PostgreSQL Source Code  git master
postmaster.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * postmaster.c
4  * This program acts as a clearing house for requests to the
5  * POSTGRES system. Frontend programs send a startup message
6  * to the Postmaster and the postmaster uses the info in the
7  * message to setup a backend process.
8  *
9  * The postmaster also manages system-wide operations such as
10  * startup and shutdown. The postmaster itself doesn't do those
11  * operations, mind you --- it just forks off a subprocess to do them
12  * at the right times. It also takes care of resetting the system
13  * if a backend crashes.
14  *
15  * The postmaster process creates the shared memory and semaphore
16  * pools during startup, but as a rule does not touch them itself.
17  * In particular, it is not a member of the PGPROC array of backends
18  * and so it cannot participate in lock-manager operations. Keeping
19  * the postmaster away from shared memory operations makes it simpler
20  * and more reliable. The postmaster is almost always able to recover
21  * from crashes of individual backends by resetting shared memory;
22  * if it did much with shared memory then it would be prone to crashing
23  * along with the backends.
24  *
25  * When a request message is received, we now fork() immediately.
26  * The child process performs authentication of the request, and
27  * then becomes a backend if successful. This allows the auth code
28  * to be written in a simple single-threaded style (as opposed to the
29  * crufty "poor man's multitasking" code that used to be needed).
30  * More importantly, it ensures that blockages in non-multithreaded
31  * libraries like SSL or PAM cannot cause denial of service to other
32  * clients.
33  *
34  *
35  * Portions Copyright (c) 1996-2022, PostgreSQL Global Development Group
36  * Portions Copyright (c) 1994, Regents of the University of California
37  *
38  *
39  * IDENTIFICATION
40  * src/backend/postmaster/postmaster.c
41  *
42  * NOTES
43  *
44  * Initialization:
45  * The Postmaster sets up shared memory data structures
46  * for the backends.
47  *
48  * Synchronization:
49  * The Postmaster shares memory with the backends but should avoid
50  * touching shared memory, so as not to become stuck if a crashing
51  * backend screws up locks or shared memory. Likewise, the Postmaster
52  * should never block on messages from frontend clients.
53  *
54  * Garbage Collection:
55  * The Postmaster cleans up after backends if they have an emergency
56  * exit and/or core dump.
57  *
58  * Error Reporting:
59  * Use write_stderr() only for reporting "interactive" errors
60  * (essentially, bogus arguments on the command line). Once the
61  * postmaster is launched, use ereport().
62  *
63  *-------------------------------------------------------------------------
64  */
65 
66 #include "postgres.h"
67 
68 #include <unistd.h>
69 #include <signal.h>
70 #include <time.h>
71 #include <sys/wait.h>
72 #include <ctype.h>
73 #include <sys/select.h>
74 #include <sys/stat.h>
75 #include <sys/socket.h>
76 #include <fcntl.h>
77 #include <sys/param.h>
78 #include <netdb.h>
79 #include <limits.h>
80 
81 #ifdef USE_BONJOUR
82 #include <dns_sd.h>
83 #endif
84 
85 #ifdef USE_SYSTEMD
86 #include <systemd/sd-daemon.h>
87 #endif
88 
89 #ifdef HAVE_PTHREAD_IS_THREADED_NP
90 #include <pthread.h>
91 #endif
92 
93 #include "access/transam.h"
94 #include "access/xlog.h"
95 #include "access/xlogrecovery.h"
96 #include "catalog/pg_control.h"
97 #include "common/file_perm.h"
98 #include "common/ip.h"
99 #include "common/pg_prng.h"
100 #include "common/string.h"
101 #include "lib/ilist.h"
102 #include "libpq/auth.h"
103 #include "libpq/libpq.h"
104 #include "libpq/pqformat.h"
105 #include "libpq/pqsignal.h"
106 #include "pg_getopt.h"
107 #include "pgstat.h"
108 #include "port/pg_bswap.h"
109 #include "postmaster/autovacuum.h"
110 #include "postmaster/auxprocess.h"
112 #include "postmaster/fork_process.h"
113 #include "postmaster/interrupt.h"
114 #include "postmaster/pgarch.h"
115 #include "postmaster/postmaster.h"
116 #include "postmaster/syslogger.h"
118 #include "replication/walsender.h"
119 #include "storage/fd.h"
120 #include "storage/ipc.h"
121 #include "storage/pg_shmem.h"
122 #include "storage/pmsignal.h"
123 #include "storage/proc.h"
124 #include "tcop/tcopprot.h"
125 #include "utils/builtins.h"
126 #include "utils/datetime.h"
127 #include "utils/memutils.h"
128 #include "utils/pidfile.h"
129 #include "utils/ps_status.h"
130 #include "utils/queryjumble.h"
131 #include "utils/timeout.h"
132 #include "utils/timestamp.h"
133 #include "utils/varlena.h"
134 
135 #ifdef EXEC_BACKEND
136 #include "storage/spin.h"
137 #endif
138 
139 
140 /*
141  * Possible types of a backend. Beyond being the possible bkend_type values in
142  * struct bkend, these are OR-able request flag bits for SignalSomeChildren()
143  * and CountChildren().
144  */
145 #define BACKEND_TYPE_NORMAL 0x0001 /* normal backend */
146 #define BACKEND_TYPE_AUTOVAC 0x0002 /* autovacuum worker process */
147 #define BACKEND_TYPE_WALSND 0x0004 /* walsender process */
148 #define BACKEND_TYPE_BGWORKER 0x0008 /* bgworker process */
149 #define BACKEND_TYPE_ALL 0x000F /* OR of all the above */
150 
151 /*
152  * List of active backends (or child processes anyway; we don't actually
153  * know whether a given child has become a backend or is still in the
154  * authorization phase). This is used mainly to keep track of how many
155  * children we have and send them appropriate signals when necessary.
156  *
157  * As shown in the above set of backend types, this list includes not only
158  * "normal" client sessions, but also autovacuum workers, walsenders, and
159  * background workers. (Note that at the time of launch, walsenders are
160  * labeled BACKEND_TYPE_NORMAL; we relabel them to BACKEND_TYPE_WALSND
161  * upon noticing they've changed their PMChildFlags entry. Hence that check
162  * must be done before any operation that needs to distinguish walsenders
163  * from normal backends.)
164  *
165  * Also, "dead_end" children are in it: these are children launched just for
166  * the purpose of sending a friendly rejection message to a would-be client.
167  * We must track them because they are attached to shared memory, but we know
168  * they will never become live backends. dead_end children are not assigned a
169  * PMChildSlot. dead_end children have bkend_type NORMAL.
170  *
171  * "Special" children such as the startup, bgwriter and autovacuum launcher
172  * tasks are not in this list. They are tracked via StartupPID and other
173  * pid_t variables below. (Thus, there can't be more than one of any given
174  * "special" child process type. We use BackendList entries for any child
175  * process there can be more than one of.)
176  */
177 typedef struct bkend
178 {
179  pid_t pid; /* process id of backend */
180  int32 cancel_key; /* cancel key for cancels for this backend */
181  int child_slot; /* PMChildSlot for this backend, if any */
182  int bkend_type; /* child process flavor, see above */
183  bool dead_end; /* is it going to send an error and quit? */
184  bool bgworker_notify; /* gets bgworker start/stop notifications */
185  dlist_node elem; /* list link in BackendList */
187 
189 
190 #ifdef EXEC_BACKEND
191 static Backend *ShmemBackendArray;
192 #endif
193 
195 
196 
197 
198 /* The socket number we are listening for connections on */
199 int PostPortNumber = DEF_PGPORT;
200 
201 /* The directory names for Unix socket(s) */
203 
204 /* The TCP listen address(es) */
206 
207 /*
208  * ReservedBackends is the number of backends reserved for superuser use.
209  * This number is taken out of the pool size given by MaxConnections so
210  * number of backend slots available to non-superusers is
211  * (MaxConnections - ReservedBackends). Note what this really means is
212  * "if there are <= ReservedBackends connections available, only superusers
213  * can make new connections" --- pre-existing superuser connections don't
214  * count against the limit.
215  */
217 
218 /* The socket(s) we're listening to. */
219 #define MAXLISTEN 64
221 
222 /* still more option variables */
223 bool EnableSSL = false;
224 
225 int PreAuthDelay = 0;
227 
228 bool log_hostname; /* for ps display and logging */
229 bool Log_connections = false;
230 bool Db_user_namespace = false;
231 
232 bool enable_bonjour = false;
236 bool send_abort_for_crash = false;
237 bool send_abort_for_kill = false;
238 
239 /* PIDs of special child processes; 0 when not running */
240 static pid_t StartupPID = 0,
248 
249 /* Startup process's status */
250 typedef enum
251 {
254  STARTUP_SIGNALED, /* we sent it a SIGQUIT or SIGKILL */
257 
259 
260 /* Startup/shutdown state */
261 #define NoShutdown 0
262 #define SmartShutdown 1
263 #define FastShutdown 2
264 #define ImmediateShutdown 3
265 
266 static int Shutdown = NoShutdown;
267 
268 static bool FatalError = false; /* T if recovering from backend crash */
269 
270 /*
271  * We use a simple state machine to control startup, shutdown, and
272  * crash recovery (which is rather like shutdown followed by startup).
273  *
274  * After doing all the postmaster initialization work, we enter PM_STARTUP
275  * state and the startup process is launched. The startup process begins by
276  * reading the control file and other preliminary initialization steps.
277  * In a normal startup, or after crash recovery, the startup process exits
278  * with exit code 0 and we switch to PM_RUN state. However, archive recovery
279  * is handled specially since it takes much longer and we would like to support
280  * hot standby during archive recovery.
281  *
282  * When the startup process is ready to start archive recovery, it signals the
283  * postmaster, and we switch to PM_RECOVERY state. The background writer and
284  * checkpointer are launched, while the startup process continues applying WAL.
285  * If Hot Standby is enabled, then, after reaching a consistent point in WAL
286  * redo, startup process signals us again, and we switch to PM_HOT_STANDBY
287  * state and begin accepting connections to perform read-only queries. When
288  * archive recovery is finished, the startup process exits with exit code 0
289  * and we switch to PM_RUN state.
290  *
291  * Normal child backends can only be launched when we are in PM_RUN or
292  * PM_HOT_STANDBY state. (connsAllowed can also restrict launching.)
293  * In other states we handle connection requests by launching "dead_end"
294  * child processes, which will simply send the client an error message and
295  * quit. (We track these in the BackendList so that we can know when they
296  * are all gone; this is important because they're still connected to shared
297  * memory, and would interfere with an attempt to destroy the shmem segment,
298  * possibly leading to SHMALL failure when we try to make a new one.)
299  * In PM_WAIT_DEAD_END state we are waiting for all the dead_end children
300  * to drain out of the system, and therefore stop accepting connection
301  * requests at all until the last existing child has quit (which hopefully
302  * will not be very long).
303  *
304  * Notice that this state variable does not distinguish *why* we entered
305  * states later than PM_RUN --- Shutdown and FatalError must be consulted
306  * to find that out. FatalError is never true in PM_RECOVERY, PM_HOT_STANDBY,
307  * or PM_RUN states, nor in PM_SHUTDOWN states (because we don't enter those
308  * states when trying to recover from a crash). It can be true in PM_STARTUP
309  * state, because we don't clear it until we've successfully started WAL redo.
310  */
311 typedef enum
312 {
313  PM_INIT, /* postmaster starting */
314  PM_STARTUP, /* waiting for startup subprocess */
315  PM_RECOVERY, /* in archive recovery mode */
316  PM_HOT_STANDBY, /* in hot standby mode */
317  PM_RUN, /* normal "database is alive" state */
318  PM_STOP_BACKENDS, /* need to stop remaining backends */
319  PM_WAIT_BACKENDS, /* waiting for live backends to exit */
320  PM_SHUTDOWN, /* waiting for checkpointer to do shutdown
321  * ckpt */
322  PM_SHUTDOWN_2, /* waiting for archiver and walsenders to
323  * finish */
324  PM_WAIT_DEAD_END, /* waiting for dead_end children to exit */
325  PM_NO_CHILDREN /* all important children have exited */
327 
329 
330 /*
331  * While performing a "smart shutdown", we restrict new connections but stay
332  * in PM_RUN or PM_HOT_STANDBY state until all the client backends are gone.
333  * connsAllowed is a sub-state indicator showing the active restriction.
334  * It is of no interest unless pmState is PM_RUN or PM_HOT_STANDBY.
335  */
336 static bool connsAllowed = true;
337 
338 /* Start time of SIGKILL timeout during immediate shutdown or child crash */
339 /* Zero means timeout is not running */
340 static time_t AbortStartTime = 0;
341 
342 /* Length of said timeout */
343 #define SIGKILL_CHILDREN_AFTER_SECS 5
344 
345 static bool ReachedNormalRunning = false; /* T if we've reached PM_RUN */
346 
347 bool ClientAuthInProgress = false; /* T during new-client
348  * authentication */
349 
350 bool redirection_done = false; /* stderr redirected for syslogger? */
351 
352 /* received START_AUTOVAC_LAUNCHER signal */
353 static volatile sig_atomic_t start_autovac_launcher = false;
354 
355 /* the launcher needs to be signaled to communicate some condition */
356 static volatile bool avlauncher_needs_signal = false;
357 
358 /* received START_WALRECEIVER signal */
359 static volatile sig_atomic_t WalReceiverRequested = false;
360 
361 /* set when there's a worker that needs to be started up */
362 static volatile bool StartWorkerNeeded = true;
363 static volatile bool HaveCrashedWorker = false;
364 
365 #ifdef USE_SSL
366 /* Set when and if SSL has been initialized properly */
367 static bool LoadedSSL = false;
368 #endif
369 
370 #ifdef USE_BONJOUR
371 static DNSServiceRef bonjour_sdref = NULL;
372 #endif
373 
374 /*
375  * postmaster.c - function prototypes
376  */
377 static void CloseServerPorts(int status, Datum arg);
378 static void unlink_external_pid_file(int status, Datum arg);
379 static void getInstallationPaths(const char *argv0);
380 static void checkControlFile(void);
381 static Port *ConnCreate(int serverFd);
382 static void ConnFree(Port *port);
383 static void SIGHUP_handler(SIGNAL_ARGS);
384 static void pmdie(SIGNAL_ARGS);
385 static void reaper(SIGNAL_ARGS);
386 static void sigusr1_handler(SIGNAL_ARGS);
388 static void dummy_handler(SIGNAL_ARGS);
389 static void StartupPacketTimeoutHandler(void);
390 static void CleanupBackend(int pid, int exitstatus);
391 static bool CleanupBackgroundWorker(int pid, int exitstatus);
392 static void HandleChildCrash(int pid, int exitstatus, const char *procname);
393 static void LogChildExit(int lev, const char *procname,
394  int pid, int exitstatus);
395 static void PostmasterStateMachine(void);
396 static void BackendInitialize(Port *port);
397 static void BackendRun(Port *port) pg_attribute_noreturn();
398 static void ExitPostmaster(int status) pg_attribute_noreturn();
399 static int ServerLoop(void);
400 static int BackendStartup(Port *port);
401 static int ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done);
402 static void SendNegotiateProtocolVersion(List *unrecognized_protocol_options);
403 static void processCancelRequest(Port *port, void *pkt);
404 static int initMasks(fd_set *rmask);
405 static void report_fork_failure_to_client(Port *port, int errnum);
406 static CAC_state canAcceptConnections(int backend_type);
407 static bool RandomCancelKey(int32 *cancel_key);
408 static void signal_child(pid_t pid, int signal);
409 static void sigquit_child(pid_t pid);
410 static bool SignalSomeChildren(int signal, int target);
411 static void TerminateChildren(int signal);
412 
413 #define SignalChildren(sig) SignalSomeChildren(sig, BACKEND_TYPE_ALL)
414 
415 static int CountChildren(int target);
417 static void maybe_start_bgworkers(void);
418 static bool CreateOptsFile(int argc, char *argv[], char *fullprogname);
419 static pid_t StartChildProcess(AuxProcType type);
420 static void StartAutovacuumWorker(void);
421 static void MaybeStartWalReceiver(void);
422 static void InitPostmasterDeathWatchHandle(void);
423 
424 /*
425  * Archiver is allowed to start up at the current postmaster state?
426  *
427  * If WAL archiving is enabled always, we are allowed to start archiver
428  * even during recovery.
429  */
430 #define PgArchStartupAllowed() \
431  (((XLogArchivingActive() && pmState == PM_RUN) || \
432  (XLogArchivingAlways() && \
433  (pmState == PM_RECOVERY || pmState == PM_HOT_STANDBY))) && \
434  PgArchCanRestart())
435 
436 #ifdef EXEC_BACKEND
437 
438 #ifdef WIN32
439 #define WNOHANG 0 /* ignored, so any integer value will do */
440 
441 static pid_t waitpid(pid_t pid, int *exitstatus, int options);
442 static void WINAPI pgwin32_deadchild_callback(PVOID lpParameter, BOOLEAN TimerOrWaitFired);
443 
444 static HANDLE win32ChildQueue;
445 
446 typedef struct
447 {
448  HANDLE waitHandle;
449  HANDLE procHandle;
450  DWORD procId;
451 } win32_deadchild_waitinfo;
452 #endif /* WIN32 */
453 
454 static pid_t backend_forkexec(Port *port);
455 static pid_t internal_forkexec(int argc, char *argv[], Port *port);
456 
457 /* Type for a socket that can be inherited to a client process */
458 #ifdef WIN32
459 typedef struct
460 {
461  SOCKET origsocket; /* Original socket value, or PGINVALID_SOCKET
462  * if not a socket */
463  WSAPROTOCOL_INFO wsainfo;
464 } InheritableSocket;
465 #else
466 typedef int InheritableSocket;
467 #endif
468 
469 /*
470  * Structure contains all variables passed to exec:ed backends
471  */
472 typedef struct
473 {
474  Port port;
475  InheritableSocket portsocket;
476  char DataDir[MAXPGPATH];
479  int MyPMChildSlot;
480 #ifndef WIN32
481  unsigned long UsedShmemSegID;
482 #else
483  void *ShmemProtectiveRegion;
484  HANDLE UsedShmemSegID;
485 #endif
486  void *UsedShmemSegAddr;
489  Backend *ShmemBackendArray;
490 #ifndef HAVE_SPINLOCKS
492 #endif
501  pid_t PostmasterPid;
505  bool redirection_done;
506  bool IsBinaryUpgrade;
507  bool query_id_enabled;
508  int max_safe_fds;
509  int MaxBackends;
510 #ifdef WIN32
511  HANDLE PostmasterHandle;
512  HANDLE initial_signal_pipe;
513  HANDLE syslogPipe[2];
514 #else
515  int postmaster_alive_fds[2];
516  int syslogPipe[2];
517 #endif
518  char my_exec_path[MAXPGPATH];
519  char pkglib_path[MAXPGPATH];
520 } BackendParameters;
521 
522 static void read_backend_variables(char *id, Port *port);
523 static void restore_backend_variables(BackendParameters *param, Port *port);
524 
525 #ifndef WIN32
526 static bool save_backend_variables(BackendParameters *param, Port *port);
527 #else
528 static bool save_backend_variables(BackendParameters *param, Port *port,
529  HANDLE childProcess, pid_t childPid);
530 #endif
531 
532 static void ShmemBackendArrayAdd(Backend *bn);
533 static void ShmemBackendArrayRemove(Backend *bn);
534 #endif /* EXEC_BACKEND */
535 
536 #define StartupDataBase() StartChildProcess(StartupProcess)
537 #define StartArchiver() StartChildProcess(ArchiverProcess)
538 #define StartBackgroundWriter() StartChildProcess(BgWriterProcess)
539 #define StartCheckpointer() StartChildProcess(CheckpointerProcess)
540 #define StartWalWriter() StartChildProcess(WalWriterProcess)
541 #define StartWalReceiver() StartChildProcess(WalReceiverProcess)
542 
543 /* Macros to check exit status of a child process */
544 #define EXIT_STATUS_0(st) ((st) == 0)
545 #define EXIT_STATUS_1(st) (WIFEXITED(st) && WEXITSTATUS(st) == 1)
546 #define EXIT_STATUS_3(st) (WIFEXITED(st) && WEXITSTATUS(st) == 3)
547 
548 #ifndef WIN32
549 /*
550  * File descriptors for pipe used to monitor if postmaster is alive.
551  * First is POSTMASTER_FD_WATCH, second is POSTMASTER_FD_OWN.
552  */
553 int postmaster_alive_fds[2] = {-1, -1};
554 #else
555 /* Process handle of postmaster used for the same purpose on Windows */
556 HANDLE PostmasterHandle;
557 #endif
558 
559 /*
560  * Postmaster main entry point
561  */
562 void
563 PostmasterMain(int argc, char *argv[])
564 {
565  int opt;
566  int status;
567  char *userDoption = NULL;
568  bool listen_addr_saved = false;
569  int i;
570  char *output_config_variable = NULL;
571 
573 
575 
577 
578  /*
579  * Start our win32 signal implementation
580  */
581 #ifdef WIN32
583 #endif
584 
585  /*
586  * We should not be creating any files or directories before we check the
587  * data directory (see checkDataDir()), but just in case set the umask to
588  * the most restrictive (owner-only) permissions.
589  *
590  * checkDataDir() will reset the umask based on the data directory
591  * permissions.
592  */
593  umask(PG_MODE_MASK_OWNER);
594 
595  /*
596  * By default, palloc() requests in the postmaster will be allocated in
597  * the PostmasterContext, which is space that can be recycled by backends.
598  * Allocated data that needs to be available to backends should be
599  * allocated in TopMemoryContext.
600  */
602  "Postmaster",
605 
606  /* Initialize paths to installation files */
607  getInstallationPaths(argv[0]);
608 
609  /*
610  * Set up signal handlers for the postmaster process.
611  *
612  * In the postmaster, we use pqsignal_pm() rather than pqsignal() (which
613  * is used by all child processes and client processes). That has a
614  * couple of special behaviors:
615  *
616  * 1. We tell sigaction() to block all signals for the duration of the
617  * signal handler. This is faster than our old approach of
618  * blocking/unblocking explicitly in the signal handler, and it should also
619  * prevent excessive stack consumption if signals arrive quickly.
620  *
621  * 2. We do not set the SA_RESTART flag. This is because signals will be
622  * blocked at all times except when ServerLoop is waiting for something to
623  * happen, and during that window, we want signals to exit the select(2)
624  * wait so that ServerLoop can respond if anything interesting happened.
625  * On some platforms, signals marked SA_RESTART would not cause the
626  * select() wait to end.
627  *
628  * Child processes will generally want SA_RESTART, so pqsignal() sets that
629  * flag. We expect children to set up their own handlers before
630  * unblocking signals.
631  *
632  * CAUTION: when changing this list, check for side-effects on the signal
633  * handling setup of child processes. See tcop/postgres.c,
634  * bootstrap/bootstrap.c, postmaster/bgwriter.c, postmaster/walwriter.c,
635  * postmaster/autovacuum.c, postmaster/pgarch.c, postmaster/syslogger.c,
636  * postmaster/bgworker.c and postmaster/checkpointer.c.
