PostgreSQL Source Code  git master
postmaster.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * postmaster.c
4  * This program acts as a clearing house for requests to the
5  * POSTGRES system. Frontend programs send a startup message
6  * to the Postmaster and the postmaster uses the info in the
7  * message to setup a backend process.
8  *
9  * The postmaster also manages system-wide operations such as
10  * startup and shutdown. The postmaster itself doesn't do those
11  * operations, mind you --- it just forks off a subprocess to do them
12  * at the right times. It also takes care of resetting the system
13  * if a backend crashes.
14  *
15  * The postmaster process creates the shared memory and semaphore
16  * pools during startup, but as a rule does not touch them itself.
17  * In particular, it is not a member of the PGPROC array of backends
18  * and so it cannot participate in lock-manager operations. Keeping
19  * the postmaster away from shared memory operations makes it simpler
20  * and more reliable. The postmaster is almost always able to recover
21  * from crashes of individual backends by resetting shared memory;
22  * if it did much with shared memory then it would be prone to crashing
23  * along with the backends.
24  *
25  * When a request message is received, we now fork() immediately.
26  * The child process performs authentication of the request, and
27  * then becomes a backend if successful. This allows the auth code
28  * to be written in a simple single-threaded style (as opposed to the
29  * crufty "poor man's multitasking" code that used to be needed).
30  * More importantly, it ensures that blockages in non-multithreaded
31  * libraries like SSL or PAM cannot cause denial of service to other
32  * clients.
33  *
34  *
35  * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
36  * Portions Copyright (c) 1994, Regents of the University of California
37  *
38  *
39  * IDENTIFICATION
40  * src/backend/postmaster/postmaster.c
41  *
42  * NOTES
43  *
44  * Initialization:
45  * The Postmaster sets up shared memory data structures
46  * for the backends.
47  *
48  * Synchronization:
49  * The Postmaster shares memory with the backends but should avoid
50  * touching shared memory, so as not to become stuck if a crashing
51  * backend screws up locks or shared memory. Likewise, the Postmaster
52  * should never block on messages from frontend clients.
53  *
54  * Garbage Collection:
55  * The Postmaster cleans up after backends if they have an emergency
56  * exit and/or core dump.
57  *
58  * Error Reporting:
59  * Use write_stderr() only for reporting "interactive" errors
60  * (essentially, bogus arguments on the command line). Once the
61  * postmaster is launched, use ereport().
62  *
63  *-------------------------------------------------------------------------
64  */
65 
66 #include "postgres.h"
67 
68 #include <unistd.h>
69 #include <signal.h>
70 #include <time.h>
71 #include <sys/wait.h>
72 #include <ctype.h>
73 #include <sys/stat.h>
74 #include <sys/socket.h>
75 #include <fcntl.h>
76 #include <sys/param.h>
77 #include <netdb.h>
78 #include <limits.h>
79 
80 #ifdef HAVE_SYS_SELECT_H
81 #include <sys/select.h>
82 #endif
83 
84 #ifdef USE_BONJOUR
85 #include <dns_sd.h>
86 #endif
87 
88 #ifdef USE_SYSTEMD
89 #include <systemd/sd-daemon.h>
90 #endif
91 
92 #ifdef HAVE_PTHREAD_IS_THREADED_NP
93 #include <pthread.h>
94 #endif
95 
96 #include "access/transam.h"
97 #include "access/xlog.h"
98 #include "bootstrap/bootstrap.h"
99 #include "catalog/pg_control.h"
100 #include "common/ip.h"
101 #include "lib/ilist.h"
102 #include "libpq/auth.h"
103 #include "libpq/libpq.h"
104 #include "libpq/pqformat.h"
105 #include "libpq/pqsignal.h"
106 #include "miscadmin.h"
107 #include "pg_getopt.h"
108 #include "pgstat.h"
109 #include "port/pg_bswap.h"
110 #include "postmaster/autovacuum.h"
112 #include "postmaster/fork_process.h"
113 #include "postmaster/pgarch.h"
114 #include "postmaster/postmaster.h"
115 #include "postmaster/syslogger.h"
117 #include "replication/walsender.h"
118 #include "storage/fd.h"
119 #include "storage/ipc.h"
120 #include "storage/pg_shmem.h"
121 #include "storage/pmsignal.h"
122 #include "storage/proc.h"
123 #include "tcop/tcopprot.h"
124 #include "utils/builtins.h"
125 #include "utils/datetime.h"
126 #include "utils/dynamic_loader.h"
127 #include "utils/memutils.h"
128 #include "utils/pidfile.h"
129 #include "utils/ps_status.h"
130 #include "utils/timeout.h"
131 #include "utils/varlena.h"
132 
133 #ifdef EXEC_BACKEND
134 #include "storage/spin.h"
135 #endif
136 
137 
138 /*
139  * Possible types of a backend. Beyond being the possible bkend_type values in
140  * struct bkend, these are OR-able request flag bits for SignalSomeChildren()
141  * and CountChildren().
