procname);
406 static void LogChildExit(int lev, const char *procname,
407  int pid, int exitstatus);
408 static void PostmasterStateMachine(void);
409 static void BackendInitialize(Port *port);
410 static void BackendRun(Port *port) pg_attribute_noreturn();
411 static void ExitPostmaster(int status) pg_attribute_noreturn();
412 static int ServerLoop(void);
413 static int BackendStartup(Port *port);
414 static int ProcessStartupPacket(Port *port, bool SSLdone);
415 static void processCancelRequest(Port *port, void *pkt);
416 static int initMasks(fd_set *rmask);
417 static void report_fork_failure_to_client(Port *port, int errnum);
418 static CAC_state canAcceptConnections(void);
419 static bool RandomCancelKey(int32 *cancel_key);
420 static void signal_child(pid_t pid, int signal);
421 static bool SignalSomeChildren(int signal, int targets);
422 static void TerminateChildren(int signal);
423 
424 #define SignalChildren(sig) SignalSomeChildren(sig, BACKEND_TYPE_ALL)
425 
426 static int CountChildren(int target);
428 static void maybe_start_bgworkers(void);
429 static bool CreateOptsFile(int argc, char *argv[], char *fullprogname);
430 static pid_t StartChildProcess(AuxProcType type);
431 static void StartAutovacuumWorker(void);
432 static void MaybeStartWalReceiver(void);
433 static void InitPostmasterDeathWatchHandle(void);
434 
435 /*
436  * Archiver is allowed to start up at the current postmaster state?
437  *
438  * If WAL archiving is enabled always, we are allowed to start archiver
439  * even during recovery.
440  */
441 #define PgArchStartupAllowed() \
442  ((XLogArchivingActive() && pmState == PM_RUN) || \
443  (XLogArchivingAlways() && \
444  (pmState == PM_RECOVERY || pmState == PM_HOT_STANDBY)))
445 
446 #ifdef EXEC_BACKEND
447 
448 #ifdef WIN32
449 #define WNOHANG 0 /* ignored, so any integer value will do */
450 
451 static pid_t waitpid(pid_t pid, int *exitstatus, int options);
452 static void WINAPI pgwin32_deadchild_callback(PVOID lpParameter, BOOLEAN TimerOrWaitFired);
453 
454 static HANDLE win32ChildQueue;
455 
456 typedef struct
457 {
458  HANDLE waitHandle;
459  HANDLE procHandle;
460  DWORD procId;
461 } win32_deadchild_waitinfo;
462 #endif /* WIN32 */
463 
464 static pid_t backend_forkexec(Port *port);
465 static pid_t internal_forkexec(int argc, char *argv[], Port *port);
466 
467 /* Type for a socket that can be inherited to a client process */
468 #ifdef WIN32
469 typedef struct
470 {
471  SOCKET origsocket; /* Original socket value, or PGINVALID_SOCKET
472  * if not a socket */
473  WSAPROTOCOL_INFO wsainfo;
474 } InheritableSocket;
475 #else
476 typedef int InheritableSocket;
477 #endif
478 
479 /*
480  * Structure contains all variables passed to exec:ed backends
481  */
482 typedef struct
483 {
484  Port port;
485  InheritableSocket portsocket;
486  char DataDir[MAXPGPATH];
489  int MyPMChildSlot;
490 #ifndef WIN32
491  unsigned long UsedShmemSegID;
492 #else
493  HANDLE UsedShmemSegID;
494 #endif
495  void *UsedShmemSegAddr;
498  Backend *ShmemBackendArray;
499 #ifndef HAVE_SPINLOCKS
501 #endif
510  InheritableSocket pgStatSock;
511  pid_t PostmasterPid;
515  bool redirection_done;
516  bool IsBinaryUpgrade;
517  int max_safe_fds;
518  int MaxBackends;
519 #ifdef WIN32
520  HANDLE PostmasterHandle;
521  HANDLE initial_signal_pipe;
522  HANDLE syslogPipe[2];
523 #else
524  int postmaster_alive_fds[2];
525  int syslogPipe[2];
526 #endif
527  char my_exec_path[MAXPGPATH];
528  char pkglib_path[MAXPGPATH];
529  char ExtraOptions[MAXPGPATH];
530 } BackendParameters;
531 
532 static void read_backend_variables(char *id, Port *port);
533 static void restore_backend_variables(BackendParameters *param, Port *port);
534 
535 #ifndef WIN32
536 static bool save_backend_variables(BackendParameters *param, Port *port);
537 #else
538 static bool save_backend_variables(BackendParameters *param, Port *port,
539  HANDLE childProcess, pid_t childPid);
540 #endif
541 
542 static void ShmemBackendArrayAdd(Backend *bn);
543 static void ShmemBackendArrayRemove(Backend *bn);
544 #endif /* EXEC_BACKEND */
545 
546 #define StartupDataBase() StartChildProcess(StartupProcess)
547 #define StartBackgroundWriter() StartChildProcess(BgWriterProcess)
548 #define StartCheckpointer() StartChildProcess(CheckpointerProcess)
549 #define StartWalWriter() StartChildProcess(WalWriterProcess)
550 #define StartWalReceiver() StartChildProcess(WalReceiverProcess)
551 
552 /* Macros to check exit status of a child process */
553 #define EXIT_STATUS_0(st) ((st) == 0)
554 #define EXIT_STATUS_1(st) (WIFEXITED(st) && WEXITSTATUS(st) == 1)
555 #define EXIT_STATUS_3(st) (WIFEXITED(st) && WEXITSTATUS(st) == 3)
556 
557 #ifndef WIN32
558 /*
559  * File descriptors for pipe used to monitor if postmaster is alive.
560  * First is POSTMASTER_FD_WATCH, second is POSTMASTER_FD_OWN.
561  */
562 int postmaster_alive_fds[2] = {-1, -1};
563 #else
564 /* Process handle of postmaster used for the same purpose on Windows */
565 HANDLE PostmasterHandle;
566 #endif
567 
568 /*
569  * Postmaster main entry point
570  */
571 void
572 PostmasterMain(int argc, char *argv[])
573 {
574  int opt;
575  int status;
576  char *userDoption = NULL;
577  bool listen_addr_saved = false;
578  int i;
579  char *output_config_variable = NULL;
580 
581  MyProcPid = PostmasterPid = getpid();
582 
583  MyStartTime = time(NULL);
584 
586 
587  /*
588  * for security, no dir or file created can be group or other accessible
589  */
590  umask(S_IRWXG | S_IRWXO);
591 
592  /*
593  * Initialize random(3) so we don't get the same values in every run.
594  *
595  * Note: the seed is pretty predictable from externally-visible facts such
596  * as postmaster start time, so avoid using random() for security-critical
597  * random values during postmaster startup. At the time of first
598  * connection, PostmasterRandom will select a hopefully-more-random seed.
599  */
600  srandom((unsigned int) (MyProcPid ^ MyStartTime));
601 
602  /*
603  * By default, palloc() requests in the postmaster will be allocated in
604  * the PostmasterContext, which is space that can be recycled by backends.
605  * Allocated data that needs to be available to backends should be
606  * allocated in TopMemoryContext.
607  */
609  "Postmaster",
612 
613  /* Initialize paths to installation files */
614  getInstallationPaths(argv[0]);
615 
616  /*
617  * Set up signal handlers for the postmaster process.
618  *
619  * In the postmaster, we want to install non-ignored handlers *without*
620  * SA_RESTART. This is because they'll be blocked at all times except
621  * when ServerLoop is waiting for something to happen, and during that
622  * window, we want signals to exit the select(2) wait so that ServerLoop
623  * can respond if anything interesting happened. On some platforms,
624  * signals marked SA_RESTART would not cause the select() wait to end.
625  * Child processes will generally want SA_RESTART, but we expect them to
626  * set up their own handlers before unblocking signals.
627  *
628  * CAUTION: when changing this list, check for side-effects on the signal
629  * handling setup of child processes. See tcop/postgres.c,
630  * bootstrap/bootstrap.c, postmaster/bgwriter.c, postmaster/walwriter.c,
631  * postmaster/autovacuum.c, postmaster/pgarch.c, postmaster/pgstat.c,
632  * postmaster/syslogger.c, postmaster/bgworker.c and
633  * postmaster/checkpointer.c.
634  */
635  pqinitmask();
637 
638  pqsignal_no_restart(SIGHUP, SIGHUP_handler); /* reread config file and
639  * have children do same */
640  pqsignal_no_restart(SIGINT, pmdie); /* send SIGTERM and shut down */
641  pqsignal_no_restart(SIGQUIT, pmdie); /* send SIGQUIT and die */
642  pqsignal_no_restart(SIGTERM, pmdie); /* wait for children and shut down */
643  pqsignal(SIGALRM, SIG_IGN); /* ignored */
644  pqsignal(SIGPIPE, SIG_IGN); /* ignored */
645  pqsignal_no_restart(SIGUSR1, sigusr1_handler); /* message from child
646  * process */
647  pqsignal_no_restart(SIGUSR2, dummy_handler); /* unused, reserve for
648  * children */
649  pqsignal_no_restart(SIGCHLD, reaper); /* handle child termination */
650  pqsignal(SIGTTIN, SIG_IGN); /* ignored */
651  pqsignal(SIGTTOU, SIG_IGN); /* ignored */
652  /* ignore SIGXFSZ, so that ulimit violations work like disk full */
653 #ifdef SIGXFSZ
654  pqsignal(SIGXFSZ, SIG_IGN); /* ignored */
655 #endif
656 
657  /*
658  * Options setup
659  */
661 
662  opterr = 1;
663 
664  /*
665  * Parse command-line options. CAUTION: keep this in sync with
666  * tcop/postgres.c (the option sets should not conflict) and with the
667  * common help() function in main/main.c.
668  */
669  while ((opt = getopt(argc, argv, "B:bc:C:D:d:EeFf:h:ijk:lN:nOo:Pp:r:S:sTt:W:-:")) != -1)
670  {
671  switch (opt)
672  {
673  case 'B':
674  SetConfigOption("shared_buffers", optarg, PGC_POSTMASTER, PGC_S_ARGV);
675  break;
676 
677  case 'b':
678  /* Undocumented flag used for binary upgrades */
679  IsBinaryUpgrade = true;
680  break;
681 
682  case 'C':
683  output_config_variable = strdup(optarg);
684  break;
685 
686  case 'D':
687  userDoption = strdup(optarg);
688  break;
689 
690  case 'd':
692  break;
693 
694  case 'E':
695  SetConfigOption("log_statement", "all", PGC_POSTMASTER, PGC_S_ARGV);
696  break;
697 
698  case 'e':
699  SetConfigOption("datestyle", "euro", PGC_POSTMASTER, PGC_S_ARGV);
700  break;
701 
702  case 'F':
703  SetConfigOption("fsync", "false", PGC_POSTMASTER, PGC_S_ARGV);
704  break;
705 
706  case 'f':
708  {
709  write_stderr("%s: invalid argument for option -f: \"%s\"\n",
710  progname, optarg);
711  ExitPostmaster(1);
712  }
713  break;
714 
715  case 'h':
716  SetConfigOption("listen_addresses", optarg, PGC_POSTMASTER, PGC_S_ARGV);
717  break;
718 
719  case 'i':
720  SetConfigOption("listen_addresses", "*", PGC_POSTMASTER, PGC_S_ARGV);
721  break;
722 
723  case 'j':
724  /* only used by interactive backend */
725  break;
726 
727  case 'k':
728  SetConfigOption("unix_socket_directories", optarg, PGC_POSTMASTER, PGC_S_ARGV);
729  break;
730 
731  case 'l':
732  SetConfigOption("ssl", "true", PGC_POSTMASTER, PGC_S_ARGV);
733  break;
734 
735  case 'N':
736  SetConfigOption("max_connections", optarg, PGC_POSTMASTER, PGC_S_ARGV);
737  break;
738 
739  case 'n':
740  /* Don't reinit shared mem after abnormal exit */
741  Reinit = false;
742  break;
743 
744  case 'O':
745  SetConfigOption("allow_system_table_mods", "true", PGC_POSTMASTER, PGC_S_ARGV);
746  break;
747 
748  case 'o':
749  /* Other options to pass to the backend on the command line */
751  sizeof(ExtraOptions) - strlen(ExtraOptions),
752  " %s", optarg);
753  break;
754 
755  case 'P':
756  SetConfigOption("ignore_system_indexes", "true", PGC_POSTMASTER, PGC_S_ARGV);
757  break;
758 
759  case 'p':
761  break;
762 
763  case 'r':
764  /* only used by single-user backend */
765  break;
766 
767  case 'S':
769  break;
770 
771  case 's':
772  SetConfigOption("log_statement_stats", "true", PGC_POSTMASTER, PGC_S_ARGV);
773  break;
774 
775  case 'T':
776 
777  /*
778  * In the event that some backend dumps core, send SIGSTOP,
779  * rather than SIGQUIT, to all its peers. This lets the wily
780  * post_hacker collect core dumps from everyone.
781  */
782  SendStop = true;
783  break;
784 
785  case 't':
786  {
787  const char *tmp = get_stats_option_name(optarg);
788 
789  if (tmp)
790  {
792  }
793  else
794  {
795  write_stderr("%s: invalid argument for option -t: \"%s\"\n",
796  progname, optarg);
797  ExitPostmaster(1);
798  }
799  break;
800  }
801 
802  case 'W':
803  SetConfigOption("post_auth_delay", optarg, PGC_POSTMASTER, PGC_S_ARGV);
804  break;
805 
806  case 'c':
807  case '-':
808  {
809  char *name,
810  *value;
811 
812  ParseLongOption(optarg, &name, &value);
813  if (!value)
814  {
815  if (opt == '-')
816  ereport(ERROR,
817  (errcode(ERRCODE_SYNTAX_ERROR),
818  errmsg("--%s requires a value",
819  optarg)));
820  else
821  ereport(ERROR,
822  (errcode(ERRCODE_SYNTAX_ERROR),
823  errmsg("-c %s requires a value",
824  optarg)));
825  }
826 
828  free(name);
829  if (value)
830  free(value);
831  break;
832  }
833 
834  default:
835  write_stderr("Try \"%s --help\" for more information.\n",
836  progname);
837  ExitPostmaster(1);
838  }
839  }
840 
841  /*
842  * Postmaster accepts no non-option switch arguments.
843  */
844  if (optind < argc)
845  {
846  write_stderr("%s: invalid argument: \"%s\"\n",
847  progname, argv[optind]);
848  write_stderr("Try \"%s --help\" for more information.\n",
849  progname);
850  ExitPostmaster(1);
851  }
852 
853  /*
854  * Locate the proper configuration files and data directory, and read
855  * postgresql.conf for the first time.
856  */
857  if (!SelectConfigFiles(userDoption, progname))
858  ExitPostmaster(2);
859 
860  if (output_config_variable != NULL)
861  {
862  /*
863  * "-C guc" was specified, so print GUC's value and exit. No extra
864  * permission check is needed because the user is reading inside the
865  * data dir.
866  */
867  const char *config_val = GetConfigOption(output_config_variable,
868  false, false);
869 
870  puts(config_val ? config_val : "");
871  ExitPostmaster(0);
872  }
873 
874  /* Verify that DataDir looks reasonable */
875  checkDataDir();
876 
877  /* And switch working directory into it */
878  ChangeToDataDir();
879 
880  /*
881  * Check for invalid combinations of GUC settings.
882  */
884  {
885  write_stderr("%s: superuser_reserved_connections must be less than max_connections\n", progname);
886  ExitPostmaster(1);
887  }
889  {
890  write_stderr("%s: max_wal_senders must be less than max_connections\n", progname);
891  ExitPostmaster(1);
892  }
894  ereport(ERROR,
895  (errmsg("WAL archival cannot be enabled when wal_level is \"minimal\"")));
897  ereport(ERROR,
898  (errmsg("WAL streaming (max_wal_senders > 0) requires wal_level \"replica\" or \"logical\"")));
899 
900  /*
901  * Other one-time internal sanity checks can go here, if they are fast.
902  * (Put any slow processing further down, after postmaster.pid creation.)
903  */
904  if (!CheckDateTokenTables())
905  {
906  write_stderr("%s: invalid datetoken tables, please fix\n", progname);
907  ExitPostmaster(1);
908  }
909 
910  /*
911  * Now that we are done processing the postmaster arguments, reset
912  * getopt(3) library so that it will work correctly in subprocesses.
913  */
914  optind = 1;
915 #ifdef HAVE_INT_OPTRESET
916  optreset = 1; /* some systems need this too */
917 #endif
918 
919  /* For debugging: display postmaster environment */
920  {
921  extern char **environ;
922  char **p;
923 
924  ereport(DEBUG3,
925  (errmsg_internal("%s: PostmasterMain: initial environment dump:",
926  progname)));
927  ereport(DEBUG3,
928  (errmsg_internal("-----------------------------------------")));
929  for (p = environ; *p; ++p)
930  ereport(DEBUG3,
931  (errmsg_internal("\t%s", *p)));
932  ereport(DEBUG3,
933  (errmsg_internal("-----------------------------------------")));
934  }
935 
936  /*
937  * Create lockfile for data directory.
938  *
939  * We want to do this before we try to grab the input sockets, because the
940  * data directory interlock is more reliable than the socket-file
941  * interlock (thanks to whoever decided to put socket files in /tmp :-().
942  * For the same reason, it's best to grab the TCP socket(s) before the
943  * Unix socket(s).
944  *
945  * Also note that this internally sets up the on_proc_exit function that
946  * is responsible for removing both data directory and socket lockfiles;
947  * so it must happen before opening sockets so that at exit, the socket
948  * lockfiles go away after CloseServerPorts runs.
949  */
950  CreateDataDirLockFile(true);
951 
952  /*
953  * Initialize SSL library, if specified.
954  */
955 #ifdef USE_SSL
956  if (EnableSSL)
957  {
958  (void) secure_initialize(true);
959  LoadedSSL = true;
960  }
961 #endif
962 
963  /*
964  * Register the apply launcher. Since it registers a background worker,
965  * it needs to be called before InitializeMaxBackends(), and it's probably
966  * a good idea to call it before any modules had chance to take the
967  * background worker slots.
968  */
970 
971  /*
972  * process any libraries that should be preloaded at postmaster start
973  */
975 
976  /*
977  * Now that loadable modules have had their chance to register background
978  * workers, calculate MaxBackends.
979  */
981 
982  /*
983  * Establish input sockets.
984  *
985  * First, mark them all closed, and set up an on_proc_exit function that's
986  * charged with closing the sockets again at postmaster shutdown.
987  */
988  for (i = 0; i < MAXLISTEN; i++)
990 
992 
993  if (ListenAddresses)
994  {
995  char *rawstring;
996  List *elemlist;
997  ListCell *l;
998  int success = 0;
999 
1000  /* Need a modifiable copy of ListenAddresses */
1001  rawstring = pstrdup(ListenAddresses);
1002 
1003  /* Parse string into list of hostnames */
1004  if (!SplitIdentifierString(rawstring, ',', &elemlist))
1005  {
1006  /* syntax error in list */
1007  ereport(FATAL,
1008  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1009  errmsg("invalid list syntax in parameter \"%s\"",
1010  "listen_addresses")));
1011  }
1012 
1013  foreach(l, elemlist)
1014  {
1015  char *curhost = (char *) lfirst(l);
1016 
1017  if (strcmp(curhost, "*") == 0)
1018  status = StreamServerPort(AF_UNSPEC, NULL,
1019  (unsigned short) PostPortNumber,
1020  NULL,
1022  else
1023  status = StreamServerPort(AF_UNSPEC, curhost,
1024  (unsigned short) PostPortNumber,
1025  NULL,
1026  ListenSocket, MAXLISTEN);
1027 
1028  if (status == STATUS_OK)
1029  {
1030  success++;
1031  /* record the first successful host addr in lockfile */
1032  if (!listen_addr_saved)
1033  {
1035  listen_addr_saved = true;
1036  }
1037  }
1038  else
1039  ereport(WARNING,
1040  (errmsg("could not create listen socket for \"%s\"",
1041  curhost)));
1042  }
1043 
1044  if (!success && elemlist != NIL)
1045  ereport(FATAL,
1046  (errmsg("could not create any TCP/IP sockets")));
1047 
1048  list_free(elemlist);
1049  pfree(rawstring);
1050  }
1051 
1052 #ifdef USE_BONJOUR
1053  /* Register for Bonjour only if we opened TCP socket(s) */
1055  {
1056  DNSServiceErrorType err;
1057 
1058  /*
1059  * We pass 0 for interface_index, which will result in registering on
1060  * all "applicable" interfaces. It's not entirely clear from the
1061  * DNS-SD docs whether this would be appropriate if we have bound to
1062  * just a subset of the available network interfaces.
1063  */
1064  err = DNSServiceRegister(&bonjour_sdref,
1065  0,
1066  0,
1067  bonjour_name,
1068  "_postgresql._tcp.",
1069  NULL,
1070  NULL,
1071  htons(PostPortNumber),
1072  0,
1073  NULL,
1074  NULL,
1075  NULL);
1076  if (err != kDNSServiceErr_NoError)
1077  elog(LOG, "DNSServiceRegister() failed: error code %ld",
1078  (long) err);
1079 
1080  /*
1081  * We don't bother to read the mDNS daemon's reply, and we expect that
1082  * it will automatically terminate our registration when the socket is
1083  * closed at postmaster termination. So there's nothing more to be
1084  * done here. However, the bonjour_sdref is kept around so that
1085  * forked children can close their copies of the socket.