637  */
638  pqinitmask();
640 
641  pqsignal_pm(SIGHUP, SIGHUP_handler); /* reread config file and have
642  * children do same */
643  pqsignal_pm(SIGINT, pmdie); /* send SIGTERM and shut down */
644  pqsignal_pm(SIGQUIT, pmdie); /* send SIGQUIT and die */
645  pqsignal_pm(SIGTERM, pmdie); /* wait for children and shut down */
646  pqsignal_pm(SIGALRM, SIG_IGN); /* ignored */
647  pqsignal_pm(SIGPIPE, SIG_IGN); /* ignored */
648  pqsignal_pm(SIGUSR1, sigusr1_handler); /* message from child process */
649  pqsignal_pm(SIGUSR2, dummy_handler); /* unused, reserve for children */
650  pqsignal_pm(SIGCHLD, reaper); /* handle child termination */
651 
652 #ifdef SIGURG
653 
654  /*
655  * Ignore SIGURG for now. Child processes may change this (see
656  * InitializeLatchSupport), but they will not receive any such signals
657  * until they wait on a latch.
658  */
659  pqsignal_pm(SIGURG, SIG_IGN); /* ignored */
660 #endif
661 
662  /*
663  * No other place in Postgres should touch SIGTTIN/SIGTTOU handling. We
664  * ignore those signals in a postmaster environment, so that there is no
665  * risk of a child process freezing up due to writing to stderr. But for
666  * a standalone backend, their default handling is reasonable. Hence, all
667  * child processes should just allow the inherited settings to stand.
668  */
669 #ifdef SIGTTIN
670  pqsignal_pm(SIGTTIN, SIG_IGN); /* ignored */
671 #endif
672 #ifdef SIGTTOU
673  pqsignal_pm(SIGTTOU, SIG_IGN); /* ignored */
674 #endif
675 
676  /* ignore SIGXFSZ, so that ulimit violations work like disk full */
677 #ifdef SIGXFSZ
678  pqsignal_pm(SIGXFSZ, SIG_IGN); /* ignored */
679 #endif
680 
681  /*
682  * Options setup
683  */
685 
686  opterr = 1;
687 
688  /*
689  * Parse command-line options. CAUTION: keep this in sync with
690  * tcop/postgres.c (the option sets should not conflict) and with the
691  * common help() function in main/main.c.
692  */
693  while ((opt = getopt(argc, argv, "B:bc:C:D:d:EeFf:h:ijk:lN:OPp:r:S:sTt:W:-:")) != -1)
694  {
695  switch (opt)
696  {
697  case 'B':
698  SetConfigOption("shared_buffers", optarg, PGC_POSTMASTER, PGC_S_ARGV);
699  break;
700 
701  case 'b':
702  /* Undocumented flag used for binary upgrades */
703  IsBinaryUpgrade = true;
704  break;
705 
706  case 'C':
707  output_config_variable = strdup(optarg);
708  break;
709 
710  case 'D':
711  userDoption = strdup(optarg);
712  break;
713 
714  case 'd':
716  break;
717 
718  case 'E':
719  SetConfigOption("log_statement", "all", PGC_POSTMASTER, PGC_S_ARGV);
720  break;
721 
722  case 'e':
723  SetConfigOption("datestyle", "euro", PGC_POSTMASTER, PGC_S_ARGV);
724  break;
725 
726  case 'F':
727  SetConfigOption("fsync", "false", PGC_POSTMASTER, PGC_S_ARGV);
728  break;
729 
730  case 'f':
732  {
733  write_stderr("%s: invalid argument for option -f: \"%s\"\n",
734  progname, optarg);
735  ExitPostmaster(1);
736  }
737  break;
738 
739  case 'h':
740  SetConfigOption("listen_addresses", optarg, PGC_POSTMASTER, PGC_S_ARGV);
741  break;
742 
743  case 'i':
744  SetConfigOption("listen_addresses", "*", PGC_POSTMASTER, PGC_S_ARGV);
745  break;
746 
747  case 'j':
748  /* only used by interactive backend */
749  break;
750 
751  case 'k':
752  SetConfigOption("unix_socket_directories", optarg, PGC_POSTMASTER, PGC_S_ARGV);
753  break;
754 
755  case 'l':
756  SetConfigOption("ssl", "true", PGC_POSTMASTER, PGC_S_ARGV);
757  break;
758 
759  case 'N':
760  SetConfigOption("max_connections", optarg, PGC_POSTMASTER, PGC_S_ARGV);
761  break;
762 
763  case 'O':
764  SetConfigOption("allow_system_table_mods", "true", PGC_POSTMASTER, PGC_S_ARGV);
765  break;
766 
767  case 'P':
768  SetConfigOption("ignore_system_indexes", "true", PGC_POSTMASTER, PGC_S_ARGV);
769  break;
770 
771  case 'p':
773  break;
774 
775  case 'r':
776  /* only used by single-user backend */
777  break;
778 
779  case 'S':
781  break;
782 
783  case 's':
784  SetConfigOption("log_statement_stats", "true", PGC_POSTMASTER, PGC_S_ARGV);
785  break;
786 
787  case 'T':
788 
789  /*
790  * This option used to be defined as sending SIGSTOP after a
791  * backend crash, but sending SIGABRT seems more useful.
792  */
793  SetConfigOption("send_abort_for_crash", "true", PGC_POSTMASTER, PGC_S_ARGV);
794  break;
795 
796  case 't':
797  {
798  const char *tmp = get_stats_option_name(optarg);
799 
800  if (tmp)
801  {
803  }
804  else
805  {
806  write_stderr("%s: invalid argument for option -t: \"%s\"\n",
807  progname, optarg);
808  ExitPostmaster(1);
809  }
810  break;
811  }
812 
813  case 'W':
814  SetConfigOption("post_auth_delay", optarg, PGC_POSTMASTER, PGC_S_ARGV);
815  break;
816 
817  case 'c':
818  case '-':
819  {
820  char *name,
821  *value;
822 
824  if (!value)
825  {
826  if (opt == '-')
827  ereport(ERROR,
828  (errcode(ERRCODE_SYNTAX_ERROR),
829  errmsg("--%s requires a value",
830  optarg)));
831  else
832  ereport(ERROR,
833  (errcode(ERRCODE_SYNTAX_ERROR),
834  errmsg("-c %s requires a value",
835  optarg)));
836  }
837 
839  pfree(name);
840  pfree(value);
841  break;
842  }
843 
844  default:
845  write_stderr("Try \"%s --help\" for more information.\n",
846  progname);
847  ExitPostmaster(1);
848  }
849  }
850 
851  /*
852  * Postmaster accepts no non-option switch arguments.
853  */
854  if (optind < argc)
855  {
856  write_stderr("%s: invalid argument: \"%s\"\n",
857  progname, argv[optind]);
858  write_stderr("Try \"%s --help\" for more information.\n",
859  progname);
860  ExitPostmaster(1);
861  }
862 
863  /*
864  * Locate the proper configuration files and data directory, and read
865  * postgresql.conf for the first time.
866  */
868  ExitPostmaster(2);
869 
870  if (output_config_variable != NULL)
871  {
872  /*
873  * If this is a runtime-computed GUC, it hasn't yet been initialized,
874  * and the present value is not useful. However, this is a convenient
875  * place to print the value for most GUCs because it is safe to run
876  * postmaster startup to this point even if the server is already
877  * running. For the handful of runtime-computed GUCs that we cannot
878  * provide meaningful values for yet, we wait until later in
879  * postmaster startup to print the value. We won't be able to use -C
880  * on running servers for those GUCs, but using this option now would
881  * lead to incorrect results for them.
882  */
883  int flags = GetConfigOptionFlags(output_config_variable, true);
884 
885  if ((flags & GUC_RUNTIME_COMPUTED) == 0)
886  {
887  /*
888  * "-C guc" was specified, so print GUC's value and exit. No
889  * extra permission check is needed because the user is reading
890  * inside the data dir.
891  */
892  const char *config_val = GetConfigOption(output_config_variable,
893  false, false);
894 
895  puts(config_val ? config_val : "");
896  ExitPostmaster(0);
897  }
898 
899  /*
900  * A runtime-computed GUC will be printed later on. As we initialize
901  * a server startup sequence, silence any log messages that may show
902  * up in the output generated. FATAL and more severe messages are
903  * useful to show, even if one would only expect at least PANIC. LOG
904  * entries are hidden.
905  */
906  SetConfigOption("log_min_messages", "FATAL", PGC_SUSET,
908  }
909 
910  /* Verify that DataDir looks reasonable */
911  checkDataDir();
912 
913  /* Check that pg_control exists */
915 
916  /* And switch working directory into it */
917  ChangeToDataDir();
918 
919  /*
920  * Check for invalid combinations of GUC settings.
921  */
923  {
924  write_stderr("%s: superuser_reserved_connections (%d) must be less than max_connections (%d)\n",
925  progname,
927  ExitPostmaster(1);
928  }
930  ereport(ERROR,
931  (errmsg("WAL archival cannot be enabled when wal_level is \"minimal\"")));
933  ereport(ERROR,
934  (errmsg("WAL streaming (max_wal_senders > 0) requires wal_level \"replica\" or \"logical\"")));
935 
936  /*
937  * Other one-time internal sanity checks can go here, if they are fast.
938  * (Put any slow processing further down, after postmaster.pid creation.)
939  */
940  if (!CheckDateTokenTables())
941  {
942  write_stderr("%s: invalid datetoken tables, please fix\n", progname);
943  ExitPostmaster(1);
944  }
945 
946  /*
947  * Now that we are done processing the postmaster arguments, reset
948  * getopt(3) library so that it will work correctly in subprocesses.
949  */
950  optind = 1;
951 #ifdef HAVE_INT_OPTRESET
952  optreset = 1; /* some systems need this too */
953 #endif
954 
955  /* For debugging: display postmaster environment */
956  {
957  extern char **environ;
958  char **p;
959 
960  ereport(DEBUG3,
961  (errmsg_internal("%s: PostmasterMain: initial environment dump:",
962  progname)));
963  ereport(DEBUG3,
964  (errmsg_internal("-----------------------------------------")));
965  for (p = environ; *p; ++p)
966  ereport(DEBUG3,
967  (errmsg_internal("\t%s", *p)));
968  ereport(DEBUG3,
969  (errmsg_internal("-----------------------------------------")));
970  }
971 
972  /*
973  * Create lockfile for data directory.
974  *
975  * We want to do this before we try to grab the input sockets, because the
976  * data directory interlock is more reliable than the socket-file
977  * interlock (thanks to whoever decided to put socket files in /tmp :-().
978  * For the same reason, it's best to grab the TCP socket(s) before the
979  * Unix socket(s).
980  *
981  * Also note that this internally sets up the on_proc_exit function that
982  * is responsible for removing both data directory and socket lockfiles;
983  * so it must happen before opening sockets so that at exit, the socket
984  * lockfiles go away after CloseServerPorts runs.
985  */
986  CreateDataDirLockFile(true);
987 
988  /*
989  * Read the control file (for error checking and config info).
990  *
991  * Since we verify the control file's CRC, this has a useful side effect
992  * on machines where we need a run-time test for CRC support instructions.
993  * The postmaster will do the test once at startup, and then its child
994  * processes will inherit the correct function pointer and not need to
995  * repeat the test.
996  */
998 
999  /*
1000  * Register the apply launcher. It's probably a good idea to call this
1001  * before any modules had a chance to take the background worker slots.
1002  */
1004 
1005  /*
1006  * process any libraries that should be preloaded at postmaster start
1007  */
1009 
1010  /*
1011  * Initialize SSL library, if specified.
1012  */
1013 #ifdef USE_SSL
1014  if (EnableSSL)
1015  {
1016  (void) secure_initialize(true);
1017  LoadedSSL = true;
1018  }
1019 #endif
1020 
1021  /*
1022  * Now that loadable modules have had their chance to alter any GUCs,
1023  * calculate MaxBackends.
1024  */
1026 
1027  /*
1028  * Give preloaded libraries a chance to request additional shared memory.
1029  */
1031 
1032  /*
1033  * Now that loadable modules have had their chance to request additional
1034  * shared memory, determine the value of any runtime-computed GUCs that
1035  * depend on the amount of shared memory required.
1036  */
1038 
1039  /*
1040  * Now that modules have been loaded, we can process any custom resource
1041  * managers specified in the wal_consistency_checking GUC.
1042  */
1044 
1045  /*
1046  * If -C was specified with a runtime-computed GUC, we held off printing
1047  * the value earlier, as the GUC was not yet initialized. We handle -C
1048  * for most GUCs before we lock the data directory so that the option may
1049  * be used on a running server. However, a handful of GUCs are runtime-
1050  * computed and do not have meaningful values until after locking the data
1051  * directory, and we cannot safely calculate their values earlier on a
1052  * running server. At this point, such GUCs should be properly
1053  * initialized, and we haven't yet set up shared memory, so this is a good
1054  * time to handle the -C option for these special GUCs.
1055  */
1056  if (output_config_variable != NULL)
1057  {
1058  const char *config_val = GetConfigOption(output_config_variable,
1059  false, false);
1060 
1061  puts(config_val ? config_val : "");
1062  ExitPostmaster(0);
1063  }
1064 
1065  /*
1066  * Set up shared memory and semaphores.
1067  *
1068  * Note: if using SysV shmem and/or semas, each postmaster startup will
1069  * normally choose the same IPC keys. This helps ensure that we will
1070  * clean up dead IPC objects if the postmaster crashes and is restarted.
1071  */
1073 
1074  /*
1075  * Estimate number of openable files. This must happen after setting up
1076  * semaphores, because on some platforms semaphores count as open files.
1077  */
1078  set_max_safe_fds();
1079 
1080  /*
1081  * Set reference point for stack-depth checking.
1082  */
1083  (void) set_stack_base();
1084 
1085  /*
1086  * Initialize pipe (or process handle on Windows) that allows children to
1087  * wake up from sleep on postmaster death.
1088  */
1090 
1091 #ifdef WIN32
1092 
1093  /*
1094  * Initialize I/O completion port used to deliver list of dead children.
1095  */
1096  win32ChildQueue = CreateIoCompletionPort(INVALID_HANDLE_VALUE, NULL, 0, 1);
1097  if (win32ChildQueue == NULL)
1098  ereport(FATAL,
1099  (errmsg("could not create I/O completion port for child queue")));
1100 #endif
1101 
1102 #ifdef EXEC_BACKEND
1103  /* Write out nondefault GUC settings for child processes to use */
1104  write_nondefault_variables(PGC_POSTMASTER);
1105 
1106  /*
1107  * Clean out the temp directory used to transmit parameters to child
1108  * processes (see internal_forkexec, below). We must do this before
1109  * launching any child processes, else we have a race condition: we could
1110  * remove a parameter file before the child can read it. It should be
1111  * safe to do so now, because we verified earlier that there are no
1112  * conflicting Postgres processes in this data directory.
1113  */
1115 #endif
1116 
1117  /*
1118  * Forcibly remove the files signaling a standby promotion request.
1119  * Otherwise, the existence of those files triggers a promotion too early,
1120  * whether a user wants that or not.
1121  *
1122  * This removal of files is usually unnecessary because they can exist
1123  * only during a few moments during a standby promotion. However there is
1124  * a race condition: if pg_ctl promote is executed and creates the files
1125  * during a promotion, the files can stay around even after the server is
1126  * brought up to be the primary. Then, if a new standby starts by using
1127  * the backup taken from the new primary, the files can exist at server
1128  * startup and must be removed in order to avoid an unexpected promotion.
1129  *
1130  * Note that promotion signal files need to be removed before the startup
1131  * process is invoked. Because, after that, they can be used by
1132  * postmaster's SIGUSR1 signal handler.
1133  */
1135 
1136  /* Do the same for logrotate signal file */
1138 
1139  /* Remove any outdated file holding the current log filenames. */
1140  if (unlink(LOG_METAINFO_DATAFILE) < 0 && errno != ENOENT)
1141  ereport(LOG,
1143  errmsg("could not remove file \"%s\": %m",
1145 
1146  /*
1147  * If enabled, start up syslogger collection subprocess
1148  */
1150 
1151  /*
1152  * Reset whereToSendOutput from DestDebug (its starting state) to
1153  * DestNone. This stops ereport from sending log messages to stderr unless
1154  * Log_destination permits. We don't do this until the postmaster is
1155  * fully launched, since startup failures may as well be reported to
1156  * stderr.
1157  *
1158  * If we are in fact disabling logging to stderr, first emit a log message
1159  * saying so, to provide a breadcrumb trail for users who may not remember
1160  * that their logging is configured to go somewhere else.
1161  */
1163  ereport(LOG,
1164  (errmsg("ending log output to stderr"),
1165  errhint("Future log output will go to log destination \"%s\".",
1167 
1169 
1170  /*
1171  * Report server startup in log. While we could emit this much earlier,
1172  * it seems best to do so after starting the log collector, if we intend
1173  * to use one.
1174  */
1175  ereport(LOG,
1176  (errmsg("starting %s", PG_VERSION_STR)));
1177 
1178  /*
1179  * Establish input sockets.
1180  *
1181  * First, mark them all closed, and set up an on_proc_exit function that's
1182  * charged with closing the sockets again at postmaster shutdown.
1183  */
1184  for (i = 0; i < MAXLISTEN; i++)
1186 
1188 
1189  if (ListenAddresses)
1190  {
1191  char *rawstring;
1192  List *elemlist;
1193  ListCell *l;
1194  int success = 0;
1195 
1196  /* Need a modifiable copy of ListenAddresses */
1197  rawstring = pstrdup(ListenAddresses);
1198 
1199  /* Parse string into list of hostnames */
1200  if (!SplitGUCList(rawstring, ',', &elemlist))
1201  {
1202  /* syntax error in list */
1203  ereport(FATAL,
1204  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1205  errmsg("invalid list syntax in parameter \"%s\"",
1206  "listen_addresses")));
1207  }
1208 
1209  foreach(l, elemlist)
1210  {
1211  char *curhost = (char *) lfirst(l);
1212 
1213  if (strcmp(curhost, "*") == 0)
1214  status = StreamServerPort(AF_UNSPEC, NULL,
1215  (unsigned short) PostPortNumber,
1216  NULL,
1218  else
1219  status = StreamServerPort(AF_UNSPEC, curhost,
1220  (unsigned short) PostPortNumber,
1221  NULL,
1223 
1224  if (status == STATUS_OK)
1225  {
1226  success++;
1227  /* record the first successful host addr in lockfile */
1228  if (!listen_addr_saved)
1229  {
1231  listen_addr_saved = true;
1232  }
1233  }
1234  else
1235  ereport(WARNING,
1236  (errmsg("could not create listen socket for \"%s\"",
1237  curhost)));
1238  }
1239 
1240  if (!success && elemlist != NIL)
1241  ereport(FATAL,
1242  (errmsg("could not create any TCP/IP sockets")));
1243 
1244  list_free(elemlist);
1245  pfree(rawstring);
1246  }
1247 
1248 #ifdef USE_BONJOUR
1249  /* Register for Bonjour only if we opened TCP socket(s) */
1251  {
1252  DNSServiceErrorType err;
1253 
1254  /*
1255  * We pass 0 for interface_index, which will result in registering on
1256  * all "applicable" interfaces. It's not entirely clear from the
1257  * DNS-SD docs whether this would be appropriate if we have bound to
1258  * just a subset of the available network interfaces.
1259  */
1260  err = DNSServiceRegister(&bonjour_sdref,
1261  0,
1262  0,
1263  bonjour_name,
1264  "_postgresql._tcp.",
1265  NULL,
1266  NULL,
1268  0,
1269  NULL,
1270  NULL,
1271  NULL);
1272  if (err != kDNSServiceErr_NoError)
1273  ereport(LOG,
1274  (errmsg("DNSServiceRegister() failed: error code %ld",
1275  (long) err)));
1276 
1277  /*
1278  * We don't bother to read the mDNS daemon's reply, and we expect that
1279  * it will automatically terminate our registration when the socket is
1280  * closed at postmaster termination. So there's nothing more to be
1281  * done here. However, the bonjour_sdref is kept around so that
1282  * forked children can close their copies of the socket.
1283  */
1284  }
1285 #endif
1286 
1288  {
1289  char *rawstring;
1290  List *elemlist;
1291  ListCell *l;
1292  int success = 0;
1293 
1294  /* Need a modifiable copy of Unix_socket_directories */
1295  rawstring = pstrdup(Unix_socket_directories);
1296 
1297  /* Parse string into list of directories */
1298  if (!SplitDirectoriesString(rawstring, ',', &elemlist))
1299  {
1300  /* syntax error in list */
1301  ereport(FATAL,
1302  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1303  errmsg("invalid list syntax in parameter \"%s\"",
1304  "unix_socket_directories")));
1305  }
1306 
1307  foreach(l, elemlist)
1308  {
1309  char *socketdir = (char *) lfirst(l);
1310 
1311  status = StreamServerPort(AF_UNIX, NULL,
1312  (unsigned short) PostPortNumber,
1313  socketdir,
1315 
1316  if (status == STATUS_OK)
1317  {
1318  success++;
1319  /* record the first successful Unix socket in lockfile */
1320  if (success == 1)
1322  }
1323  else
1324  ereport(WARNING,
1325  (errmsg("could not create Unix-domain socket in directory \"%s\"",
1326  socketdir)));
1327  }
1328 
1329  if (!success && elemlist != NIL)
1330  ereport(FATAL,
1331  (errmsg("could not create any Unix-domain sockets")));
1332 
1333  list_free_deep(elemlist);
1334  pfree(rawstring);
1335  }
1336 
1337  /*
1338  * check that we have some socket to listen on
1339  */
1340  if (ListenSocket[0] == PGINVALID_SOCKET)
1341  ereport(FATAL,
1342  (errmsg("no socket created for listening")));
1343 
1344  /*
1345  * If no valid TCP ports, write an empty line for listen address,
1346  * indicating the Unix socket must be used. Note that this line is not
1347  * added to the lock file until there is a socket backing it.
1348  */
1349  if (!listen_addr_saved)
1351 
1352  /*
1353  * Record postmaster options. We delay this till now to avoid recording
1354  * bogus options (eg, unusable port number).
1355  */
1356  if (!CreateOptsFile(argc, argv, my_exec_path))
1357  ExitPostmaster(1);
1358 
1359  /*
1360  * Write the external PID file if requested
1361  */
1362  if (external_pid_file)
1363  {
1364  FILE *fpidfile = fopen(external_pid_file, "w");
1365 
1366  if (fpidfile)
1367  {
1368  fprintf(fpidfile, "%d\n", MyProcPid);
1369  fclose(fpidfile);
1370 
1371  /* Make PID file world readable */
1372  if (chmod(external_pid_file, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) != 0)
1373  write_stderr("%s: could not change permissions of external PID file \"%s\": %s\n",
1375  }
1376  else
1377  write_stderr("%s: could not write external PID file \"%s\": %s\n",
1379 
1381  }
1382 
1383  /*
1384  * Remove old temporary files. At this point there can be no other
1385  * Postgres processes running in this directory, so this should be safe.