142  */
143 #define BACKEND_TYPE_NORMAL 0x0001 /* normal backend */
144 #define BACKEND_TYPE_AUTOVAC 0x0002 /* autovacuum worker process */
145 #define BACKEND_TYPE_WALSND 0x0004 /* walsender process */
146 #define BACKEND_TYPE_BGWORKER 0x0008 /* bgworker process */
147 #define BACKEND_TYPE_ALL 0x000F /* OR of all the above */
148 
149 #define BACKEND_TYPE_WORKER (BACKEND_TYPE_AUTOVAC | BACKEND_TYPE_BGWORKER)
150 
151 /*
152  * List of active backends (or child processes anyway; we don't actually
153  * know whether a given child has become a backend or is still in the
154  * authorization phase). This is used mainly to keep track of how many
155  * children we have and send them appropriate signals when necessary.
156  *
157  * "Special" children such as the startup, bgwriter and autovacuum launcher
158  * tasks are not in this list. Autovacuum worker and walsender are in it.
159  * Also, "dead_end" children are in it: these are children launched just for
160  * the purpose of sending a friendly rejection message to a would-be client.
161  * We must track them because they are attached to shared memory, but we know
162  * they will never become live backends. dead_end children are not assigned a
163  * PMChildSlot.
164  *
165  * Background workers are in this list, too.
166  */
167 typedef struct bkend
168 {
169  pid_t pid; /* process id of backend */
170  int32 cancel_key; /* cancel key for cancels for this backend */
171  int child_slot; /* PMChildSlot for this backend, if any */
172 
173  /*
174  * Flavor of backend or auxiliary process. Note that BACKEND_TYPE_WALSND
175  * backends initially announce themselves as BACKEND_TYPE_NORMAL, so if
176  * bkend_type is normal, you should check for a recent transition.
177  */
179  bool dead_end; /* is it going to send an error and quit? */
180  bool bgworker_notify; /* gets bgworker start/stop notifications */
181  dlist_node elem; /* list link in BackendList */
182 } Backend;
183 
185 
186 #ifdef EXEC_BACKEND
187 static Backend *ShmemBackendArray;
188 #endif
189 
191 
192 
193 
194 /* The socket number we are listening for connections on */
196 
197 /* The directory names for Unix socket(s) */
199 
200 /* The TCP listen address(es) */
202 
203 /*
204  * ReservedBackends is the number of backends reserved for superuser use.
205  * This number is taken out of the pool size given by MaxBackends so
206  * number of backend slots available to non-superusers is
207  * (MaxBackends - ReservedBackends). Note what this really means is
208  * "if there are <= ReservedBackends connections available, only superusers
209  * can make new connections" --- pre-existing superuser connections don't
210  * count against the limit.
211  */
213 
214 /* The socket(s) we're listening to. */
215 #define MAXLISTEN 64
217 
218 /*
219  * Set by the -o option
220  */
221 static char ExtraOptions[MAXPGPATH];
222 
223 /*
224  * These globals control the behavior of the postmaster in case some
225  * backend dumps core. Normally, it kills all peers of the dead backend
226  * and reinitializes shared memory. By specifying -s or -n, we can have
227  * the postmaster stop (rather than kill) peers and not reinitialize
228  * shared data structures. (Reinit is currently dead code, though.)
229  */
230 static bool Reinit = true;
231 static int SendStop = false;
232 
233 /* still more option variables */
234 bool EnableSSL = false;
235 
236 int PreAuthDelay = 0;
238 
239 bool log_hostname; /* for ps display and logging */
240 bool Log_connections = false;
241 bool Db_user_namespace = false;
242 
243 bool enable_bonjour = false;
246 
247 /* PIDs of special child processes; 0 when not running */
248 static pid_t StartupPID = 0,
257 
258 /* Startup process's status */
259 typedef enum
260 {
263  STARTUP_SIGNALED, /* we sent it a SIGQUIT or SIGKILL */
266 
268 
269 /* Startup/shutdown state */
270 #define NoShutdown 0
271 #define SmartShutdown 1
272 #define FastShutdown 2
273 #define ImmediateShutdown 3
274 
275 static int Shutdown = NoShutdown;
276 
277 static bool FatalError = false; /* T if recovering from backend crash */
278 
279 /*
280  * We use a simple state machine to control startup, shutdown, and
281  * crash recovery (which is rather like shutdown followed by startup).
282  *
283  * After doing all the postmaster initialization work, we enter PM_STARTUP
284  * state and the startup process is launched. The startup process begins by
285  * reading the control file and other preliminary initialization steps.