1086  */
1087  }
1088 #endif
1089 
1090 #ifdef HAVE_UNIX_SOCKETS
1092  {
1093  char *rawstring;
1094  List *elemlist;
1095  ListCell *l;
1096  int success = 0;
1097 
1098  /* Need a modifiable copy of Unix_socket_directories */
1099  rawstring = pstrdup(Unix_socket_directories);
1100 
1101  /* Parse string into list of directories */
1102  if (!SplitDirectoriesString(rawstring, ',', &elemlist))
1103  {
1104  /* syntax error in list */
1105  ereport(FATAL,
1106  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1107  errmsg("invalid list syntax in parameter \"%s\"",
1108  "unix_socket_directories")));
1109  }
1110 
1111  foreach(l, elemlist)
1112  {
1113  char *socketdir = (char *) lfirst(l);
1114 
1115  status = StreamServerPort(AF_UNIX, NULL,
1116  (unsigned short) PostPortNumber,
1117  socketdir,
1118  ListenSocket, MAXLISTEN);
1119 
1120  if (status == STATUS_OK)
1121  {
1122  success++;
1123  /* record the first successful Unix socket in lockfile */
1124  if (success == 1)
1126  }
1127  else
1128  ereport(WARNING,
1129  (errmsg("could not create Unix-domain socket in directory \"%s\"",
1130  socketdir)));
1131  }
1132 
1133  if (!success && elemlist != NIL)
1134  ereport(FATAL,
1135  (errmsg("could not create any Unix-domain sockets")));
1136 
1137  list_free_deep(elemlist);
1138  pfree(rawstring);
1139  }
1140 #endif
1141 
1142  /*
1143  * check that we have some socket to listen on
1144  */
1145  if (ListenSocket[0] == PGINVALID_SOCKET)
1146  ereport(FATAL,
1147  (errmsg("no socket created for listening")));
1148 
1149  /*
1150  * If no valid TCP ports, write an empty line for listen address,
1151  * indicating the Unix socket must be used. Note that this line is not
1152  * added to the lock file until there is a socket backing it.
1153  */
1154  if (!listen_addr_saved)
1156 
1157  /*
1158  * Set up shared memory and semaphores.
1159  */
1161 
1162  /*
1163  * Estimate number of openable files. This must happen after setting up
1164  * semaphores, because on some platforms semaphores count as open files.
1165  */
1166  set_max_safe_fds();
1167 
1168  /*
1169  * Set reference point for stack-depth checking.
1170  */
1171  set_stack_base();
1172 
1173  /*
1174  * Initialize pipe (or process handle on Windows) that allows children to
1175  * wake up from sleep on postmaster death.
1176  */
1178 
1179 #ifdef WIN32
1180 
1181  /*
1182  * Initialize I/O completion port used to deliver list of dead children.
1183  */
1184  win32ChildQueue = CreateIoCompletionPort(INVALID_HANDLE_VALUE, NULL, 0, 1);
1185  if (win32ChildQueue == NULL)
1186  ereport(FATAL,
1187  (errmsg("could not create I/O completion port for child queue")));
1188 #endif
1189 
1190  /*
1191  * Record postmaster options. We delay this till now to avoid recording
1192  * bogus options (eg, NBuffers too high for available memory).
1193  */
1194  if (!CreateOptsFile(argc, argv, my_exec_path))
1195  ExitPostmaster(1);
1196 
1197 #ifdef EXEC_BACKEND
1198  /* Write out nondefault GUC settings for child processes to use */
1199  write_nondefault_variables(PGC_POSTMASTER);
1200 #endif
1201 
1202  /*
1203  * Write the external PID file if requested
1204  */
1205  if (external_pid_file)
1206  {
1207  FILE *fpidfile = fopen(external_pid_file, "w");
1208 
1209  if (fpidfile)
1210  {
1211  fprintf(fpidfile, "%d\n", MyProcPid);
1212  fclose(fpidfile);
1213 
1214  /* Make PID file world readable */
1215  if (chmod(external_pid_file, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) != 0)
1216  write_stderr("%s: could not change permissions of external PID file \"%s\": %s\n",
1218  }
1219  else
1220  write_stderr("%s: could not write external PID file \"%s\": %s\n",
1222 
1224  }
1225 
1226  /*
1227  * Remove old temporary files. At this point there can be no other
1228  * Postgres processes running in this directory, so this should be safe.
1229  */
1231 
1232  /*
1233  * Forcibly remove the files signaling a standby promotion request.
1234  * Otherwise, the existence of those files triggers a promotion too early,
1235  * whether a user wants that or not.
1236  *
1237  * This removal of files is usually unnecessary because they can exist
1238  * only during a few moments during a standby promotion. However there is
1239  * a race condition: if pg_ctl promote is executed and creates the files
1240  * during a promotion, the files can stay around even after the server is
1241  * brought up to new master. Then, if new standby starts by using the
1242  * backup taken from that master, the files can exist at the server
1243  * startup and should be removed in order to avoid an unexpected
1244  * promotion.
1245  *
1246  * Note that promotion signal files need to be removed before the startup
1247  * process is invoked. Because, after that, they can be used by
1248  * postmaster's SIGUSR1 signal handler.
1249  */
1251 
1252  /* Remove any outdated file holding the current log filenames. */
1253  if (unlink(LOG_METAINFO_DATAFILE) < 0 && errno != ENOENT)
1254  ereport(LOG,
1256  errmsg("could not remove file \"%s\": %m",
1258 
1259  /*
1260  * If enabled, start up syslogger collection subprocess
1261  */
1263 
1264  /*
1265  * Reset whereToSendOutput from DestDebug (its starting state) to
1266  * DestNone. This stops ereport from sending log messages to stderr unless
1267  * Log_destination permits. We don't do this until the postmaster is
1268  * fully launched, since startup failures may as well be reported to
1269  * stderr.
1270  *
1271  * If we are in fact disabling logging to stderr, first emit a log message
1272  * saying so, to provide a breadcrumb trail for users who may not remember
1273  * that their logging is configured to go somewhere else.
1274  */
1276  ereport(LOG,
1277  (errmsg("ending log output to stderr"),
1278  errhint("Future log output will go to log destination \"%s\".",
1280 
1282 
1283  /*
1284  * Initialize stats collection subsystem (this does NOT start the
1285  * collector process!)
1286  */
1287  pgstat_init();
1288 
1289  /*
1290  * Initialize the autovacuum subsystem (again, no process start yet)
1291  */
1292  autovac_init();
1293 
1294  /*
1295  * Load configuration files for client authentication.
1296  */
1297  if (!load_hba())
1298  {
1299  /*
1300  * It makes no sense to continue if we fail to load the HBA file,
1301  * since there is no way to connect to the database in this case.
1302  */
1303  ereport(FATAL,
1304  (errmsg("could not load pg_hba.conf")));
1305  }
1306  if (!load_ident())
1307  {
1308  /*
1309  * We can start up without the IDENT file, although it means that you
1310  * cannot log in using any of the authentication methods that need a
1311  * user name mapping. load_ident() already logged the details of error
1312  * to the log.
1313  */
1314  }
1315 
1316 #ifdef HAVE_PTHREAD_IS_THREADED_NP
1317 
1318  /*
1319  * On macOS, libintl replaces setlocale() with a version that calls
1320  * CFLocaleCopyCurrent() when its second argument is "" and every relevant
1321  * environment variable is unset or empty. CFLocaleCopyCurrent() makes
1322  * the process multithreaded. The postmaster calls sigprocmask() and
1323  * calls fork() without an immediate exec(), both of which have undefined
1324  * behavior in a multithreaded program. A multithreaded postmaster is the
1325  * normal case on Windows, which offers neither fork() nor sigprocmask().
1326  */
1327  if (pthread_is_threaded_np() != 0)
1328  ereport(FATAL,
1329  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1330  errmsg("postmaster became multithreaded during startup"),
1331  errhint("Set the LC_ALL environment variable to a valid locale.")));
1332 #endif
1333 
1334  /*
1335  * Remember postmaster startup time
1336  */
1338 #ifndef HAVE_STRONG_RANDOM
1339  /* RandomCancelKey wants its own copy */
1341 #endif
1342 
1343  /*
1344  * We're ready to rock and roll...
1345  */
1347  Assert(StartupPID != 0);
1349  pmState = PM_STARTUP;
1350 
1351  /* Some workers may be scheduled to start now */
1353 
1354  status = ServerLoop();
1355 
1356  /*
1357  * ServerLoop probably shouldn't ever return, but if it does, close down.
1358  */
1359  ExitPostmaster(status != STATUS_OK);
1360 
1361  abort(); /* not reached */
1362 }
1363 
1364 
1365 /*
1366  * on_proc_exit callback to close server's listen sockets
1367  */
1368 static void
1370 {
1371  int i;
1372 
1373  /*
1374  * First, explicitly close all the socket FDs. We used to just let this
1375  * happen implicitly at postmaster exit, but it's better to close them
1376  * before we remove the postmaster.pid lockfile; otherwise there's a race
1377  * condition if a new postmaster wants to re-use the TCP port number.
1378  */
1379  for (i = 0; i < MAXLISTEN; i++)
1380  {
1381  if (ListenSocket[i] != PGINVALID_SOCKET)
1382  {
1385  }
1386  }
1387 
1388  /*
1389  * Next, remove any filesystem entries for Unix sockets. To avoid race
1390  * conditions against incoming postmasters, this must happen after closing
1391  * the sockets and before removing lock files.
1392  */
1394 
1395  /*
1396  * We don't do anything about socket lock files here; those will be
1397  * removed in a later on_proc_exit callback.
1398  */
1399 }
1400 
1401 /*
1402  * on_proc_exit callback to delete external_pid_file
1403  */
1404 static void
1406 {
1407  if (external_pid_file)
1409 }
1410 
1411 
1412 /*
1413  * Compute and check the directory paths to files that are part of the
1414  * installation (as deduced from the postgres executable's own location)
1415  */
1416 static void
1418 {
1419  DIR *pdir;
1420 
1421  /* Locate the postgres executable itself */
1422  if (find_my_exec(argv0, my_exec_path) < 0)
1423  elog(FATAL, "%s: could not locate my own executable path", argv0);
1424 
1425 #ifdef EXEC_BACKEND
1426  /* Locate executable backend before we change working directory */
1427  if (find_other_exec(argv0, "postgres", PG_BACKEND_VERSIONSTR,
1428  postgres_exec_path) < 0)
1429  ereport(FATAL,
1430  (errmsg("%s: could not locate matching postgres executable",
1431  argv0)));
1432 #endif
1433 
1434  /*
1435  * Locate the pkglib directory --- this has to be set early in case we try
1436  * to load any modules from it in response to postgresql.conf entries.
1437  */
1439 
1440  /*
1441  * Verify that there's a readable directory there; otherwise the Postgres
1442  * installation is incomplete or corrupt. (A typical cause of this
1443  * failure is that the postgres executable has been moved or hardlinked to
1444  * some directory that's not a sibling of the installation lib/
1445  * directory.)
1446  */
1447  pdir = AllocateDir(pkglib_path);
1448  if (pdir == NULL)
1449  ereport(ERROR,
1451  errmsg("could not open directory \"%s\": %m",
1452  pkglib_path),
1453  errhint("This may indicate an incomplete PostgreSQL installation, or that the file \"%s\" has been moved away from its proper location.",
1454  my_exec_path)));
1455  FreeDir(pdir);
1456 
1457  /*
1458  * XXX is it worth similarly checking the share/ directory? If the lib/
1459  * directory is there, then share/ probably is too.
1460  */
1461 }
1462 
1463 
1464 /*
1465  * Validate the proposed data directory
1466  */
1467 static void
1469 {
1470  char path[MAXPGPATH];
1471  FILE *fp;
1472  struct stat stat_buf;
1473 
1474  Assert(DataDir);
1475 
1476  if (stat(DataDir, &stat_buf) != 0)
1477  {
1478  if (errno == ENOENT)
1479  ereport(FATAL,
1481  errmsg("data directory \"%s\" does not exist",
1482  DataDir)));
1483  else
1484  ereport(FATAL,
1486  errmsg("could not read permissions of directory \"%s\": %m",
1487  DataDir)));
1488  }
1489 
1490  /* eventual chdir would fail anyway, but let's test ... */
1491  if (!S_ISDIR(stat_buf.st_mode))
1492  ereport(FATAL,
1493  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1494  errmsg("specified data directory \"%s\" is not a directory",
1495  DataDir)));
1496 
1497  /*
1498  * Check that the directory belongs to my userid; if not, reject.
1499  *
1500  * This check is an essential part of the interlock that prevents two
1501  * postmasters from starting in the same directory (see CreateLockFile()).
1502  * Do not remove or weaken it.
1503  *
1504  * XXX can we safely enable this check on Windows?
1505  */
1506 #if !defined(WIN32) && !defined(__CYGWIN__)
1507  if (stat_buf.st_uid != geteuid())
1508  ereport(FATAL,
1509  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1510  errmsg("data directory \"%s\" has wrong ownership",
1511  DataDir),
1512  errhint("The server must be started by the user that owns the data directory.")));
1513 #endif
1514 
1515  /*
1516  * Check if the directory has group or world access. If so, reject.
1517  *
1518  * It would be possible to allow weaker constraints (for example, allow
1519  * group access) but we cannot make a general assumption that that is
1520  * okay; for example there are platforms where nearly all users
1521  * customarily belong to the same group. Perhaps this test should be
1522  * configurable.
1523  *
1524  * XXX temporarily suppress check when on Windows, because there may not
1525  * be proper support for Unix-y file permissions. Need to think of a
1526  * reasonable check to apply on Windows.
1527  */
1528 #if !defined(WIN32) && !defined(__CYGWIN__)
1529  if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))
1530  ereport(FATAL,
1531  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1532  errmsg("data directory \"%s\" has group or world access",
1533  DataDir),
1534  errdetail("Permissions should be u=rwx (0700).")));
1535 #endif
1536 
1537  /* Look for PG_VERSION before looking for pg_control */
1539 
1540  snprintf(path, sizeof(path), "%s/global/pg_control", DataDir);
1541 
1542  fp = AllocateFile(path, PG_BINARY_R);
1543  if (fp == NULL)
1544  {
1545  write_stderr("%s: could not find the database system\n"
1546  "Expected to find it in the directory \"%s\",\n"
1547  "but could not open file \"%s\": %s\n",
1548  progname, DataDir, path, strerror(errno));
1549  ExitPostmaster(2);
1550  }
1551  FreeFile(fp);
1552 }
1553 
1554 /*
1555  * Determine how long should we let ServerLoop sleep.
1556  *
1557  * In normal conditions we wait at most one minute, to ensure that the other
1558  * background tasks handled by ServerLoop get done even when no requests are
1559  * arriving. However, if there are background workers waiting to be started,
1560  * we don't actually sleep so that they are quickly serviced. Other exception
1561  * cases are as shown in the code.
1562  */
1563 static void
1564 DetermineSleepTime(struct timeval *timeout)
1565 {
1566  TimestampTz next_wakeup = 0;
1567 
1568  /*
1569  * Normal case: either there are no background workers at all, or we're in
1570  * a shutdown sequence (during which we ignore bgworkers altogether).
1571  */
1572  if (Shutdown > NoShutdown ||
1574  {
1575  if (AbortStartTime != 0)
1576  {
1577  /* time left to abort; clamp to 0 in case it already expired */
1578  timeout->tv_sec = SIGKILL_CHILDREN_AFTER_SECS -
1579  (time(NULL) - AbortStartTime);
1580  timeout->tv_sec = Max(timeout->tv_sec, 0);
1581  timeout->tv_usec = 0;
1582  }
1583  else
1584  {
1585  timeout->tv_sec = 60;
1586  timeout->tv_usec = 0;
1587  }
1588  return;
1589  }
1590 
1591  if (StartWorkerNeeded)
1592  {
1593  timeout->tv_sec = 0;
1594  timeout->tv_usec = 0;
1595  return;
1596  }
1597 
1598  if (HaveCrashedWorker)
1599  {
1600  slist_mutable_iter siter;
1601 
1602  /*
1603  * When there are crashed bgworkers, we sleep just long enough that
1604  * they are restarted when they request to be. Scan the list to
1605  * determine the minimum of all wakeup times according to most recent
1606  * crash time and requested restart interval.
1607  */
1609  {
1610  RegisteredBgWorker *rw;
1611  TimestampTz this_wakeup;
1612 
1613  rw = slist_container(RegisteredBgWorker, rw_lnode, siter.cur);
1614 
1615  if (rw->rw_crashed_at == 0)
1616  continue;
1617 
1619  || rw->rw_terminate)
1620  {
1621  ForgetBackgroundWorker(&siter);
1622  continue;
1623  }
1624 
1625  this_wakeup = TimestampTzPlusMilliseconds(rw->rw_crashed_at,
1626  1000L * rw->rw_worker.bgw_restart_time);
1627  if (next_wakeup == 0 || this_wakeup < next_wakeup)
1628  next_wakeup = this_wakeup;
1629  }
1630  }
1631 
1632  if (next_wakeup != 0)
1633  {
1634  long secs;
1635  int microsecs;
1636 
1638  &secs, &microsecs);
1639  timeout->tv_sec = secs;
1640  timeout->tv_usec = microsecs;
1641 
1642  /* Ensure we don't exceed one minute */
1643  if (timeout->tv_sec > 60)
1644  {
1645  timeout->tv_sec = 60;
1646  timeout->tv_usec = 0;
1647  }
1648  }
1649  else
1650  {
1651  timeout->tv_sec = 60;
1652  timeout->tv_usec = 0;
1653  }
1654 }
1655 
1656 /*
1657  * Main idle loop of postmaster
1658  *
1659  * NB: Needs to be called with signals blocked
1660  */
1661 static int
1663 {
1664  fd_set readmask;
1665  int nSockets;
1666  time_t last_lockfile_recheck_time,
1667  last_touch_time;
1668 
1669  last_lockfile_recheck_time = last_touch_time = time(NULL);
1670 
1671  nSockets = initMasks(&readmask);
1672 
1673  for (;;)
1674  {
1675  fd_set rmask;
1676  int selres;
1677  time_t now;
1678 
1679  /*
1680  * Wait for a connection request to arrive.
1681  *
1682  * We block all signals except while sleeping. That makes it safe for
1683  * signal handlers, which again block all signals while executing, to
1684  * do nontrivial work.
1685  *
1686  * If we are in PM_WAIT_DEAD_END state, then we don't want to accept
1687  * any new connections, so we don't call select(), and just sleep.
1688  */
1689  memcpy((char *) &rmask, (char *) &readmask, sizeof(fd_set));
1690 
1691  if (pmState == PM_WAIT_DEAD_END)
1692  {
1694 
1695  pg_usleep(100000L); /* 100 msec seems reasonable */
1696  selres = 0;
1697 
1698  PG_SETMASK(&BlockSig);
1699  }
1700  else
1701  {
1702  /* must set timeout each time; some OSes change it! */
1703  struct timeval timeout;
1704 
1705  /* Needs to run with blocked signals! */
1706  DetermineSleepTime(&timeout);
1707 
1709 
1710  selres = select(nSockets, &rmask, NULL, NULL, &timeout);
1711 
1712  PG_SETMASK(&BlockSig);
1713  }
1714 
1715  /* Now check the select() result */
1716  if (selres < 0)
1717  {
1718  if (errno != EINTR && errno != EWOULDBLOCK)
1719  {
1720  ereport(LOG,
1722  errmsg("select() failed in postmaster: %m")));
1723  return STATUS_ERROR;
1724  }
1725  }
1726 
1727  /*
1728  * New connection pending on any of our sockets? If so, fork a child
1729  * process to deal with it.
1730  */
1731  if (selres > 0)
1732  {
1733  int i;
1734 
1735  for (i = 0; i < MAXLISTEN; i++)
1736  {
1737  if (ListenSocket[i] == PGINVALID_SOCKET)
1738  break;
1739  if (FD_ISSET(ListenSocket[i], &rmask))
1740  {
1741  Port *port;
1742 
1743  port = ConnCreate(ListenSocket[i]);
1744  if (port)
1745  {
1746  BackendStartup(port);
1747 
1748  /*
1749  * We no longer need the open socket or port structure
1750  * in this process
1751  */
1752  StreamClose(port->sock);
1753  ConnFree(port);
1754  }
1755  }
1756  }
1757  }
1758 
1759  /* If we have lost the log collector, try to start a new one */
1760  if (SysLoggerPID == 0 && Logging_collector)
1762 
1763  /*
1764  * If no background writer process is running, and we are not in a
1765  * state that prevents it, start one. It doesn't matter if this
1766  * fails, we'll just try again later. Likewise for the checkpointer.
1767  */
1768  if (pmState == PM_RUN || pmState == PM_RECOVERY ||
1770  {
1771  if (CheckpointerPID == 0)
1773  if (BgWriterPID == 0)
1775  }
1776 
1777  /*
1778  * Likewise, if we have lost the walwriter process, try to start a new
1779  * one. But this is needed only in normal operation (else we cannot
1780  * be writing any new WAL).