1386  */
1388 
1389  /*
1390  * Initialize the autovacuum subsystem (again, no process start yet)
1391  */
1392  autovac_init();
1393 
1394  /*
1395  * Load configuration files for client authentication.
1396  */
1397  if (!load_hba())
1398  {
1399  /*
1400  * It makes no sense to continue if we fail to load the HBA file,
1401  * since there is no way to connect to the database in this case.
1402  */
1403  ereport(FATAL,
1404  /* translator: %s is a configuration file */
1405  (errmsg("could not load %s", HbaFileName)));
1406  }
1407  if (!load_ident())
1408  {
1409  /*
1410  * We can start up without the IDENT file, although it means that you
1411  * cannot log in using any of the authentication methods that need a
1412  * user name mapping. load_ident() already logged the details of error
1413  * to the log.
1414  */
1415  }
1416 
1417 #ifdef HAVE_PTHREAD_IS_THREADED_NP
1418 
1419  /*
1420  * On macOS, libintl replaces setlocale() with a version that calls
1421  * CFLocaleCopyCurrent() when its second argument is "" and every relevant
1422  * environment variable is unset or empty. CFLocaleCopyCurrent() makes
1423  * the process multithreaded. The postmaster calls sigprocmask() and
1424  * calls fork() without an immediate exec(), both of which have undefined
1425  * behavior in a multithreaded program. A multithreaded postmaster is the
1426  * normal case on Windows, which offers neither fork() nor sigprocmask().
1427  */
1428  if (pthread_is_threaded_np() != 0)
1429  ereport(FATAL,
1430  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1431  errmsg("postmaster became multithreaded during startup"),
1432  errhint("Set the LC_ALL environment variable to a valid locale.")));
1433 #endif
1434 
1435  /*
1436  * Remember postmaster startup time
1437  */
1439 
1440  /*
1441  * Report postmaster status in the postmaster.pid file, to allow pg_ctl to
1442  * see what's happening.
1443  */
1445 
1446  /* Start bgwriter and checkpointer so they can help with recovery */
1447  if (CheckpointerPID == 0)
1449  if (BgWriterPID == 0)
1451 
1452  /*
1453  * We're ready to rock and roll...
1454  */
1456  Assert(StartupPID != 0);
1458  pmState = PM_STARTUP;
1459 
1460  /* Some workers may be scheduled to start now */
1462 
1463  status = ServerLoop();
1464 
1465  /*
1466  * ServerLoop probably shouldn't ever return, but if it does, close down.
1467  */
1469 
1470  abort(); /* not reached */
1471 }
1472 
1473 
1474 /*
1475  * on_proc_exit callback to close server's listen sockets
1476  */
1477 static void
1479 {
1480  int i;
1481 
1482  /*
1483  * First, explicitly close all the socket FDs. We used to just let this
1484  * happen implicitly at postmaster exit, but it's better to close them
1485  * before we remove the postmaster.pid lockfile; otherwise there's a race
1486  * condition if a new postmaster wants to re-use the TCP port number.
1487  */
1488  for (i = 0; i < MAXLISTEN; i++)
1489  {
1491  {
1494  }
1495  }
1496 
1497  /*
1498  * Next, remove any filesystem entries for Unix sockets. To avoid race
1499  * conditions against incoming postmasters, this must happen after closing
1500  * the sockets and before removing lock files.
1501  */
1503 
1504  /*
1505  * We don't do anything about socket lock files here; those will be
1506  * removed in a later on_proc_exit callback.
1507  */
1508 }
1509 
1510 /*
1511  * on_proc_exit callback to delete external_pid_file
1512  */
1513 static void
1515 {
1516  if (external_pid_file)
1517  unlink(external_pid_file);
1518 }
1519 
1520 
1521 /*
1522  * Compute and check the directory paths to files that are part of the
1523  * installation (as deduced from the postgres executable's own location)
1524  */
1525 static void
1527 {
1528  DIR *pdir;
1529 
1530  /* Locate the postgres executable itself */
1531  if (find_my_exec(argv0, my_exec_path) < 0)
1532  ereport(FATAL,
1533  (errmsg("%s: could not locate my own executable path", argv0)));
1534 
1535 #ifdef EXEC_BACKEND
1536  /* Locate executable backend before we change working directory */
1537  if (find_other_exec(argv0, "postgres", PG_BACKEND_VERSIONSTR,
1538  postgres_exec_path) < 0)
1539  ereport(FATAL,
1540  (errmsg("%s: could not locate matching postgres executable",
1541  argv0)));
1542 #endif
1543 
1544  /*
1545  * Locate the pkglib directory --- this has to be set early in case we try
1546  * to load any modules from it in response to postgresql.conf entries.
1547  */
1549 
1550  /*
1551  * Verify that there's a readable directory there; otherwise the Postgres
1552  * installation is incomplete or corrupt. (A typical cause of this
1553  * failure is that the postgres executable has been moved or hardlinked to
1554  * some directory that's not a sibling of the installation lib/
1555  * directory.)
1556  */
1557  pdir = AllocateDir(pkglib_path);
1558  if (pdir == NULL)
1559  ereport(ERROR,
1561  errmsg("could not open directory \"%s\": %m",
1562  pkglib_path),
1563  errhint("This may indicate an incomplete PostgreSQL installation, or that the file \"%s\" has been moved away from its proper location.",
1564  my_exec_path)));
1565  FreeDir(pdir);
1566 
1567  /*
1568  * XXX is it worth similarly checking the share/ directory? If the lib/
1569  * directory is there, then share/ probably is too.
1570  */
1571 }
1572 
1573 /*
1574  * Check that pg_control exists in the correct location in the data directory.
1575  *
1576  * No attempt is made to validate the contents of pg_control here. This is
1577  * just a sanity check to see if we are looking at a real data directory.
1578  */
1579 static void
1581 {
1582  char path[MAXPGPATH];
1583  FILE *fp;
1584 
1585  snprintf(path, sizeof(path), "%s/global/pg_control", DataDir);
1586 
1587  fp = AllocateFile(path, PG_BINARY_R);
1588  if (fp == NULL)
1589  {
1590  write_stderr("%s: could not find the database system\n"
1591  "Expected to find it in the directory \"%s\",\n"
1592  "but could not open file \"%s\": %s\n",
1593  progname, DataDir, path, strerror(errno));
1594  ExitPostmaster(2);
1595  }
1596  FreeFile(fp);
1597 }
1598 
1599 /*
1600  * Determine how long should we let ServerLoop sleep.
1601  *
1602  * In normal conditions we wait at most one minute, to ensure that the other
1603  * background tasks handled by ServerLoop get done even when no requests are
1604  * arriving. However, if there are background workers waiting to be started,
1605  * we don't actually sleep so that they are quickly serviced. Other exception
1606  * cases are as shown in the code.
1607  */
1608 static void
1609 DetermineSleepTime(struct timeval *timeout)
1610 {
1611  TimestampTz next_wakeup = 0;
1612 
1613  /*
1614  * Normal case: either there are no background workers at all, or we're in
1615  * a shutdown sequence (during which we ignore bgworkers altogether).
1616  */
1617  if (Shutdown > NoShutdown ||
1619  {
1620  if (AbortStartTime != 0)
1621  {
1622  /* time left to abort; clamp to 0 in case it already expired */
1623  timeout->tv_sec = SIGKILL_CHILDREN_AFTER_SECS -
1624  (time(NULL) - AbortStartTime);
1625  timeout->tv_sec = Max(timeout->tv_sec, 0);
1626  timeout->tv_usec = 0;
1627  }
1628  else
1629  {
1630  timeout->tv_sec = 60;
1631  timeout->tv_usec = 0;
1632  }
1633  return;
1634  }
1635 
1636  if (StartWorkerNeeded)
1637  {
1638  timeout->tv_sec = 0;
1639  timeout->tv_usec = 0;
1640  return;
1641  }
1642 
1643  if (HaveCrashedWorker)
1644  {
1645  slist_mutable_iter siter;
1646 
1647  /*
1648  * When there are crashed bgworkers, we sleep just long enough that
1649  * they are restarted when they request to be. Scan the list to
1650  * determine the minimum of all wakeup times according to most recent
1651  * crash time and requested restart interval.
1652  */
1654  {
1655  RegisteredBgWorker *rw;
1656  TimestampTz this_wakeup;
1657 
1658  rw = slist_container(RegisteredBgWorker, rw_lnode, siter.cur);
1659 
1660  if (rw->rw_crashed_at == 0)
1661  continue;
1662 
1664  || rw->rw_terminate)
1665  {
1666  ForgetBackgroundWorker(&siter);
1667  continue;
1668  }
1669 
1670  this_wakeup = TimestampTzPlusMilliseconds(rw->rw_crashed_at,
1671  1000L * rw->rw_worker.bgw_restart_time);
1672  if (next_wakeup == 0 || this_wakeup < next_wakeup)
1673  next_wakeup = this_wakeup;
1674  }
1675  }
1676 
1677  if (next_wakeup != 0)
1678  {
1679  long secs;
1680  int microsecs;
1681 
1683  &secs, &microsecs);
1684  timeout->tv_sec = secs;
1685  timeout->tv_usec = microsecs;
1686 
1687  /* Ensure we don't exceed one minute */
1688  if (timeout->tv_sec > 60)
1689  {
1690  timeout->tv_sec = 60;
1691  timeout->tv_usec = 0;
1692  }
1693  }
1694  else
1695  {
1696  timeout->tv_sec = 60;
1697  timeout->tv_usec = 0;
1698  }
1699 }
1700 
1701 /*
1702  * Main idle loop of postmaster
1703  *
1704  * NB: Needs to be called with signals blocked
1705  */
1706 static int
1708 {
1709  fd_set readmask;
1710  int nSockets;
1711  time_t last_lockfile_recheck_time,
1712  last_touch_time;
1713 
1714  last_lockfile_recheck_time = last_touch_time = time(NULL);
1715 
1716  nSockets = initMasks(&readmask);
1717 
1718  for (;;)
1719  {
1720  fd_set rmask;
1721  int selres;
1722  time_t now;
1723 
1724  /*
1725  * Wait for a connection request to arrive.
1726  *
1727  * We block all signals except while sleeping. That makes it safe for
1728  * signal handlers, which again block all signals while executing, to
1729  * do nontrivial work.
1730  *
1731  * If we are in PM_WAIT_DEAD_END state, then we don't want to accept
1732  * any new connections, so we don't call select(), and just sleep.
1733  */
1734  memcpy((char *) &rmask, (char *) &readmask, sizeof(fd_set));
1735 
1736  if (pmState == PM_WAIT_DEAD_END)
1737  {
1739 
1740  pg_usleep(100000L); /* 100 msec seems reasonable */
1741  selres = 0;
1742 
1743  PG_SETMASK(&BlockSig);
1744  }
1745  else
1746  {
1747  /* must set timeout each time; some OSes change it! */
1748  struct timeval timeout;
1749 
1750  /* Needs to run with blocked signals! */
1751  DetermineSleepTime(&timeout);
1752 
1754 
1755  selres = select(nSockets, &rmask, NULL, NULL, &timeout);
1756 
1757  PG_SETMASK(&BlockSig);
1758  }
1759 
1760  /* Now check the select() result */
1761  if (selres < 0)
1762  {
1763  if (errno != EINTR && errno != EWOULDBLOCK)
1764  {
1765  ereport(LOG,
1767  errmsg("select() failed in postmaster: %m")));
1768  return STATUS_ERROR;
1769  }
1770  }
1771 
1772  /*
1773  * New connection pending on any of our sockets? If so, fork a child
1774  * process to deal with it.
1775  */
1776  if (selres > 0)
1777  {
1778  int i;
1779 
1780  for (i = 0; i < MAXLISTEN; i++)
1781  {
1783  break;
1784  if (FD_ISSET(ListenSocket[i], &rmask))
1785  {
1786  Port *port;
1787 
1789  if (port)
1790  {
1792 
1793  /*
1794  * We no longer need the open socket or port structure
1795  * in this process
1796  */
1797  StreamClose(port->sock);
1798  ConnFree(port);
1799  }
1800  }
1801  }
1802  }
1803 
1804  /* If we have lost the log collector, try to start a new one */
1805  if (SysLoggerPID == 0 && Logging_collector)
1807 
1808  /*
1809  * If no background writer process is running, and we are not in a
1810  * state that prevents it, start one. It doesn't matter if this
1811  * fails, we'll just try again later. Likewise for the checkpointer.
1812  */
1813  if (pmState == PM_RUN || pmState == PM_RECOVERY ||
1815  {
1816  if (CheckpointerPID == 0)
1818  if (BgWriterPID == 0)
1820  }
1821 
1822  /*
1823  * Likewise, if we have lost the walwriter process, try to start a new
1824  * one. But this is needed only in normal operation (else we cannot
1825  * be writing any new WAL).
1826  */
1827  if (WalWriterPID == 0 && pmState == PM_RUN)
1829 
1830  /*
1831  * If we have lost the autovacuum launcher, try to start a new one. We
1832  * don't want autovacuum to run in binary upgrade mode because
1833  * autovacuum might update relfrozenxid for empty tables before the
1834  * physical files are put in place.
1835  */
1836  if (!IsBinaryUpgrade && AutoVacPID == 0 &&
1838  pmState == PM_RUN)
1839  {
1841  if (AutoVacPID != 0)
1842  start_autovac_launcher = false; /* signal processed */
1843  }
1844 
1845  /* If we have lost the archiver, try to start a new one. */
1846  if (PgArchPID == 0 && PgArchStartupAllowed())
1848 
1849  /* If we need to signal the autovacuum launcher, do so now */
1851  {
1852  avlauncher_needs_signal = false;
1853  if (AutoVacPID != 0)
1855  }
1856 
1857  /* If we need to start a WAL receiver, try to do that now */
1860 
1861  /* Get other worker processes running, if needed */
1864 
1865 #ifdef HAVE_PTHREAD_IS_THREADED_NP
1866 
1867  /*
1868  * With assertions enabled, check regularly for appearance of
1869  * additional threads. All builds check at start and exit.
1870  */
1871  Assert(pthread_is_threaded_np() == 0);
1872 #endif
1873 
1874  /*
1875  * Lastly, check to see if it's time to do some things that we don't
1876  * want to do every single time through the loop, because they're a
1877  * bit expensive. Note that there's up to a minute of slop in when
1878  * these tasks will be performed, since DetermineSleepTime() will let
1879  * us sleep at most that long; except for SIGKILL timeout which has
1880  * special-case logic there.
1881  */
1882  now = time(NULL);
1883 
1884  /*
1885  * If we already sent SIGQUIT to children and they are slow to shut
1886  * down, it's time to send them SIGKILL (or SIGABRT if requested).
1887  * This doesn't happen normally, but under certain conditions backends
1888  * can get stuck while shutting down. This is a last measure to get
1889  * them unwedged.
1890  *
1891  * Note we also do this during recovery from a process crash.
1892  */
1893  if ((Shutdown >= ImmediateShutdown || FatalError) &&
1894  AbortStartTime != 0 &&
1896  {
1897  /* We were gentle with them before. Not anymore */
1898  ereport(LOG,
1899  /* translator: %s is SIGKILL or SIGABRT */
1900  (errmsg("issuing %s to recalcitrant children",
1901  send_abort_for_kill ? "SIGABRT" : "SIGKILL")));
1903  /* reset flag so we don't SIGKILL again */
1904  AbortStartTime = 0;
1905  }
1906 
1907  /*
1908  * Once a minute, verify that postmaster.pid hasn't been removed or
1909  * overwritten. If it has, we force a shutdown. This avoids having
1910  * postmasters and child processes hanging around after their database
1911  * is gone, and maybe causing problems if a new database cluster is
1912  * created in the same place. It also provides some protection
1913  * against a DBA foolishly removing postmaster.pid and manually
1914  * starting a new postmaster. Data corruption is likely to ensue from
1915  * that anyway, but we can minimize the damage by aborting ASAP.
1916  */
1917  if (now - last_lockfile_recheck_time >= 1 * SECS_PER_MINUTE)
1918  {
1919  if (!RecheckDataDirLockFile())
1920  {
1921  ereport(LOG,
1922  (errmsg("performing immediate shutdown because data directory lock file is invalid")));
1924  }
1925  last_lockfile_recheck_time = now;
1926  }
1927 
1928  /*
1929  * Touch Unix socket and lock files every 58 minutes, to ensure that
1930  * they are not removed by overzealous /tmp-cleaning tasks. We assume
1931  * no one runs cleaners with cutoff times of less than an hour ...
1932  */
1933  if (now - last_touch_time >= 58 * SECS_PER_MINUTE)
1934  {
1935  TouchSocketFiles();
1937  last_touch_time = now;
1938  }
1939  }
1940 }
1941 
1942 /*
1943  * Initialise the masks for select() for the ports we are listening on.
1944  * Return the number of sockets to listen on.
1945  */
1946 static int
1947 initMasks(fd_set *rmask)
1948 {
1949  int maxsock = -1;
1950  int i;
1951 
1952  FD_ZERO(rmask);
1953 
1954  for (i = 0; i < MAXLISTEN; i++)
1955  {
1956  int fd = ListenSocket[i];
1957 
1958  if (fd == PGINVALID_SOCKET)
1959  break;
1960  FD_SET(fd, rmask);
1961 
1962  if (fd > maxsock)
1963  maxsock = fd;
1964  }
1965 
1966  return maxsock + 1;
1967 }
1968 
1969 
1970 /*
1971  * Read a client's startup packet and do something according to it.
1972  *
1973  * Returns STATUS_OK or STATUS_ERROR, or might call ereport(FATAL) and
1974  * not return at all.
1975  *
1976  * (Note that ereport(FATAL) stuff is sent to the client, so only use it
1977  * if that's what you want. Return STATUS_ERROR if you don't want to
1978  * send anything to the client, which would typically be appropriate
1979  * if we detect a communications failure.)
1980  *
1981  * Set ssl_done and/or gss_done when negotiation of an encrypted layer
1982  * (currently, TLS or GSSAPI) is completed. A successful negotiation of either
1983  * encryption layer sets both flags, but a rejected negotiation sets only the
1984  * flag for that layer, since the client may wish to try the other one. We
1985  * should make no assumption here about the order in which the client may make
1986  * requests.
1987  */
1988 static int
1989 ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done)
1990 {
1991  int32 len;
1992  char *buf;
1993  ProtocolVersion proto;
1994  MemoryContext oldcontext;
1995 
1996  pq_startmsgread();
1997 
1998  /*
1999  * Grab the first byte of the length word separately, so that we can tell
2000  * whether we have no data at all or an incomplete packet. (This might
2001  * sound inefficient, but it's not really, because of buffering in
2002  * pqcomm.c.)
2003  */
2004  if (pq_getbytes((char *) &len, 1) == EOF)
2005  {
2006  /*
2007  * If we get no data at all, don't clutter the log with a complaint;
2008  * such cases often occur for legitimate reasons. An example is that
2009  * we might be here after responding to NEGOTIATE_SSL_CODE, and if the
2010  * client didn't like our response, it'll probably just drop the
2011  * connection. Service-monitoring software also often just opens and
2012  * closes a connection without sending anything. (So do port
2013  * scanners, which may be less benign, but it's not really our job to
2014  * notice those.)
2015  */
2016  return STATUS_ERROR;
2017  }
2018 
2019  if (pq_getbytes(((char *) &len) + 1, 3) == EOF)
2020  {
2021  /* Got a partial length word, so bleat about that */
2022  if (!ssl_done && !gss_done)
2024  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2025  errmsg("incomplete startup packet")));
2026  return STATUS_ERROR;
2027  }
2028 
2029  len = pg_ntoh32(len);
2030  len -= 4;
2031 
2032  if (len < (int32) sizeof(ProtocolVersion) ||
2034  {
2036  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2037  errmsg("invalid length of startup packet")));
2038  return STATUS_ERROR;
2039  }
2040 
2041  /*
2042  * Allocate space to hold the startup packet, plus one extra byte that's
2043  * initialized to be zero. This ensures we will have null termination of
2044  * all strings inside the packet.
2045  */
2046  buf = palloc(len + 1);
2047  buf[len] = '\0';
2048 
2049  if (pq_getbytes(buf, len) == EOF)
2050  {
2052  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2053  errmsg("incomplete startup packet")));
2054  return STATUS_ERROR;
2055  }
2056  pq_endmsgread();
2057 
2058  /*
2059  * The first field is either a protocol version number or a special
2060  * request code.
2061  */
2062  port->proto = proto = pg_ntoh32(*((ProtocolVersion *) buf));
2063 
2064  if (proto == CANCEL_REQUEST_CODE)
2065  {
2067  /* Not really an error, but we don't want to proceed further */
2068  return STATUS_ERROR;
2069  }
2070 
2071  if (proto == NEGOTIATE_SSL_CODE && !ssl_done)
2072  {
2073  char SSLok;
2074 
2075 #ifdef USE_SSL
2076  /* No SSL when disabled or on Unix sockets */
2077  if (!LoadedSSL || port->laddr.addr.ss_family == AF_UNIX)
2078  SSLok = 'N';
2079  else
2080  SSLok = 'S'; /* Support for SSL */
2081 #else
2082  SSLok = 'N'; /* No support for SSL */
2083 #endif
2084 
2085 retry1:
2086  if (send(port->sock, &SSLok, 1, 0) != 1)
2087  {
2088  if (errno == EINTR)
2089  goto retry1; /* if interrupted, just retry */
2092  errmsg("failed to send SSL negotiation response: %m")));
2093  return STATUS_ERROR; /* close the connection */
2094  }
2095 
2096 #ifdef USE_SSL
2097  if (SSLok == 'S' && secure_open_server(port) == -1)
2098  return STATUS_ERROR;
2099 #endif
2100 
2101  /*
2102  * At this point we should have no data already buffered. If we do,
2103  * it was received before we performed the SSL handshake, so it wasn't
2104  * encrypted and indeed may have been injected by a man-in-the-middle.
2105  * We report this case to the client.