286  * In a normal startup, or after crash recovery, the startup process exits
287  * with exit code 0 and we switch to PM_RUN state. However, archive recovery
288  * is handled specially since it takes much longer and we would like to support
289  * hot standby during archive recovery.
290  *
291  * When the startup process is ready to start archive recovery, it signals the
292  * postmaster, and we switch to PM_RECOVERY state. The background writer and
293  * checkpointer are launched, while the startup process continues applying WAL.
294  * If Hot Standby is enabled, then, after reaching a consistent point in WAL
295  * redo, startup process signals us again, and we switch to PM_HOT_STANDBY
296  * state and begin accepting connections to perform read-only queries. When
297  * archive recovery is finished, the startup process exits with exit code 0
298  * and we switch to PM_RUN state.
299  *
300  * Normal child backends can only be launched when we are in PM_RUN or
301  * PM_HOT_STANDBY state. (We also allow launch of normal
302  * child backends in PM_WAIT_BACKUP state, but only for superusers.)
303  * In other states we handle connection requests by launching "dead_end"
304  * child processes, which will simply send the client an error message and
305  * quit. (We track these in the BackendList so that we can know when they
306  * are all gone; this is important because they're still connected to shared
307  * memory, and would interfere with an attempt to destroy the shmem segment,
308  * possibly leading to SHMALL failure when we try to make a new one.)
309  * In PM_WAIT_DEAD_END state we are waiting for all the dead_end children
310  * to drain out of the system, and therefore stop accepting connection
311  * requests at all until the last existing child has quit (which hopefully
312  * will not be very long).
313  *
314  * Notice that this state variable does not distinguish *why* we entered
315  * states later than PM_RUN --- Shutdown and FatalError must be consulted
316  * to find that out. FatalError is never true in PM_RECOVERY_* or PM_RUN
317  * states, nor in PM_SHUTDOWN states (because we don't enter those states
318  * when trying to recover from a crash). It can be true in PM_STARTUP state,
319  * because we don't clear it until we've successfully started WAL redo.
320  */
321 typedef enum
322 {
323  PM_INIT, /* postmaster starting */
324  PM_STARTUP, /* waiting for startup subprocess */
325  PM_RECOVERY, /* in archive recovery mode */
326  PM_HOT_STANDBY, /* in hot standby mode */
327  PM_RUN, /* normal "database is alive" state */
328  PM_WAIT_BACKUP, /* waiting for online backup mode to end */
329  PM_WAIT_READONLY, /* waiting for read only backends to exit */
330  PM_WAIT_BACKENDS, /* waiting for live backends to exit */
331  PM_SHUTDOWN, /* waiting for checkpointer to do shutdown
332  * ckpt */
333  PM_SHUTDOWN_2, /* waiting for archiver and walsenders to
334  * finish */
335  PM_WAIT_DEAD_END, /* waiting for dead_end children to exit */
336  PM_NO_CHILDREN /* all important children have exited */
337 } PMState;
338 
340 
341 /* Start time of SIGKILL timeout during immediate shutdown or child crash */
342 /* Zero means timeout is not running */
343 static time_t AbortStartTime = 0;
344 
345 /* Length of said timeout */
346 #define SIGKILL_CHILDREN_AFTER_SECS 5
347 
348 static bool ReachedNormalRunning = false; /* T if we've reached PM_RUN */
349 
350 bool ClientAuthInProgress = false; /* T during new-client
351  * authentication */
352 
353 bool redirection_done = false; /* stderr redirected for syslogger? */
354 
355 /* received START_AUTOVAC_LAUNCHER signal */
356 static volatile sig_atomic_t start_autovac_launcher = false;
357 
358 /* the launcher needs to be signalled to communicate some condition */
359 static volatile bool avlauncher_needs_signal = false;
360 
361 /* received START_WALRECEIVER signal */
362 static volatile sig_atomic_t WalReceiverRequested = false;
363 
364 /* set when there's a worker that needs to be started up */
365 static volatile bool StartWorkerNeeded = true;
366 static volatile bool HaveCrashedWorker = false;
367 
368 #ifndef HAVE_STRONG_RANDOM
369 /*
370  * State for assigning cancel keys.
371  * Also, the global MyCancelKey passes the cancel key assigned to a given
372  * backend from the postmaster to that backend (via fork).