1781  */
1782  if (WalWriterPID == 0 && pmState == PM_RUN)
1784 
1785  /*
1786  * If we have lost the autovacuum launcher, try to start a new one. We
1787  * don't want autovacuum to run in binary upgrade mode because
1788  * autovacuum might update relfrozenxid for empty tables before the
1789  * physical files are put in place.
1790  */
1791  if (!IsBinaryUpgrade && AutoVacPID == 0 &&
1793  pmState == PM_RUN)
1794  {
1796  if (AutoVacPID != 0)
1797  start_autovac_launcher = false; /* signal processed */
1798  }
1799 
1800  /* If we have lost the stats collector, try to start a new one */
1801  if (PgStatPID == 0 &&
1802  (pmState == PM_RUN || pmState == PM_HOT_STANDBY))
1803  PgStatPID = pgstat_start();
1804 
1805  /* If we have lost the archiver, try to start a new one. */
1806  if (PgArchPID == 0 && PgArchStartupAllowed())
1807  PgArchPID = pgarch_start();
1808 
1809  /* If we need to signal the autovacuum launcher, do so now */
1811  {
1812  avlauncher_needs_signal = false;
1813  if (AutoVacPID != 0)
1814  kill(AutoVacPID, SIGUSR2);
1815  }
1816 
1817  /* If we need to start a WAL receiver, try to do that now */
1820 
1821  /* Get other worker processes running, if needed */
1824 
1825 #ifdef HAVE_PTHREAD_IS_THREADED_NP
1826 
1827  /*
1828  * With assertions enabled, check regularly for appearance of
1829  * additional threads. All builds check at start and exit.
1830  */
1831  Assert(pthread_is_threaded_np() == 0);
1832 #endif
1833 
1834  /*
1835  * Lastly, check to see if it's time to do some things that we don't
1836  * want to do every single time through the loop, because they're a
1837  * bit expensive. Note that there's up to a minute of slop in when
1838  * these tasks will be performed, since DetermineSleepTime() will let
1839  * us sleep at most that long; except for SIGKILL timeout which has
1840  * special-case logic there.
1841  */
1842  now = time(NULL);
1843 
1844  /*
1845  * If we already sent SIGQUIT to children and they are slow to shut
1846  * down, it's time to send them SIGKILL. This doesn't happen
1847  * normally, but under certain conditions backends can get stuck while
1848  * shutting down. This is a last measure to get them unwedged.
1849  *
1850  * Note we also do this during recovery from a process crash.
1851  */
1852  if ((Shutdown >= ImmediateShutdown || (FatalError && !SendStop)) &&
1853  AbortStartTime != 0 &&
1855  {
1856  /* We were gentle with them before. Not anymore */
1858  /* reset flag so we don't SIGKILL again */
1859  AbortStartTime = 0;
1860  }
1861 
1862  /*
1863  * Once a minute, verify that postmaster.pid hasn't been removed or
1864  * overwritten. If it has, we force a shutdown. This avoids having
1865  * postmasters and child processes hanging around after their database
1866  * is gone, and maybe causing problems if a new database cluster is
1867  * created in the same place. It also provides some protection
1868  * against a DBA foolishly removing postmaster.pid and manually
1869  * starting a new postmaster. Data corruption is likely to ensue from
1870  * that anyway, but we can minimize the damage by aborting ASAP.
1871  */
1872  if (now - last_lockfile_recheck_time >= 1 * SECS_PER_MINUTE)
1873  {
1874  if (!RecheckDataDirLockFile())
1875  {
1876  ereport(LOG,
1877  (errmsg("performing immediate shutdown because data directory lock file is invalid")));
1878  kill(MyProcPid, SIGQUIT);
1879  }
1880  last_lockfile_recheck_time = now;
1881  }
1882 
1883  /*
1884  * Touch Unix socket and lock files every 58 minutes, to ensure that
1885  * they are not removed by overzealous /tmp-cleaning tasks. We assume
1886  * no one runs cleaners with cutoff times of less than an hour ...
1887  */
1888  if (now - last_touch_time >= 58 * SECS_PER_MINUTE)
1889  {
1890  TouchSocketFiles();
1892  last_touch_time = now;
1893  }
1894  }
1895 }
1896 
1897 /*
1898  * Initialise the masks for select() for the ports we are listening on.
1899  * Return the number of sockets to listen on.
1900  */
1901 static int
1902 initMasks(fd_set *rmask)
1903 {
1904  int maxsock = -1;
1905  int i;
1906 
1907  FD_ZERO(rmask);
1908 
1909  for (i = 0; i < MAXLISTEN; i++)
1910  {
1911  int fd = ListenSocket[i];
1912 
1913  if (fd == PGINVALID_SOCKET)
1914  break;
1915  FD_SET(fd, rmask);
1916 
1917  if (fd > maxsock)
1918  maxsock = fd;
1919  }
1920 
1921  return maxsock + 1;
1922 }
1923 
1924 
1925 /*
1926  * Read a client's startup packet and do something according to it.
1927  *
1928  * Returns STATUS_OK or STATUS_ERROR, or might call ereport(FATAL) and
1929  * not return at all.
1930  *
1931  * (Note that ereport(FATAL) stuff is sent to the client, so only use it
1932  * if that's what you want. Return STATUS_ERROR if you don't want to
1933  * send anything to the client, which would typically be appropriate
1934  * if we detect a communications failure.)
1935  */
1936 static int
1938 {
1939  int32 len;
1940  void *buf;
1941  ProtocolVersion proto;
1942  MemoryContext oldcontext;
1943 
1944  pq_startmsgread();
1945  if (pq_getbytes((char *) &len, 4) == EOF)
1946  {
1947  /*
1948  * EOF after SSLdone probably means the client didn't like our
1949  * response to NEGOTIATE_SSL_CODE. That's not an error condition, so
1950  * don't clutter the log with a complaint.
1951  */
1952  if (!SSLdone)
1954  (errcode(ERRCODE_PROTOCOL_VIOLATION),
1955  errmsg("incomplete startup packet")));
1956  return STATUS_ERROR;
1957  }
1958 
1959  len = ntohl(len);
1960  len -= 4;
1961 
1962  if (len < (int32) sizeof(ProtocolVersion) ||
1964  {
1966  (errcode(ERRCODE_PROTOCOL_VIOLATION),
1967  errmsg("invalid length of startup packet")));
1968  return STATUS_ERROR;
1969  }
1970 
1971  /*
1972  * Allocate at least the size of an old-style startup packet, plus one
1973  * extra byte, and make sure all are zeroes. This ensures we will have
1974  * null termination of all strings, in both fixed- and variable-length
1975  * packet layouts.
1976  */
1977  if (len <= (int32) sizeof(StartupPacket))
1978  buf = palloc0(sizeof(StartupPacket) + 1);
1979  else
1980  buf = palloc0(len + 1);
1981 
1982  if (pq_getbytes(buf, len) == EOF)
1983  {
1985  (errcode(ERRCODE_PROTOCOL_VIOLATION),
1986  errmsg("incomplete startup packet")));
1987  return STATUS_ERROR;
1988  }
1989  pq_endmsgread();
1990 
1991  /*
1992  * The first field is either a protocol version number or a special
1993  * request code.
1994  */
1995  port->proto = proto = ntohl(*((ProtocolVersion *) buf));
1996 
1997  if (proto == CANCEL_REQUEST_CODE)
1998  {
1999  processCancelRequest(port, buf);
2000  /* Not really an error, but we don't want to proceed further */
2001  return STATUS_ERROR;
2002  }
2003 
2004  if (proto == NEGOTIATE_SSL_CODE && !SSLdone)
2005  {
2006  char SSLok;
2007 
2008 #ifdef USE_SSL
2009  /* No SSL when disabled or on Unix sockets */
2010  if (!LoadedSSL || IS_AF_UNIX(port->laddr.addr.ss_family))
2011  SSLok = 'N';
2012  else
2013  SSLok = 'S'; /* Support for SSL */
2014 #else
2015  SSLok = 'N'; /* No support for SSL */
2016 #endif
2017 
2018 retry1:
2019  if (send(port->sock, &SSLok, 1, 0) != 1)
2020  {
2021  if (errno == EINTR)
2022  goto retry1; /* if interrupted, just retry */
2025  errmsg("failed to send SSL negotiation response: %m")));
2026  return STATUS_ERROR; /* close the connection */
2027  }
2028 
2029 #ifdef USE_SSL
2030  if (SSLok == 'S' && secure_open_server(port) == -1)
2031  return STATUS_ERROR;
2032 #endif
2033  /* regular startup packet, cancel, etc packet should follow... */
2034  /* but not another SSL negotiation request */
2035  return ProcessStartupPacket(port, true);
2036  }
2037 
2038  /* Could add additional special packet types here */
2039 
2040  /*
2041  * Set FrontendProtocol now so that ereport() knows what format to send if
2042  * we fail during startup.
2043  */
2044  FrontendProtocol = proto;
2045 
2046  /* Check we can handle the protocol the frontend is using. */
2047 
2052  ereport(FATAL,
2053  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2054  errmsg("unsupported frontend protocol %u.%u: server supports %u.0 to %u.%u",
2055  PG_PROTOCOL_MAJOR(proto), PG_PROTOCOL_MINOR(proto),
2059 
2060  /*
2061  * Now fetch parameters out of startup packet and save them into the Port
2062  * structure. All data structures attached to the Port struct must be
2063  * allocated in TopMemoryContext so that they will remain available in a
2064  * running backend (even after PostmasterContext is destroyed). We need
2065  * not worry about leaking this storage on failure, since we aren't in the
2066  * postmaster process anymore.
2067  */
2069 
2070  if (PG_PROTOCOL_MAJOR(proto) >= 3)
2071  {
2072  int32 offset = sizeof(ProtocolVersion);
2073 
2074  /*
2075  * Scan packet body for name/option pairs. We can assume any string
2076  * beginning within the packet body is null-terminated, thanks to
2077  * zeroing extra byte above.
2078  */
2079  port->guc_options = NIL;
2080 
2081  while (offset < len)
2082  {
2083  char *nameptr = ((char *) buf) + offset;
2084  int32 valoffset;
2085  char *valptr;
2086 
2087  if (*nameptr == '\0')
2088  break; /* found packet terminator */
2089  valoffset = offset + strlen(nameptr) + 1;
2090  if (valoffset >= len)
2091  break; /* missing value, will complain below */
2092  valptr = ((char *) buf) + valoffset;
2093 
2094  if (strcmp(nameptr, "database") == 0)
2095  port->database_name = pstrdup(valptr);
2096  else if (strcmp(nameptr, "user") == 0)
2097  port->user_name = pstrdup(valptr);
2098  else if (strcmp(nameptr, "options") == 0)
2099  port->cmdline_options = pstrdup(valptr);
2100  else if (strcmp(nameptr, "replication") == 0)
2101  {
2102  /*
2103  * Due to backward compatibility concerns the replication
2104  * parameter is a hybrid beast which allows the value to be
2105  * either boolean or the string 'database'. The latter
2106  * connects to a specific database which is e.g. required for
2107  * logical decoding while.
2108  */
2109  if (strcmp(valptr, "database") == 0)
2110  {
2111  am_walsender = true;
2112  am_db_walsender = true;
2113  }
2114  else if (!parse_bool(valptr, &am_walsender))
2115  ereport(FATAL,
2116  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
2117  errmsg("invalid value for parameter \"%s\": \"%s\"",
2118  "replication",
2119  valptr),
2120  errhint("Valid values are: \"false\", 0, \"true\", 1, \"database\".")));
2121  }
2122  else
2123  {
2124  /* Assume it's a generic GUC option */
2125  port->guc_options = lappend(port->guc_options,
2126  pstrdup(nameptr));
2127  port->guc_options = lappend(port->guc_options,
2128  pstrdup(valptr));
2129  }
2130  offset = valoffset + strlen(valptr) + 1;
2131  }
2132 
2133  /*
2134  * If we didn't find a packet terminator exactly at the end of the
2135  * given packet length, complain.
2136  */
2137  if (offset != len - 1)
2138  ereport(FATAL,
2139  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2140  errmsg("invalid startup packet layout: expected terminator as last byte")));
2141  }
2142  else
2143  {
2144  /*
2145  * Get the parameters from the old-style, fixed-width-fields startup
2146  * packet as C strings. The packet destination was cleared first so a
2147  * short packet has zeros silently added. We have to be prepared to
2148  * truncate the pstrdup result for oversize fields, though.
2149  */
2150  StartupPacket *packet = (StartupPacket *) buf;
2151 
2152  port->database_name = pstrdup(packet->database);
2153  if (strlen(port->database_name) > sizeof(packet->database))
2154  port->database_name[sizeof(packet->database)] = '\0';
2155  port->user_name = pstrdup(packet->user);
2156  if (strlen(port->user_name) > sizeof(packet->user))
2157  port->user_name[sizeof(packet->user)] = '\0';
2158  port->cmdline_options = pstrdup(packet->options);
2159  if (strlen(port->cmdline_options) > sizeof(packet->options))
2160  port->cmdline_options[sizeof(packet->options)] = '\0';
2161  port->guc_options = NIL;
2162  }
2163 
2164  /* Check a user name was given. */
2165  if (port->user_name == NULL || port->user_name[0] == '\0')
2166  ereport(FATAL,
2167  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
2168  errmsg("no PostgreSQL user name specified in startup packet")));
2169 
2170  /* The database defaults to the user name. */
2171  if (port->database_name == NULL || port->database_name[0] == '\0')
2172  port->database_name = pstrdup(port->user_name);
2173 
2174  if (Db_user_namespace)
2175  {
2176  /*
2177  * If user@, it is a global user, remove '@'. We only want to do this
2178  * if there is an '@' at the end and no earlier in the user string or
2179  * they may fake as a local user of another database attaching to this
2180  * database.
2181  */
2182  if (strchr(port->user_name, '@') ==
2183  port->user_name + strlen(port->user_name) - 1)
2184  *strchr(port->user_name, '@') = '\0';
2185  else
2186  {
2187  /* Append '@' and dbname */
2188  port->user_name = psprintf("%s@%s", port->user_name, port->database_name);
2189  }
2190  }
2191 
2192  /*
2193  * Truncate given database and user names to length of a Postgres name.
2194  * This avoids lookup failures when overlength names are given.
2195  */
2196  if (strlen(port->database_name) >= NAMEDATALEN)
2197  port->database_name[NAMEDATALEN - 1] = '\0';
2198  if (strlen(port->user_name) >= NAMEDATALEN)
2199  port->user_name[NAMEDATALEN - 1] = '\0';
2200 
2201  /*
2202  * Normal walsender backends, e.g. for streaming replication, are not
2203  * connected to a particular database. But walsenders used for logical
2204  * replication need to connect to a specific database. We allow streaming
2205  * replication commands to be issued even if connected to a database as it
2206  * can make sense to first make a basebackup and then stream changes
2207  * starting from that.
2208  */
2209  if (am_walsender && !am_db_walsender)
2210  port->database_name[0] = '\0';
2211 
2212  /*
2213  * Done putting stuff in TopMemoryContext.
2214  */
2215  MemoryContextSwitchTo(oldcontext);
2216 
2217  /*
2218  * If we're going to reject the connection due to database state, say so
2219  * now instead of wasting cycles on an authentication exchange. (This also
2220  * allows a pg_ping utility to be written.)
2221  */
2222  switch (port->canAcceptConnections)
2223  {
2224  case CAC_STARTUP:
2225  ereport(FATAL,
2227  errmsg("the database system is starting up")));
2228  break;
2229  case CAC_SHUTDOWN:
2230  ereport(FATAL,
2232  errmsg("the database system is shutting down")));
2233  break;
2234  case CAC_RECOVERY:
2235  ereport(FATAL,
2237  errmsg("the database system is in recovery mode")));
2238  break;
2239  case CAC_TOOMANY:
2240  ereport(FATAL,
2241  (errcode(ERRCODE_TOO_MANY_CONNECTIONS),
2242  errmsg("sorry, too many clients already")));
2243  break;
2244  case CAC_WAITBACKUP:
2245  /* OK for now, will check in InitPostgres */
2246  break;
2247  case CAC_OK:
2248  break;
2249  }
2250 
2251  return STATUS_OK;
2252 }
2253 
2254 
2255 /*
2256  * The client has sent a cancel request packet, not a normal
2257  * start-a-new-connection packet. Perform the necessary processing.
2258  * Nothing is sent back to the client.
2259  */
2260 static void
2262 {
2263  CancelRequestPacket *canc = (CancelRequestPacket *) pkt;
2264  int backendPID;
2265  int32 cancelAuthCode;
2266  Backend *bp;
2267 
2268 #ifndef EXEC_BACKEND
2269  dlist_iter iter;
2270 #else
2271  int i;
2272 #endif
2273 
2274  backendPID = (int) ntohl(canc->backendPID);
2275  cancelAuthCode = (int32) ntohl(canc->cancelAuthCode);
2276 
2277  /*
2278  * See if we have a matching backend. In the EXEC_BACKEND case, we can no
2279  * longer access the postmaster's own backend list, and must rely on the
2280  * duplicate array in shared memory.
2281  */
2282 #ifndef EXEC_BACKEND
2283  dlist_foreach(iter, &BackendList)
2284  {
2285  bp = dlist_container(Backend, elem, iter.cur);
2286 #else
2287  for (i = MaxLivePostmasterChildren() - 1; i >= 0; i--)
2288  {
2289  bp = (Backend *) &ShmemBackendArray[i];
2290 #endif
2291  if (bp->pid == backendPID)
2292  {
2293  if (bp->cancel_key == cancelAuthCode)
2294  {
2295  /* Found a match; signal that backend to cancel current op */
2296  ereport(DEBUG2,
2297  (errmsg_internal("processing cancel request: sending SIGINT to process %d",
2298  backendPID)));
2299  signal_child(bp->pid, SIGINT);
2300  }
2301  else
2302  /* Right PID, wrong key: no way, Jose */
2303  ereport(LOG,
2304  (errmsg("wrong key in cancel request for process %d",
2305  backendPID)));
2306  return;
2307  }
2308  }
2309 
2310  /* No matching backend */
2311  ereport(LOG,
2312  (errmsg("PID %d in cancel request did not match any process",
2313  backendPID)));
2314 }
2315 
2316 /*
2317  * canAcceptConnections --- check to see if database state allows connections.
2318  */
2319 static CAC_state
2321 {
2323 
2324  /*
2325  * Can't start backends when in startup/shutdown/inconsistent recovery
2326  * state.
2327  *
2328  * In state PM_WAIT_BACKUP only superusers can connect (this must be
2329  * allowed so that a superuser can end online backup mode); we return
2330  * CAC_WAITBACKUP code to indicate that this must be checked later. Note
2331  * that neither CAC_OK nor CAC_WAITBACKUP can safely be returned until we
2332  * have checked for too many children.
2333  */
2334  if (pmState != PM_RUN)
2335  {
2336  if (pmState == PM_WAIT_BACKUP)
2337  result = CAC_WAITBACKUP; /* allow superusers only */
2338  else if (Shutdown > NoShutdown)
2339  return CAC_SHUTDOWN; /* shutdown is pending */
2340  else if (!FatalError &&
2341  (pmState == PM_STARTUP ||
2342  pmState == PM_RECOVERY))
2343  return CAC_STARTUP; /* normal startup */
2344  else if (!FatalError &&
2346  result = CAC_OK; /* connection OK during hot standby */
2347  else
2348  return CAC_RECOVERY; /* else must be crash recovery */
2349  }
2350 
2351  /*
2352  * Don't start too many children.
2353  *
2354  * We allow more connections than we can have backends here because some
2355  * might still be authenticating; they might fail auth, or some existing
2356  * backend might exit before the auth cycle is completed. The exact
2357  * MaxBackends limit is enforced when a new backend tries to join the
2358  * shared-inval backend array.
2359  *
2360  * The limit here must match the sizes of the per-child-process arrays;
2361  * see comments for MaxLivePostmasterChildren().
2362  */
2364  result = CAC_TOOMANY;
2365 
2366  return result;
2367 }
2368 
2369 
2370 /*
2371  * ConnCreate -- create a local connection data structure
2372  *
2373  * Returns NULL on failure, other than out-of-memory which is fatal.
2374  */
2375 static Port *
2376 ConnCreate(int serverFd)
2377 {
2378  Port *port;
2379 
2380  if (!(port = (Port *) calloc(1, sizeof(Port))))
2381  {
2382  ereport(LOG,
2383  (errcode(ERRCODE_OUT_OF_MEMORY),
2384  errmsg("out of memory")));
2385  ExitPostmaster(1);
2386  }
2387 
2388  if (StreamConnection(serverFd, port) != STATUS_OK)
2389  {
2390  if (port->sock != PGINVALID_SOCKET)
2391  StreamClose(port->sock);
2392  ConnFree(port);
2393  return NULL;
2394  }
2395 
2396  /*
2397  * Allocate GSSAPI specific state struct
2398  */
2399 #ifndef EXEC_BACKEND
2400 #if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
2401  port->gss = (pg_gssinfo *) calloc(1, sizeof(pg_gssinfo));
2402  if (!port->gss)
2403  {
2404  ereport(LOG,
2405  (errcode(ERRCODE_OUT_OF_MEMORY),
2406  errmsg("out of memory")));
2407  ExitPostmaster(1);
2408  }
2409 #endif
2410 #endif
2411 
2412  return port;
2413 }
2414 
2415 
2416 /*
2417  * ConnFree -- free a local connection data structure
2418  */
2419 static void
2421 {
2422 #ifdef USE_SSL
2423  secure_close(conn);
2424 #endif
2425  if (conn->gss)
2426  free(conn->gss);
2427  free(conn);
2428 }
2429 
2430 
2431 /*
2432  * ClosePostmasterPorts -- close all the postmaster's open sockets
2433  *
2434  * This is called during child process startup to release file descriptors
2435  * that are not needed by that child process. The postmaster still has
2436  * them open, of course.