2106  */
2107  if (pq_buffer_has_data())
2108  ereport(FATAL,
2109  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2110  errmsg("received unencrypted data after SSL request"),
2111  errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
2112 
2113  /*
2114  * regular startup packet, cancel, etc packet should follow, but not
2115  * another SSL negotiation request, and a GSS request should only
2116  * follow if SSL was rejected (client may negotiate in either order)
2117  */
2118  return ProcessStartupPacket(port, true, SSLok == 'S');
2119  }
2120  else if (proto == NEGOTIATE_GSS_CODE && !gss_done)
2121  {
2122  char GSSok = 'N';
2123 
2124 #ifdef ENABLE_GSS
2125  /* No GSSAPI encryption when on Unix socket */
2126  if (port->laddr.addr.ss_family != AF_UNIX)
2127  GSSok = 'G';
2128 #endif
2129 
2130  while (send(port->sock, &GSSok, 1, 0) != 1)
2131  {
2132  if (errno == EINTR)
2133  continue;
2136  errmsg("failed to send GSSAPI negotiation response: %m")));
2137  return STATUS_ERROR; /* close the connection */
2138  }
2139 
2140 #ifdef ENABLE_GSS
2141  if (GSSok == 'G' && secure_open_gssapi(port) == -1)
2142  return STATUS_ERROR;
2143 #endif
2144 
2145  /*
2146  * At this point we should have no data already buffered. If we do,
2147  * it was received before we performed the GSS handshake, so it wasn't
2148  * encrypted and indeed may have been injected by a man-in-the-middle.
2149  * We report this case to the client.
2150  */
2151  if (pq_buffer_has_data())
2152  ereport(FATAL,
2153  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2154  errmsg("received unencrypted data after GSSAPI encryption request"),
2155  errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
2156 
2157  /*
2158  * regular startup packet, cancel, etc packet should follow, but not
2159  * another GSS negotiation request, and an SSL request should only
2160  * follow if GSS was rejected (client may negotiate in either order)
2161  */
2162  return ProcessStartupPacket(port, GSSok == 'G', true);
2163  }
2164 
2165  /* Could add additional special packet types here */
2166 
2167  /*
2168  * Set FrontendProtocol now so that ereport() knows what format to send if
2169  * we fail during startup.
2170  */
2171  FrontendProtocol = proto;
2172 
2173  /* Check that the major protocol version is in range. */
2176  ereport(FATAL,
2177  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2178  errmsg("unsupported frontend protocol %u.%u: server supports %u.0 to %u.%u",
2179  PG_PROTOCOL_MAJOR(proto), PG_PROTOCOL_MINOR(proto),
2183 
2184  /*
2185  * Now fetch parameters out of startup packet and save them into the Port
2186  * structure. All data structures attached to the Port struct must be
2187  * allocated in TopMemoryContext so that they will remain available in a
2188  * running backend (even after PostmasterContext is destroyed). We need
2189  * not worry about leaking this storage on failure, since we aren't in the
2190  * postmaster process anymore.
2191  */
2193 
2194  /* Handle protocol version 3 startup packet */
2195  {
2196  int32 offset = sizeof(ProtocolVersion);
2197  List *unrecognized_protocol_options = NIL;
2198 
2199  /*
2200  * Scan packet body for name/option pairs. We can assume any string
2201  * beginning within the packet body is null-terminated, thanks to
2202  * zeroing extra byte above.
2203  */
2204  port->guc_options = NIL;
2205 
2206  while (offset < len)
2207  {
2208  char *nameptr = buf + offset;
2209  int32 valoffset;
2210  char *valptr;
2211 
2212  if (*nameptr == '\0')
2213  break; /* found packet terminator */
2214  valoffset = offset + strlen(nameptr) + 1;
2215  if (valoffset >= len)
2216  break; /* missing value, will complain below */
2217  valptr = buf + valoffset;
2218 
2219  if (strcmp(nameptr, "database") == 0)
2220  port->database_name = pstrdup(valptr);
2221  else if (strcmp(nameptr, "user") == 0)
2222  port->user_name = pstrdup(valptr);
2223  else if (strcmp(nameptr, "options") == 0)
2224  port->cmdline_options = pstrdup(valptr);
2225  else if (strcmp(nameptr, "replication") == 0)
2226  {
2227  /*
2228  * Due to backward compatibility concerns the replication
2229  * parameter is a hybrid beast which allows the value to be
2230  * either boolean or the string 'database'. The latter
2231  * connects to a specific database which is e.g. required for
2232  * logical decoding while.
2233  */
2234  if (strcmp(valptr, "database") == 0)
2235  {
2236  am_walsender = true;
2237  am_db_walsender = true;
2238  }
2239  else if (!parse_bool(valptr, &am_walsender))
2240  ereport(FATAL,
2241  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
2242  errmsg("invalid value for parameter \"%s\": \"%s\"",
2243  "replication",
2244  valptr),
2245  errhint("Valid values are: \"false\", 0, \"true\", 1, \"database\".")));
2246  }
2247  else if (strncmp(nameptr, "_pq_.", 5) == 0)
2248  {
2249  /*
2250  * Any option beginning with _pq_. is reserved for use as a
2251  * protocol-level option, but at present no such options are
2252  * defined.
2253  */
2254  unrecognized_protocol_options =
2255  lappend(unrecognized_protocol_options, pstrdup(nameptr));
2256  }
2257  else
2258  {
2259  /* Assume it's a generic GUC option */
2260  port->guc_options = lappend(port->guc_options,
2261  pstrdup(nameptr));
2262  port->guc_options = lappend(port->guc_options,
2263  pstrdup(valptr));
2264 
2265  /*
2266  * Copy application_name to port if we come across it. This
2267  * is done so we can log the application_name in the
2268  * connection authorization message. Note that the GUC would
2269  * be used but we haven't gone through GUC setup yet.
2270  */
2271  if (strcmp(nameptr, "application_name") == 0)
2272  {
2273  port->application_name = pg_clean_ascii(valptr, 0);
2274  }
2275  }
2276  offset = valoffset + strlen(valptr) + 1;
2277  }
2278 
2279  /*
2280  * If we didn't find a packet terminator exactly at the end of the
2281  * given packet length, complain.
2282  */
2283  if (offset != len - 1)
2284  ereport(FATAL,
2285  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2286  errmsg("invalid startup packet layout: expected terminator as last byte")));
2287 
2288  /*
2289  * If the client requested a newer protocol version or if the client
2290  * requested any protocol options we didn't recognize, let them know
2291  * the newest minor protocol version we do support and the names of
2292  * any unrecognized options.
2293  */
2295  unrecognized_protocol_options != NIL)
2296  SendNegotiateProtocolVersion(unrecognized_protocol_options);
2297  }
2298 
2299  /* Check a user name was given. */
2300  if (port->user_name == NULL || port->user_name[0] == '\0')
2301  ereport(FATAL,
2302  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
2303  errmsg("no PostgreSQL user name specified in startup packet")));
2304 
2305  /* The database defaults to the user name. */
2306  if (port->database_name == NULL || port->database_name[0] == '\0')
2307  port->database_name = pstrdup(port->user_name);
2308 
2309  if (Db_user_namespace)
2310  {
2311  /*
2312  * If user@, it is a global user, remove '@'. We only want to do this
2313  * if there is an '@' at the end and no earlier in the user string or
2314  * they may fake as a local user of another database attaching to this
2315  * database.
2316  */
2317  if (strchr(port->user_name, '@') ==
2318  port->user_name + strlen(port->user_name) - 1)
2319  *strchr(port->user_name, '@') = '\0';
2320  else
2321  {
2322  /* Append '@' and dbname */
2323  port->user_name = psprintf("%s@%s", port->user_name, port->database_name);
2324  }
2325  }
2326 
2327  /*
2328  * Truncate given database and user names to length of a Postgres name.
2329  * This avoids lookup failures when overlength names are given.
2330  */
2331  if (strlen(port->database_name) >= NAMEDATALEN)
2332  port->database_name[NAMEDATALEN - 1] = '\0';
2333  if (strlen(port->user_name) >= NAMEDATALEN)
2334  port->user_name[NAMEDATALEN - 1] = '\0';
2335 
2336  if (am_walsender)
2338  else
2340 
2341  /*
2342  * Normal walsender backends, e.g. for streaming replication, are not
2343  * connected to a particular database. But walsenders used for logical
2344  * replication need to connect to a specific database. We allow streaming
2345  * replication commands to be issued even if connected to a database as it
2346  * can make sense to first make a basebackup and then stream changes
2347  * starting from that.
2348  */
2349  if (am_walsender && !am_db_walsender)
2350  port->database_name[0] = '\0';
2351 
2352  /*
2353  * Done putting stuff in TopMemoryContext.
2354  */
2355  MemoryContextSwitchTo(oldcontext);
2356 
2357  /*
2358  * If we're going to reject the connection due to database state, say so
2359  * now instead of wasting cycles on an authentication exchange. (This also
2360  * allows a pg_ping utility to be written.)
2361  */
2362  switch (port->canAcceptConnections)
2363  {
2364  case CAC_STARTUP:
2365  ereport(FATAL,
2367  errmsg("the database system is starting up")));
2368  break;
2369  case CAC_NOTCONSISTENT:
2370  if (EnableHotStandby)
2371  ereport(FATAL,
2373  errmsg("the database system is not yet accepting connections"),
2374  errdetail("Consistent recovery state has not been yet reached.")));
2375  else
2376  ereport(FATAL,
2378  errmsg("the database system is not accepting connections"),
2379  errdetail("Hot standby mode is disabled.")));
2380  break;
2381  case CAC_SHUTDOWN:
2382  ereport(FATAL,
2384  errmsg("the database system is shutting down")));
2385  break;
2386  case CAC_RECOVERY:
2387  ereport(FATAL,
2389  errmsg("the database system is in recovery mode")));
2390  break;
2391  case CAC_TOOMANY:
2392  ereport(FATAL,
2393  (errcode(ERRCODE_TOO_MANY_CONNECTIONS),
2394  errmsg("sorry, too many clients already")));
2395  break;
2396  case CAC_OK:
2397  break;
2398  }
2399 
2400  return STATUS_OK;
2401 }
2402 
2403 /*
2404  * Send a NegotiateProtocolVersion to the client. This lets the client know
2405  * that they have requested a newer minor protocol version than we are able
2406  * to speak. We'll speak the highest version we know about; the client can,
2407  * of course, abandon the connection if that's a problem.
2408  *
2409  * We also include in the response a list of protocol options we didn't
2410  * understand. This allows clients to include optional parameters that might
2411  * be present either in newer protocol versions or third-party protocol
2412  * extensions without fear of having to reconnect if those options are not
2413  * understood, while at the same time making certain that the client is aware
2414  * of which options were actually accepted.
2415  */
2416 static void
2417 SendNegotiateProtocolVersion(List *unrecognized_protocol_options)
2418 {
2420  ListCell *lc;
2421 
2422  pq_beginmessage(&buf, 'v'); /* NegotiateProtocolVersion */
2424  pq_sendint32(&buf, list_length(unrecognized_protocol_options));
2425  foreach(lc, unrecognized_protocol_options)
2426  pq_sendstring(&buf, lfirst(lc));
2427  pq_endmessage(&buf);
2428 
2429  /* no need to flush, some other message will follow */
2430 }
2431 
2432 /*
2433  * The client has sent a cancel request packet, not a normal
2434  * start-a-new-connection packet. Perform the necessary processing.
2435  * Nothing is sent back to the client.
2436  */
2437 static void
2439 {
2440  CancelRequestPacket *canc = (CancelRequestPacket *) pkt;
2441  int backendPID;
2442  int32 cancelAuthCode;
2443  Backend *bp;
2444 
2445 #ifndef EXEC_BACKEND
2446  dlist_iter iter;
2447 #else
2448  int i;
2449 #endif
2450 
2451  backendPID = (int) pg_ntoh32(canc->backendPID);
2452  cancelAuthCode = (int32) pg_ntoh32(canc->cancelAuthCode);
2453 
2454  /*
2455  * See if we have a matching backend. In the EXEC_BACKEND case, we can no
2456  * longer access the postmaster's own backend list, and must rely on the
2457  * duplicate array in shared memory.
2458  */
2459 #ifndef EXEC_BACKEND
2460  dlist_foreach(iter, &BackendList)
2461  {
2462  bp = dlist_container(Backend, elem, iter.cur);
2463 #else
2464  for (i = MaxLivePostmasterChildren() - 1; i >= 0; i--)
2465  {
2466  bp = (Backend *) &ShmemBackendArray[i];
2467 #endif
2468  if (bp->pid == backendPID)
2469  {
2470  if (bp->cancel_key == cancelAuthCode)
2471  {
2472  /* Found a match; signal that backend to cancel current op */
2473  ereport(DEBUG2,
2474  (errmsg_internal("processing cancel request: sending SIGINT to process %d",
2475  backendPID)));
2476  signal_child(bp->pid, SIGINT);
2477  }
2478  else
2479  /* Right PID, wrong key: no way, Jose */
2480  ereport(LOG,
2481  (errmsg("wrong key in cancel request for process %d",
2482  backendPID)));
2483  return;
2484  }
2485 #ifndef EXEC_BACKEND /* make GNU Emacs 26.1 see brace balance */
2486  }
2487 #else
2488  }
2489 #endif
2490 
2491  /* No matching backend */
2492  ereport(LOG,
2493  (errmsg("PID %d in cancel request did not match any process",
2494  backendPID)));
2495 }
2496 
2497 /*
2498  * canAcceptConnections --- check to see if database state allows connections
2499  * of the specified type. backend_type can be BACKEND_TYPE_NORMAL,
2500  * BACKEND_TYPE_AUTOVAC, or BACKEND_TYPE_BGWORKER. (Note that we don't yet
2501  * know whether a NORMAL connection might turn into a walsender.)
2502  */
2503 static CAC_state
2504 canAcceptConnections(int backend_type)
2505 {
2506  CAC_state result = CAC_OK;
2507 
2508  /*
2509  * Can't start backends when in startup/shutdown/inconsistent recovery
2510  * state. We treat autovac workers the same as user backends for this
2511  * purpose. However, bgworkers are excluded from this test; we expect
2512  * bgworker_should_start_now() decided whether the DB state allows them.
2513  */
2514  if (pmState != PM_RUN && pmState != PM_HOT_STANDBY &&
2515  backend_type != BACKEND_TYPE_BGWORKER)
2516  {
2517  if (Shutdown > NoShutdown)
2518  return CAC_SHUTDOWN; /* shutdown is pending */
2519  else if (!FatalError && pmState == PM_STARTUP)
2520  return CAC_STARTUP; /* normal startup */
2521  else if (!FatalError && pmState == PM_RECOVERY)
2522  return CAC_NOTCONSISTENT; /* not yet at consistent recovery
2523  * state */
2524  else
2525  return CAC_RECOVERY; /* else must be crash recovery */
2526  }
2527 
2528  /*
2529  * "Smart shutdown" restrictions are applied only to normal connections,
2530  * not to autovac workers or bgworkers.
2531  */
2532  if (!connsAllowed && backend_type == BACKEND_TYPE_NORMAL)
2533  return CAC_SHUTDOWN; /* shutdown is pending */
2534 
2535  /*
2536  * Don't start too many children.
2537  *
2538  * We allow more connections here than we can have backends because some
2539  * might still be authenticating; they might fail auth, or some existing
2540  * backend might exit before the auth cycle is completed. The exact
2541  * MaxBackends limit is enforced when a new backend tries to join the
2542  * shared-inval backend array.
2543  *
2544  * The limit here must match the sizes of the per-child-process arrays;
2545  * see comments for MaxLivePostmasterChildren().
2546  */
2548  result = CAC_TOOMANY;
2549 
2550  return result;
2551 }
2552 
2553 
2554 /*
2555  * ConnCreate -- create a local connection data structure
2556  *
2557  * Returns NULL on failure, other than out-of-memory which is fatal.
2558  */
2559 static Port *
2560 ConnCreate(int serverFd)
2561 {
2562  Port *port;
2563 
2564  if (!(port = (Port *) calloc(1, sizeof(Port))))
2565  {
2566  ereport(LOG,
2567  (errcode(ERRCODE_OUT_OF_MEMORY),
2568  errmsg("out of memory")));
2569  ExitPostmaster(1);
2570  }
2571 
2572  if (StreamConnection(serverFd, port) != STATUS_OK)
2573  {
2574  if (port->sock != PGINVALID_SOCKET)
2575  StreamClose(port->sock);
2576  ConnFree(port);
2577  return NULL;
2578  }
2579 
2580  return port;
2581 }
2582 
2583 
2584 /*
2585  * ConnFree -- free a local connection data structure
2586  *
2587  * Caller has already closed the socket if any, so there's not much
2588  * to do here.
2589  */
2590 static void
2592 {
2593  free(port);
2594 }
2595 
2596 
2597 /*
2598  * ClosePostmasterPorts -- close all the postmaster's open sockets
2599  *
2600  * This is called during child process startup to release file descriptors
2601  * that are not needed by that child process. The postmaster still has
2602  * them open, of course.
2603  *
2604  * Note: we pass am_syslogger as a boolean because we don't want to set
2605  * the global variable yet when this is called.
2606  */
2607 void
2608 ClosePostmasterPorts(bool am_syslogger)
2609 {
2610  int i;
2611 
2612 #ifndef WIN32
2613 
2614  /*
2615  * Close the write end of postmaster death watch pipe. It's important to
2616  * do this as early as possible, so that if postmaster dies, others won't
2617  * think that it's still running because we're holding the pipe open.
2618  */
2620  ereport(FATAL,
2622  errmsg_internal("could not close postmaster death monitoring pipe in child process: %m")));
2624  /* Notify fd.c that we released one pipe FD. */
2626 #endif
2627 
2628  /*
2629  * Close the postmaster's listen sockets. These aren't tracked by fd.c,
2630  * so we don't call ReleaseExternalFD() here.
2631  */
2632  for (i = 0; i < MAXLISTEN; i++)
2633  {
2635  {
2638  }
2639  }
2640 
2641  /*
2642  * If using syslogger, close the read side of the pipe. We don't bother
2643  * tracking this in fd.c, either.
2644  */
2645  if (!am_syslogger)
2646  {
2647 #ifndef WIN32
2648  if (syslogPipe[0] >= 0)
2649  close(syslogPipe[0]);
2650  syslogPipe[0] = -1;
2651 #else
2652  if (syslogPipe[0])
2653  CloseHandle(syslogPipe[0]);
2654  syslogPipe[0] = 0;
2655 #endif
2656  }
2657 
2658 #ifdef USE_BONJOUR
2659  /* If using Bonjour, close the connection to the mDNS daemon */
2660  if (bonjour_sdref)
2661  close(DNSServiceRefSockFD(bonjour_sdref));
2662 #endif
2663 }
2664 
2665 
2666 /*
2667  * InitProcessGlobals -- set MyProcPid, MyStartTime[stamp], random seeds
2668  *
2669  * Called early in the postmaster and every backend.
2670  */
2671 void
2673 {
2674  MyProcPid = getpid();
2677 
2678  /*
2679  * Set a different global seed in every process. We want something
2680  * unpredictable, so if possible, use high-quality random bits for the
2681  * seed. Otherwise, fall back to a seed based on timestamp and PID.
2682  */
2684  {
2685  uint64 rseed;
2686 
2687  /*
2688  * Since PIDs and timestamps tend to change more frequently in their
2689  * least significant bits, shift the timestamp left to allow a larger
2690  * total number of seeds in a given time period. Since that would
2691  * leave only 20 bits of the timestamp that cycle every ~1 second,
2692  * also mix in some higher bits.
2693  */
2694  rseed = ((uint64) MyProcPid) ^
2695  ((uint64) MyStartTimestamp << 12) ^
2696  ((uint64) MyStartTimestamp >> 20);
2697 
2699  }
2700 
2701  /*
2702  * Also make sure that we've set a good seed for random(3). Use of that
2703  * is deprecated in core Postgres, but extensions might use it.
2704  */
2705 #ifndef WIN32
2707 #endif
2708 }
2709 
2710 
2711 /*
2712  * SIGHUP -- reread config files, and tell children to do same
2713  */
2714 static void
2716 {
2717  int save_errno = errno;
2718 
2719  if (Shutdown <= SmartShutdown)
2720  {
2721  ereport(LOG,
2722  (errmsg("received SIGHUP, reloading configuration files")));
2725  if (StartupPID != 0)
2727  if (BgWriterPID != 0)
2729  if (CheckpointerPID != 0)
2731  if (WalWriterPID != 0)
2733  if (WalReceiverPID != 0)
2735  if (AutoVacPID != 0)
2737  if (PgArchPID != 0)
2739  if (SysLoggerPID != 0)
2741 
2742  /* Reload authentication config files too */
2743  if (!load_hba())
2744  ereport(LOG,
2745  /* translator: %s is a configuration file */
2746  (errmsg("%s was not reloaded", HbaFileName)));
2747 
2748  if (!load_ident())
2749  ereport(LOG,
2750  (errmsg("%s was not reloaded", IdentFileName)));
2751 
2752 #ifdef USE_SSL
2753  /* Reload SSL configuration as well */
2754  if (EnableSSL)
2755  {
2756  if (secure_initialize(false) == 0)
2757  LoadedSSL = true;
2758  else
2759  ereport(LOG,
2760  (errmsg("SSL configuration was not reloaded")));
2761  }
2762  else
2763  {
2764  secure_destroy();
2765  LoadedSSL = false;
2766  }
2767 #endif
2768 
2769 #ifdef EXEC_BACKEND
2770  /* Update the starting-point file for future children */
2771  write_nondefault_variables(PGC_SIGHUP);
2772 #endif
2773  }
2774 
2775  errno = save_errno;
2776 }
2777 
2778 
2779 /*
2780  * pmdie -- signal handler for processing various postmaster signals.
2781  */
2782 static void
2784 {
2785  int save_errno = errno;
2786 
2787  ereport(DEBUG2,
2788  (errmsg_internal("postmaster received signal %d",
2789  postgres_signal_arg)));
2790 
2791  switch (postgres_signal_arg)
2792  {
2793  case SIGTERM:
2794 
2795  /*
2796  * Smart Shutdown:
2797  *
2798  * Wait for children to end their work, then shut down.
2799  */
2800  if (Shutdown >= SmartShutdown)
2801  break;
2803  ereport(LOG,
2804  (errmsg("received smart shutdown request")));
2805 
2806  /* Report status */
2808 #ifdef USE_SYSTEMD
2809  sd_notify(0, "STOPPING=1");
2810 #endif
2811 
2812  /*
2813  * If we reached normal running, we go straight to waiting for
2814  * client backends to exit. If already in PM_STOP_BACKENDS or a
2815  * later state, do not change it.
2816  */
2817  if (pmState == PM_RUN || pmState == PM_HOT_STANDBY)
2818  connsAllowed = false;
2819  else if (pmState == PM_STARTUP || pmState == PM_RECOVERY)
2820  {
2821  /* There should be no clients, so proceed to stop children */
2823  }
2824 
2825  /*
2826  * Now wait for online backup mode to end and backends to exit. If
2827  * that is already the case, PostmasterStateMachine will take the
2828  * next step.
2829  */
2831  break;
2832 
2833  case SIGINT:
2834 
2835  /*
2836  * Fast Shutdown:
2837  *
2838  * Abort all children with SIGTERM (rollback active transactions
2839  * and exit) and shut down when they are gone.