2437  *
2438  * Note: we pass am_syslogger as a boolean because we don't want to set
2439  * the global variable yet when this is called.
2440  */
2441 void
2443 {
2444  int i;
2445 
2446 #ifndef WIN32
2447 
2448  /*
2449  * Close the write end of postmaster death watch pipe. It's important to
2450  * do this as early as possible, so that if postmaster dies, others won't
2451  * think that it's still running because we're holding the pipe open.
2452  */
2454  ereport(FATAL,
2456  errmsg_internal("could not close postmaster death monitoring pipe in child process: %m")));
2458 #endif
2459 
2460  /* Close the listen sockets */
2461  for (i = 0; i < MAXLISTEN; i++)
2462  {
2463  if (ListenSocket[i] != PGINVALID_SOCKET)
2464  {
2467  }
2468  }
2469 
2470  /* If using syslogger, close the read side of the pipe */
2471  if (!am_syslogger)
2472  {
2473 #ifndef WIN32
2474  if (syslogPipe[0] >= 0)
2475  close(syslogPipe[0]);
2476  syslogPipe[0] = -1;
2477 #else
2478  if (syslogPipe[0])
2479  CloseHandle(syslogPipe[0]);
2480  syslogPipe[0] = 0;
2481 #endif
2482  }
2483 
2484 #ifdef USE_BONJOUR
2485  /* If using Bonjour, close the connection to the mDNS daemon */
2486  if (bonjour_sdref)
2487  close(DNSServiceRefSockFD(bonjour_sdref));
2488 #endif
2489 }
2490 
2491 
2492 /*
2493  * reset_shared -- reset shared memory and semaphores
2494  */
2495 static void
2496 reset_shared(int port)
2497 {
2498  /*
2499  * Create or re-create shared memory and semaphores.
2500  *
2501  * Note: in each "cycle of life" we will normally assign the same IPC keys
2502  * (if using SysV shmem and/or semas), since the port number is used to
2503  * determine IPC keys. This helps ensure that we will clean up dead IPC
2504  * objects if the postmaster crashes and is restarted.
2505  */
2506  CreateSharedMemoryAndSemaphores(false, port);
2507 }
2508 
2509 
2510 /*
2511  * SIGHUP -- reread config files, and tell children to do same
2512  */
2513 static void
2515 {
2516  int save_errno = errno;
2517 
2518  PG_SETMASK(&BlockSig);
2519 
2520  if (Shutdown <= SmartShutdown)
2521  {
2522  ereport(LOG,
2523  (errmsg("received SIGHUP, reloading configuration files")));
2526  if (StartupPID != 0)
2528  if (BgWriterPID != 0)
2530  if (CheckpointerPID != 0)
2532  if (WalWriterPID != 0)
2534  if (WalReceiverPID != 0)
2536  if (AutoVacPID != 0)
2538  if (PgArchPID != 0)
2540  if (SysLoggerPID != 0)
2542  if (PgStatPID != 0)
2544 
2545  /* Reload authentication config files too */
2546  if (!load_hba())
2547  ereport(LOG,
2548  (errmsg("pg_hba.conf was not reloaded")));
2549 
2550  if (!load_ident())
2551  ereport(LOG,
2552  (errmsg("pg_ident.conf was not reloaded")));
2553 
2554 #ifdef USE_SSL
2555  /* Reload SSL configuration as well */
2556  if (EnableSSL)
2557  {
2558  if (secure_initialize(false) == 0)
2559  LoadedSSL = true;
2560  else
2561  ereport(LOG,
2562  (errmsg("SSL configuration was not reloaded")));
2563  }
2564  else
2565  {
2566  secure_destroy();
2567  LoadedSSL = false;
2568  }
2569 #endif
2570 
2571 #ifdef EXEC_BACKEND
2572  /* Update the starting-point file for future children */
2573  write_nondefault_variables(PGC_SIGHUP);
2574 #endif
2575  }
2576 
2578 
2579  errno = save_errno;
2580 }
2581 
2582 
2583 /*
2584  * pmdie -- signal handler for processing various postmaster signals.
2585  */
2586 static void
2588 {
2589  int save_errno = errno;
2590 
2591  PG_SETMASK(&BlockSig);
2592 
2593  ereport(DEBUG2,
2594  (errmsg_internal("postmaster received signal %d",
2595  postgres_signal_arg)));
2596 
2597  switch (postgres_signal_arg)
2598  {
2599  case SIGTERM:
2600 
2601  /*
2602  * Smart Shutdown:
2603  *
2604  * Wait for children to end their work, then shut down.
2605  */
2606  if (Shutdown >= SmartShutdown)
2607  break;
2609  ereport(LOG,
2610  (errmsg("received smart shutdown request")));
2611 #ifdef USE_SYSTEMD
2612  sd_notify(0, "STOPPING=1");
2613 #endif
2614 
2615  if (pmState == PM_RUN || pmState == PM_RECOVERY ||
2617  {
2618  /* autovac workers are told to shut down immediately */
2619  /* and bgworkers too; does this need tweaking? */
2620  SignalSomeChildren(SIGTERM,
2622  /* and the autovac launcher too */
2623  if (AutoVacPID != 0)
2624  signal_child(AutoVacPID, SIGTERM);
2625  /* and the bgwriter too */
2626  if (BgWriterPID != 0)
2627  signal_child(BgWriterPID, SIGTERM);
2628  /* and the walwriter too */
2629  if (WalWriterPID != 0)
2630  signal_child(WalWriterPID, SIGTERM);
2631 
2632  /*
2633  * If we're in recovery, we can't kill the startup process
2634  * right away, because at present doing so does not release
2635  * its locks. We might want to change this in a future
2636  * release. For the time being, the PM_WAIT_READONLY state
2637  * indicates that we're waiting for the regular (read only)
2638  * backends to die off; once they do, we'll kill the startup
2639  * and walreceiver processes.
2640  */
2641  pmState = (pmState == PM_RUN) ?
2643  }
2644 
2645  /*
2646  * Now wait for online backup mode to end and backends to exit. If
2647  * that is already the case, PostmasterStateMachine will take the
2648  * next step.
2649  */
2651  break;
2652 
2653  case SIGINT:
2654 
2655  /*
2656  * Fast Shutdown:
2657  *
2658  * Abort all children with SIGTERM (rollback active transactions
2659  * and exit) and shut down when they are gone.
2660  */
2661  if (Shutdown >= FastShutdown)
2662  break;
2664  ereport(LOG,
2665  (errmsg("received fast shutdown request")));
2666 #ifdef USE_SYSTEMD
2667  sd_notify(0, "STOPPING=1");
2668 #endif
2669 
2670  if (StartupPID != 0)
2671  signal_child(StartupPID, SIGTERM);
2672  if (BgWriterPID != 0)
2673  signal_child(BgWriterPID, SIGTERM);
2674  if (WalReceiverPID != 0)
2675  signal_child(WalReceiverPID, SIGTERM);
2676  if (pmState == PM_RECOVERY)
2677  {
2679 
2680  /*
2681  * Only startup, bgwriter, walreceiver, possibly bgworkers,
2682  * and/or checkpointer should be active in this state; we just
2683  * signaled the first four, and we don't want to kill
2684  * checkpointer yet.
2685  */
2687  }
2688  else if (pmState == PM_RUN ||
2689  pmState == PM_WAIT_BACKUP ||
2693  {
2694  ereport(LOG,
2695  (errmsg("aborting any active transactions")));
2696  /* shut down all backends and workers */
2697  SignalSomeChildren(SIGTERM,
2700  /* and the autovac launcher too */
2701  if (AutoVacPID != 0)
2702  signal_child(AutoVacPID, SIGTERM);
2703  /* and the walwriter too */
2704  if (WalWriterPID != 0)
2705  signal_child(WalWriterPID, SIGTERM);
2707  }
2708 
2709  /*
2710  * Now wait for backends to exit. If there are none,
2711  * PostmasterStateMachine will take the next step.
2712  */
2714  break;
2715 
2716  case SIGQUIT:
2717 
2718  /*
2719  * Immediate Shutdown:
2720  *
2721  * abort all children with SIGQUIT, wait for them to exit,
2722  * terminate remaining ones with SIGKILL, then exit without
2723  * attempt to properly shut down the data base system.
2724  */
2725  if (Shutdown >= ImmediateShutdown)
2726  break;
2728  ereport(LOG,
2729  (errmsg("received immediate shutdown request")));
2730 #ifdef USE_SYSTEMD
2731  sd_notify(0, "STOPPING=1");
2732 #endif
2733 
2736 
2737  /* set stopwatch for them to die */
2738  AbortStartTime = time(NULL);
2739 
2740  /*
2741  * Now wait for backends to exit. If there are none,
2742  * PostmasterStateMachine will take the next step.
2743  */
2745  break;
2746  }
2747 
2749 
2750  errno = save_errno;
2751 }
2752 
2753 /*
2754  * Reaper -- signal handler to cleanup after a child process dies.
2755  */
2756 static void
2758 {
2759  int save_errno = errno;
2760  int pid; /* process id of dead child process */
2761  int exitstatus; /* its exit status */
2762 
2763  PG_SETMASK(&BlockSig);
2764 
2765  ereport(DEBUG4,
2766  (errmsg_internal("reaping dead processes")));
2767 
2768  while ((pid = waitpid(-1, &exitstatus, WNOHANG)) > 0)
2769  {
2770  /*
2771  * Check if this child was a startup process.
2772  */
2773  if (pid == StartupPID)
2774  {
2775  StartupPID = 0;
2776 
2777  /*
2778  * Startup process exited in response to a shutdown request (or it
2779  * completed normally regardless of the shutdown request).
2780  */
2781  if (Shutdown > NoShutdown &&
2782  (EXIT_STATUS_0(exitstatus) || EXIT_STATUS_1(exitstatus)))
2783  {
2786  /* PostmasterStateMachine logic does the rest */
2787  continue;
2788  }
2789 
2790  if (EXIT_STATUS_3(exitstatus))
2791  {
2792  ereport(LOG,
2793  (errmsg("shutdown at recovery target")));
2796  TerminateChildren(SIGTERM);
2798  /* PostmasterStateMachine logic does the rest */
2799  continue;
2800  }
2801 
2802  /*
2803  * Unexpected exit of startup process (including FATAL exit)
2804  * during PM_STARTUP is treated as catastrophic. There are no
2805  * other processes running yet, so we can just exit.
2806  */
2807  if (pmState == PM_STARTUP && !EXIT_STATUS_0(exitstatus))
2808  {
2809  LogChildExit(LOG, _("startup process"),
2810  pid, exitstatus);
2811  ereport(LOG,
2812  (errmsg("aborting startup due to startup process failure")));
2813  ExitPostmaster(1);
2814  }
2815 
2816  /*
2817  * After PM_STARTUP, any unexpected exit (including FATAL exit) of
2818  * the startup process is catastrophic, so kill other children,
2819  * and set StartupStatus so we don't try to reinitialize after
2820  * they're gone. Exception: if StartupStatus is STARTUP_SIGNALED,
2821  * then we previously sent the startup process a SIGQUIT; so
2822  * that's probably the reason it died, and we do want to try to
2823  * restart in that case.
2824  */
2825  if (!EXIT_STATUS_0(exitstatus))
2826  {
2829  else
2831  HandleChildCrash(pid, exitstatus,
2832  _("startup process"));
2833  continue;
2834  }
2835 
2836  /*
2837  * Startup succeeded, commence normal operations
2838  */
2840  FatalError = false;
2841  Assert(AbortStartTime == 0);
2842  ReachedNormalRunning = true;
2843  pmState = PM_RUN;
2844 
2845  /*
2846  * Crank up the background tasks, if we didn't do that already
2847  * when we entered consistent recovery state. It doesn't matter
2848  * if this fails, we'll just try again later.
2849  */
2850  if (CheckpointerPID == 0)
2852  if (BgWriterPID == 0)
2854  if (WalWriterPID == 0)
2856 
2857  /*
2858  * Likewise, start other special children as needed. In a restart
2859  * situation, some of them may be alive already.
2860  */
2863  if (PgArchStartupAllowed() && PgArchPID == 0)
2864  PgArchPID = pgarch_start();
2865  if (PgStatPID == 0)
2866  PgStatPID = pgstat_start();
2867 
2868  /* workers may be scheduled to start now */
2870 
2871  /* at this point we are really open for business */
2872  ereport(LOG,
2873  (errmsg("database system is ready to accept connections")));
2874 
2875 #ifdef USE_SYSTEMD
2876  sd_notify(0, "READY=1");
2877 #endif
2878 
2879  continue;
2880  }
2881 
2882  /*
2883  * Was it the bgwriter? Normal exit can be ignored; we'll start a new
2884  * one at the next iteration of the postmaster's main loop, if
2885  * necessary. Any other exit condition is treated as a crash.
2886  */
2887  if (pid == BgWriterPID)
2888  {
2889  BgWriterPID = 0;
2890  if (!EXIT_STATUS_0(exitstatus))
2891  HandleChildCrash(pid, exitstatus,
2892  _("background writer process"));
2893  continue;
2894  }
2895 
2896  /*
2897  * Was it the checkpointer?
2898  */
2899  if (pid == CheckpointerPID)
2900  {
2901  CheckpointerPID = 0;
2902  if (EXIT_STATUS_0(exitstatus) && pmState == PM_SHUTDOWN)
2903  {
2904  /*
2905  * OK, we saw normal exit of the checkpointer after it's been
2906  * told to shut down. We expect that it wrote a shutdown
2907  * checkpoint. (If for some reason it didn't, recovery will
2908  * occur on next postmaster start.)
2909  *
2910  * At this point we should have no normal backend children
2911  * left (else we'd not be in PM_SHUTDOWN state) but we might
2912  * have dead_end children to wait for.
2913  *
2914  * If we have an archiver subprocess, tell it to do a last
2915  * archive cycle and quit. Likewise, if we have walsender
2916  * processes, tell them to send any remaining WAL and quit.
2917  */
2919 
2920  /* Waken archiver for the last time */
2921  if (PgArchPID != 0)
2923 
2924  /*
2925  * Waken walsenders for the last time. No regular backends
2926  * should be around anymore.
2927  */
2929 
2931 
2932  /*
2933  * We can also shut down the stats collector now; there's
2934  * nothing left for it to do.
2935  */
2936  if (PgStatPID != 0)
2938  }
2939  else
2940  {
2941  /*
2942  * Any unexpected exit of the checkpointer (including FATAL
2943  * exit) is treated as a crash.
2944  */
2945  HandleChildCrash(pid, exitstatus,
2946  _("checkpointer process"));
2947  }
2948 
2949  continue;
2950  }
2951 
2952  /*
2953  * Was it the wal writer? Normal exit can be ignored; we'll start a
2954  * new one at the next iteration of the postmaster's main loop, if
2955  * necessary. Any other exit condition is treated as a crash.
2956  */
2957  if (pid == WalWriterPID)
2958  {
2959  WalWriterPID = 0;
2960  if (!EXIT_STATUS_0(exitstatus))
2961  HandleChildCrash(pid, exitstatus,
2962  _("WAL writer process"));
2963  continue;
2964  }
2965 
2966  /*
2967  * Was it the wal receiver? If exit status is zero (normal) or one
2968  * (FATAL exit), we assume everything is all right just like normal
2969  * backends. (If we need a new wal receiver, we'll start one at the
2970  * next iteration of the postmaster's main loop.)
2971  */
2972  if (pid == WalReceiverPID)
2973  {
2974  WalReceiverPID = 0;
2975  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
2976  HandleChildCrash(pid, exitstatus,
2977  _("WAL receiver process"));
2978  continue;
2979  }
2980 
2981  /*
2982  * Was it the autovacuum launcher? Normal exit can be ignored; we'll
2983  * start a new one at the next iteration of the postmaster's main
2984  * loop, if necessary. Any other exit condition is treated as a
2985  * crash.
2986  */
2987  if (pid == AutoVacPID)
2988  {
2989  AutoVacPID = 0;
2990  if (!EXIT_STATUS_0(exitstatus))
2991  HandleChildCrash(pid, exitstatus,
2992  _("autovacuum launcher process"));
2993  continue;
2994  }
2995 
2996  /*
2997  * Was it the archiver? If so, just try to start a new one; no need
2998  * to force reset of the rest of the system. (If fail, we'll try
2999  * again in future cycles of the main loop.). Unless we were waiting
3000  * for it to shut down; don't restart it in that case, and
3001  * PostmasterStateMachine() will advance to the next shutdown step.
3002  */
3003  if (pid == PgArchPID)
3004  {
3005  PgArchPID = 0;
3006  if (!EXIT_STATUS_0(exitstatus))
3007  LogChildExit(LOG, _("archiver process"),
3008  pid, exitstatus);
3009  if (PgArchStartupAllowed())
3010  PgArchPID = pgarch_start();
3011  continue;
3012  }
3013 
3014  /*
3015  * Was it the statistics collector? If so, just try to start a new
3016  * one; no need to force reset of the rest of the system. (If fail,
3017  * we'll try again in future cycles of the main loop.)
3018  */
3019  if (pid == PgStatPID)
3020  {
3021  PgStatPID = 0;
3022  if (!EXIT_STATUS_0(exitstatus))
3023  LogChildExit(LOG, _("statistics collector process"),
3024  pid, exitstatus);
3025  if (pmState == PM_RUN || pmState == PM_HOT_STANDBY)
3026  PgStatPID = pgstat_start();
3027  continue;
3028  }
3029 
3030  /* Was it the system logger? If so, try to start a new one */
3031  if (pid == SysLoggerPID)
3032  {
3033  SysLoggerPID = 0;
3034  /* for safety's sake, launch new logger *first* */
3036  if (!EXIT_STATUS_0(exitstatus))
3037  LogChildExit(LOG, _("system logger process"),
3038  pid, exitstatus);
3039  continue;
3040  }
3041 
3042  /* Was it one of our background workers? */
3043  if (CleanupBackgroundWorker(pid, exitstatus))
3044  {
3045  /* have it be restarted */
3046  HaveCrashedWorker = true;
3047  continue;
3048  }
3049 
3050  /*
3051  * Else do standard backend child cleanup.
3052  */
3053  CleanupBackend(pid, exitstatus);
3054  } /* loop over pending child-death reports */
3055 
3056  /*
3057  * After cleaning out the SIGCHLD queue, see if we have any state changes
3058  * or actions to make.
3059  */
3061 
3062  /* Done with signal handler */
3064 
3065  errno = save_errno;
3066 }
3067 
3068 /*
3069  * Scan the bgworkers list and see if the given PID (which has just stopped
3070  * or crashed) is in it. Handle its shutdown if so, and return true. If not a
3071  * bgworker, return false.
3072  *
3073  * This is heavily based on CleanupBackend. One important difference is that
3074  * we don't know yet that the dying process is a bgworker, so we must be silent
3075  * until we're sure it is.
3076  */
3077 static bool
3079  int exitstatus) /* child's exit status */
3080 {
3081  char namebuf[MAXPGPATH];
3082  slist_mutable_iter iter;
3083 
3085  {
3086  RegisteredBgWorker *rw;
3087 
3088  rw = slist_container(RegisteredBgWorker, rw_lnode, iter.cur);
3089 
3090  if (rw->rw_pid != pid)
3091  continue;
3092 
3093 #ifdef WIN32
3094  /* see CleanupBackend */
3095  if (exitstatus == ERROR_WAIT_NO_CHILDREN)
3096  exitstatus = 0;
3097 #endif
3098 
3099  snprintf(namebuf, MAXPGPATH, "%s: %s", _("worker process"),
3100  rw->rw_worker.bgw_name);
3101 
3102  if (!EXIT_STATUS_0(exitstatus))
3103  {
3104  /* Record timestamp, so we know when to restart the worker. */
3106  }
3107  else
3108  {
3109  /* Zero exit status means terminate */
3110  rw->rw_crashed_at = 0;
3111  rw->rw_terminate = true;
3112  }
3113 
3114  /*
3115  * Additionally, for shared-memory-connected workers, just like a
3116  * backend, any exit status other than 0 or 1 is considered a crash
3117  * and causes a system-wide restart.
3118  */
3119  if ((rw->rw_worker.bgw_flags & BGWORKER_SHMEM_ACCESS) != 0)
3120  {
3121  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3122  {
3123  HandleChildCrash(pid, exitstatus, namebuf);
3124  return true;
3125  }
3126  }
3127 
3128  /*
3129  * We must release the postmaster child slot whether this worker is
3130  * connected to shared memory or not, but we only treat it as a crash
3131  * if it is in fact connected.
3132  */
3135  {
3136  HandleChildCrash(pid, exitstatus, namebuf);
3137  return true;
3138  }
3139 
3140  /* Get it out of the BackendList and clear out remaining data */
3141  dlist_delete(&rw->rw_backend->elem);
3142 #ifdef EXEC_BACKEND
3143  ShmemBackendArrayRemove(rw->rw_backend);
3144 #endif
3145 
3146  /*
3147  * It's possible that this background worker started some OTHER
3148  * background worker and asked to be notified when that worker started
3149  * or stopped. If so, cancel any notifications destined for the
3150  * now-dead backend.
3151  */
3152  if (rw->rw_backend->bgworker_notify)
3154  free(rw->rw_backend);
3155  rw->rw_backend = NULL;
3156  rw->rw_pid = 0;
3157  rw->rw_child_slot = 0;
3158  ReportBackgroundWorkerExit(&iter); /* report child death */
3159 
3160  LogChildExit(EXIT_STATUS_0(exitstatus) ? DEBUG1 : LOG,
3161  namebuf, pid, exitstatus);
3162 
3163  return true;
3164  }
3165 
3166  return false;
3167 }
3168 
3169 /*
3170  * CleanupBackend -- cleanup after terminated backend.
3171  *
3172  * Remove all local state associated with backend.
3173  *
3174  * If you change this, see also CleanupBackgroundWorker.
3175  */
3176 static void
3178  int exitstatus) /* child's exit status. */
3179 {
3180  dlist_mutable_iter iter;
3181 
3182  LogChildExit(DEBUG2, _("server process"), pid, exitstatus);
3183 
3184  /*
3185  * If a backend dies in an ugly way then we must signal all other backends
3186  * to quickdie. If exit status is zero (normal) or one (FATAL exit), we
3187  * assume everything is all right and proceed to remove the backend from
3188  * the active backend list.
3189  */
3190 
3191 #ifdef WIN32
3192 
3193  /*
3194  * On win32, also treat ERROR_WAIT_NO_CHILDREN (128) as nonfatal case,
3195  * since that sometimes happens under load when the process fails to start
3196  * properly (long before it starts using shared memory). Microsoft reports
3197  * it is related to mutex failure:
3198  * http://archives.postgresql.org/pgsql-hackers/2010-09/msg00790.php
3199  */
3200  if (exitstatus == ERROR_WAIT_NO_CHILDREN)
3201  {
3202  LogChildExit(LOG, _("server process"), pid, exitstatus);
3203  exitstatus = 0;
3204  }
3205 #endif
3206 
3207  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3208  {
3209  HandleChildCrash(pid, exitstatus, _("server process"));
3210  return;
3211  }
3212 
3213  dlist_foreach_modify(iter, &BackendList)
3214  {
3215  Backend *bp = dlist_container(Backend, elem, iter.cur);
3216 
3217  if (bp->pid == pid)
3218  {
3219  if (!bp->dead_end)
3220  {
3222  {
3223  /*
3224  * Uh-oh, the child failed to clean itself up. Treat as a
3225  * crash after all.
3226  */
3227  HandleChildCrash(pid, exitstatus, _("server process"));
3228  return;
3229  }
3230 #ifdef EXEC_BACKEND
3231  ShmemBackendArrayRemove(bp);
3232 #endif
3233  }
3234  if (bp->bgworker_notify)
3235  {
3236  /*
3237  * This backend may have been slated to receive SIGUSR1 when
3238  * some background worker started or stopped. Cancel those
3239  * notifications, as we don't want to signal PIDs that are not
3240  * PostgreSQL backends. This gets skipped in the (probably
3241  * very common) case where the backend has never requested any
3242  * such notifications.
3243  */
3245  }
3246  dlist_delete(iter.cur);
3247  free(bp);
3248  break;
3249  }
3250  }
3251 }
3252 
3253 /*
3254  * HandleChildCrash -- cleanup after failed backend, bgwriter, checkpointer,
3255  * walwriter, autovacuum, or background worker.
3256  *
3257  * The objectives here are to clean up our local state about the child
3258  * process, and to signal all other remaining children to quickdie.
3259  */
3260 static void
3261 HandleChildCrash(int pid, int exitstatus, const char *procname)
3262 {
3263  dlist_mutable_iter iter;
3264  slist_iter siter;
3265  Backend *bp;
3266  bool take_action;
3267 
3268  /*
3269  * We only log messages and send signals if this is the first process
3270  * crash and we're not doing an immediate shutdown; otherwise, we're only
3271  * here to update postmaster's idea of live processes. If we have already
3272  * signalled children, nonzero exit status is to be expected, so don't
3273  * clutter log.
3274  */
3275  take_action = !FatalError && Shutdown != ImmediateShutdown;
3276 
3277  if (take_action)
3278  {
3279  LogChildExit(LOG, procname, pid, exitstatus);
3280  ereport(LOG,
3281  (errmsg("terminating any other active server processes")));
3282  }
3283 
3284  /* Process background workers. */
3286  {
3287  RegisteredBgWorker *rw;
3288 
3289  rw = slist_container(RegisteredBgWorker, rw_lnode, siter.cur);
3290  if (rw->rw_pid == 0)
3291  continue; /* not running */
3292  if (rw->rw_pid == pid)
3293  {
3294  /*
3295  * Found entry for freshly-dead worker, so remove it.
3296  */
3298  dlist_delete(&rw->rw_backend->elem);
3299 #ifdef EXEC_BACKEND
3300  ShmemBackendArrayRemove(rw->rw_backend);
3301 #endif
3302  free(rw->rw_backend);
3303  rw->rw_backend = NULL;
3304  rw->rw_pid = 0;
3305  rw->rw_child_slot = 0;
3306  /* don't reset crashed_at */
3307  /* don't report child stop, either */
3308  /* Keep looping so we can signal remaining workers */
3309  }
3310  else
3311  {
3312  /*
3313  * This worker is still alive. Unless we did so already, tell it
3314  * to commit hara-kiri.
3315  *
3316  * SIGQUIT is the special signal that says exit without proc_exit
3317  * and let the user know what's going on. But if SendStop is set
3318  * (-s on command line), then we send SIGSTOP instead, so that we
3319  * can get core dumps from all backends by hand.
3320  */
3321  if (take_action)
3322  {
3323  ereport(DEBUG2,
3324  (errmsg_internal("sending %s to process %d",
3325  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3326  (int) rw->rw_pid)));
3328  }
3329  }
3330  }
3331 
3332  /* Process regular backends */
3333  dlist_foreach_modify(iter, &BackendList)
3334  {
3335  bp = dlist_container(Backend, elem, iter.cur);
3336 
3337  if (bp->pid == pid)
3338  {
3339  /*
3340  * Found entry for freshly-dead backend, so remove it.
3341  */
3342  if (!bp->dead_end)
3343  {
3345 #ifdef EXEC_BACKEND
3346  ShmemBackendArrayRemove(bp);
3347 #endif
3348  }
3349  dlist_delete(iter.cur);
3350  free(bp);
3351  /* Keep looping so we can signal remaining backends */
3352  }
3353  else
3354  {
3355  /*
3356  * This backend is still alive. Unless we did so already, tell it
3357  * to commit hara-kiri.
3358  *
3359  * SIGQUIT is the special signal that says exit without proc_exit
3360  * and let the user know what's going on. But if SendStop is set
3361  * (-s on command line), then we send SIGSTOP instead, so that we
3362  * can get core dumps from all backends by hand.
3363  *
3364  * We could exclude dead_end children here, but at least in the
3365  * SIGSTOP case it seems better to include them.
3366  *
3367  * Background workers were already processed above; ignore them
3368  * here.
3369  */
3370  if (bp->bkend_type == BACKEND_TYPE_BGWORKER)
3371  continue;
3372 
3373  if (take_action)
3374  {
3375  ereport(DEBUG2,
3376  (errmsg_internal("sending %s to process %d",
3377  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3378  (int) bp->pid)));
3379  signal_child(bp->pid, (SendStop ? SIGSTOP : SIGQUIT));
3380  }
3381  }
3382  }
3383 
3384  /* Take care of the startup process too */
3385  if (pid == StartupPID)
3386  {
3387  StartupPID = 0;
3389  }
3390  else if (StartupPID != 0 && take_action)
3391  {
3392  ereport(DEBUG2,
3393  (errmsg_internal("sending %s to process %d",
3394  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3395  (int) StartupPID)));
3396  signal_child(StartupPID, (SendStop ? SIGSTOP : SIGQUIT));
3398  }
3399 
3400  /* Take care of the bgwriter too */
3401  if (pid == BgWriterPID)
3402  BgWriterPID = 0;
3403  else if (BgWriterPID != 0 && take_action)
3404  {
3405  ereport(DEBUG2,
3406  (errmsg_internal("sending %s to process %d",
3407  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3408  (int) BgWriterPID)));
3409  signal_child(BgWriterPID, (SendStop ? SIGSTOP : SIGQUIT));
3410  }
3411 
3412  /* Take care of the checkpointer too */
3413  if (pid == CheckpointerPID)
3414  CheckpointerPID = 0;
3415  else if (CheckpointerPID != 0 && take_action)
3416  {
3417  ereport(DEBUG2,
3418  (errmsg_internal("sending %s to process %d",
3419  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3420  (int) CheckpointerPID)));
3421  signal_child(CheckpointerPID, (SendStop ? SIGSTOP : SIGQUIT));
3422  }
3423 
3424  /* Take care of the walwriter too */
3425  if (pid == WalWriterPID)
3426  WalWriterPID = 0;
3427  else if (WalWriterPID != 0 && take_action)
3428  {
3429  ereport(DEBUG2,
3430  (errmsg_internal("sending %s to process %d",
3431  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3432  (int) WalWriterPID)));
3433  signal_child(WalWriterPID, (SendStop ? SIGSTOP : SIGQUIT));
3434  }
3435 
3436  /* Take care of the walreceiver too */
3437  if (pid == WalReceiverPID)
3438  WalReceiverPID = 0;
3439  else if (WalReceiverPID != 0 && take_action)
3440  {
3441  ereport(DEBUG2,
3442  (errmsg_internal("sending %s to process %d",
3443  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3444  (int) WalReceiverPID)));
3445  signal_child(WalReceiverPID, (SendStop ? SIGSTOP : SIGQUIT));
3446  }
3447 
3448  /* Take care of the autovacuum launcher too */
3449  if (pid == AutoVacPID)
3450  AutoVacPID = 0;
3451  else if (AutoVacPID != 0 && take_action)
3452  {
3453  ereport(DEBUG2,
3454  (errmsg_internal("sending %s to process %d",
3455  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3456  (int) AutoVacPID)));
3457  signal_child(AutoVacPID, (SendStop ? SIGSTOP : SIGQUIT));
3458  }
3459 
3460  /*
3461  * Force a power-cycle of the pgarch process too. (This isn't absolutely
3462  * necessary, but it seems like a good idea for robustness, and it
3463  * simplifies the state-machine logic in the case where a shutdown request
3464  * arrives during crash processing.)
3465  */
3466  if (PgArchPID != 0 && take_action)
3467  {
3468  ereport(DEBUG2,
3469  (errmsg_internal("sending %s to process %d",
3470  "SIGQUIT",
3471  (int) PgArchPID)));
3472  signal_child(PgArchPID, SIGQUIT);
3473  }
3474 
3475  /*
3476  * Force a power-cycle of the pgstat process too. (This isn't absolutely
3477  * necessary, but it seems like a good idea for robustness, and it
3478  * simplifies the state-machine logic in the case where a shutdown request
3479  * arrives during crash processing.)
3480  */
3481  if (PgStatPID != 0 && take_action)
3482  {
3483  ereport(DEBUG2,
3484  (errmsg_internal("sending %s to process %d",
3485  "SIGQUIT",
3486  (int) PgStatPID)));
3487  signal_child(PgStatPID, SIGQUIT);
3489  }
3490 
3491  /* We do NOT restart the syslogger */
3492 
3493  if (Shutdown != ImmediateShutdown)
3494  FatalError = true;
3495 
3496  /* We now transit into a state of waiting for children to die */
3497  if (pmState == PM_RECOVERY ||
3498  pmState == PM_HOT_STANDBY ||
3499  pmState == PM_RUN ||
3500  pmState == PM_WAIT_BACKUP ||
3502  pmState == PM_SHUTDOWN)
3504 
3505  /*
3506  * .. and if this doesn't happen quickly enough, now the clock is ticking
3507  * for us to kill them without mercy.
3508  */
3509  if (AbortStartTime == 0)
3510  AbortStartTime = time(NULL);
3511 }
3512 
3513 /*
3514  * Log the death of a child process.
3515  */
3516 static void
3517 LogChildExit(int lev, const char *procname, int pid, int exitstatus)
3518 {
3519  /*
3520  * size of activity_buffer is arbitrary, but set equal to default
3521  * track_activity_query_size
3522  */
3523  char activity_buffer[1024];
3524  const char *activity = NULL;
3525 
3526  if (!EXIT_STATUS_0(exitstatus))
3527  activity = pgstat_get_crashed_backend_activity(pid,
3528  activity_buffer,
3529  sizeof(activity_buffer));
3530 
3531  if (WIFEXITED(exitstatus))
3532  ereport(lev,
3533 
3534  /*------
3535  translator: %s is a noun phrase describing a child process, such as
3536  "server process" */
3537  (errmsg("%s (PID %d) exited with exit code %d",
3538  procname, pid, WEXITSTATUS(exitstatus)),
3539  activity ? errdetail("Failed process was running: %s", activity) : 0));
3540  else if (WIFSIGNALED(exitstatus))
3541 #if defined(WIN32)
3542  ereport(lev,
3543 
3544  /*------
3545  translator: %s is a noun phrase describing a child process, such as
3546  "server process" */
3547  (errmsg("%s (PID %d) was terminated by exception 0x%X",
3548  procname, pid, WTERMSIG(exitstatus)),
3549  errhint("See C include file \"ntstatus.h\" for a description of the hexadecimal value."),
3550  activity ? errdetail("Failed process was running: %s", activity) : 0));
3551 #elif defined(HAVE_DECL_SYS_SIGLIST) && HAVE_DECL_SYS_SIGLIST
3552  ereport(lev,
3553 
3554  /*------
3555  translator: %s is a noun phrase describing a child process, such as
3556  "server process" */
3557  (errmsg("%s (PID %d) was terminated by signal %d: %s",
3558  procname, pid, WTERMSIG(exitstatus),
3559  WTERMSIG(exitstatus) < NSIG ?
3560  sys_siglist[WTERMSIG(exitstatus)] : "(unknown)"),
3561  activity ? errdetail("Failed process was running: %s", activity) : 0));
3562 #else
3563  ereport(lev,
3564 
3565  /*------
3566  translator: %s is a noun phrase describing a child process, such as
3567  "server process" */
3568  (errmsg("%s (PID %d) was terminated by signal %d",
3569  procname, pid, WTERMSIG(exitstatus)),
3570  activity ? errdetail("Failed process was running: %s", activity) : 0));
3571 #endif
3572  else
3573  ereport(lev,
3574 
3575  /*------
3576  translator: %s is a noun phrase describing a child process, such as
3577  "server process" */
3578  (errmsg("%s (PID %d) exited with unrecognized status %d",
3579  procname, pid, exitstatus),
3580  activity ? errdetail("Failed process was running: %s", activity) : 0));
3581 }
3582 
3583 /*
3584  * Advance the postmaster's state machine and take actions as appropriate
3585  *
3586  * This is common code for pmdie(), reaper() and sigusr1_handler(), which
3587  * receive the signals that might mean we need to change state.
3588  */
3589 static void
3591 {
3592  if (pmState == PM_WAIT_BACKUP)
3593  {
3594  /*
3595  * PM_WAIT_BACKUP state ends when online backup mode is not active.
3596  */
3597  if (!BackupInProgress())
3599  }
3600 
3601  if (pmState == PM_WAIT_READONLY)
3602  {
3603  /*
3604  * PM_WAIT_READONLY state ends when we have no regular backends that
3605  * have been started during recovery. We kill the startup and
3606  * walreceiver processes and transition to PM_WAIT_BACKENDS. Ideally,
3607  * we might like to kill these processes first and then wait for
3608  * backends to die off, but that doesn't work at present because
3609  * killing the startup process doesn't release its locks.
3610  */
3612  {
3613  if (StartupPID != 0)
3614  signal_child(StartupPID, SIGTERM);
3615  if (WalReceiverPID != 0)
3616  signal_child(WalReceiverPID, SIGTERM);
3618  }
3619  }
3620 
3621  /*
3622  * If we are in a state-machine state that implies waiting for backends to
3623  * exit, see if they're all gone, and change state if so.
3624  */
3625  if (pmState == PM_WAIT_BACKENDS)
3626  {
3627  /*
3628  * PM_WAIT_BACKENDS state ends when we have no regular backends
3629  * (including autovac workers), no bgworkers (including unconnected
3630  * ones), and no walwriter, autovac launcher or bgwriter. If we are
3631  * doing crash recovery or an immediate shutdown then we expect the
3632  * checkpointer to exit as well, otherwise not. The archiver, stats,
3633  * and syslogger processes are disregarded since they are not
3634  * connected to shared memory; we also disregard dead_end children
3635  * here. Walsenders are also disregarded, they will be terminated
3636  * later after writing the checkpoint record, like the archiver
3637  * process.
3638  */
3640  StartupPID == 0 &&
3641  WalReceiverPID == 0 &&
3642  BgWriterPID == 0 &&
3643  (CheckpointerPID == 0 ||
3645  WalWriterPID == 0 &&
3646  AutoVacPID == 0)
3647  {
3649  {
3650  /*
3651  * Start waiting for dead_end children to die. This state
3652  * change causes ServerLoop to stop creating new ones.
3653  */
3655 
3656  /*
3657  * We already SIGQUIT'd the archiver and stats processes, if
3658  * any, when we started immediate shutdown or entered
3659  * FatalError state.
3660  */
3661  }
3662  else
3663  {
3664  /*
3665  * If we get here, we are proceeding with normal shutdown. All
3666  * the regular children are gone, and it's time to tell the
3667  * checkpointer to do a shutdown checkpoint.
3668  */
3670  /* Start the checkpointer if not running */
3671  if (CheckpointerPID == 0)
3673  /* And tell it to shut down */
3674  if (CheckpointerPID != 0)
3675  {
3677  pmState = PM_SHUTDOWN;
3678  }
3679  else
3680  {
3681  /*
3682  * If we failed to fork a checkpointer, just shut down.
3683  * Any required cleanup will happen at next restart. We
3684  * set FatalError so that an "abnormal shutdown" message
3685  * gets logged when we exit.
3686  */
3687  FatalError = true;
3689 
3690  /* Kill the walsenders, archiver and stats collector too */
3692  if (PgArchPID != 0)
3694  if (PgStatPID != 0)
3696  }
3697  }
3698  }
3699  }
3700 
3701  if (pmState == PM_SHUTDOWN_2)
3702  {
3703  /*
3704  * PM_SHUTDOWN_2 state ends when there's no other children than
3705  * dead_end children left. There shouldn't be any regular backends
3706  * left by now anyway; what we're really waiting for is walsenders and
3707  * archiver.
3708  *
3709  * Walreceiver should normally be dead by now, but not when a fast
3710  * shutdown is performed during recovery.
3711  */
3712  if (PgArchPID == 0 && CountChildren(BACKEND_TYPE_ALL) == 0 &&
3713  WalReceiverPID == 0)
3714  {
3716  }
3717  }
3718 
3719  if (pmState == PM_WAIT_DEAD_END)
3720  {
3721  /*
3722  * PM_WAIT_DEAD_END state ends when the BackendList is entirely empty
3723  * (ie, no dead_end children remain), and the archiver and stats
3724  * collector are gone too.
3725  *
3726  * The reason we wait for those two is to protect them against a new
3727  * postmaster starting conflicting subprocesses; this isn't an
3728  * ironclad protection, but it at least helps in the
3729  * shutdown-and-immediately-restart scenario. Note that they have
3730  * already been sent appropriate shutdown signals, either during a
3731  * normal state transition leading up to PM_WAIT_DEAD_END, or during
3732  * FatalError processing.
3733  */
3734  if (dlist_is_empty(&BackendList) &&
3735  PgArchPID == 0 && PgStatPID == 0)
3736  {
3737  /* These other guys should be dead already */
3738  Assert(StartupPID == 0);
3739  Assert(WalReceiverPID == 0);
3740  Assert(BgWriterPID == 0);
3741  Assert(CheckpointerPID == 0);
3742  Assert(WalWriterPID == 0);
3743  Assert(AutoVacPID == 0);
3744  /* syslogger is not considered here */
3746  }
3747  }
3748 
3749  /*
3750  * If we've been told to shut down, we exit as soon as there are no
3751  * remaining children. If there was a crash, cleanup will occur at the
3752  * next startup. (Before PostgreSQL 8.3, we tried to recover from the
3753  * crash before exiting, but that seems unwise if we are quitting because
3754  * we got SIGTERM from init --- there may well not be time for recovery
3755  * before init decides to SIGKILL us.)
3756  *
3757  * Note that the syslogger continues to run. It will exit when it sees
3758  * EOF on its input pipe, which happens when there are no more upstream
3759  * processes.