2840  */
2841  if (Shutdown >= FastShutdown)
2842  break;
2844  ereport(LOG,
2845  (errmsg("received fast shutdown request")));
2846 
2847  /* Report status */
2849 #ifdef USE_SYSTEMD
2850  sd_notify(0, "STOPPING=1");
2851 #endif
2852 
2853  if (pmState == PM_STARTUP || pmState == PM_RECOVERY)
2854  {
2855  /* Just shut down background processes silently */
2857  }
2858  else if (pmState == PM_RUN ||
2860  {
2861  /* Report that we're about to zap live client sessions */
2862  ereport(LOG,
2863  (errmsg("aborting any active transactions")));
2865  }
2866 
2867  /*
2868  * PostmasterStateMachine will issue any necessary signals, or
2869  * take the next step if no child processes need to be killed.
2870  */
2872  break;
2873 
2874  case SIGQUIT:
2875 
2876  /*
2877  * Immediate Shutdown:
2878  *
2879  * abort all children with SIGQUIT, wait for them to exit,
2880  * terminate remaining ones with SIGKILL, then exit without
2881  * attempt to properly shut down the data base system.
2882  */
2883  if (Shutdown >= ImmediateShutdown)
2884  break;
2886  ereport(LOG,
2887  (errmsg("received immediate shutdown request")));
2888 
2889  /* Report status */
2891 #ifdef USE_SYSTEMD
2892  sd_notify(0, "STOPPING=1");
2893 #endif
2894 
2895  /* tell children to shut down ASAP */
2896  /* (note we don't apply send_abort_for_crash here) */
2900 
2901  /* set stopwatch for them to die */
2902  AbortStartTime = time(NULL);
2903 
2904  /*
2905  * Now wait for backends to exit. If there are none,
2906  * PostmasterStateMachine will take the next step.
2907  */
2909  break;
2910  }
2911 
2912  errno = save_errno;
2913 }
2914 
2915 /*
2916  * Reaper -- signal handler to cleanup after a child process dies.
2917  */
2918 static void
2920 {
2921  int save_errno = errno;
2922  int pid; /* process id of dead child process */
2923  int exitstatus; /* its exit status */
2924 
2925  ereport(DEBUG4,
2926  (errmsg_internal("reaping dead processes")));
2927 
2928  while ((pid = waitpid(-1, &exitstatus, WNOHANG)) > 0)
2929  {
2930  /*
2931  * Check if this child was a startup process.
2932  */
2933  if (pid == StartupPID)
2934  {
2935  StartupPID = 0;
2936 
2937  /*
2938  * Startup process exited in response to a shutdown request (or it
2939  * completed normally regardless of the shutdown request).
2940  */
2941  if (Shutdown > NoShutdown &&
2942  (EXIT_STATUS_0(exitstatus) || EXIT_STATUS_1(exitstatus)))
2943  {
2946  /* PostmasterStateMachine logic does the rest */
2947  continue;
2948  }
2949 
2950  if (EXIT_STATUS_3(exitstatus))
2951  {
2952  ereport(LOG,
2953  (errmsg("shutdown at recovery target")));
2956  TerminateChildren(SIGTERM);
2958  /* PostmasterStateMachine logic does the rest */
2959  continue;
2960  }
2961 
2962  /*
2963  * Unexpected exit of startup process (including FATAL exit)
2964  * during PM_STARTUP is treated as catastrophic. There are no
2965  * other processes running yet, so we can just exit.
2966  */
2967  if (pmState == PM_STARTUP &&
2969  !EXIT_STATUS_0(exitstatus))
2970  {
2971  LogChildExit(LOG, _("startup process"),
2972  pid, exitstatus);
2973  ereport(LOG,
2974  (errmsg("aborting startup due to startup process failure")));
2975  ExitPostmaster(1);
2976  }
2977 
2978  /*
2979  * After PM_STARTUP, any unexpected exit (including FATAL exit) of
2980  * the startup process is catastrophic, so kill other children,
2981  * and set StartupStatus so we don't try to reinitialize after
2982  * they're gone. Exception: if StartupStatus is STARTUP_SIGNALED,
2983  * then we previously sent the startup process a SIGQUIT; so
2984  * that's probably the reason it died, and we do want to try to
2985  * restart in that case.
2986  *
2987  * This stanza also handles the case where we sent a SIGQUIT
2988  * during PM_STARTUP due to some dead_end child crashing: in that
2989  * situation, if the startup process dies on the SIGQUIT, we need
2990  * to transition to PM_WAIT_BACKENDS state which will allow
2991  * PostmasterStateMachine to restart the startup process. (On the
2992  * other hand, the startup process might complete normally, if we
2993  * were too late with the SIGQUIT. In that case we'll fall
2994  * through and commence normal operations.)
2995  */
2996  if (!EXIT_STATUS_0(exitstatus))
2997  {
2999  {
3001  if (pmState == PM_STARTUP)
3003  }
3004  else
3006  HandleChildCrash(pid, exitstatus,
3007  _("startup process"));
3008  continue;
3009  }
3010 
3011  /*
3012  * Startup succeeded, commence normal operations
3013  */
3015  FatalError = false;
3016  AbortStartTime = 0;
3017  ReachedNormalRunning = true;
3018  pmState = PM_RUN;
3019  connsAllowed = true;
3020 
3021  /*
3022  * Crank up the background tasks, if we didn't do that already
3023  * when we entered consistent recovery state. It doesn't matter
3024  * if this fails, we'll just try again later.
3025  */
3026  if (CheckpointerPID == 0)
3028  if (BgWriterPID == 0)
3030  if (WalWriterPID == 0)
3032 
3033  /*
3034  * Likewise, start other special children as needed. In a restart
3035  * situation, some of them may be alive already.
3036  */
3039  if (PgArchStartupAllowed() && PgArchPID == 0)
3041 
3042  /* workers may be scheduled to start now */
3044 
3045  /* at this point we are really open for business */
3046  ereport(LOG,
3047  (errmsg("database system is ready to accept connections")));
3048 
3049  /* Report status */
3051 #ifdef USE_SYSTEMD
3052  sd_notify(0, "READY=1");
3053 #endif
3054 
3055  continue;
3056  }
3057 
3058  /*
3059  * Was it the bgwriter? Normal exit can be ignored; we'll start a new
3060  * one at the next iteration of the postmaster's main loop, if
3061  * necessary. Any other exit condition is treated as a crash.
3062  */
3063  if (pid == BgWriterPID)
3064  {
3065  BgWriterPID = 0;
3066  if (!EXIT_STATUS_0(exitstatus))
3067  HandleChildCrash(pid, exitstatus,
3068  _("background writer process"));
3069  continue;
3070  }
3071 
3072  /*
3073  * Was it the checkpointer?
3074  */
3075  if (pid == CheckpointerPID)
3076  {
3077  CheckpointerPID = 0;
3078  if (EXIT_STATUS_0(exitstatus) && pmState == PM_SHUTDOWN)
3079  {
3080  /*
3081  * OK, we saw normal exit of the checkpointer after it's been
3082  * told to shut down. We expect that it wrote a shutdown
3083  * checkpoint. (If for some reason it didn't, recovery will
3084  * occur on next postmaster start.)
3085  *
3086  * At this point we should have no normal backend children
3087  * left (else we'd not be in PM_SHUTDOWN state) but we might
3088  * have dead_end children to wait for.
3089  *
3090  * If we have an archiver subprocess, tell it to do a last
3091  * archive cycle and quit. Likewise, if we have walsender
3092  * processes, tell them to send any remaining WAL and quit.
3093  */
3095 
3096  /* Waken archiver for the last time */
3097  if (PgArchPID != 0)
3099 
3100  /*
3101  * Waken walsenders for the last time. No regular backends
3102  * should be around anymore.
3103  */
3105 
3107  }
3108  else
3109  {
3110  /*
3111  * Any unexpected exit of the checkpointer (including FATAL
3112  * exit) is treated as a crash.
3113  */
3114  HandleChildCrash(pid, exitstatus,
3115  _("checkpointer process"));
3116  }
3117 
3118  continue;
3119  }
3120 
3121  /*
3122  * Was it the wal writer? Normal exit can be ignored; we'll start a
3123  * new one at the next iteration of the postmaster's main loop, if
3124  * necessary. Any other exit condition is treated as a crash.
3125  */
3126  if (pid == WalWriterPID)
3127  {
3128  WalWriterPID = 0;
3129  if (!EXIT_STATUS_0(exitstatus))
3130  HandleChildCrash(pid, exitstatus,
3131  _("WAL writer process"));
3132  continue;
3133  }
3134 
3135  /*
3136  * Was it the wal receiver? If exit status is zero (normal) or one
3137  * (FATAL exit), we assume everything is all right just like normal
3138  * backends. (If we need a new wal receiver, we'll start one at the
3139  * next iteration of the postmaster's main loop.)
3140  */
3141  if (pid == WalReceiverPID)
3142  {
3143  WalReceiverPID = 0;
3144  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3145  HandleChildCrash(pid, exitstatus,
3146  _("WAL receiver process"));
3147  continue;
3148  }
3149 
3150  /*
3151  * Was it the autovacuum launcher? Normal exit can be ignored; we'll
3152  * start a new one at the next iteration of the postmaster's main
3153  * loop, if necessary. Any other exit condition is treated as a
3154  * crash.
3155  */
3156  if (pid == AutoVacPID)
3157  {
3158  AutoVacPID = 0;
3159  if (!EXIT_STATUS_0(exitstatus))
3160  HandleChildCrash(pid, exitstatus,
3161  _("autovacuum launcher process"));
3162  continue;
3163  }
3164 
3165  /*
3166  * Was it the archiver? If exit status is zero (normal) or one (FATAL
3167  * exit), we assume everything is all right just like normal backends
3168  * and just try to restart a new one so that we immediately retry
3169  * archiving remaining files. (If fail, we'll try again in future
3170  * cycles of the postmaster's main loop.) Unless we were waiting for
3171  * it to shut down; don't restart it in that case, and
3172  * PostmasterStateMachine() will advance to the next shutdown step.
3173  */
3174  if (pid == PgArchPID)
3175  {
3176  PgArchPID = 0;
3177  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3178  HandleChildCrash(pid, exitstatus,
3179  _("archiver process"));
3180  if (PgArchStartupAllowed())
3182  continue;
3183  }
3184 
3185  /* Was it the system logger? If so, try to start a new one */
3186  if (pid == SysLoggerPID)
3187  {
3188  SysLoggerPID = 0;
3189  /* for safety's sake, launch new logger *first* */
3191  if (!EXIT_STATUS_0(exitstatus))
3192  LogChildExit(LOG, _("system logger process"),
3193  pid, exitstatus);
3194  continue;
3195  }
3196 
3197  /* Was it one of our background workers? */
3198  if (CleanupBackgroundWorker(pid, exitstatus))
3199  {
3200  /* have it be restarted */
3201  HaveCrashedWorker = true;
3202  continue;
3203  }
3204 
3205  /*
3206  * Else do standard backend child cleanup.
3207  */
3208  CleanupBackend(pid, exitstatus);
3209  } /* loop over pending child-death reports */
3210 
3211  /*
3212  * After cleaning out the SIGCHLD queue, see if we have any state changes
3213  * or actions to make.
3214  */
3216 
3217  errno = save_errno;
3218 }
3219 
3220 /*
3221  * Scan the bgworkers list and see if the given PID (which has just stopped
3222  * or crashed) is in it. Handle its shutdown if so, and return true. If not a
3223  * bgworker, return false.
3224  *
3225  * This is heavily based on CleanupBackend. One important difference is that
3226  * we don't know yet that the dying process is a bgworker, so we must be silent
3227  * until we're sure it is.
3228  */
3229 static bool
3231  int exitstatus) /* child's exit status */
3232 {
3233  char namebuf[MAXPGPATH];
3234  slist_mutable_iter iter;
3235 
3237  {
3238  RegisteredBgWorker *rw;
3239 
3240  rw = slist_container(RegisteredBgWorker, rw_lnode, iter.cur);
3241 
3242  if (rw->rw_pid != pid)
3243  continue;
3244 
3245 #ifdef WIN32
3246  /* see CleanupBackend */
3247  if (exitstatus == ERROR_WAIT_NO_CHILDREN)
3248  exitstatus = 0;
3249 #endif
3250 
3251  snprintf(namebuf, MAXPGPATH, _("background worker \"%s\""),
3252  rw->rw_worker.bgw_type);
3253 
3254 
3255  if (!EXIT_STATUS_0(exitstatus))
3256  {
3257  /* Record timestamp, so we know when to restart the worker. */
3259  }
3260  else
3261  {
3262  /* Zero exit status means terminate */
3263  rw->rw_crashed_at = 0;
3264  rw->rw_terminate = true;
3265  }
3266 
3267  /*
3268  * Additionally, just like a backend, any exit status other than 0 or
3269  * 1 is considered a crash and causes a system-wide restart.
3270  */
3271  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3272  {
3273  HandleChildCrash(pid, exitstatus, namebuf);
3274  return true;
3275  }
3276 
3277  /*
3278  * We must release the postmaster child slot. If the worker failed to
3279  * do so, it did not clean up after itself, requiring a crash-restart
3280  * cycle.
3281  */
3283  {
3284  HandleChildCrash(pid, exitstatus, namebuf);
3285  return true;
3286  }
3287 
3288  /* Get it out of the BackendList and clear out remaining data */
3289  dlist_delete(&rw->rw_backend->elem);
3290 #ifdef EXEC_BACKEND
3291  ShmemBackendArrayRemove(rw->rw_backend);
3292 #endif
3293 
3294  /*
3295  * It's possible that this background worker started some OTHER
3296  * background worker and asked to be notified when that worker started
3297  * or stopped. If so, cancel any notifications destined for the
3298  * now-dead backend.
3299  */
3300  if (rw->rw_backend->bgworker_notify)
3302  free(rw->rw_backend);
3303  rw->rw_backend = NULL;
3304  rw->rw_pid = 0;
3305  rw->rw_child_slot = 0;
3306  ReportBackgroundWorkerExit(&iter); /* report child death */
3307 
3308  LogChildExit(EXIT_STATUS_0(exitstatus) ? DEBUG1 : LOG,
3309  namebuf, pid, exitstatus);
3310 
3311  return true;
3312  }
3313 
3314  return false;
3315 }
3316 
3317 /*
3318  * CleanupBackend -- cleanup after terminated backend.
3319  *
3320  * Remove all local state associated with backend.
3321  *
3322  * If you change this, see also CleanupBackgroundWorker.
3323  */
3324 static void
3326  int exitstatus) /* child's exit status. */
3327 {
3328  dlist_mutable_iter iter;
3329 
3330  LogChildExit(DEBUG2, _("server process"), pid, exitstatus);
3331 
3332  /*
3333  * If a backend dies in an ugly way then we must signal all other backends
3334  * to quickdie. If exit status is zero (normal) or one (FATAL exit), we
3335  * assume everything is all right and proceed to remove the backend from
3336  * the active backend list.
3337  */
3338 
3339 #ifdef WIN32
3340 
3341  /*
3342  * On win32, also treat ERROR_WAIT_NO_CHILDREN (128) as nonfatal case,
3343  * since that sometimes happens under load when the process fails to start
3344  * properly (long before it starts using shared memory). Microsoft reports
3345  * it is related to mutex failure:
3346  * http://archives.postgresql.org/pgsql-hackers/2010-09/msg00790.php
3347  */
3348  if (exitstatus == ERROR_WAIT_NO_CHILDREN)
3349  {
3350  LogChildExit(LOG, _("server process"), pid, exitstatus);
3351  exitstatus = 0;
3352  }
3353 #endif
3354 
3355  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3356  {
3357  HandleChildCrash(pid, exitstatus, _("server process"));
3358  return;
3359  }
3360 
3362  {
3363  Backend *bp = dlist_container(Backend, elem, iter.cur);
3364 
3365  if (bp->pid == pid)
3366  {
3367  if (!bp->dead_end)
3368  {
3370  {
3371  /*
3372  * Uh-oh, the child failed to clean itself up. Treat as a
3373  * crash after all.
3374  */
3375  HandleChildCrash(pid, exitstatus, _("server process"));
3376  return;
3377  }
3378 #ifdef EXEC_BACKEND
3379  ShmemBackendArrayRemove(bp);
3380 #endif
3381  }
3382  if (bp->bgworker_notify)
3383  {
3384  /*
3385  * This backend may have been slated to receive SIGUSR1 when
3386  * some background worker started or stopped. Cancel those
3387  * notifications, as we don't want to signal PIDs that are not
3388  * PostgreSQL backends. This gets skipped in the (probably
3389  * very common) case where the backend has never requested any
3390  * such notifications.
3391  */
3393  }
3394  dlist_delete(iter.cur);
3395  free(bp);
3396  break;
3397  }
3398  }
3399 }
3400 
3401 /*
3402  * HandleChildCrash -- cleanup after failed backend, bgwriter, checkpointer,
3403  * walwriter, autovacuum, archiver or background worker.
3404  *
3405  * The objectives here are to clean up our local state about the child
3406  * process, and to signal all other remaining children to quickdie.
3407  */
3408 static void
3409 HandleChildCrash(int pid, int exitstatus, const char *procname)
3410 {
3411  dlist_mutable_iter iter;
3412  slist_iter siter;
3413  Backend *bp;
3414  bool take_action;
3415 
3416  /*
3417  * We only log messages and send signals if this is the first process
3418  * crash and we're not doing an immediate shutdown; otherwise, we're only
3419  * here to update postmaster's idea of live processes. If we have already
3420  * signaled children, nonzero exit status is to be expected, so don't
3421  * clutter log.
3422  */
3423  take_action = !FatalError && Shutdown != ImmediateShutdown;
3424 
3425  if (take_action)
3426  {
3427  LogChildExit(LOG, procname, pid, exitstatus);
3428  ereport(LOG,
3429  (errmsg("terminating any other active server processes")));
3431  }
3432 
3433  /* Process background workers. */
3435  {
3436  RegisteredBgWorker *rw;
3437 
3438  rw = slist_container(RegisteredBgWorker, rw_lnode, siter.cur);
3439  if (rw->rw_pid == 0)
3440  continue; /* not running */
3441  if (rw->rw_pid == pid)
3442  {
3443  /*
3444  * Found entry for freshly-dead worker, so remove it.
3445  */
3447  dlist_delete(&rw->rw_backend->elem);
3448 #ifdef EXEC_BACKEND
3449  ShmemBackendArrayRemove(rw->rw_backend);
3450 #endif
3451  free(rw->rw_backend);
3452  rw->rw_backend = NULL;
3453  rw->rw_pid = 0;
3454  rw->rw_child_slot = 0;
3455  /* don't reset crashed_at */
3456  /* don't report child stop, either */
3457  /* Keep looping so we can signal remaining workers */
3458  }
3459  else
3460  {
3461  /*
3462  * This worker is still alive. Unless we did so already, tell it
3463  * to commit hara-kiri.
3464  */
3465  if (take_action)
3466  sigquit_child(rw->rw_pid);
3467  }
3468  }
3469 
3470  /* Process regular backends */
3472  {
3473  bp = dlist_container(Backend, elem, iter.cur);
3474 
3475  if (bp->pid == pid)
3476  {
3477  /*
3478  * Found entry for freshly-dead backend, so remove it.
3479  */
3480  if (!bp->dead_end)
3481  {
3483 #ifdef EXEC_BACKEND
3484  ShmemBackendArrayRemove(bp);
3485 #endif
3486  }
3487  dlist_delete(iter.cur);
3488  free(bp);
3489  /* Keep looping so we can signal remaining backends */
3490  }
3491  else
3492  {
3493  /*
3494  * This backend is still alive. Unless we did so already, tell it
3495  * to commit hara-kiri.
3496  *
3497  * We could exclude dead_end children here, but at least when
3498  * sending SIGABRT it seems better to include them.
3499  *
3500  * Background workers were already processed above; ignore them
3501  * here.
3502  */
3503  if (bp->bkend_type == BACKEND_TYPE_BGWORKER)
3504  continue;
3505 
3506  if (take_action)
3507  sigquit_child(bp->pid);
3508  }
3509  }
3510 
3511  /* Take care of the startup process too */
3512  if (pid == StartupPID)
3513  {
3514  StartupPID = 0;
3515  /* Caller adjusts StartupStatus, so don't touch it here */
3516  }
3517  else if (StartupPID != 0 && take_action)
3518  {
3521  }
3522 
3523  /* Take care of the bgwriter too */
3524  if (pid == BgWriterPID)
3525  BgWriterPID = 0;
3526  else if (BgWriterPID != 0 && take_action)
3528 
3529  /* Take care of the checkpointer too */
3530  if (pid == CheckpointerPID)
3531  CheckpointerPID = 0;
3532  else if (CheckpointerPID != 0 && take_action)
3534 
3535  /* Take care of the walwriter too */
3536  if (pid == WalWriterPID)
3537  WalWriterPID = 0;
3538  else if (WalWriterPID != 0 && take_action)
3540 
3541  /* Take care of the walreceiver too */
3542  if (pid == WalReceiverPID)
3543  WalReceiverPID = 0;
3544  else if (WalReceiverPID != 0 && take_action)
3546 
3547  /* Take care of the autovacuum launcher too */
3548  if (pid == AutoVacPID)
3549  AutoVacPID = 0;
3550  else if (AutoVacPID != 0 && take_action)
3552 
3553  /* Take care of the archiver too */
3554  if (pid == PgArchPID)
3555  PgArchPID = 0;
3556  else if (PgArchPID != 0 && take_action)
3558 
3559  /* We do NOT restart the syslogger */
3560 
3561  if (Shutdown != ImmediateShutdown)
3562  FatalError = true;
3563 
3564  /* We now transit into a state of waiting for children to die */
3565  if (pmState == PM_RECOVERY ||
3566  pmState == PM_HOT_STANDBY ||
3567  pmState == PM_RUN ||
3569  pmState == PM_SHUTDOWN)
3571 
3572  /*
3573  * .. and if this doesn't happen quickly enough, now the clock is ticking
3574  * for us to kill them without mercy.
3575  */
3576  if (AbortStartTime == 0)
3577  AbortStartTime = time(NULL);
3578 }
3579 
3580 /*
3581  * Log the death of a child process.