3760  */
3762  {
3763  if (FatalError)
3764  {
3765  ereport(LOG, (errmsg("abnormal database system shutdown")));
3766  ExitPostmaster(1);
3767  }
3768  else
3769  {
3770  /*
3771  * Terminate exclusive backup mode to avoid recovery after a clean
3772  * fast shutdown. Since an exclusive backup can only be taken
3773  * during normal running (and not, for example, while running
3774  * under Hot Standby) it only makes sense to do this if we reached
3775  * normal running. If we're still in recovery, the backup file is
3776  * one we're recovering *from*, and we must keep it around so that
3777  * recovery restarts from the right place.
3778  */
3780  CancelBackup();
3781 
3782  /* Normal exit from the postmaster is here */
3783  ExitPostmaster(0);
3784  }
3785  }
3786 
3787  /*
3788  * If the startup process failed, or the user does not want an automatic
3789  * restart after backend crashes, wait for all non-syslogger children to
3790  * exit, and then exit postmaster. We don't try to reinitialize when the
3791  * startup process fails, because more than likely it will just fail again
3792  * and we will keep trying forever.
3793  */
3794  if (pmState == PM_NO_CHILDREN &&
3796  ExitPostmaster(1);
3797 
3798  /*
3799  * If we need to recover from a crash, wait for all non-syslogger children
3800  * to exit, then reset shmem and StartupDataBase.
3801  */
3802  if (FatalError && pmState == PM_NO_CHILDREN)
3803  {
3804  ereport(LOG,
3805  (errmsg("all server processes terminated; reinitializing")));
3806 
3807  /* allow background workers to immediately restart */
3809 
3810  shmem_exit(1);
3812 
3814  Assert(StartupPID != 0);
3816  pmState = PM_STARTUP;
3817  /* crash recovery started, reset SIGKILL flag */
3818  AbortStartTime = 0;
3819  }
3820 }
3821 
3822 
3823 /*
3824  * Send a signal to a postmaster child process
3825  *
3826  * On systems that have setsid(), each child process sets itself up as a
3827  * process group leader. For signals that are generally interpreted in the
3828  * appropriate fashion, we signal the entire process group not just the
3829  * direct child process. This allows us to, for example, SIGQUIT a blocked
3830  * archive_recovery script, or SIGINT a script being run by a backend via
3831  * system().
3832  *
3833  * There is a race condition for recently-forked children: they might not
3834  * have executed setsid() yet. So we signal the child directly as well as
3835  * the group. We assume such a child will handle the signal before trying
3836  * to spawn any grandchild processes. We also assume that signaling the
3837  * child twice will not cause any problems.
3838  */
3839 static void
3840 signal_child(pid_t pid, int signal)
3841 {
3842  if (kill(pid, signal) < 0)
3843  elog(DEBUG3, "kill(%ld,%d) failed: %m", (long) pid, signal);
3844 #ifdef HAVE_SETSID
3845  switch (signal)
3846  {
3847  case SIGINT:
3848  case SIGTERM:
3849  case SIGQUIT:
3850  case SIGSTOP:
3851  case SIGKILL:
3852  if (kill(-pid, signal) < 0)
3853  elog(DEBUG3, "kill(%ld,%d) failed: %m", (long) (-pid), signal);
3854  break;
3855  default:
3856  break;
3857  }
3858 #endif
3859 }
3860 
3861 /*
3862  * Send a signal to the targeted children (but NOT special children;
3863  * dead_end children are never signaled, either).
3864  */
3865 static bool
3866 SignalSomeChildren(int signal, int target)
3867 {
3868  dlist_iter iter;
3869  bool signaled = false;
3870 
3871  dlist_foreach(iter, &BackendList)
3872  {
3873  Backend *bp = dlist_container(Backend, elem, iter.cur);
3874 
3875  if (bp->dead_end)
3876  continue;
3877 
3878  /*
3879  * Since target == BACKEND_TYPE_ALL is the most common case, we test
3880  * it first and avoid touching shared memory for every child.
3881  */
3882  if (target != BACKEND_TYPE_ALL)
3883  {
3884  /*
3885  * Assign bkend_type for any recently announced WAL Sender
3886  * processes.
3887  */
3888  if (bp->bkend_type == BACKEND_TYPE_NORMAL &&
3891 
3892  if (!(target & bp->bkend_type))
3893  continue;
3894  }
3895 
3896  ereport(DEBUG4,
3897  (errmsg_internal("sending signal %d to process %d",
3898  signal, (int) bp->pid)));
3899  signal_child(bp->pid, signal);
3900  signaled = true;
3901  }
3902  return signaled;
3903 }
3904 
3905 /*
3906  * Send a termination signal to children. This considers all of our children
3907  * processes, except syslogger and dead_end backends.
3908  */
3909 static void
3911 {
3912  SignalChildren(signal);
3913  if (StartupPID != 0)
3914  {
3915  signal_child(StartupPID, signal);
3916  if (signal == SIGQUIT || signal == SIGKILL)
3918  }
3919  if (BgWriterPID != 0)
3920  signal_child(BgWriterPID, signal);
3921  if (CheckpointerPID != 0)
3922  signal_child(CheckpointerPID, signal);
3923  if (WalWriterPID != 0)
3924  signal_child(WalWriterPID, signal);
3925  if (WalReceiverPID != 0)
3926  signal_child(WalReceiverPID, signal);
3927  if (AutoVacPID != 0)
3928  signal_child(AutoVacPID, signal);
3929  if (PgArchPID != 0)
3930  signal_child(PgArchPID, signal);
3931  if (PgStatPID != 0)
3932  signal_child(PgStatPID, signal);
3933 }
3934 
3935 /*
3936  * BackendStartup -- start backend process
3937  *
3938  * returns: STATUS_ERROR if the fork failed, STATUS_OK otherwise.
3939  *
3940  * Note: if you change this code, also consider StartAutovacuumWorker.
3941  */
3942 static int
3944 {
3945  Backend *bn; /* for backend cleanup */
3946  pid_t pid;
3947 
3948  /*
3949  * Create backend data structure. Better before the fork() so we can
3950  * handle failure cleanly.
3951  */
3952  bn = (Backend *) malloc(sizeof(Backend));
3953  if (!bn)
3954  {
3955  ereport(LOG,
3956  (errcode(ERRCODE_OUT_OF_MEMORY),
3957  errmsg("out of memory")));
3958  return STATUS_ERROR;
3959  }
3960 
3961  /*
3962  * Compute the cancel key that will be assigned to this backend. The
3963  * backend will have its own copy in the forked-off process' value of
3964  * MyCancelKey, so that it can transmit the key to the frontend.
3965  */
3967  {
3968  free(bn);
3969  ereport(LOG,
3970  (errcode(ERRCODE_INTERNAL_ERROR),
3971  errmsg("could not generate random cancel key")));
3972  return STATUS_ERROR;
3973  }
3974 
3975  bn->cancel_key = MyCancelKey;
3976 
3977  /* Pass down canAcceptConnections state */
3979  bn->dead_end = (port->canAcceptConnections != CAC_OK &&
3981 
3982  /*
3983  * Unless it's a dead_end child, assign it a child slot number
3984  */
3985  if (!bn->dead_end)
3987  else
3988  bn->child_slot = 0;
3989 
3990  /* Hasn't asked to be notified about any bgworkers yet */
3991  bn->bgworker_notify = false;
3992 
3993 #ifdef EXEC_BACKEND
3994  pid = backend_forkexec(port);
3995 #else /* !EXEC_BACKEND */
3996  pid = fork_process();
3997  if (pid == 0) /* child */
3998  {
3999  free(bn);
4000 
4001  /* Detangle from postmaster */
4003 
4004  /* Close the postmaster's sockets */
4005  ClosePostmasterPorts(false);
4006 
4007  /* Perform additional initialization and collect startup packet */
4008  BackendInitialize(port);
4009 
4010  /* And run the backend */
4011  BackendRun(port);
4012  }
4013 #endif /* EXEC_BACKEND */
4014 
4015  if (pid < 0)
4016  {
4017  /* in parent, fork failed */
4018  int save_errno = errno;
4019 
4020  if (!bn->dead_end)
4022  free(bn);
4023  errno = save_errno;
4024  ereport(LOG,
4025  (errmsg("could not fork new process for connection: %m")));
4026  report_fork_failure_to_client(port, save_errno);
4027  return STATUS_ERROR;
4028  }
4029 
4030  /* in parent, successful fork */
4031  ereport(DEBUG2,
4032  (errmsg_internal("forked new backend, pid=%d socket=%d",
4033  (int) pid, (int) port->sock)));
4034 
4035  /*
4036  * Everything's been successful, it's safe to add this backend to our list
4037  * of backends.
4038  */
4039  bn->pid = pid;
4040  bn->bkend_type = BACKEND_TYPE_NORMAL; /* Can change later to WALSND */
4041  dlist_push_head(&BackendList, &bn->elem);
4042 
4043 #ifdef EXEC_BACKEND
4044  if (!bn->dead_end)
4045  ShmemBackendArrayAdd(bn);
4046 #endif
4047 
4048  return STATUS_OK;
4049 }
4050 
4051 /*
4052  * Try to report backend fork() failure to client before we close the
4053  * connection. Since we do not care to risk blocking the postmaster on
4054  * this connection, we set the connection to non-blocking and try only once.
4055  *
4056  * This is grungy special-purpose code; we cannot use backend libpq since
4057  * it's not up and running.
4058  */
4059 static void
4061 {
4062  char buffer[1000];
4063  int rc;
4064 
4065  /* Format the error message packet (always V2 protocol) */
4066  snprintf(buffer, sizeof(buffer), "E%s%s\n",
4067  _("could not fork new process for connection: "),
4068  strerror(errnum));
4069 
4070  /* Set port to non-blocking. Don't do send() if this fails */
4071  if (!pg_set_noblock(port->sock))
4072  return;
4073 
4074  /* We'll retry after EINTR, but ignore all other failures */
4075  do
4076  {
4077  rc = send(port->sock, buffer, strlen(buffer) + 1, 0);
4078  } while (rc < 0 && errno == EINTR);
4079 }
4080 
4081 
4082 /*
4083  * BackendInitialize -- initialize an interactive (postmaster-child)
4084  * backend process, and collect the client's startup packet.
4085  *
4086  * returns: nothing. Will not return at all if there's any failure.
4087  *
4088  * Note: this code does not depend on having any access to shared memory.
4089  * In the EXEC_BACKEND case, we are physically attached to shared memory
4090  * but have not yet set up most of our local pointers to shmem structures.
4091  */
4092 static void
4094 {
4095  int status;
4096  int ret;
4097  char remote_host[NI_MAXHOST];
4098  char remote_port[NI_MAXSERV];
4099  char remote_ps_data[NI_MAXHOST];
4100 
4101  /* Save port etc. for ps status */
4102  MyProcPort = port;
4103 
4104  /*
4105  * PreAuthDelay is a debugging aid for investigating problems in the
4106  * authentication cycle: it can be set in postgresql.conf to allow time to
4107  * attach to the newly-forked backend with a debugger. (See also
4108  * PostAuthDelay, which we allow clients to pass through PGOPTIONS, but it
4109  * is not honored until after authentication.)
4110  */
4111  if (PreAuthDelay > 0)
4112  pg_usleep(PreAuthDelay * 1000000L);
4113 
4114  /* This flag will remain set until InitPostgres finishes authentication */
4115  ClientAuthInProgress = true; /* limit visibility of log messages */
4116 
4117  /* save process start time */
4120 
4121  /* set these to empty in case they are needed before we set them up */
4122  port->remote_host = "";
4123  port->remote_port = "";
4124 
4125  /*
4126  * Initialize libpq and enable reporting of ereport errors to the client.
4127  * Must do this now because authentication uses libpq to send messages.
4128  */
4129  pq_init(); /* initialize libpq to talk to client */
4130  whereToSendOutput = DestRemote; /* now safe to ereport to client */
4131 
4132  /*
4133  * We arrange for a simple exit(1) if we receive SIGTERM or SIGQUIT or
4134  * timeout while trying to collect the startup packet. Otherwise the
4135  * postmaster cannot shutdown the database FAST or IMMED cleanly if a
4136  * buggy client fails to send the packet promptly. XXX it follows that
4137  * the remainder of this function must tolerate losing control at any
4138  * instant. Likewise, any pg_on_exit_callback registered before or during
4139  * this function must be prepared to execute at any instant between here
4140  * and the end of this function. Furthermore, affected callbacks execute
4141  * partially or not at all when a second exit-inducing signal arrives
4142  * after proc_exit_prepare() decrements on_proc_exit_index. (Thanks to
4143  * that mechanic, callbacks need not anticipate more than one call.) This
4144  * is fragile; it ought to instead follow the norm of handling interrupts
4145  * at selected, safe opportunities.
4146  */
4147  pqsignal(SIGTERM, startup_die);
4149  InitializeTimeouts(); /* establishes SIGALRM handler */
4151 
4152  /*
4153  * Get the remote host name and port for logging and status display.
4154  */
4155  remote_host[0] = '\0';
4156  remote_port[0] = '\0';
4157  if ((ret = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
4158  remote_host, sizeof(remote_host),
4159  remote_port, sizeof(remote_port),
4160  (log_hostname ? 0 : NI_NUMERICHOST) | NI_NUMERICSERV)) != 0)
4161  ereport(WARNING,
4162  (errmsg_internal("pg_getnameinfo_all() failed: %s",
4163  gai_strerror(ret))));
4164  if (remote_port[0] == '\0')
4165  snprintf(remote_ps_data, sizeof(remote_ps_data), "%s", remote_host);
4166  else
4167  snprintf(remote_ps_data, sizeof(remote_ps_data), "%s(%s)", remote_host, remote_port);
4168 
4169  /*
4170  * Save remote_host and remote_port in port structure (after this, they
4171  * will appear in log_line_prefix data for log messages).
4172  */
4173  port->remote_host = strdup(remote_host);
4174  port->remote_port = strdup(remote_port);
4175 
4176  /* And now we can issue the Log_connections message, if wanted */
4177  if (Log_connections)
4178  {
4179  if (remote_port[0])
4180  ereport(LOG,
4181  (errmsg("connection received: host=%s port=%s",
4182  remote_host,
4183  remote_port)));
4184  else
4185  ereport(LOG,
4186  (errmsg("connection received: host=%s",
4187  remote_host)));
4188  }
4189 
4190  /*
4191  * If we did a reverse lookup to name, we might as well save the results
4192  * rather than possibly repeating the lookup during authentication.
4193  *
4194  * Note that we don't want to specify NI_NAMEREQD above, because then we'd
4195  * get nothing useful for a client without an rDNS entry. Therefore, we
4196  * must check whether we got a numeric IPv4 or IPv6 address, and not save
4197  * it into remote_hostname if so. (This test is conservative and might
4198  * sometimes classify a hostname as numeric, but an error in that
4199  * direction is safe; it only results in a possible extra lookup.)
4200  */
4201  if (log_hostname &&
4202  ret == 0 &&
4203  strspn(remote_host, "0123456789.") < strlen(remote_host) &&
4204  strspn(remote_host, "0123456789ABCDEFabcdef:") < strlen(remote_host))
4205  port->remote_hostname = strdup(remote_host);
4206 
4207  /*
4208  * Ready to begin client interaction. We will give up and exit(1) after a
4209  * time delay, so that a broken client can't hog a connection
4210  * indefinitely. PreAuthDelay and any DNS interactions above don't count
4211  * against the time limit.
4212  *
4213  * Note: AuthenticationTimeout is applied here while waiting for the
4214  * startup packet, and then again in InitPostgres for the duration of any
4215  * authentication operations. So a hostile client could tie up the
4216  * process for nearly twice AuthenticationTimeout before we kick him off.
4217  *
4218  * Note: because PostgresMain will call InitializeTimeouts again, the
4219  * registration of STARTUP_PACKET_TIMEOUT will be lost. This is okay
4220  * since we never use it again after this function.
4221  */
4224 
4225  /*
4226  * Receive the startup packet (which might turn out to be a cancel request
4227  * packet).
4228  */
4229  status = ProcessStartupPacket(port, false);
4230 
4231  /*
4232  * Stop here if it was bad or a cancel packet. ProcessStartupPacket
4233  * already did any appropriate error reporting.
4234  */
4235  if (status != STATUS_OK)
4236  proc_exit(0);
4237 
4238  /*
4239  * Now that we have the user and database name, we can set the process
4240  * title for ps. It's good to do this as early as possible in startup.
4241  *
4242  * For a walsender, the ps display is set in the following form:
4243  *
4244  * postgres: wal sender process <user> <host> <activity>
4245  *
4246  * To achieve that, we pass "wal sender process" as username and username
4247  * as dbname to init_ps_display(). XXX: should add a new variant of
4248  * init_ps_display() to avoid abusing the parameters like this.
4249  */
4250  if (am_walsender)
4251  init_ps_display("wal sender process", port->user_name, remote_ps_data,
4252  update_process_title ? "authentication" : "");
4253  else
4254  init_ps_display(port->user_name, port->database_name, remote_ps_data,
4255  update_process_title ? "authentication" : "");
4256 
4257  /*
4258  * Disable the timeout, and prevent SIGTERM/SIGQUIT again.
4259  */
4261  PG_SETMASK(&BlockSig);
4262 }
4263 
4264 
4265 /*
4266  * BackendRun -- set up the backend's argument list and invoke PostgresMain()
4267  *
4268  * returns:
4269  * Shouldn't return at all.
4270  * If PostgresMain() fails, return status.
4271  */
4272 static void
4274 {
4275  char **av;
4276  int maxac;
4277  int ac;
4278  long secs;
4279  int usecs;
4280  int i;
4281 
4282  /*
4283  * Don't want backend to be able to see the postmaster random number
4284  * generator state. We have to clobber the static random_seed *and* start
4285  * a new random sequence in the random() library function.
4286  */
4287 #ifndef HAVE_STRONG_RANDOM
4288  random_seed = 0;
4289  random_start_time.tv_usec = 0;
4290 #endif
4291  /* slightly hacky way to convert timestamptz into integers */
4292  TimestampDifference(0, port->SessionStartTime, &secs, &usecs);
4293  srandom((unsigned int) (MyProcPid ^ (usecs << 12) ^ secs));
4294 
4295  /*
4296  * Now, build the argv vector that will be given to PostgresMain.
4297  *
4298  * The maximum possible number of commandline arguments that could come
4299  * from ExtraOptions is (strlen(ExtraOptions) + 1) / 2; see
4300  * pg_split_opts().
4301  */
4302  maxac = 2; /* for fixed args supplied below */
4303  maxac += (strlen(ExtraOptions) + 1) / 2;
4304 
4305  av = (char **) MemoryContextAlloc(TopMemoryContext,
4306  maxac * sizeof(char *));
4307  ac = 0;
4308 
4309  av[ac++] = "postgres";
4310 
4311  /*
4312  * Pass any backend switches specified with -o on the postmaster's own
4313  * command line. We assume these are secure.
4314  */
4315  pg_split_opts(av, &ac, ExtraOptions);
4316 
4317  av[ac] = NULL;
4318 
4319  Assert(ac < maxac);
4320 
4321  /*
4322  * Debug: print arguments being passed to backend
4323  */
4324  ereport(DEBUG3,
4325  (errmsg_internal("%s child[%d]: starting with (",
4326  progname, (int) getpid())));
4327  for (i = 0; i < ac; ++i)
4328  ereport(DEBUG3,
4329  (errmsg_internal("\t%s", av[i])));
4330  ereport(DEBUG3,
4331  (errmsg_internal(")")));
4332 
4333  /*
4334  * Make sure we aren't in PostmasterContext anymore. (We can't delete it
4335  * just yet, though, because InitPostgres will need the HBA data.)
4336  */
4338 
4339  PostgresMain(ac, av, port->database_name, port->user_name);
4340 }
4341 
4342 
4343 #ifdef EXEC_BACKEND
4344 
4345 /*
4346  * postmaster_forkexec -- fork and exec a postmaster subprocess
4347  *
4348  * The caller must have set up the argv array already, except for argv[2]
4349  * which will be filled with the name of the temp variable file.
4350  *
4351  * Returns the child process PID, or -1 on fork failure (a suitable error
4352  * message has been logged on failure).
4353  *
4354  * All uses of this routine will dispatch to SubPostmasterMain in the
4355  * child process.
4356  */
4357 pid_t
4358 postmaster_forkexec(int argc, char *argv[])
4359 {
4360  Port port;
4361 
4362  /* This entry point passes dummy values for the Port variables */
4363  memset(&port, 0, sizeof(port));
4364  return internal_forkexec(argc, argv, &port);
4365 }
4366 
4367 /*
4368  * backend_forkexec -- fork/exec off a backend process
4369  *
4370  * Some operating systems (WIN32) don't have fork() so we have to simulate
4371  * it by storing parameters that need to be passed to the child and
4372  * then create a new child process.
4373  *
4374  * returns the pid of the fork/exec'd process, or -1 on failure
4375  */
4376 static pid_t
4377 backend_forkexec(Port *port)
4378 {
4379  char *av[4];
4380  int ac = 0;
4381 
4382  av[ac++] = "postgres";
4383  av[ac++] = "--forkbackend";
4384  av[ac++] = NULL; /* filled in by internal_forkexec */
4385 
4386  av[ac] = NULL;
4387  Assert(ac < lengthof(av));
4388 
4389  return internal_forkexec(ac, av, port);
4390 }
4391 
4392 #ifndef WIN32
4393 
4394 /*
4395  * internal_forkexec non-win32 implementation
4396  *
4397  * - writes out backend variables to the parameter file
4398  * - fork():s, and then exec():s the child process
4399  */
4400 static pid_t
4401 internal_forkexec(int argc, char *argv[], Port *port)
4402 {
4403  static unsigned long tmpBackendFileNum = 0;
4404  pid_t pid;
4405  char tmpfilename[MAXPGPATH];
4406  BackendParameters param;
4407  FILE *fp;
4408 
4409  if (!save_backend_variables(&param, port))
4410  return -1; /* log made by save_backend_variables */
4411 
4412  /* Calculate name for temp file */
4413  snprintf(tmpfilename, MAXPGPATH, "%s/%s.backend_var.%d.%lu",
4415  MyProcPid, ++tmpBackendFileNum);
4416 
4417  /* Open file */
4418  fp = AllocateFile(tmpfilename, PG_BINARY_W);
4419  if (!fp)
4420  {
4421  /*
4422  * As in OpenTemporaryFileInTablespace, try to make the temp-file
4423  * directory
4424  */
4425  mkdir(PG_TEMP_FILES_DIR, S_IRWXU);
4426 
4427  fp = AllocateFile(tmpfilename, PG_BINARY_W);
4428  if (!fp)
4429  {
4430  ereport(LOG,
4432  errmsg("could not create file \"%s\": %m",
4433  tmpfilename)));
4434  return -1;
4435  }
4436  }
4437 
4438  if (fwrite(&param, sizeof(param), 1, fp) != 1)
4439  {
4440  ereport(LOG,
4442  errmsg("could not write to file \"%s\": %m", tmpfilename)));
4443  FreeFile(fp);
4444  return -1;
4445  }
4446 
4447  /* Release file */
4448  if (FreeFile(fp))
4449  {
4450  ereport(LOG,
4452  errmsg("could not write to file \"%s\": %m", tmpfilename)));
4453  return -1;
4454  }
4455 
4456  /* Make sure caller set up argv properly */
4457  Assert(argc >= 3);
4458  Assert(argv[argc] == NULL);
4459  Assert(strncmp(argv[1], "--fork", 6) == 0);
4460  Assert(argv[2] == NULL);
4461 
4462  /* Insert temp file name after --fork argument */
4463  argv[2] = tmpfilename;
4464 
4465  /* Fire off execv in child */
4466  if ((pid = fork_process()) == 0)
4467  {
4468  if (execv(postgres_exec_path, argv) < 0)
4469  {
4470  ereport(LOG,
4471  (errmsg("could not execute server process \"%s\": %m",
4472  postgres_exec_path)));
4473  /* We're already in the child process here, can't return */
4474  exit(1);
4475  }
4476  }
4477 
4478  return pid; /* Parent returns pid, or -1 on fork failure */
4479 }
4480 #else /* WIN32 */
4481 
4482 /*
4483  * internal_forkexec win32 implementation
4484  *
4485  * - starts backend using CreateProcess(), in suspended state
4486  * - writes out backend variables to the parameter file
4487  * - during this, duplicates handles and sockets required for
4488  * inheritance into the new process
4489  * - resumes execution of the new process once the backend parameter
4490  * file is complete.
4491  */
4492 static pid_t
4493 internal_forkexec(int argc, char *argv[], Port *port)
4494 {
4495  STARTUPINFO si;
4496  PROCESS_INFORMATION pi;
4497  int i;
4498  int j;
4499  char cmdLine[MAXPGPATH * 2];
4500  HANDLE paramHandle;
4501  BackendParameters *param;
4502  SECURITY_ATTRIBUTES sa;
4503  char paramHandleStr[32];
4504  win32_deadchild_waitinfo *childinfo;
4505 
4506  /* Make sure caller set up argv properly */
4507  Assert(argc >= 3);
4508  Assert(argv[argc] == NULL);
4509  Assert(strncmp(argv[1], "--fork", 6) == 0);
4510  Assert(argv[2] == NULL);
4511 
4512  /* Set up shared memory for parameter passing */
4513  ZeroMemory(&sa, sizeof(sa));
4514  sa.nLength = sizeof(sa);
4515  sa.bInheritHandle = TRUE;
4516  paramHandle = CreateFileMapping(INVALID_HANDLE_VALUE,
4517  &sa,
4518  PAGE_READWRITE,
4519  0,
4520  sizeof(BackendParameters),
4521  NULL);
4522  if (paramHandle == INVALID_HANDLE_VALUE)
4523  {
4524  elog(LOG, "could not create backend parameter file mapping: error code %lu",
4525  GetLastError());
4526  return -1;
4527  }
4528 
4529  param = MapViewOfFile(paramHandle, FILE_MAP_WRITE, 0, 0, sizeof(BackendParameters));
4530  if (!param)
4531  {
4532  elog(LOG, "could not map backend parameter memory: error code %lu",
4533  GetLastError());
4534  CloseHandle(paramHandle);
4535  return -1;
4536  }
4537 
4538  /* Insert temp file name after --fork argument */
4539 #ifdef _WIN64
4540  sprintf(paramHandleStr, "%llu", (LONG_PTR) paramHandle);
4541 #else
4542  sprintf(paramHandleStr, "%lu", (DWORD) paramHandle);
4543 #endif
4544  argv[2] = paramHandleStr;
4545 
4546  /* Format the cmd line */
4547  cmdLine[sizeof(cmdLine) - 1] = '\0';
4548  cmdLine[sizeof(cmdLine) - 2] = '\0';
4549  snprintf(cmdLine, sizeof(cmdLine) - 1, "\"%s\"", postgres_exec_path);
4550  i = 0;
4551  while (argv[++i] != NULL)
4552  {
4553  j = strlen(cmdLine);
4554  snprintf(cmdLine + j, sizeof(cmdLine) - 1 - j, " \"%s\"", argv[i]);
4555  }
4556  if (cmdLine[sizeof(cmdLine) - 2] != '\0')
4557  {
4558  elog(LOG, "subprocess command line too long");
4559  return -1;
4560  }
4561 
4562  memset(&pi, 0, sizeof(pi));
4563  memset(&si, 0, sizeof(si));
4564  si.cb = sizeof(si);
4565 
4566  /*
4567  * Create the subprocess in a suspended state. This will be resumed later,
4568  * once we have written out the parameter file.
4569  */
4570  if (!CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, CREATE_SUSPENDED,
4571  NULL, NULL, &si, &pi))
4572  {
4573  elog(LOG, "CreateProcess call failed: %m (error code %lu)",
4574  GetLastError());
4575  return -1;
4576  }
4577 
4578  if (!save_backend_variables(param, port, pi.hProcess, pi.dwProcessId))
4579  {
4580  /*
4581  * log made by save_backend_variables, but we have to clean up the
4582  * mess with the half-started process
4583  */
4584  if (!TerminateProcess(pi.hProcess, 255))
4585  ereport(LOG,
4586  (errmsg_internal("could not terminate unstarted process: error code %lu",
4587  GetLastError())));
4588  CloseHandle(pi.hProcess);
4589  CloseHandle(pi.hThread);
4590  return -1; /* log made by save_backend_variables */
4591  }
4592 
4593  /* Drop the parameter shared memory that is now inherited to the backend */
4594  if (!UnmapViewOfFile(param))
4595  elog(LOG, "could not unmap view of backend parameter file: error code %lu",
4596  GetLastError());
4597  if (!CloseHandle(paramHandle))
4598  elog(LOG, "could not close handle to backend parameter file: error code %lu",
4599  GetLastError());
4600 
4601  /*
4602  * Reserve the memory region used by our main shared memory segment before
4603  * we resume the child process.
4604  */
4605  if (!pgwin32_ReserveSharedMemoryRegion(pi.hProcess))
4606  {
4607  /*
4608  * Failed to reserve the memory, so terminate the newly created
4609  * process and give up.
4610  */
4611  if (!TerminateProcess(pi.hProcess, 255))
4612  ereport(LOG,
4613  (errmsg_internal("could not terminate process that failed to reserve memory: error code %lu",
4614  GetLastError())));
4615  CloseHandle(pi.hProcess);
4616  CloseHandle(pi.hThread);
4617  return -1; /* logging done made by
4618  * pgwin32_ReserveSharedMemoryRegion() */
4619  }
4620 
4621  /*
4622  * Now that the backend variables are written out, we start the child
4623  * thread so it can start initializing while we set up the rest of the
4624  * parent state.
4625  */
4626  if (ResumeThread(pi.hThread) == -1)
4627  {
4628  if (!TerminateProcess(pi.hProcess, 255))
4629  {
4630  ereport(LOG,
4631  (errmsg_internal("could not terminate unstartable process: error code %lu",
4632  GetLastError())));
4633  CloseHandle(pi.hProcess);
4634  CloseHandle(pi.hThread);
4635  return -1;
4636  }
4637  CloseHandle(pi.hProcess);
4638  CloseHandle(pi.hThread);
4639  ereport(LOG,
4640  (errmsg_internal("could not resume thread of unstarted process: error code %lu",
4641  GetLastError())));
4642  return -1;
4643  }
4644 
4645  /*
4646  * Queue a waiter for to signal when this child dies. The wait will be
4647  * handled automatically by an operating system thread pool.
4648  *
4649  * Note: use malloc instead of palloc, since it needs to be thread-safe.
4650  * Struct will be free():d from the callback function that runs on a
4651  * different thread.
4652  */
4653  childinfo = malloc(sizeof(win32_deadchild_waitinfo));
4654  if (!childinfo)
4655  ereport(FATAL,
4656  (errcode(ERRCODE_OUT_OF_MEMORY),
4657  errmsg("out of memory")));
4658 
4659  childinfo->procHandle = pi.hProcess;
4660  childinfo->procId = pi.dwProcessId;
4661 
4662  if (!RegisterWaitForSingleObject(&childinfo->waitHandle,
4663  pi.hProcess,
4664  pgwin32_deadchild_callback,
4665  childinfo,
4666  INFINITE,
4667  WT_EXECUTEONLYONCE | WT_EXECUTEINWAITTHREAD))
4668  ereport(FATAL,
4669  (errmsg_internal("could not register process for wait: error code %lu",
4670  GetLastError())));
4671 
4672  /* Don't close pi.hProcess here - the wait thread needs access to it */
4673 
4674  CloseHandle(pi.hThread);
4675 
4676  return pi.dwProcessId;
4677 }
4678 #endif /* WIN32 */
4679 
4680 
4681 /*
4682  * SubPostmasterMain -- Get the fork/exec'd process into a state equivalent
4683  * to what it would be if we'd simply forked on Unix, and then
4684  * dispatch to the appropriate place.
4685  *
4686  * The first two command line arguments are expected to be "--forkFOO"
4687  * (where FOO indicates which postmaster child we are to become), and
4688  * the name of a variables file that we can read to load data that would
4689  * have been inherited by fork() on Unix. Remaining arguments go to the
4690  * subprocess FooMain() routine.
4691  */
4692 void
4693 SubPostmasterMain(int argc, char *argv[])
4694 {
4695  Port port;
4696 
4697  /* In EXEC_BACKEND case we will not have inherited these settings */
4698  IsPostmasterEnvironment = true;
4700 
4701  /* Setup as postmaster child */
4703 
4704  /* Setup essential subsystems (to ensure elog() behaves sanely) */
4706 
4707  /* Check we got appropriate args */
4708  if (argc < 3)
4709  elog(FATAL, "invalid subpostmaster invocation");
4710 
4711  /* Read in the variables file */
4712  memset(&port, 0, sizeof(Port));
4713  read_backend_variables(argv[2], &port);
4714 
4715  /* Close the postmaster's sockets (as soon as we know them) */
4716  ClosePostmasterPorts(strcmp(argv[1], "--forklog") == 0);
4717 
4718  /*
4719  * Set reference point for stack-depth checking
4720  */
4721  set_stack_base();
4722 
4723  /*
4724  * Set up memory area for GSS information. Mirrors the code in ConnCreate
4725  * for the non-exec case.
4726  */
4727 #if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
4728  port.gss = (pg_gssinfo *) calloc(1, sizeof(pg_gssinfo));
4729  if (!port.gss)
4730  ereport(FATAL,
4731  (errcode(ERRCODE_OUT_OF_MEMORY),
4732  errmsg("out of memory")));
4733 #endif
4734 
4735  /*
4736  * If appropriate, physically re-attach to shared memory segment. We want
4737  * to do this before going any further to ensure that we can attach at the
4738  * same address the postmaster used. On the other hand, if we choose not
4739  * to re-attach, we may have other cleanup to do.
4740  *
4741  * If testing EXEC_BACKEND on Linux, you should run this as root before
4742  * starting the postmaster:
4743  *
4744  * echo 0 >/proc/sys/kernel/randomize_va_space
4745  *
4746  * This prevents using randomized stack and code addresses that cause the
4747  * child process's memory map to be different from the parent's, making it
4748  * sometimes impossible to attach to shared memory at the desired address.
4749  * Return the setting to its old value (usually '1' or '2') when finished.
4750  */
4751  if (strcmp(argv[1], "--forkbackend") == 0 ||
4752  strcmp(argv[1], "--forkavlauncher") == 0 ||
4753  strcmp(argv[1], "--forkavworker") == 0 ||
4754  strcmp(argv[1], "--forkboot") == 0 ||
4755  strncmp(argv[1], "--forkbgworker=", 15) == 0)
4757  else
4759 
4760  /* autovacuum needs this set before calling InitProcess */
4761  if (strcmp(argv[1], "--forkavlauncher") == 0)
4762  AutovacuumLauncherIAm();
4763  if (strcmp(argv[1], "--forkavworker") == 0)
4764  AutovacuumWorkerIAm();
4765 
4766  /*
4767  * Start our win32 signal implementation. This has to be done after we
4768  * read the backend variables, because we need to pick up the signal pipe
4769  * from the parent process.
4770  */
4771 #ifdef WIN32
4773 #endif
4774 
4775  /* In EXEC_BACKEND case we will not have inherited these settings */
4776  pqinitmask();
4777  PG_SETMASK(&BlockSig);
4778 
4779  /* Read in remaining GUC variables */
4780  read_nondefault_variables();
4781 
4782  /*
4783  * Reload any libraries that were preloaded by the postmaster. Since we
4784  * exec'd this process, those libraries didn't come along with us; but we
4785  * should load them into all child processes to be consistent with the
4786  * non-EXEC_BACKEND behavior.
4787  */
4789 
4790  /* Run backend or appropriate child */
4791  if (strcmp(argv[1], "--forkbackend") == 0)
4792  {
4793  Assert(argc == 3); /* shouldn't be any more args */
4794 
4795  /*
4796  * Need to reinitialize the SSL library in the backend, since the
4797  * context structures contain function pointers and cannot be passed
4798  * through the parameter file.
4799  *
4800  * If for some reason reload fails (maybe the user installed broken
4801  * key files), soldier on without SSL; that's better than all
4802  * connections becoming impossible.
4803  *
4804  * XXX should we do this in all child processes? For the moment it's
4805  * enough to do it in backend children.
4806  */
4807 #ifdef USE_SSL
4808  if (EnableSSL)
4809  {
4810  if (secure_initialize(false) == 0)
4811  LoadedSSL = true;
4812  else
4813  ereport(LOG,
4814  (errmsg("SSL configuration could not be loaded in child process")));
4815  }
4816 #endif
4817 
4818  /*
4819  * Perform additional initialization and collect startup packet.
4820  *
4821  * We want to do this before InitProcess() for a couple of reasons: 1.
4822  * so that we aren't eating up a PGPROC slot while waiting on the
4823  * client. 2. so that if InitProcess() fails due to being out of
4824  * PGPROC slots, we have already initialized libpq and are able to
4825  * report the error to the client.
4826  */
4827  BackendInitialize(&port);
4828 
4829  /* Restore basic shared memory pointers */
4831 
4832  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4833  InitProcess();
4834 
4835  /* Attach process to shared data structures */
4837 
4838  /* And run the backend */
4839  BackendRun(&port); /* does not return */
4840  }
4841  if (strcmp(argv[1], "--forkboot") == 0)
4842  {
4843  /* Restore basic shared memory pointers */
4845 
4846  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4848 
4849  /* Attach process to shared data structures */
4851 
4852  AuxiliaryProcessMain(argc - 2, argv + 2); /* does not return */
4853  }
4854  if (strcmp(argv[1], "--forkavlauncher") == 0)
4855  {
4856  /* Restore basic shared memory pointers */
4858 
4859  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4860  InitProcess();
4861 
4862  /* Attach process to shared data structures */
4864 
4865  AutoVacLauncherMain(argc - 2, argv + 2); /* does not return */
4866  }
4867  if (strcmp(argv[1], "--forkavworker") == 0)
4868  {
4869  /* Restore basic shared memory pointers */
4871 
4872  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4873  InitProcess();
4874 
4875  /* Attach process to shared data structures */
4877 
4878  AutoVacWorkerMain(argc - 2, argv + 2); /* does not return */
4879  }
4880  if (strncmp(argv[1], "--forkbgworker=", 15) == 0)
4881  {
4882  int shmem_slot;
4883 
4884  /* do this as early as possible; in particular, before InitProcess() */
4885  IsBackgroundWorker = true;
4886 
4887  /* Restore basic shared memory pointers */
4889 
4890  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4891  InitProcess();
4892 
4893  /* Attach process to shared data structures */
4895 
4896  /* Fetch MyBgworkerEntry from shared memory */
4897  shmem_slot = atoi(argv[1] + 15);
4898  MyBgworkerEntry = BackgroundWorkerEntry(shmem_slot);
4899 
4901  }
4902  if (strcmp(argv[1], "--forkarch") == 0)
4903  {
4904  /* Do not want to attach to shared memory */
4905 
4906  PgArchiverMain(argc, argv); /* does not return */
4907  }
4908  if (strcmp(argv[1], "--forkcol") == 0)
4909  {
4910  /* Do not want to attach to shared memory */
4911 
4912  PgstatCollectorMain(argc, argv); /* does not return */
4913  }
4914  if (strcmp(argv[1], "--forklog") == 0)
4915  {
4916  /* Do not want to attach to shared memory */
4917 
4918  SysLoggerMain(argc, argv); /* does not return */
4919  }
4920 
4921  abort(); /* shouldn't get here */
4922 }
4923 #endif /* EXEC_BACKEND */
4924 
4925 
4926 /*
4927  * ExitPostmaster -- cleanup
4928  *
4929  * Do NOT call exit() directly --- always go through here!
4930  */
4931 static void
4933 {
4934 #ifdef HAVE_PTHREAD_IS_THREADED_NP
4935 
4936  /*
4937  * There is no known cause for a postmaster to become multithreaded after
4938  * startup. Recheck to account for the possibility of unknown causes.
4939  * This message uses LOG level, because an unclean shutdown at this point
4940  * would usually not look much different from a clean shutdown.
4941  */
4942  if (pthread_is_threaded_np() != 0)
4943  ereport(LOG,
4944  (errcode(ERRCODE_INTERNAL_ERROR),
4945  errmsg_internal("postmaster became multithreaded"),
4946  errdetail("Please report this to <pgsql-bugs@postgresql.org>.")));
4947 #endif
4948 
4949  /* should cleanup shared memory and kill all backends */
4950 
4951  /*
4952  * Not sure of the semantics here. When the Postmaster dies, should the
4953  * backends all be killed? probably not.
4954  *
4955  * MUST -- vadim 05-10-1999
4956  */
4957 
4958  proc_exit(status);
4959 }
4960 
4961 /*
4962  * sigusr1_handler - handle signal conditions from child processes
4963  */
4964 static void
4966 {
4967  int save_errno = errno;
4968 
4969  PG_SETMASK(&BlockSig);
4970 
4971  /* Process background worker state change. */
4973  {
4975  StartWorkerNeeded = true;
4976  }
4977 
4978  /*
4979  * RECOVERY_STARTED and BEGIN_HOT_STANDBY signals are ignored in
4980  * unexpected states. If the startup process quickly starts up, completes
4981  * recovery, exits, we might process the death of the startup process
4982  * first. We don't want to go back to recovery in that case.
4983  */
4986  {
4987  /* WAL redo has started. We're out of reinitialization. */
4988  FatalError = false;
4989  Assert(AbortStartTime == 0);
4990 
4991  /*
4992  * Crank up the background tasks. It doesn't matter if this fails,
4993  * we'll just try again later.
4994  */
4995  Assert(CheckpointerPID == 0);
4997  Assert(BgWriterPID == 0);
4999 
5000  /*
5001  * Start the archiver if we're responsible for (re-)archiving received
5002  * files.
5003  */
5004  Assert(PgArchPID == 0);
5005  if (XLogArchivingAlways())
5006  PgArchPID = pgarch_start();
5007 
5008 #ifdef USE_SYSTEMD
5009  if (!EnableHotStandby)
5010  sd_notify(0, "READY=1");
5011 #endif
5012 
5013  pmState = PM_RECOVERY;
5014  }
5017  {
5018  /*
5019  * Likewise, start other special children as needed.