3582  */
3583 static void
3584 LogChildExit(int lev, const char *procname, int pid, int exitstatus)
3585 {
3586  /*
3587  * size of activity_buffer is arbitrary, but set equal to default
3588  * track_activity_query_size
3589  */
3590  char activity_buffer[1024];
3591  const char *activity = NULL;
3592 
3593  if (!EXIT_STATUS_0(exitstatus))
3594  activity = pgstat_get_crashed_backend_activity(pid,
3595  activity_buffer,
3596  sizeof(activity_buffer));
3597 
3598  if (WIFEXITED(exitstatus))
3599  ereport(lev,
3600 
3601  /*------
3602  translator: %s is a noun phrase describing a child process, such as
3603  "server process" */
3604  (errmsg("%s (PID %d) exited with exit code %d",
3605  procname, pid, WEXITSTATUS(exitstatus)),
3606  activity ? errdetail("Failed process was running: %s", activity) : 0));
3607  else if (WIFSIGNALED(exitstatus))
3608  {
3609 #if defined(WIN32)
3610  ereport(lev,
3611 
3612  /*------
3613  translator: %s is a noun phrase describing a child process, such as
3614  "server process" */
3615  (errmsg("%s (PID %d) was terminated by exception 0x%X",
3616  procname, pid, WTERMSIG(exitstatus)),
3617  errhint("See C include file \"ntstatus.h\" for a description of the hexadecimal value."),
3618  activity ? errdetail("Failed process was running: %s", activity) : 0));
3619 #else
3620  ereport(lev,
3621 
3622  /*------
3623  translator: %s is a noun phrase describing a child process, such as
3624  "server process" */
3625  (errmsg("%s (PID %d) was terminated by signal %d: %s",
3626  procname, pid, WTERMSIG(exitstatus),
3627  pg_strsignal(WTERMSIG(exitstatus))),
3628  activity ? errdetail("Failed process was running: %s", activity) : 0));
3629 #endif
3630  }
3631  else
3632  ereport(lev,
3633 
3634  /*------
3635  translator: %s is a noun phrase describing a child process, such as
3636  "server process" */
3637  (errmsg("%s (PID %d) exited with unrecognized status %d",
3638  procname, pid, exitstatus),
3639  activity ? errdetail("Failed process was running: %s", activity) : 0));
3640 }
3641 
3642 /*
3643  * Advance the postmaster's state machine and take actions as appropriate
3644  *
3645  * This is common code for pmdie(), reaper() and sigusr1_handler(), which
3646  * receive the signals that might mean we need to change state.
3647  */
3648 static void
3650 {
3651  /* If we're doing a smart shutdown, try to advance that state. */
3652  if (pmState == PM_RUN || pmState == PM_HOT_STANDBY)
3653  {
3654  if (!connsAllowed)
3655  {
3656  /*
3657  * This state ends when we have no normal client backends running.
3658  * Then we're ready to stop other children.
3659  */
3662  }
3663  }
3664 
3665  /*
3666  * If we're ready to do so, signal child processes to shut down. (This
3667  * isn't a persistent state, but treating it as a distinct pmState allows
3668  * us to share this code across multiple shutdown code paths.)
3669  */
3670  if (pmState == PM_STOP_BACKENDS)
3671  {
3672  /*
3673  * Forget any pending requests for background workers, since we're no
3674  * longer willing to launch any new workers. (If additional requests
3675  * arrive, BackgroundWorkerStateChange will reject them.)
3676  */
3678 
3679  /* Signal all backend children except walsenders */
3680  SignalSomeChildren(SIGTERM,
3682  /* and the autovac launcher too */
3683  if (AutoVacPID != 0)
3684  signal_child(AutoVacPID, SIGTERM);
3685  /* and the bgwriter too */
3686  if (BgWriterPID != 0)
3687  signal_child(BgWriterPID, SIGTERM);
3688  /* and the walwriter too */
3689  if (WalWriterPID != 0)
3690  signal_child(WalWriterPID, SIGTERM);
3691  /* If we're in recovery, also stop startup and walreceiver procs */
3692  if (StartupPID != 0)
3693  signal_child(StartupPID, SIGTERM);
3694  if (WalReceiverPID != 0)
3695  signal_child(WalReceiverPID, SIGTERM);
3696  /* checkpointer, archiver, stats, and syslogger may continue for now */
3697 
3698  /* Now transition to PM_WAIT_BACKENDS state to wait for them to die */
3700  }
3701 
3702  /*
3703  * If we are in a state-machine state that implies waiting for backends to
3704  * exit, see if they're all gone, and change state if so.
3705  */
3706  if (pmState == PM_WAIT_BACKENDS)
3707  {
3708  /*
3709  * PM_WAIT_BACKENDS state ends when we have no regular backends
3710  * (including autovac workers), no bgworkers (including unconnected
3711  * ones), and no walwriter, autovac launcher or bgwriter. If we are
3712  * doing crash recovery or an immediate shutdown then we expect the
3713  * checkpointer to exit as well, otherwise not. The stats and
3714  * syslogger processes are disregarded since they are not connected to
3715  * shared memory; we also disregard dead_end children here. Walsenders
3716  * and archiver are also disregarded, they will be terminated later
3717  * after writing the checkpoint record.
3718  */
3720  StartupPID == 0 &&
3721  WalReceiverPID == 0 &&
3722  BgWriterPID == 0 &&
3723  (CheckpointerPID == 0 ||
3725  WalWriterPID == 0 &&
3726  AutoVacPID == 0)
3727  {
3729  {
3730  /*
3731  * Start waiting for dead_end children to die. This state
3732  * change causes ServerLoop to stop creating new ones.
3733  */
3735 
3736  /*
3737  * We already SIGQUIT'd the archiver and stats processes, if
3738  * any, when we started immediate shutdown or entered
3739  * FatalError state.
3740  */
3741  }
3742  else
3743  {
3744  /*
3745  * If we get here, we are proceeding with normal shutdown. All
3746  * the regular children are gone, and it's time to tell the
3747  * checkpointer to do a shutdown checkpoint.
3748  */
3750  /* Start the checkpointer if not running */
3751  if (CheckpointerPID == 0)
3753  /* And tell it to shut down */
3754  if (CheckpointerPID != 0)
3755  {
3757  pmState = PM_SHUTDOWN;
3758  }
3759  else
3760  {
3761  /*
3762  * If we failed to fork a checkpointer, just shut down.
3763  * Any required cleanup will happen at next restart. We
3764  * set FatalError so that an "abnormal shutdown" message
3765  * gets logged when we exit.
3766  *
3767  * We don't consult send_abort_for_crash here, as it's
3768  * unlikely that dumping cores would illuminate the reason
3769  * for checkpointer fork failure.
3770  */
3771  FatalError = true;
3773 
3774  /* Kill the walsenders and archiver too */
3776  if (PgArchPID != 0)
3778  }
3779  }
3780  }
3781  }
3782 
3783  if (pmState == PM_SHUTDOWN_2)
3784  {
3785  /*
3786  * PM_SHUTDOWN_2 state ends when there's no other children than
3787  * dead_end children left. There shouldn't be any regular backends
3788  * left by now anyway; what we're really waiting for is walsenders and
3789  * archiver.
3790  */
3791  if (PgArchPID == 0 && CountChildren(BACKEND_TYPE_ALL) == 0)
3792  {
3794  }
3795  }
3796 
3797  if (pmState == PM_WAIT_DEAD_END)
3798  {
3799  /*
3800  * PM_WAIT_DEAD_END state ends when the BackendList is entirely empty
3801  * (ie, no dead_end children remain), and the archiver is gone too.
3802  *
3803  * The reason we wait for those two is to protect them against a new
3804  * postmaster starting conflicting subprocesses; this isn't an
3805  * ironclad protection, but it at least helps in the
3806  * shutdown-and-immediately-restart scenario. Note that they have
3807  * already been sent appropriate shutdown signals, either during a
3808  * normal state transition leading up to PM_WAIT_DEAD_END, or during
3809  * FatalError processing.
3810  */
3811  if (dlist_is_empty(&BackendList) && PgArchPID == 0)
3812  {
3813  /* These other guys should be dead already */
3814  Assert(StartupPID == 0);
3815  Assert(WalReceiverPID == 0);
3816  Assert(BgWriterPID == 0);
3817  Assert(CheckpointerPID == 0);
3818  Assert(WalWriterPID == 0);
3819  Assert(AutoVacPID == 0);
3820  /* syslogger is not considered here */
3822  }
3823  }
3824 
3825  /*
3826  * If we've been told to shut down, we exit as soon as there are no
3827  * remaining children. If there was a crash, cleanup will occur at the
3828  * next startup. (Before PostgreSQL 8.3, we tried to recover from the
3829  * crash before exiting, but that seems unwise if we are quitting because
3830  * we got SIGTERM from init --- there may well not be time for recovery
3831  * before init decides to SIGKILL us.)
3832  *
3833  * Note that the syslogger continues to run. It will exit when it sees
3834  * EOF on its input pipe, which happens when there are no more upstream
3835  * processes.
3836  */
3838  {
3839  if (FatalError)
3840  {
3841  ereport(LOG, (errmsg("abnormal database system shutdown")));
3842  ExitPostmaster(1);
3843  }
3844  else
3845  {
3846  /*
3847  * Normal exit from the postmaster is here. We don't need to log
3848  * anything here, since the UnlinkLockFiles proc_exit callback
3849  * will do so, and that should be the last user-visible action.
3850  */
3851  ExitPostmaster(0);
3852  }
3853  }
3854 
3855  /*
3856  * If the startup process failed, or the user does not want an automatic
3857  * restart after backend crashes, wait for all non-syslogger children to
3858  * exit, and then exit postmaster. We don't try to reinitialize when the
3859  * startup process fails, because more than likely it will just fail again
3860  * and we will keep trying forever.
3861  */
3862  if (pmState == PM_NO_CHILDREN)
3863  {
3865  {
3866  ereport(LOG,
3867  (errmsg("shutting down due to startup process failure")));
3868  ExitPostmaster(1);
3869  }
3870  if (!restart_after_crash)
3871  {
3872  ereport(LOG,
3873  (errmsg("shutting down because restart_after_crash is off")));
3874  ExitPostmaster(1);
3875  }
3876  }
3877 
3878  /*
3879  * If we need to recover from a crash, wait for all non-syslogger children
3880  * to exit, then reset shmem and StartupDataBase.
3881  */
3882  if (FatalError && pmState == PM_NO_CHILDREN)
3883  {
3884  ereport(LOG,
3885  (errmsg("all server processes terminated; reinitializing")));
3886 
3887  /* remove leftover temporary files after a crash */
3890 
3891  /* allow background workers to immediately restart */
3893 
3894  shmem_exit(1);
3895 
3896  /* re-read control file into local memory */
3898 
3899  /* re-create shared memory and semaphores */
3901 
3903  Assert(StartupPID != 0);
3905  pmState = PM_STARTUP;
3906  /* crash recovery started, reset SIGKILL flag */
3907  AbortStartTime = 0;
3908  }
3909 }
3910 
3911 
3912 /*
3913  * Send a signal to a postmaster child process
3914  *
3915  * On systems that have setsid(), each child process sets itself up as a
3916  * process group leader. For signals that are generally interpreted in the
3917  * appropriate fashion, we signal the entire process group not just the
3918  * direct child process. This allows us to, for example, SIGQUIT a blocked
3919  * archive_recovery script, or SIGINT a script being run by a backend via
3920  * system().
3921  *
3922  * There is a race condition for recently-forked children: they might not
3923  * have executed setsid() yet. So we signal the child directly as well as
3924  * the group. We assume such a child will handle the signal before trying
3925  * to spawn any grandchild processes. We also assume that signaling the
3926  * child twice will not cause any problems.
3927  */
3928 static void
3929 signal_child(pid_t pid, int signal)
3930 {
3931  if (kill(pid, signal) < 0)
3932  elog(DEBUG3, "kill(%ld,%d) failed: %m", (long) pid, signal);
3933 #ifdef HAVE_SETSID
3934  switch (signal)
3935  {
3936  case SIGINT:
3937  case SIGTERM:
3938  case SIGQUIT:
3939  case SIGKILL:
3940  case SIGABRT:
3941  if (kill(-pid, signal) < 0)
3942  elog(DEBUG3, "kill(%ld,%d) failed: %m", (long) (-pid), signal);
3943  break;
3944  default:
3945  break;
3946  }
3947 #endif
3948 }
3949 
3950 /*
3951  * Convenience function for killing a child process after a crash of some
3952  * other child process. We log the action at a higher level than we would
3953  * otherwise do, and we apply send_abort_for_crash to decide which signal
3954  * to send. Normally it's SIGQUIT -- and most other comments in this file
3955  * are written on the assumption that it is -- but developers might prefer
3956  * to use SIGABRT to collect per-child core dumps.
3957  */
3958 static void
3959 sigquit_child(pid_t pid)
3960 {
3961  ereport(DEBUG2,
3962  (errmsg_internal("sending %s to process %d",
3963  (send_abort_for_crash ? "SIGABRT" : "SIGQUIT"),
3964  (int) pid)));
3966 }
3967 
3968 /*
3969  * Send a signal to the targeted children (but NOT special children;
3970  * dead_end children are never signaled, either).
3971  */
3972 static bool
3973 SignalSomeChildren(int signal, int target)
3974 {
3975  dlist_iter iter;
3976  bool signaled = false;
3977 
3978  dlist_foreach(iter, &BackendList)
3979  {
3980  Backend *bp = dlist_container(Backend, elem, iter.cur);
3981 
3982  if (bp->dead_end)
3983  continue;
3984 
3985  /*
3986  * Since target == BACKEND_TYPE_ALL is the most common case, we test
3987  * it first and avoid touching shared memory for every child.
3988  */
3989  if (target != BACKEND_TYPE_ALL)
3990  {
3991  /*
3992  * Assign bkend_type for any recently announced WAL Sender
3993  * processes.
3994  */
3995  if (bp->bkend_type == BACKEND_TYPE_NORMAL &&
3998 
3999  if (!(target & bp->bkend_type))
4000  continue;
4001  }
4002 
4003  ereport(DEBUG4,
4004  (errmsg_internal("sending signal %d to process %d",
4005  signal, (int) bp->pid)));
4006  signal_child(bp->pid, signal);
4007  signaled = true;
4008  }
4009  return signaled;
4010 }
4011 
4012 /*
4013  * Send a termination signal to children. This considers all of our children
4014  * processes, except syslogger and dead_end backends.
4015  */
4016 static void
4018 {
4019  SignalChildren(signal);
4020  if (StartupPID != 0)
4021  {
4022  signal_child(StartupPID, signal);
4023  if (signal == SIGQUIT || signal == SIGKILL || signal == SIGABRT)
4025  }
4026  if (BgWriterPID != 0)
4027  signal_child(BgWriterPID, signal);
4028  if (CheckpointerPID != 0)
4029  signal_child(CheckpointerPID, signal);
4030  if (WalWriterPID != 0)
4031  signal_child(WalWriterPID, signal);
4032  if (WalReceiverPID != 0)
4033  signal_child(WalReceiverPID, signal);
4034  if (AutoVacPID != 0)
4035  signal_child(AutoVacPID, signal);
4036  if (PgArchPID != 0)
4037  signal_child(PgArchPID, signal);
4038 }
4039 
4040 /*
4041  * BackendStartup -- start backend process
4042  *
4043  * returns: STATUS_ERROR if the fork failed, STATUS_OK otherwise.
4044  *
4045  * Note: if you change this code, also consider StartAutovacuumWorker.
4046  */
4047 static int
4049 {
4050  Backend *bn; /* for backend cleanup */
4051  pid_t pid;
4052 
4053  /*
4054  * Create backend data structure. Better before the fork() so we can
4055  * handle failure cleanly.
4056  */
4057  bn = (Backend *) malloc(sizeof(Backend));
4058  if (!bn)
4059  {
4060  ereport(LOG,
4061  (errcode(ERRCODE_OUT_OF_MEMORY),
4062  errmsg("out of memory")));
4063  return STATUS_ERROR;
4064  }
4065 
4066  /*
4067  * Compute the cancel key that will be assigned to this backend. The
4068  * backend will have its own copy in the forked-off process' value of
4069  * MyCancelKey, so that it can transmit the key to the frontend.
4070  */
4072  {
4073  free(bn);
4074  ereport(LOG,
4075  (errcode(ERRCODE_INTERNAL_ERROR),
4076  errmsg("could not generate random cancel key")));
4077  return STATUS_ERROR;
4078  }
4079 
4080  bn->cancel_key = MyCancelKey;
4081 
4082  /* Pass down canAcceptConnections state */
4083  port->canAcceptConnections = canAcceptConnections(BACKEND_TYPE_NORMAL);
4084  bn->dead_end = (port->canAcceptConnections != CAC_OK);
4085 
4086  /*
4087  * Unless it's a dead_end child, assign it a child slot number
4088  */
4089  if (!bn->dead_end)
4091  else
4092  bn->child_slot = 0;
4093 
4094  /* Hasn't asked to be notified about any bgworkers yet */
4095  bn->bgworker_notify = false;
4096 
4097 #ifdef EXEC_BACKEND
4098  pid = backend_forkexec(port);
4099 #else /* !EXEC_BACKEND */
4100  pid = fork_process();
4101  if (pid == 0) /* child */
4102  {
4103  free(bn);
4104 
4105  /* Detangle from postmaster */
4107 
4108  /* Close the postmaster's sockets */
4109  ClosePostmasterPorts(false);
4110 
4111  /* Perform additional initialization and collect startup packet */
4113 
4114  /*
4115  * Create a per-backend PGPROC struct in shared memory. We must do
4116  * this before we can use LWLocks. In the !EXEC_BACKEND case (here)
4117  * this could be delayed a bit further, but EXEC_BACKEND needs to do
4118  * stuff with LWLocks before PostgresMain(), so we do it here as well
4119  * for symmetry.
4120  */
4121  InitProcess();
4122 
4123  /* And run the backend */
4124  BackendRun(port);
4125  }
4126 #endif /* EXEC_BACKEND */
4127 
4128  if (pid < 0)
4129  {
4130  /* in parent, fork failed */
4131  int save_errno = errno;
4132 
4133  if (!bn->dead_end)
4135  free(bn);
4136  errno = save_errno;
4137  ereport(LOG,
4138  (errmsg("could not fork new process for connection: %m")));
4139  report_fork_failure_to_client(port, save_errno);
4140  return STATUS_ERROR;
4141  }
4142 
4143  /* in parent, successful fork */
4144  ereport(DEBUG2,
4145  (errmsg_internal("forked new backend, pid=%d socket=%d",
4146  (int) pid, (int) port->sock)));
4147 
4148  /*
4149  * Everything's been successful, it's safe to add this backend to our list
4150  * of backends.
4151  */
4152  bn->pid = pid;
4153  bn->bkend_type = BACKEND_TYPE_NORMAL; /* Can change later to WALSND */
4155 
4156 #ifdef EXEC_BACKEND
4157  if (!bn->dead_end)
4158  ShmemBackendArrayAdd(bn);
4159 #endif
4160 
4161  return STATUS_OK;
4162 }
4163 
4164 /*
4165  * Try to report backend fork() failure to client before we close the
4166  * connection. Since we do not care to risk blocking the postmaster on
4167  * this connection, we set the connection to non-blocking and try only once.
4168  *
4169  * This is grungy special-purpose code; we cannot use backend libpq since
4170  * it's not up and running.
4171  */
4172 static void
4174 {
4175  char buffer[1000];
4176  int rc;
4177 
4178  /* Format the error message packet (always V2 protocol) */
4179  snprintf(buffer, sizeof(buffer), "E%s%s\n",
4180  _("could not fork new process for connection: "),
4181  strerror(errnum));
4182 
4183  /* Set port to non-blocking. Don't do send() if this fails */
4184  if (!pg_set_noblock(port->sock))
4185  return;
4186 
4187  /* We'll retry after EINTR, but ignore all other failures */
4188  do
4189  {
4190  rc = send(port->sock, buffer, strlen(buffer) + 1, 0);
4191  } while (rc < 0 && errno == EINTR);
4192 }
4193 
4194 
4195 /*
4196  * BackendInitialize -- initialize an interactive (postmaster-child)
4197  * backend process, and collect the client's startup packet.
4198  *
4199  * returns: nothing. Will not return at all if there's any failure.
4200  *
4201  * Note: this code does not depend on having any access to shared memory.
4202  * Indeed, our approach to SIGTERM/timeout handling *requires* that
4203  * shared memory not have been touched yet; see comments within.
4204  * In the EXEC_BACKEND case, we are physically attached to shared memory
4205  * but have not yet set up most of our local pointers to shmem structures.
4206  */
4207 static void
4209 {
4210  int status;
4211  int ret;
4212  char remote_host[NI_MAXHOST];
4213  char remote_port[NI_MAXSERV];
4214  StringInfoData ps_data;
4215 
4216  /* Save port etc. for ps status */
4217  MyProcPort = port;
4218 
4219  /* Tell fd.c about the long-lived FD associated with the port */
4221 
4222  /*
4223  * PreAuthDelay is a debugging aid for investigating problems in the
4224  * authentication cycle: it can be set in postgresql.conf to allow time to
4225  * attach to the newly-forked backend with a debugger. (See also
4226  * PostAuthDelay, which we allow clients to pass through PGOPTIONS, but it
4227  * is not honored until after authentication.)
4228  */
4229  if (PreAuthDelay > 0)
4230  pg_usleep(PreAuthDelay * 1000000L);
4231 
4232  /* This flag will remain set until InitPostgres finishes authentication */
4233  ClientAuthInProgress = true; /* limit visibility of log messages */
4234 
4235  /* set these to empty in case they are needed before we set them up */
4236  port->remote_host = "";
4237  port->remote_port = "";
4238 
4239  /*
4240  * Initialize libpq and enable reporting of ereport errors to the client.
4241  * Must do this now because authentication uses libpq to send messages.
4242  */
4243  pq_init(); /* initialize libpq to talk to client */
4244  whereToSendOutput = DestRemote; /* now safe to ereport to client */
4245 
4246  /*
4247  * We arrange to do _exit(1) if we receive SIGTERM or timeout while trying
4248  * to collect the startup packet; while SIGQUIT results in _exit(2).
4249  * Otherwise the postmaster cannot shutdown the database FAST or IMMED
4250  * cleanly if a buggy client fails to send the packet promptly.
4251  *
4252  * Exiting with _exit(1) is only possible because we have not yet touched
4253  * shared memory; therefore no outside-the-process state needs to get
4254  * cleaned up.
4255  */
4257  /* SIGQUIT handler was already set up by InitPostmasterChild */
4258  InitializeTimeouts(); /* establishes SIGALRM handler */
4260 
4261  /*
4262  * Get the remote host name and port for logging and status display.
4263  */
4264  remote_host[0] = '\0';
4265  remote_port[0] = '\0';
4266  if ((ret = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
4267  remote_host, sizeof(remote_host),
4268  remote_port, sizeof(remote_port),
4269  (log_hostname ? 0 : NI_NUMERICHOST) | NI_NUMERICSERV)) != 0)
4270  ereport(WARNING,
4271  (errmsg_internal("pg_getnameinfo_all() failed: %s",
4272  gai_strerror(ret))));
4273 
4274  /*
4275  * Save remote_host and remote_port in port structure (after this, they
4276  * will appear in log_line_prefix data for log messages).
4277  */
4278  port->remote_host = strdup(remote_host);
4279  port->remote_port = strdup(remote_port);
4280 
4281  /* And now we can issue the Log_connections message, if wanted */
4282  if (Log_connections)
4283  {
4284  if (remote_port[0])
4285  ereport(LOG,
4286  (errmsg("connection received: host=%s port=%s",
4287  remote_host,
4288  remote_port)));
4289  else
4290  ereport(LOG,
4291  (errmsg("connection received: host=%s",
4292  remote_host)));
4293  }
4294 
4295  /*
4296  * If we did a reverse lookup to name, we might as well save the results
4297  * rather than possibly repeating the lookup during authentication.