5020  */
5021  Assert(PgStatPID == 0);
5022  PgStatPID = pgstat_start();
5023 
5024  ereport(LOG,
5025  (errmsg("database system is ready to accept read only connections")));
5026 
5027 #ifdef USE_SYSTEMD
5028  sd_notify(0, "READY=1");
5029 #endif
5030 
5032  /* Some workers may be scheduled to start now */
5033  StartWorkerNeeded = true;
5034  }
5035 
5038 
5040  PgArchPID != 0)
5041  {
5042  /*
5043  * Send SIGUSR1 to archiver process, to wake it up and begin archiving
5044  * next WAL file.
5045  */
5047  }
5048 
5050  SysLoggerPID != 0)
5051  {
5052  /* Tell syslogger to rotate logfile */
5054  }
5055 
5057  Shutdown == NoShutdown)
5058  {
5059  /*
5060  * Start one iteration of the autovacuum daemon, even if autovacuuming
5061  * is nominally not enabled. This is so we can have an active defense
5062  * against transaction ID wraparound. We set a flag for the main loop
5063  * to do it rather than trying to do it here --- this is because the
5064  * autovac process itself may send the signal, and we want to handle
5065  * that by launching another iteration as soon as the current one
5066  * completes.
5067  */
5068  start_autovac_launcher = true;
5069  }
5070 
5072  Shutdown == NoShutdown)
5073  {
5074  /* The autovacuum launcher wants us to start a worker process. */
5076  }
5077 
5079  {
5080  /* Startup Process wants us to start the walreceiver process. */
5081  /* Start immediately if possible, else remember request for later. */
5082  WalReceiverRequested = true;
5084  }
5085 
5088  {
5089  /* Advance postmaster's state machine */
5091  }
5092 
5093  if (CheckPromoteSignal() && StartupPID != 0 &&
5094  (pmState == PM_STARTUP || pmState == PM_RECOVERY ||
5096  {
5097  /* Tell startup process to finish recovery */
5099  }
5100 
5102 
5103  errno = save_errno;
5104 }
5105 
5106 /*
5107  * SIGTERM or SIGQUIT while processing startup packet.
5108  * Clean up and exit(1).
5109  *
5110  * XXX: possible future improvement: try to send a message indicating
5111  * why we are disconnecting. Problem is to be sure we don't block while
5112  * doing so, nor mess up SSL initialization. In practice, if the client
5113  * has wedged here, it probably couldn't do anything with the message anyway.
5114  */
5115 static void
5117 {
5118  proc_exit(1);
5119 }
5120 
5121 /*
5122  * Dummy signal handler
5123  *
5124  * We use this for signals that we don't actually use in the postmaster,
5125  * but we do use in backends. If we were to SIG_IGN such signals in the
5126  * postmaster, then a newly started backend might drop a signal that arrives
5127  * before it's able to reconfigure its signal processing. (See notes in
5128  * tcop/postgres.c.)
5129  */
5130 static void
5132 {
5133 }
5134 
5135 /*
5136  * Timeout while processing startup packet.
5137  * As for startup_die(), we clean up and exit(1).
5138  */
5139 static void
5141 {
5142  proc_exit(1);
5143 }
5144 
5145 
5146 /*
5147  * Generate a random cancel key.
5148  */
5149 static bool
5151 {
5152 #ifdef HAVE_STRONG_RANDOM
5153  return pg_strong_random((char *) cancel_key, sizeof(int32));
5154 #else
5155 
5156  /*
5157  * If built with --disable-strong-random, use plain old erand48.
5158  *
5159  * We cannot use pg_backend_random() in postmaster, because it stores its
5160  * state in shared memory.
5161  */
5162  static unsigned short seed[3];
5163 
5164  /*
5165  * Select a random seed at the time of first receiving a request.
5166  */
5167  if (random_seed == 0)
5168  {
5169  struct timeval random_stop_time;
5170 
5171  gettimeofday(&random_stop_time, NULL);
5172 
5173  seed[0] = (unsigned short) random_start_time.tv_usec;
5174  seed[1] = (unsigned short) (random_stop_time.tv_usec) ^ (random_start_time.tv_usec >> 16);
5175  seed[2] = (unsigned short) (random_stop_time.tv_usec >> 16);
5176 
5177  random_seed = 1;
5178  }
5179 
5180  *cancel_key = pg_jrand48(seed);
5181 
5182  return true;
5183 #endif
5184 }
5185 
5186 /*
5187  * Count up number of child processes of specified types (dead_end children
5188  * are always excluded).
5189  */
5190 static int
5191 CountChildren(int target)
5192 {
5193  dlist_iter iter;
5194  int cnt = 0;
5195 
5196  dlist_foreach(iter, &BackendList)
5197  {
5198  Backend *bp = dlist_container(Backend, elem, iter.cur);
5199 
5200  if (bp->dead_end)
5201  continue;
5202 
5203  /*
5204  * Since target == BACKEND_TYPE_ALL is the most common case, we test
5205  * it first and avoid touching shared memory for every child.
5206  */
5207  if (target != BACKEND_TYPE_ALL)
5208  {
5209  /*
5210  * Assign bkend_type for any recently announced WAL Sender
5211  * processes.
5212  */
5213  if (bp->bkend_type == BACKEND_TYPE_NORMAL &&
5216 
5217  if (!(target & bp->bkend_type))
5218  continue;
5219  }
5220 
5221  cnt++;
5222  }
5223  return cnt;
5224 }
5225 
5226 
5227 /*
5228  * StartChildProcess -- start an auxiliary process for the postmaster
5229  *
5230  * "type" determines what kind of child will be started. All child types
5231  * initially go to AuxiliaryProcessMain, which will handle common setup.
5232  *
5233  * Return value of StartChildProcess is subprocess' PID, or 0 if failed
5234  * to start subprocess.
5235  */
5236 static pid_t
5238 {
5239  pid_t pid;
5240  char *av[10];
5241  int ac = 0;
5242  char typebuf[32];
5243 
5244  /*
5245  * Set up command-line arguments for subprocess
5246  */
5247  av[ac++] = "postgres";
5248 
5249 #ifdef EXEC_BACKEND
5250  av[ac++] = "--forkboot";
5251  av[ac++] = NULL; /* filled in by postmaster_forkexec */
5252 #endif
5253 
5254  snprintf(typebuf, sizeof(typebuf), "-x%d", type);
5255  av[ac++] = typebuf;
5256 
5257  av[ac] = NULL;
5258  Assert(ac < lengthof(av));
5259 
5260 #ifdef EXEC_BACKEND
5261  pid = postmaster_forkexec(ac, av);
5262 #else /* !EXEC_BACKEND */
5263  pid = fork_process();
5264 
5265  if (pid == 0) /* child */
5266  {
5268 
5269  /* Close the postmaster's sockets */
5270  ClosePostmasterPorts(false);
5271 
5272  /* Release postmaster's working memory context */
5276 
5277  AuxiliaryProcessMain(ac, av);
5278  ExitPostmaster(0);
5279  }
5280 #endif /* EXEC_BACKEND */
5281 
5282  if (pid < 0)
5283  {
5284  /* in parent, fork failed */
5285  int save_errno = errno;
5286 
5287  errno = save_errno;
5288  switch (type)
5289  {
5290  case StartupProcess:
5291  ereport(LOG,
5292  (errmsg("could not fork startup process: %m")));
5293  break;
5294  case BgWriterProcess:
5295  ereport(LOG,
5296  (errmsg("could not fork background writer process: %m")));
5297  break;
5298  case CheckpointerProcess:
5299  ereport(LOG,
5300  (errmsg("could not fork checkpointer process: %m")));
5301  break;
5302  case WalWriterProcess:
5303  ereport(LOG,
5304  (errmsg("could not fork WAL writer process: %m")));
5305  break;
5306  case WalReceiverProcess:
5307  ereport(LOG,
5308  (errmsg("could not fork WAL receiver process: %m")));
5309  break;
5310  default:
5311  ereport(LOG,
5312  (errmsg("could not fork process: %m")));
5313  break;
5314  }
5315 
5316  /*
5317  * fork failure is fatal during startup, but there's no need to choke
5318  * immediately if starting other child types fails.
5319  */
5320  if (type == StartupProcess)
5321  ExitPostmaster(1);
5322  return 0;
5323  }
5324 
5325  /*
5326  * in parent, successful fork
5327  */
5328  return pid;
5329 }
5330 
5331 /*
5332  * StartAutovacuumWorker
5333  * Start an autovac worker process.
5334  *
5335  * This function is here because it enters the resulting PID into the
5336  * postmaster's private backends list.
5337  *
5338  * NB -- this code very roughly matches BackendStartup.
5339  */
5340 static void
5342 {
5343  Backend *bn;
5344 
5345  /*
5346  * If not in condition to run a process, don't try, but handle it like a
5347  * fork failure. This does not normally happen, since the signal is only
5348  * supposed to be sent by autovacuum launcher when it's OK to do it, but
5349  * we have to check to avoid race-condition problems during DB state
5350  * changes.
5351  */
5352  if (canAcceptConnections() == CAC_OK)
5353  {
5354  /*
5355  * Compute the cancel key that will be assigned to this session. We
5356  * probably don't need cancel keys for autovac workers, but we'd
5357  * better have something random in the field to prevent unfriendly
5358  * people from sending cancels to them.
5359  */
5361  {
5362  ereport(LOG,
5363  (errcode(ERRCODE_INTERNAL_ERROR),
5364  errmsg("could not generate random cancel key")));
5365  return;
5366  }
5367 
5368  bn = (Backend *) malloc(sizeof(Backend));
5369  if (bn)
5370  {
5371  bn->cancel_key = MyCancelKey;
5372 
5373  /* Autovac workers are not dead_end and need a child slot */
5374  bn->dead_end = false;
5376  bn->bgworker_notify = false;
5377 
5378  bn->pid = StartAutoVacWorker();
5379  if (bn->pid > 0)
5380  {
5382  dlist_push_head(&BackendList, &bn->elem);
5383 #ifdef EXEC_BACKEND
5384  ShmemBackendArrayAdd(bn);
5385 #endif
5386  /* all OK */
5387  return;
5388  }
5389 
5390  /*
5391  * fork failed, fall through to report -- actual error message was
5392  * logged by StartAutoVacWorker
5393  */
5395  free(bn);
5396  }
5397  else
5398  ereport(LOG,
5399  (errcode(ERRCODE_OUT_OF_MEMORY),
5400  errmsg("out of memory")));
5401  }
5402 
5403  /*
5404  * Report the failure to the launcher, if it's running. (If it's not, we
5405  * might not even be connected to shared memory, so don't try to call
5406  * AutoVacWorkerFailed.) Note that we also need to signal it so that it
5407  * responds to the condition, but we don't do that here, instead waiting
5408  * for ServerLoop to do it. This way we avoid a ping-pong signalling in
5409  * quick succession between the autovac launcher and postmaster in case
5410  * things get ugly.
5411  */
5412  if (AutoVacPID != 0)
5413  {
5415  avlauncher_needs_signal = true;
5416  }
5417 }
5418 
5419 /*
5420  * MaybeStartWalReceiver
5421  * Start the WAL receiver process, if not running and our state allows.
5422  */
5423 static void
5425 {
5426  if (WalReceiverPID == 0 &&
5427  (pmState == PM_STARTUP || pmState == PM_RECOVERY ||
5429  Shutdown == NoShutdown)
5430  {
5432  WalReceiverRequested = false;
5433  }
5434 }
5435 
5436 
5437 /*
5438  * Create the opts file
5439  */
5440 static bool
5441 CreateOptsFile(int argc, char *argv[], char *fullprogname)
5442 {
5443  FILE *fp;
5444  int i;
5445 
5446 #define OPTS_FILE "postmaster.opts"
5447 
5448  if ((fp = fopen(OPTS_FILE, "w")) == NULL)
5449  {
5450  elog(LOG, "could not create file \"%s\": %m", OPTS_FILE);
5451  return false;
5452  }
5453 
5454  fprintf(fp, "%s", fullprogname);
5455  for (i = 1; i < argc; i++)
5456  fprintf(fp, " \"%s\"", argv[i]);
5457  fputs("\n", fp);
5458 
5459  if (fclose(fp))
5460  {
5461  elog(LOG, "could not write file \"%s\": %m", OPTS_FILE);
5462  return false;
5463  }
5464 
5465  return true;
5466 }
5467 
5468 
5469 /*
5470  * MaxLivePostmasterChildren
5471  *
5472  * This reports the number of entries needed in per-child-process arrays
5473  * (the PMChildFlags array, and if EXEC_BACKEND the ShmemBackendArray).
5474  * These arrays include regular backends, autovac workers, walsenders
5475  * and background workers, but not special children nor dead_end children.
5476  * This allows the arrays to have a fixed maximum size, to wit the same
5477  * too-many-children limit enforced by canAcceptConnections(). The exact value
5478  * isn't too critical as long as it's more than MaxBackends.
5479  */
5480 int
5482 {
5483  return 2 * (MaxConnections + autovacuum_max_workers + 1 +
5485 }
5486 
5487 /*
5488  * Connect background worker to a database.
5489  */
5490 void
5492 {
5494 
5495  /* XXX is this the right errcode? */
5497  ereport(FATAL,
5498  (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
5499  errmsg("database connection requirement not indicated during registration")));
5500 
5501  InitPostgres(dbname, InvalidOid, username, InvalidOid, NULL);
5502 
5503  /* it had better not gotten out of "init" mode yet */
5504  if (!IsInitProcessingMode())
5505  ereport(ERROR,
5506  (errmsg("invalid processing mode in background worker")));
5508 }
5509 
5510 /*
5511  * Connect background worker to a database using OIDs.
5512  */
5513 void
5515 {
5517 
5518  /* XXX is this the right errcode? */
5520  ereport(FATAL,
5521  (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
5522  errmsg("database connection requirement not indicated during registration")));
5523 
5524  InitPostgres(NULL, dboid, NULL, useroid, NULL);
5525 
5526  /* it had better not gotten out of "init" mode yet */
5527  if (!IsInitProcessingMode())
5528  ereport(ERROR,
5529  (errmsg("invalid processing mode in background worker")));
5531 }
5532 
5533 /*
5534  * Block/unblock signals in a background worker
5535  */
5536 void
5538 {
5539  PG_SETMASK(&BlockSig);
5540 }
5541 
5542 void
5544 {
5546 }
5547 
5548 #ifdef EXEC_BACKEND
5549 static pid_t
5550 bgworker_forkexec(int shmem_slot)
5551 {
5552  char *av[10];
5553  int ac = 0;
5554  char forkav[MAXPGPATH];
5555 
5556  snprintf(forkav, MAXPGPATH, "--forkbgworker=%d", shmem_slot);
5557 
5558  av[ac++] = "postgres";
5559  av[ac++] = forkav;
5560  av[ac++] = NULL; /* filled in by postmaster_forkexec */
5561  av[ac] = NULL;
5562 
5563  Assert(ac < lengthof(av));
5564 
5565  return postmaster_forkexec(ac, av);
5566 }
5567 #endif
5568 
5569 /*
5570  * Start a new bgworker.
5571  * Starting time conditions must have been checked already.
5572  *
5573  * Returns true on success, false on failure.
5574  * In either case, update the RegisteredBgWorker's state appropriately.
5575  *
5576  * This code is heavily based on autovacuum.c, q.v.
5577  */
5578 static bool
5580 {
5581  pid_t worker_pid;
5582 
5583  Assert(rw->rw_pid == 0);
5584 
5585  /*
5586  * Allocate and assign the Backend element. Note we must do this before
5587  * forking, so that we can handle out of memory properly.
5588  *
5589  * Treat failure as though the worker had crashed. That way, the
5590  * postmaster will wait a bit before attempting to start it again; if it
5591  * tried again right away, most likely it'd find itself repeating the
5592  * out-of-memory or fork failure condition.
5593  */
5594  if (!assign_backendlist_entry(rw))
5595  {
5597  return false;
5598  }
5599 
5600  ereport(DEBUG1,
5601  (errmsg("starting background worker process \"%s\"",
5602  rw->rw_worker.bgw_name)));
5603 
5604 #ifdef EXEC_BACKEND
5605  switch ((worker_pid = bgworker_forkexec(rw->rw_shmem_slot)))
5606 #else
5607  switch ((worker_pid = fork_process()))
5608 #endif
5609  {
5610  case -1:
5611  /* in postmaster, fork failed ... */
5612  ereport(LOG,
5613  (errmsg("could not fork worker process: %m")));
5614  /* undo what assign_backendlist_entry did */
5616  rw->rw_child_slot = 0;
5617  free(rw->rw_backend);
5618  rw->rw_backend = NULL;
5619  /* mark entry as crashed, so we'll try again later */
5621  break;
5622 
5623 #ifndef EXEC_BACKEND
5624  case 0:
5625  /* in postmaster child ... */
5627 
5628  /* Close the postmaster's sockets */
5629  ClosePostmasterPorts(false);
5630 
5631  /*
5632  * Before blowing away PostmasterContext, save this bgworker's
5633  * data where it can find it.
5634  */
5635  MyBgworkerEntry = (BackgroundWorker *)
5637  memcpy(MyBgworkerEntry, &rw->rw_worker, sizeof(BackgroundWorker));
5638 
5639  /* Release postmaster's working memory context */
5643 
5645 
5646  exit(1); /* should not get here */
5647  break;
5648 #endif
5649  default:
5650  /* in postmaster, fork successful ... */
5651  rw->rw_pid = worker_pid;
5652  rw->rw_backend->pid = rw->rw_pid;
5654  /* add new worker to lists of backends */
5655  dlist_push_head(&BackendList, &rw->rw_backend->elem);
5656 #ifdef EXEC_BACKEND
5657  ShmemBackendArrayAdd(rw->rw_backend);
5658 #endif
5659  return true;
5660  }
5661 
5662  return false;
5663 }
5664 
5665 /*
5666  * Does the current postmaster state require starting a worker with the
5667  * specified start_time?
5668  */
5669 static bool
5671 {
5672  switch (pmState)
5673  {
5674  case PM_NO_CHILDREN:
5675  case PM_WAIT_DEAD_END:
5676  case PM_SHUTDOWN_2:
5677  case PM_SHUTDOWN:
5678  case PM_WAIT_BACKENDS:
5679  case PM_WAIT_READONLY:
5680  case PM_WAIT_BACKUP:
5681  break;
5682 
5683  case PM_RUN:
5684  if (start_time == BgWorkerStart_RecoveryFinished)
5685  return true;
5686  /* fall through */
5687 
5688  case PM_HOT_STANDBY:
5689  if (start_time == BgWorkerStart_ConsistentState)
5690  return true;
5691  /* fall through */
5692 
5693  case PM_RECOVERY:
5694  case PM_STARTUP:
5695  case PM_INIT:
5696  if (start_time == BgWorkerStart_PostmasterStart)
5697  return true;
5698  /* fall through */
5699 
5700  }
5701 
5702  return false;
5703 }
5704 
5705 /*
5706  * Allocate the Backend struct for a connected background worker, but don't
5707  * add it to the list of backends just yet.
5708  *
5709  * On failure, return false without changing any worker state.
5710  *
5711  * Some info from the Backend is copied into the passed rw.
5712  */
5713 static bool
5715 {
5716  Backend *bn;
5717 
5718  /*
5719  * Compute the cancel key that will be assigned to this session. We
5720  * probably don't need cancel keys for background workers, but we'd better
5721  * have something random in the field to prevent unfriendly people from
5722  * sending cancels to them.
5723  */
5725  {
5726  ereport(LOG,
5727  (errcode(ERRCODE_INTERNAL_ERROR),
5728  errmsg("could not generate random cancel key")));
5729  return false;
5730  }
5731 
5732  bn = malloc(sizeof(Backend));
5733  if (bn == NULL)
5734  {
5735  ereport(LOG,
5736  (errcode(ERRCODE_OUT_OF_MEMORY),
5737  errmsg("out of memory")));
5738  return false;
5739  }
5740 
5741  bn->cancel_key = MyCancelKey;
5744  bn->dead_end = false;
5745  bn->bgworker_notify = false;
5746 
5747  rw->rw_backend = bn;
5748  rw->rw_child_slot = bn->child_slot;
5749 
5750  return true;
5751 }
5752 
5753 /*
5754  * If the time is right, start background worker(s).
5755  *
5756  * As a side effect, the bgworker control variables are set or reset
5757  * depending on whether more workers may need to be started.
5758  *
5759  * We limit the number of workers started per call, to avoid consuming the
5760  * postmaster's attention for too long when many such requests are pending.
5761  * As long as StartWorkerNeeded is true, ServerLoop will not block and will
5762  * call this function again after dealing with any other issues.
5763  */
5764 static void
5766 {
5767 #define MAX_BGWORKERS_TO_LAUNCH 100
5768  int num_launched = 0;
5769  TimestampTz now = 0;
5770  slist_mutable_iter iter;
5771 
5772  /*
5773  * During crash recovery, we have no need to be called until the state
5774  * transition out of recovery.
5775  */
5776  if (FatalError)
5777  {
5778  StartWorkerNeeded = false;
5779  HaveCrashedWorker = false;
5780  return;
5781  }
5782 
5783  /* Don't need to be called again unless we find a reason for it below */
5784  StartWorkerNeeded = false;
5785  HaveCrashedWorker = false;
5786 
5788  {
5789  RegisteredBgWorker *rw;
5790 
5791  rw = slist_container(RegisteredBgWorker, rw_lnode, i