4298  *
4299  * Note that we don't want to specify NI_NAMEREQD above, because then we'd
4300  * get nothing useful for a client without an rDNS entry. Therefore, we
4301  * must check whether we got a numeric IPv4 or IPv6 address, and not save
4302  * it into remote_hostname if so. (This test is conservative and might
4303  * sometimes classify a hostname as numeric, but an error in that
4304  * direction is safe; it only results in a possible extra lookup.)
4305  */
4306  if (log_hostname &&
4307  ret == 0 &&
4308  strspn(remote_host, "0123456789.") < strlen(remote_host) &&
4309  strspn(remote_host, "0123456789ABCDEFabcdef:") < strlen(remote_host))
4310  port->remote_hostname = strdup(remote_host);
4311 
4312  /*
4313  * Ready to begin client interaction. We will give up and _exit(1) after
4314  * a time delay, so that a broken client can't hog a connection
4315  * indefinitely. PreAuthDelay and any DNS interactions above don't count
4316  * against the time limit.
4317  *
4318  * Note: AuthenticationTimeout is applied here while waiting for the
4319  * startup packet, and then again in InitPostgres for the duration of any
4320  * authentication operations. So a hostile client could tie up the
4321  * process for nearly twice AuthenticationTimeout before we kick him off.
4322  *
4323  * Note: because PostgresMain will call InitializeTimeouts again, the
4324  * registration of STARTUP_PACKET_TIMEOUT will be lost. This is okay
4325  * since we never use it again after this function.
4326  */
4329 
4330  /*
4331  * Receive the startup packet (which might turn out to be a cancel request
4332  * packet).
4333  */
4334  status = ProcessStartupPacket(port, false, false);
4335 
4336  /*
4337  * Disable the timeout, and prevent SIGTERM again.
4338  */
4340  PG_SETMASK(&BlockSig);
4341 
4342  /*
4343  * As a safety check that nothing in startup has yet performed
4344  * shared-memory modifications that would need to be undone if we had
4345  * exited through SIGTERM or timeout above, check that no on_shmem_exit
4346  * handlers have been registered yet. (This isn't terribly bulletproof,
4347  * since someone might misuse an on_proc_exit handler for shmem cleanup,
4348  * but it's a cheap and helpful check. We cannot disallow on_proc_exit
4349  * handlers unfortunately, since pq_init() already registered one.)
4350  */
4352 
4353  /*
4354  * Stop here if it was bad or a cancel packet. ProcessStartupPacket
4355  * already did any appropriate error reporting.
4356  */
4357  if (status != STATUS_OK)
4358  proc_exit(0);
4359 
4360  /*
4361  * Now that we have the user and database name, we can set the process
4362  * title for ps. It's good to do this as early as possible in startup.
4363  */
4364  initStringInfo(&ps_data);
4365  if (am_walsender)
4367  appendStringInfo(&ps_data, "%s ", port->user_name);
4368  if (port->database_name[0] != '\0')
4369  appendStringInfo(&ps_data, "%s ", port->database_name);
4370  appendStringInfoString(&ps_data, port->remote_host);
4371  if (port->remote_port[0] != '\0')
4372  appendStringInfo(&ps_data, "(%s)", port->remote_port);
4373 
4374  init_ps_display(ps_data.data);
4375  pfree(ps_data.data);
4376 
4377  set_ps_display("initializing");
4378 }
4379 
4380 
4381 /*
4382  * BackendRun -- set up the backend's argument list and invoke PostgresMain()
4383  *
4384  * returns:
4385  * Doesn't return at all.
4386  */
4387 static void
4389 {
4390  /*
4391  * Make sure we aren't in PostmasterContext anymore. (We can't delete it
4392  * just yet, though, because InitPostgres will need the HBA data.)
4393  */
4395 
4396  PostgresMain(port->database_name, port->user_name);
4397 }
4398 
4399 
4400 #ifdef EXEC_BACKEND
4401 
4402 /*
4403  * postmaster_forkexec -- fork and exec a postmaster subprocess
4404  *
4405  * The caller must have set up the argv array already, except for argv[2]
4406  * which will be filled with the name of the temp variable file.
4407  *
4408  * Returns the child process PID, or -1 on fork failure (a suitable error
4409  * message has been logged on failure).
4410  *
4411  * All uses of this routine will dispatch to SubPostmasterMain in the
4412  * child process.
4413  */
4414 pid_t
4415 postmaster_forkexec(int argc, char *argv[])
4416 {
4417  Port port;
4418 
4419  /* This entry point passes dummy values for the Port variables */
4420  memset(&port, 0, sizeof(port));
4421  return internal_forkexec(argc, argv, &port);
4422 }
4423 
4424 /*
4425  * backend_forkexec -- fork/exec off a backend process
4426  *
4427  * Some operating systems (WIN32) don't have fork() so we have to simulate
4428  * it by storing parameters that need to be passed to the child and
4429  * then create a new child process.
4430  *
4431  * returns the pid of the fork/exec'd process, or -1 on failure
4432  */
4433 static pid_t
4434 backend_forkexec(Port *port)
4435 {
4436  char *av[4];
4437  int ac = 0;
4438 
4439  av[ac++] = "postgres";
4440  av[ac++] = "--forkbackend";
4441  av[ac++] = NULL; /* filled in by internal_forkexec */
4442 
4443  av[ac] = NULL;
4444  Assert(ac < lengthof(av));
4445 
4446  return internal_forkexec(ac, av, port);
4447 }
4448 
4449 #ifndef WIN32
4450 
4451 /*
4452  * internal_forkexec non-win32 implementation
4453  *
4454  * - writes out backend variables to the parameter file
4455  * - fork():s, and then exec():s the child process
4456  */
4457 static pid_t
4458 internal_forkexec(int argc, char *argv[], Port *port)
4459 {
4460  static unsigned long tmpBackendFileNum = 0;
4461  pid_t pid;
4462  char tmpfilename[MAXPGPATH];
4463  BackendParameters param;
4464  FILE *fp;
4465 
4466  if (!save_backend_variables(&param, port))
4467  return -1; /* log made by save_backend_variables */
4468 
4469  /* Calculate name for temp file */
4470  snprintf(tmpfilename, MAXPGPATH, "%s/%s.backend_var.%d.%lu",
4472  MyProcPid, ++tmpBackendFileNum);
4473 
4474  /* Open file */
4475  fp = AllocateFile(tmpfilename, PG_BINARY_W);
4476  if (!fp)
4477  {
4478  /*
4479  * As in OpenTemporaryFileInTablespace, try to make the temp-file
4480  * directory, ignoring errors.
4481  */
4483 
4484  fp = AllocateFile(tmpfilename, PG_BINARY_W);
4485  if (!fp)
4486  {
4487  ereport(LOG,
4489  errmsg("could not create file \"%s\": %m",
4490  tmpfilename)));
4491  return -1;
4492  }
4493  }
4494 
4495  if (fwrite(&param, sizeof(param), 1, fp) != 1)
4496  {
4497  ereport(LOG,
4499  errmsg("could not write to file \"%s\": %m", tmpfilename)));
4500  FreeFile(fp);
4501  return -1;
4502  }
4503 
4504  /* Release file */
4505  if (FreeFile(fp))
4506  {
4507  ereport(LOG,
4509  errmsg("could not write to file \"%s\": %m", tmpfilename)));
4510  return -1;
4511  }
4512 
4513  /* Make sure caller set up argv properly */
4514  Assert(argc >= 3);
4515  Assert(argv[argc] == NULL);
4516  Assert(strncmp(argv[1], "--fork", 6) == 0);
4517  Assert(argv[2] == NULL);
4518 
4519  /* Insert temp file name after --fork argument */
4520  argv[2] = tmpfilename;
4521 
4522  /* Fire off execv in child */
4523  if ((pid = fork_process()) == 0)
4524  {
4525  if (execv(postgres_exec_path, argv) < 0)
4526  {
4527  ereport(LOG,
4528  (errmsg("could not execute server process \"%s\": %m",
4529  postgres_exec_path)));
4530  /* We're already in the child process here, can't return */
4531  exit(1);
4532  }
4533  }
4534 
4535  return pid; /* Parent returns pid, or -1 on fork failure */
4536 }
4537 #else /* WIN32 */
4538 
4539 /*
4540  * internal_forkexec win32 implementation
4541  *
4542  * - starts backend using CreateProcess(), in suspended state
4543  * - writes out backend variables to the parameter file
4544  * - during this, duplicates handles and sockets required for
4545  * inheritance into the new process
4546  * - resumes execution of the new process once the backend parameter
4547  * file is complete.
4548  */
4549 static pid_t
4550 internal_forkexec(int argc, char *argv[], Port *port)
4551 {
4552  int retry_count = 0;
4553  STARTUPINFO si;
4554  PROCESS_INFORMATION pi;
4555  int i;
4556  int j;
4557  char cmdLine[MAXPGPATH * 2];
4558  HANDLE paramHandle;
4559  BackendParameters *param;
4560  SECURITY_ATTRIBUTES sa;
4561  char paramHandleStr[32];
4562  win32_deadchild_waitinfo *childinfo;
4563 
4564  /* Make sure caller set up argv properly */
4565  Assert(argc >= 3);
4566  Assert(argv[argc] == NULL);
4567  Assert(strncmp(argv[1], "--fork", 6) == 0);
4568  Assert(argv[2] == NULL);
4569 
4570  /* Resume here if we need to retry */
4571 retry:
4572 
4573  /* Set up shared memory for parameter passing */
4574  ZeroMemory(&sa, sizeof(sa));
4575  sa.nLength = sizeof(sa);
4576  sa.bInheritHandle = TRUE;
4577  paramHandle = CreateFileMapping(INVALID_HANDLE_VALUE,
4578  &sa,
4579  PAGE_READWRITE,
4580  0,
4581  sizeof(BackendParameters),
4582  NULL);
4583  if (paramHandle == INVALID_HANDLE_VALUE)
4584  {
4585  ereport(LOG,
4586  (errmsg("could not create backend parameter file mapping: error code %lu",
4587  GetLastError())));
4588  return -1;
4589  }
4590 
4591  param = MapViewOfFile(paramHandle, FILE_MAP_WRITE, 0, 0, sizeof(BackendParameters));
4592  if (!param)
4593  {
4594  ereport(LOG,
4595  (errmsg("could not map backend parameter memory: error code %lu",
4596  GetLastError())));
4597  CloseHandle(paramHandle);
4598  return -1;
4599  }
4600 
4601  /* Insert temp file name after --fork argument */
4602 #ifdef _WIN64
4603  sprintf(paramHandleStr, "%llu", (LONG_PTR) paramHandle);
4604 #else
4605  sprintf(paramHandleStr, "%lu", (DWORD) paramHandle);
4606 #endif
4607  argv[2] = paramHandleStr;
4608 
4609  /* Format the cmd line */
4610  cmdLine[sizeof(cmdLine) - 1] = '\0';
4611  cmdLine[sizeof(cmdLine) - 2] = '\0';
4612  snprintf(cmdLine, sizeof(cmdLine) - 1, "\"%s\"", postgres_exec_path);
4613  i = 0;
4614  while (argv[++i] != NULL)
4615  {
4616  j = strlen(cmdLine);
4617  snprintf(cmdLine + j, sizeof(cmdLine) - 1 - j, " \"%s\"", argv[i]);
4618  }
4619  if (cmdLine[sizeof(cmdLine) - 2] != '\0')
4620  {
4621  ereport(LOG,
4622  (errmsg("subprocess command line too long")));
4623  UnmapViewOfFile(param);
4624  CloseHandle(paramHandle);
4625  return -1;
4626  }
4627 
4628  memset(&pi, 0, sizeof(pi));
4629  memset(&si, 0, sizeof(si));
4630  si.cb = sizeof(si);
4631 
4632  /*
4633  * Create the subprocess in a suspended state. This will be resumed later,
4634  * once we have written out the parameter file.
4635  */
4636  if (!CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, CREATE_SUSPENDED,
4637  NULL, NULL, &si, &pi))
4638  {
4639  ereport(LOG,
4640  (errmsg("CreateProcess() call failed: %m (error code %lu)",
4641  GetLastError())));
4642  UnmapViewOfFile(param);
4643  CloseHandle(paramHandle);
4644  return -1;
4645  }
4646 
4647  if (!save_backend_variables(param, port, pi.hProcess, pi.dwProcessId))
4648  {
4649  /*
4650  * log made by save_backend_variables, but we have to clean up the
4651  * mess with the half-started process
4652  */
4653  if (!TerminateProcess(pi.hProcess, 255))
4654  ereport(LOG,
4655  (errmsg_internal("could not terminate unstarted process: error code %lu",
4656  GetLastError())));
4657  CloseHandle(pi.hProcess);
4658  CloseHandle(pi.hThread);
4659  UnmapViewOfFile(param);
4660  CloseHandle(paramHandle);
4661  return -1; /* log made by save_backend_variables */
4662  }
4663 
4664  /* Drop the parameter shared memory that is now inherited to the backend */
4665  if (!UnmapViewOfFile(param))
4666  ereport(LOG,
4667  (errmsg("could not unmap view of backend parameter file: error code %lu",
4668  GetLastError())));
4669  if (!CloseHandle(paramHandle))
4670  ereport(LOG,
4671  (errmsg("could not close handle to backend parameter file: error code %lu",
4672  GetLastError())));
4673 
4674  /*
4675  * Reserve the memory region used by our main shared memory segment before
4676  * we resume the child process. Normally this should succeed, but if ASLR
4677  * is active then it might sometimes fail due to the stack or heap having
4678  * gotten mapped into that range. In that case, just terminate the
4679  * process and retry.
4680  */
4681  if (!pgwin32_ReserveSharedMemoryRegion(pi.hProcess))
4682  {
4683  /* pgwin32_ReserveSharedMemoryRegion already made a log entry */
4684  if (!TerminateProcess(pi.hProcess, 255))
4685  ereport(LOG,
4686  (errmsg_internal("could not terminate process that failed to reserve memory: error code %lu",
4687  GetLastError())));
4688  CloseHandle(pi.hProcess);
4689  CloseHandle(pi.hThread);
4690  if (++retry_count < 100)
4691  goto retry;
4692  ereport(LOG,
4693  (errmsg("giving up after too many tries to reserve shared memory"),
4694  errhint("This might be caused by ASLR or antivirus software.")));
4695  return -1;
4696  }
4697 
4698  /*
4699  * Now that the backend variables are written out, we start the child
4700  * thread so it can start initializing while we set up the rest of the
4701  * parent state.
4702  */
4703  if (ResumeThread(pi.hThread) == -1)
4704  {
4705  if (!TerminateProcess(pi.hProcess, 255))
4706  {
4707  ereport(LOG,
4708  (errmsg_internal("could not terminate unstartable process: error code %lu",
4709  GetLastError())));
4710  CloseHandle(pi.hProcess);
4711  CloseHandle(pi.hThread);
4712  return -1;
4713  }
4714  CloseHandle(pi.hProcess);
4715  CloseHandle(pi.hThread);
4716  ereport(LOG,
4717  (errmsg_internal("could not resume thread of unstarted process: error code %lu",
4718  GetLastError())));
4719  return -1;
4720  }
4721 
4722  /*
4723  * Queue a waiter to signal when this child dies. The wait will be handled
4724  * automatically by an operating system thread pool.
4725  *
4726  * Note: use malloc instead of palloc, since it needs to be thread-safe.
4727  * Struct will be free():d from the callback function that runs on a
4728  * different thread.
4729  */
4730  childinfo = malloc(sizeof(win32_deadchild_waitinfo));
4731  if (!childinfo)
4732  ereport(FATAL,
4733  (errcode(ERRCODE_OUT_OF_MEMORY),
4734  errmsg("out of memory")));
4735 
4736  childinfo->procHandle = pi.hProcess;
4737  childinfo->procId = pi.dwProcessId;
4738 
4739  if (!RegisterWaitForSingleObject(&childinfo->waitHandle,
4740  pi.hProcess,
4741  pgwin32_deadchild_callback,
4742  childinfo,
4743  INFINITE,
4744  WT_EXECUTEONLYONCE | WT_EXECUTEINWAITTHREAD))
4745  ereport(FATAL,
4746  (errmsg_internal("could not register process for wait: error code %lu",
4747  GetLastError())));
4748 
4749  /* Don't close pi.hProcess here - the wait thread needs access to it */
4750 
4751  CloseHandle(pi.hThread);
4752 
4753  return pi.dwProcessId;
4754 }
4755 #endif /* WIN32 */
4756 
4757 
4758 /*
4759  * SubPostmasterMain -- Get the fork/exec'd process into a state equivalent
4760  * to what it would be if we'd simply forked on Unix, and then
4761  * dispatch to the appropriate place.
4762  *
4763  * The first two command line arguments are expected to be "--forkFOO"
4764  * (where FOO indicates which postmaster child we are to become), and
4765  * the name of a variables file that we can read to load data that would
4766  * have been inherited by fork() on Unix. Remaining arguments go to the
4767  * subprocess FooMain() routine.
4768  */
4769 void
4770 SubPostmasterMain(int argc, char *argv[])
4771 {
4772  Port port;
4773 
4774  /* In EXEC_BACKEND case we will not have inherited these settings */
4775  IsPostmasterEnvironment = true;
4777 
4778  /* Setup essential subsystems (to ensure elog() behaves sanely) */
4780 
4781  /* Check we got appropriate args */
4782  if (argc < 3)
4783  elog(FATAL, "invalid subpostmaster invocation");
4784 
4785  /* Read in the variables file */
4786  memset(&port, 0, sizeof(Port));
4787  read_backend_variables(argv[2], &port);
4788 
4789  /* Close the postmaster's sockets (as soon as we know them) */
4790  ClosePostmasterPorts(strcmp(argv[1], "--forklog") == 0);
4791 
4792  /* Setup as postmaster child */
4794 
4795  /*
4796  * If appropriate, physically re-attach to shared memory segment. We want
4797  * to do this before going any further to ensure that we can attach at the
4798  * same address the postmaster used. On the other hand, if we choose not
4799  * to re-attach, we may have other cleanup to do.
4800  *
4801  * If testing EXEC_BACKEND on Linux, you should run this as root before
4802  * starting the postmaster:
4803  *
4804  * sysctl -w kernel.randomize_va_space=0
4805  *
4806  * This prevents using randomized stack and code addresses that cause the
4807  * child process's memory map to be different from the parent's, making it
4808  * sometimes impossible to attach to shared memory at the desired address.
4809  * Return the setting to its old value (usually '1' or '2') when finished.
4810  */
4811  if (strcmp(argv[1], "--forkbackend") == 0 ||
4812  strcmp(argv[1], "--forkavlauncher") == 0 ||
4813  strcmp(argv[1], "--forkavworker") == 0 ||
4814  strcmp(argv[1], "--forkaux") == 0 ||
4815  strncmp(argv[1], "--forkbgworker=", 15) == 0)
4817  else
4819 
4820  /* autovacuum needs this set before calling InitProcess */
4821  if (strcmp(argv[1], "--forkavlauncher") == 0)
4822  AutovacuumLauncherIAm();
4823  if (strcmp(argv[1], "--forkavworker") == 0)
4824  AutovacuumWorkerIAm();
4825 
4826  /* Read in remaining GUC variables */
4827  read_nondefault_variables();
4828 
4829  /*
4830  * Check that the data directory looks valid, which will also check the
4831  * privileges on the data directory and update our umask and file/group
4832  * variables for creating files later. Note: this should really be done
4833  * before we create any files or directories.
4834  */
4835  checkDataDir();
4836 
4837  /*
4838  * (re-)read control file, as it contains config. The postmaster will
4839  * already have read this, but this process doesn't know about that.
4840  */
4841  LocalProcessControlFile(false);
4842 
4843  /*
4844  * Reload any libraries that were preloaded by the postmaster. Since we
4845  * exec'd this process, those libraries didn't come along with us; but we
4846  * should load them into all child processes to be consistent with the
4847  * non-EXEC_BACKEND behavior.
4848  */
4850 
4851  /* Run backend or appropriate child */
4852  if (strcmp(argv[1], "--forkbackend") == 0)
4853  {
4854  Assert(argc == 3); /* shouldn't be any more args */
4855 
4856  /*
4857  * Need to reinitialize the SSL library in the backend, since the
4858  * context structures contain function pointers and cannot be passed
4859  * through the parameter file.
4860  *
4861  * If for some reason reload fails (maybe the user installed broken
4862  * key files), soldier on without SSL; that's better than all
4863  * connections becoming impossible.
4864  *
4865  * XXX should we do this in all child processes? For the moment it's
4866  * enough to do it in backend children.
4867  */
4868 #ifdef USE_SSL
4869  if (EnableSSL)
4870  {
4871  if (secure_initialize(false) == 0)
4872  LoadedSSL = true;
4873  else
4874  ereport(LOG,
4875  (errmsg("SSL configuration could not be loaded in child process")));
4876  }
4877 #endif
4878 
4879  /*
4880  * Perform additional initialization and collect startup packet.
4881  *
4882  * We want to do this before InitProcess() for a couple of reasons: 1.
4883  * so that we aren't eating up a PGPROC slot while waiting on the
4884  * client. 2. so that if InitProcess() fails due to being out of
4885  * PGPROC slots, we have already initialized libpq and are able to
4886  * report the error to the client.
4887  */
4889 
4890  /* Restore basic shared memory pointers */
4892 
4893  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4894  InitProcess();
4895 
4896  /* Attach process to shared data structures */
4898 
4899  /* And run the backend */
4900  BackendRun(&port); /* does not return */
4901  }
4902  if (strcmp(argv[1], "--forkaux") == 0)
4903  {
4904  AuxProcType auxtype;
4905 
4906  Assert(argc == 4);
4907 
4908  /* Restore basic shared memory pointers */
4910 
4911  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4913 
4914  /* Attach process to shared data structures */
4916 
4917  auxtype = atoi(argv[3]);
4918  AuxiliaryProcessMain(auxtype); /* does not return */
4919  }
4920  if (strcmp(argv[1], "--forkavlauncher") == 0)
4921  {
4922  /* Restore basic shared memory pointers */
4924 
4925  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4926  InitProcess();
4927 
4928  /* Attach process to shared data structures */
4930 
4931  AutoVacLauncherMain(argc - 2, argv + 2); /* does not return */
4932  }
4933  if (strcmp(argv[1], "--forkavworker") == 0)
4934  {
4935  /* Restore basic shared memory pointers */
4937 
4938  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4939  InitProcess();
4940 
4941  /* Attach process to shared data structures */
4943 
4944  AutoVacWorkerMain(argc - 2, argv + 2); /* does not return */
4945  }
4946  if (strncmp(argv[1], "--forkbgworker=", 15) == 0)
4947  {
4948  int shmem_slot;
4949 
4950  /* do this as early as possible; in particular, before InitProcess() */
4951  IsBackgroundWorker = true;
4952 
4953  /* Restore basic shared memory pointers */
4955 
4956  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4957  InitProcess();
4958 
4959  /* Attach process to shared data structures */
4961 
4962  /* Fetch MyBgworkerEntry from shared memory */
4963  shmem_slot = atoi(argv[1] + 15);
4964  MyBgworkerEntry = BackgroundWorkerEntry(shmem_slot);
4965 
4967  }
4968  if (strcmp(argv[1], "--forklog") == 0)
4969  {
4970  /* Do not want to attach to shared memory */
4971 
4972  SysLoggerMain(argc, argv); /* does not return */
4973  }
4974 
4975  abort(); /* shouldn't get here */
4976 }
4977 #endif /* EXEC_BACKEND */
4978 
4979 
4980 /*
4981  * ExitPostmaster -- cleanup
4982  *
4983  * Do NOT call exit() directly --- always go through here!
4984  */
4985 static void
4987 {
4988 #ifdef HAVE_PTHREAD_IS_THREADED_NP
4989 
4990  /*
4991  * There is no known cause for a postmaster to become multithreaded after
4992  * startup. Recheck to account for the possibility of unknown causes.
4993  * This message uses LOG level, because an unclean shutdown at this point
4994  * would usually not look much different from a clean shutdown.
4995  */
4996  if (pthread_is_threaded_np() != 0)
4997  ereport(LOG,
4998  (errcode(ERRCODE_INTERNAL_ERROR),
4999  errmsg_internal("postmaster became multithreaded"),
5000  errdetail("Please report this to <%s>.", PACKAGE_BUGREPORT)));
5001 #endif
5002 
5003  /* should cleanup shared memory and kill all backends */
5004 
5005  /*
5006  * Not sure of the semantics here. When the Postmaster dies, should the
5007  * backends all be killed? probably not.
5008  *
5009  * MUST -- vadim 05-10-1999
5010  */
5011 
5012  proc_exit(status);
5013 }
5014 
5015 /*
5016  * sigusr1_handler - handle signal conditions from child processes
5017  */
5018 static void
5020 {
5021  int save_errno = errno;
5022 
5023  /*
5024  * RECOVERY_STARTED and BEGIN_HOT_STANDBY signals are ignored in
5025  * unexpected states. If the startup process quickly starts up, completes
5026  * recovery, exits, we might process the death of the startup process
5027  * first. We don't want to go back to recovery in that case.
5028  */
5031  {
5032  /* WAL redo has started. We're out of reinitialization. */
5033  FatalError = false;
5034  AbortStartTime = 0;
5035 
5036  /*
5037  * Start the archiver if we're responsible for (re-)archiving received
5038  * files.
5039  */
5040  Assert(PgArchPID == 0);
5041  if (XLogArchivingAlways())
5043 
5044  /*
5045  * If we aren't planning to enter hot standby mode later, treat
5046  * RECOVERY_STARTED as meaning we're out of startup, and report status
5047  * accordingly.
5048  */
5049  if (!EnableHotStandby)
5050  {
5052 #ifdef USE_SYSTEMD
5053  sd_notify(0, "READY=1");
5054 #endif
5055  }
5056 
5057  pmState = PM_RECOVERY;
5058  }
5059 
5062  {
5063  ereport(LOG,
5064  (errmsg("database system is ready to accept read-only connections")));
5065 
5066  /* Report status */
5068 #ifdef USE_SYSTEMD
5069  sd_notify(0, "READY=1");
5070 #endif
5071 
5073  connsAllowed = true;
5074 
5075  /* Some workers may be scheduled to start now */
5076  StartWorkerNeeded = true;
5077  }
5078 
5079  /* Process background worker state changes. */
5081  {
5082  /* Accept new worker requests only if not stopping. */
5084  StartWorkerNeeded = true;
5085  }
5086 
5089 
5090  /* Tell syslogger to rotate logfile if requested */
5091  if (SysLoggerPID != 0)
5092  {
5093  if (CheckLogrotateSignal())
5094  {
5097  }
5099  {
5101  }
5102  }
5103 
5106  {
5107  /*
5108  * Start one iteration of the autovacuum daemon, even if autovacuuming
5109  * is nominally not enabled. This is so we can have an active defense
5110  * against transaction ID wraparound. We set a flag for the main loop
5111  * to do it rather than trying to do it here --- this is because the
5112  * autovac process itself may send the signal, and we want to handle
5113  * that by launching another iteration as soon as the current one
5114  * completes.
5115  */
5116  start_autovac_launcher = true;
5117  }
5118 
5121  {
5122  /* The autovacuum launcher wants us to start a worker process. */
5124  }
5125 
5127  {
5128  /* Startup Process wants us to start the walreceiver process. */
5129  /* Start immediately if possible, else remember request for later. */
5130  WalReceiverRequested = true;
5132  }
5133 
5134  /*
5135  * Try to advance postmaster's state machine, if a child requests it.
5136  *
5137  * Be careful about the order of this action relative to sigusr1_handler's
5138  * other actions. Generally, this should be after other actions, in case
5139  * they have effects PostmasterStateMachine would need to know about.
5140  * However, we should do it before the CheckPromoteSignal step, which
5141  * cannot have any (immediate) effect on the state machine, but does
5142  * depend on what state we're in now.
5143  */
5145  {
5147  }
5148 
5149  if (StartupPID != 0 &&
5150  (pmState == PM_STARTUP || pmState == PM_RECOVERY ||
5151  pmState == PM_HOT_STANDBY) &&
5153  {
5154  /*
5155  * Tell startup process to finish recovery.
5156  *
5157  * Leave the promote signal file in place and let the Startup process
5158  * do the unlink.
5159  */
5161  }
5162 
5163  errno = save_errno;
5164 }
5165 
5166 /*
5167  * SIGTERM while processing startup packet.
5168  *
5169  * Running proc_exit() from a signal handler would be quite unsafe.
5170  * However, since we have not yet touched shared memory, we can just
5171  * pull the plug and exit without running any atexit handlers.
5172  *
5173  * One might be tempted to try to send a message, or log one, indicating
5174  * why we are disconnecting. However, that would be quite unsafe in itself.
5175  * Also, it seems undesirable to provide clues about the database's state
5176  * to a client that has not yet completed authentication, or even sent us
5177  * a startup packet.
5178  */
5179 static void
5181 {
5182  _exit(1);
5183 }
5184 
5185 /*
5186  * Dummy signal handler
5187  *
5188  * We use this for signals that we don't actually use in the postmaster,
5189  * but we do use in backends. If we were to SIG_IGN such signals in the
5190  * postmaster, then a newly started backend might drop a signal that arrives
5191  * before it's able to reconfigure its signal processing. (See notes in
5192  * tcop/postgres.c.)
5193  */
5194 static void
5196 {
5197 }
5198 
5199 /*
5200  * Timeout while processing startup packet.
5201  * As for process_startup_packet_die(), we exit via _exit(1).
5202  */
5203 static void
5205 {
5206  _exit(1);
5207 }
5208 
5209 
5210 /*
5211  * Generate a random cancel key.
5212  */
5213 static bool
5215 {
5216  return pg_strong_random(cancel_key, sizeof(int32));
5217 }
5218 
5219 /*
5220  * Count up number of child processes of specified types (dead_end children
5221  * are always excluded).
5222  */
5223 static int
5224 CountChildren(int target)
5225 {
5226  dlist_iter iter;
5227  int cnt = 0;
5228 
5229  dlist_foreach(iter, &BackendList)
5230  {
5231  Backend *bp = dlist_container(Backend, elem, iter.cur);
5232 
5233  if (bp->dead_end)
5234  continue;
5235 
5236  /*
5237  * Since target == BACKEND_TYPE_ALL is the most common case, we test
5238  * it first and avoid touching shared memory for every child.
5239  */
5240  if (target != BACKEND_TYPE_ALL)
5241  {
5242  /*
5243  * Assign bkend_type for any recently announced WAL Sender
5244  * processes.
5245  */
5246  if (bp->bkend_type == BACKEND_TYPE_NORMAL &&
5249 
5250  if (!(target & bp->bkend_type))
5251  continue;
5252  }
5253 
5254  cnt++;
5255  }
5256  return cnt;
5257 }
5258 
5259 
5260 /*
5261  * StartChildProcess -- start an auxiliary process for the postmaster
5262  *
5263  * "type" determines what kind of child will be started. All child types
5264  * initially go to AuxiliaryProcessMain, which will handle common setup.
5265  *
5266  * Return value of StartChildProcess is subprocess' PID, or 0 if failed
5267  * to start subprocess.
5268  */
5269 static pid_t
5271 {
5272  pid_t pid;
5273 
5274 #ifdef EXEC_BACKEND
5275  {
5276  char *av[10];
5277  int ac = 0;
5278  char typebuf[32];
5279 
5280  /*
5281  * Set up command-line arguments for subprocess
5282  */
5283  av[ac++] = "postgres";
5284  av[ac++] = "--forkaux";
5285  av[ac++] = NULL; /* filled in by postmaster_forkexec */
5286 
5287  snprintf(typebuf, sizeof(typebuf), "%d", type);
5288  av[ac++] = typebuf;
5289 
5290  av[ac] = NULL;
5291  Assert(ac < lengthof(av));
5292 
5293  pid = postmaster_forkexec(ac, av);
5294  }
5295 #else /* !EXEC_BACKEND */
5296  pid = fork_process();
5297 
5298  if (pid == 0) /* child */
5299  {
5301 
5302  /* Close the postmaster's sockets */
5303  ClosePostmasterPorts(false);
5304 
5305  /* Release postmaster's working memory context */
5308  PostmasterContext = NULL;
5309 
5310  AuxiliaryProcessMain(type); /* does not return */
5311  }
5312 #endif /* EXEC_BACKEND */
5313 
5314  if (pid < 0)
5315  {
5316  /* in parent, fork failed */
5317  int save_errno = errno;
5318 
5319  errno = save_errno;
5320  switch (type)
5321  {
5322  case StartupProcess:
5323  ereport(LOG,
5324  (errmsg("could not fork startup process: %m")));
5325  break;
5326  case ArchiverProcess:
5327  ereport(LOG,
5328  (errmsg("could not fork archiver process: %m")));
5329  break;
5330  case BgWriterProcess:
5331  ereport(LOG,
5332  (errmsg("could not fork background writer process: %m")));
5333  break;
5334  case CheckpointerProcess:
5335  ereport(LOG,
5336  (errmsg("could not fork checkpointer process: %m")));
5337  break;
5338  case WalWriterProcess:
5339  ereport(LOG,
5340  (errmsg("could not fork WAL writer process: %m")));
5341  break;
5342  case WalReceiverProcess:
5343  ereport(LOG,
5344  (errmsg("could not fork WAL receiver process: %m")));
5345  break;
5346  default:
5347  ereport(LOG,
5348  (errmsg("could not fork process: %m")));
5349  break;
5350  }
5351 
5352  /*
5353  * fork failure is fatal during startup, but there's no need to choke
5354  * immediately if starting other child types fails.
5355  */
5356  if (type == StartupProcess)
5357  ExitPostmaster(1);
5358  return 0;
5359  }
5360 
5361  /*
5362  * in parent, successful fork
5363  */
5364  return pid;
5365 }
5366 
5367 /*
5368  * StartAutovacuumWorker
5369  * Start an autovac worker process.
5370  *
5371  * This function is here because it enters the resulting PID into the
5372  * postmaster's private backends list.
5373  *
5374  * NB -- this code very roughly matches BackendStartup.
5375  */
5376 static void
5378 {
5379  Backend *bn;
5380 
5381  /*
5382  * If not in condition to run a process, don't try, but handle it like a
5383  * fork failure. This does not normally happen, since the signal is only
5384  * supposed to be sent by autovacuum launcher when it's OK to do it, but
5385  * we have to check to avoid race-condition problems during DB state
5386  * changes.
5387  */
5389  {
5390  /*
5391  * Compute the cancel key that will be assigned to this session. We
5392  * probably don't need cancel keys for autovac workers, but we'd
5393  * better have something random in the field to prevent unfriendly
5394  * people from sending cancels to them.
5395  */
5397  {
5398  ereport(LOG,
5399  (errcode(ERRCODE_INTERNAL_ERROR),
5400  errmsg("could not generate random cancel key")));
5401  return;
5402  }
5403 
5404  bn = (Backend *) malloc(sizeof(Backend));
5405  if (bn)
5406  {
5407  bn->cancel_key = MyCancelKey;
5408 
5409  /* Autovac workers are not dead_end and need a child slot */
5410  bn->dead_end = false;
5412  bn->bgworker_notify = false;
5413 
5414  bn->pid = StartAutoVacWorker();
5415  if (bn->pid > 0)
5416  {
5419 #ifdef EXEC_BACKEND
5420  ShmemBackendArrayAdd(bn);
5421 #endif
5422  /* all OK */
5423  return;
5424  }
5425 
5426  /*
5427  * fork failed, fall through to report -- actual error message was
5428  * logged by StartAutoVacWorker
5429  */
5431  free(bn);
5432  }
5433  else
5434  ereport(LOG,
5435  (errcode(ERRCODE_OUT_OF_MEMORY),
5436  errmsg("out of memory")));
5437  }
5438 
5439  /*
5440  * Report the failure to the launcher, if it's running. (If it's not, we
5441  * might not even be connected to shared memory, so don't try to call
5442  * AutoVacWorkerFailed.) Note that we also need to signal it so that it
5443  * responds to the condition, but we don't do that here, instead waiting
5444  * for ServerLoop to do it. This way we avoid a ping-pong signaling in
5445  * quick succession between the autovac launcher and postmaster in case
5446  * things get ugly.
5447  */
5448  if (AutoVacPID != 0)
5449  {
5451  avlauncher_needs_signal = true;
5452  }
5453 }
5454 
5455 /*
5456  * MaybeStartWalReceiver
5457  * Start the WAL receiver process, if not running and our state allows.
5458  *
5459  * Note: if WalReceiverPID is already nonzero, it might seem that we should
5460  * clear WalReceiverRequested. However, there's a race condition if the
5461  * walreceiver terminates and the startup process immediately requests a new
5462  * one: it's quite possible to get the signal for the request before reaping
5463  * the dead walreceiver process. Better to risk launching an extra
5464  * walreceiver than to miss launching one we need. (The walreceiver code
5465  * has logic to recognize that it should go away if not needed.)
5466  */
5467 static void
5469 {
5470  if (WalReceiverPID == 0 &&
5471  (pmState == PM_STARTUP || pmState == PM_RECOVERY ||
5472  pmState == PM_HOT_STANDBY) &&
5474  {
5476  if (WalReceiverPID != 0)
5477  WalReceiverRequested = false;
5478  /* else leave the flag set, so we'll try again later */
5479  }
5480 }
5481 
5482 
5483 /*
5484  * Create the opts file
5485  */
5486 static bool
5487 CreateOptsFile(int argc, char *argv[], char *fullprogname)
5488 {
5489  FILE *fp;
5490  int i;
5491 
5492 #define OPTS_FILE "postmaster.opts"
5493 
5494  if ((fp = fopen(OPTS_FILE, "w")) == NULL)
5495  {
5496  ereport(LOG,
5498  errmsg("could not create file \"%s\": %m", OPTS_FILE)));
5499  return false;
5500  }
5501 
5502  fprintf(fp, "%s", fullprogname);
5503  for (i = 1; i < argc; i++)
5504  fprintf(fp, " \"%s\"", argv[i]);
5505  fputs("\n", fp);
5506 
5507  if (fclose(fp))
5508  {
5509  ereport(LOG,
5511  errmsg("could not write file \"%s\": %m", OPTS_FILE)));
5512  return false;
5513  }
5514 
5515  return true;
5516 }
5517 
5518 
5519 /*
5520  * MaxLivePostmasterChildren
5521  *
5522  * This reports the number of entries needed in per-child-process arrays
5523  * (the PMChildFlags array, and if EXEC_BACKEND the ShmemBackendArray).
5524  * These arrays include regular backends, autovac workers, walsenders
5525  * and background workers, but not special children nor dead_end children.
5526  * This allows the arrays to have a fixed maximum size, to wit the same
5527  * too-many-children limit enforced by canAcceptConnections(). The exact value
5528  * isn't too critical as long as it's more than MaxBackends.
5529  */
5530 int
5532 {
5533  return 2 * (MaxConnections + autovacuum_max_workers + 1 +
5535 }
5536 
5537 /*
5538  * Connect background worker to a database.
5539  */
5540 void
5542 {
5544 
5545  /* XXX is this the right errcode? */
5547  ereport(FATAL,
5548  (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
5549  errmsg("database connection requirement not indicated during registration")));
5550 
5551  InitPostgres(dbname, InvalidOid, /* database to connect to */
5552  username, InvalidOid, /* role to connect as */
5553  false, /* never honor session_preload_libraries */
5554  (flags & BGWORKER_BYPASS_ALLOWCONN) != 0, /* ignore datallowconn? */
5555  NULL); /* no out_dbname */
5556 
5557  /* it had better not gotten out of "init" mode yet */
5558  if (!IsInitProcessingMode())
5559  ereport(ERROR,
5560  (errmsg("invalid processing mode in background worker")));
5562 }
5563 
5564 /*
5565  * Connect background worker to a database using OIDs.
5566  */
5567 void
5569 {
5571 
5572  /* XXX is this the right errcode? */
5574  ereport(FATAL,
5575  (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
5576  errmsg("database connection requirement not indicated during registration")));
5577 
5578  InitPostgres(NULL, dboid, /* database to connect to */
5579  NULL, useroid, /* role to connect as */
5580  false, /* never honor session_preload_libraries */
5581  (flags & BGWORKER_BYPASS_ALLOWCONN) != 0, /* ignore datallowconn? */
5582  NULL); /* no out_dbname */
5583 
5584  /* it had better not gotten out of "init" mode yet */
5585  if (!IsInitProcessingMode())
5586  ereport(ERROR,
5587  (errmsg("invalid processing mode in background worker")));
5589 }
5590 
5591 /*
5592  * Block/unblock signals in a background worker
5593  */
5594 void
5596 {
5597  PG_SETMASK(&BlockSig);
5598 }
5599 
5600 void
5602 {
5604 }
5605 
5606 #ifdef EXEC_BACKEND
5607 static pid_t
5608 bgworker_forkexec(int shmem_slot)
5609 {
5610  char *av[10];
5611  int ac = 0;
5612  char forkav[MAXPGPATH];
5613 
5614  snprintf(forkav, MAXPGPATH, "--forkbgworker=%d", shmem_slot);
5615 
5616  av[ac++] = "postgres";
5617  av[ac++] = forkav;
5618  av[ac++] = NULL; /* filled in by postmaster_forkexec */
5619  av[ac] = NULL;
5620 
5621  Assert(ac < lengthof(av));
5622 
5623  return postmaster_forkexec(ac, av);
5624 }
5625 #endif
5626 
5627 /*
5628  * Start a new bgworker.
5629  * Starting time conditions must have been checked already.
5630  *
5631  * Returns true on success, false on failure.
5632  * In either case, update the RegisteredBgWorker's state appropriately.
5633  *
5634  * This code is heavily based on autovacuum.c, q.v.
5635  */
5636 static bool
5638 {
5639  pid_t worker_pid;
5640 
5641  Assert(rw->rw_pid == 0);
5642 
5643  /*
5644  * Allocate and assign the Backend element. Note we must do this before
5645  * forking, so that we can handle failures (out of memory or child-process
5646  * slots) cleanly.
5647  *
5648  * Treat failure as though the worker had crashed. That way, the
5649  * postmaster will wait a bit before attempting to start it again; if we
5650  * tried again right away, most likely we'd find ourselves hitting the
5651  * same resource-exhaustion condition.
5652  */
5653  if (!assign_backendlist_entry(rw))
5654  {
5656  return false;
5657  }
5658 
5659  ereport(DEBUG1,
5660  (errmsg_internal("starting background worker process \"%s\"",
5661  rw->rw_worker.bgw_name)));
5662 
5663 #ifdef EXEC_BACKEND
5664  switch ((worker_pid = bgworker_forkexec(rw->rw_shmem_slot)))
5665 #else
5666  switch ((worker_pid = fork_process()))
5667 #endif
5668  {
5669  case -1:
5670  /* in postmaster, fork failed ... */
5671  ereport(LOG,
5672  (errmsg("could not fork worker process: %m")));
5673  /* undo what assign_backendlist_entry did */
5675  rw->rw_child_slot = 0;
5676  free(rw->rw_backend);
5677  rw->rw_backend = NULL;
5678  /* mark entry as crashed, so we'll try again later */
5680  break;
5681 
5682 #ifndef EXEC_BACKEND
5683  case 0:
5684  /* in postmaster child ... */
5686 
5687  /* Close the postmaster's sockets */
5688  ClosePostmasterPorts(false);
5689 
5690  /*
5691  * Before blowing away PostmasterContext, save this bgworker's
5692  * data where it can find it.
5693  */
5696  memcpy(MyBgworkerEntry, &rw->rw_worker, sizeof(BackgroundWorker));
5697 
5698  /* Release postmaster's working memory context */
5701  PostmasterContext = NULL;
5702 
5704 
5705  exit(1); /* should not get here */
5706  break;
5707 #endif
5708  default:
5709  /* in postmaster, fork successful ... */
5710  rw->rw_pid = worker_pid;
5711  rw->rw_backend->pid = rw->rw_pid;
5713  /* add new worker to lists of backends */
5715 #ifdef EXEC_BACKEND
5716  ShmemBackendArrayAdd(rw->rw_backend);
5717 #endif
5718  return true;
5719  }
5720 
5721  return false;
5722 }
5723 
5724 /*
5725  * Does the current postmaster state require starting a worker with the
5726  * specified start_time?
5727  */
5728 static bool
5730 {
5731  switch (pmState)
5732  {
5733  case PM_NO_CHILDREN:
5734  case PM_WAIT_DEAD_END:
5735  case PM_SHUTDOWN_2:
5736  case PM_SHUTDOWN:
5737  case PM_WAIT_BACKENDS:
5738  case PM_STOP_BACKENDS:
5739  break;
5740 
5741  case PM_RUN:
5743  return true;
5744  /* fall through */
5745 
5746  case PM_HOT_STANDBY:
5748  return true;
5749  /* fall through */
5750 
5751  case PM_RECOVERY:
5752  case PM_STARTUP:
5753  case PM_INIT:
5755  return true;
5756  /* fall through */
5757  }
5758 
5759  return false;
5760 }
5761 
5762 /*
5763  * Allocate the Backend struct for a connected background worker, but don't
5764  * add it to the list of backends just yet.
5765  *
5766  * On failure, return false without changing any worker state.
5767  *
5768  * Some info from the Backend is copied into the passed rw.
5769  */
5770 static bool
5772 {
5773  Backend *bn;
5774 
5775  /*
5776  * Check that database state allows another connection. Currently the
5777  * only possible failure is CAC_TOOMANY, so we just log an error message
5778  * based on that rather than checking the error code precisely.
5779  */
5781  {
5782