373  */
374 static unsigned int random_seed = 0;
375 static struct timeval random_start_time;
376 #endif
377 
378 #ifdef USE_SSL
379 /* Set when and if SSL has been initialized properly */
380 static bool LoadedSSL = false;
381 #endif
382 
383 #ifdef USE_BONJOUR
384 static DNSServiceRef bonjour_sdref = NULL;
385 #endif
386 
387 /*
388  * postmaster.c - function prototypes
389  */
390 static void CloseServerPorts(int status, Datum arg);
391 static void unlink_external_pid_file(int status, Datum arg);
392 static void getInstallationPaths(const char *argv0);
393 static void checkDataDir(void);
394 static Port *ConnCreate(int serverFd);
395 static void ConnFree(Port *port);
396 static void reset_shared(int port);
397 static void SIGHUP_handler(SIGNAL_ARGS);
398 static void pmdie(SIGNAL_ARGS);
399 static void reaper(SIGNAL_ARGS);
400 static void sigusr1_handler(SIGNAL_ARGS);
401 static void startup_die(SIGNAL_ARGS);
402 static void dummy_handler(SIGNAL_ARGS);
403 static void StartupPacketTimeoutHandler(void);
404 static void CleanupBackend(int pid, int exitstatus);
405 static bool CleanupBackgroundWorker(int pid, int exitstatus);
406 static void HandleChildCrash(int pid, int exitstatus, const char *procname);
407 static void LogChildExit(int lev, const char *procname,
408  int pid, int exitstatus);
409 static void PostmasterStateMachine(void);
410 static void BackendInitialize(Port *port);
411 static void BackendRun(Port *port) pg_attribute_noreturn();
412 static void ExitPostmaster(int status) pg_attribute_noreturn();
413 static int ServerLoop(void);
414 static int BackendStartup(Port *port);
415 static int ProcessStartupPacket(Port *port, bool SSLdone);
416 static void SendNegotiateProtocolVersion(List *unrecognized_protocol_options);
417 static void processCancelRequest(Port *port, void *pkt);
418 static int initMasks(fd_set *rmask);
419 static void report_fork_failure_to_client(Port *port, int errnum);
420 static CAC_state canAcceptConnections(void);
421 static bool RandomCancelKey(int32 *cancel_key);
422 static void signal_child(pid_t pid, int signal);
423 static bool SignalSomeChildren(int signal, int targets);
424 static void TerminateChildren(int signal);
425 
426 #define SignalChildren(sig) SignalSomeChildren(sig, BACKEND_TYPE_ALL)
427 
428 static int CountChildren(int target);
430 static void maybe_start_bgworkers(void);
431 static bool CreateOptsFile(int argc, char *argv[], char *fullprogname);
432 static pid_t StartChildProcess(AuxProcType type);
433 static void StartAutovacuumWorker(void);
434 static void MaybeStartWalReceiver(void);
435 static void InitPostmasterDeathWatchHandle(void);
436 
437 /*
438  * Archiver is allowed to start up at the current postmaster state?
439  *
440  * If WAL archiving is enabled always, we are allowed to start archiver
441  * even during recovery.
442  */
443 #define PgArchStartupAllowed() \
444  ((XLogArchivingActive() && pmState == PM_RUN) || \
445  (XLogArchivingAlways() && \
446  (pmState == PM_RECOVERY || pmState == PM_HOT_STANDBY)))
447 
448 #ifdef EXEC_BACKEND
449 
450 #ifdef WIN32
451 #define WNOHANG 0 /* ignored, so any integer value will do */
452 
453 static pid_t waitpid(pid_t pid, int *exitstatus, int options);
454 static void WINAPI pgwin32_deadchild_callback(PVOID lpParameter, BOOLEAN TimerOrWaitFired);
455 
456 static HANDLE win32ChildQueue;
457 
458 typedef struct
459 {
460  HANDLE waitHandle;
461  HANDLE procHandle;
462  DWORD procId;
463 } win32_deadchild_waitinfo;
464 #endif /* WIN32 */
465 
466 static pid_t backend_forkexec(Port *port);
467 static pid_t internal_forkexec(int argc, char *argv[], Port *port);
468 
469 /* Type for a socket that can be inherited to a client process */
470 #ifdef WIN32
471 typedef struct
472 {
473  SOCKET origsocket; /* Original socket value, or PGINVALID_SOCKET
474  * if not a socket */
475  WSAPROTOCOL_INFO wsainfo;
476 } InheritableSocket;
477 #else
478 typedef int InheritableSocket;
479 #endif
480 
481 /*
482  * Structure contains all variables passed to exec:ed backends
483  */
484 typedef struct
485 {
486  Port port;
487  InheritableSocket portsocket;
488  char DataDir[MAXPGPATH];
491  int MyPMChildSlot;
492 #ifndef WIN32
493  unsigned long UsedShmemSegID;
494 #else
495  HANDLE UsedShmemSegID;
496 #endif
497  void *UsedShmemSegAddr;
500  Backend *ShmemBackendArray;
501 #ifndef HAVE_SPINLOCKS
503 #endif
512  InheritableSocket pgStatSock;
513  pid_t PostmasterPid;
517  bool redirection_done;
518  bool IsBinaryUpgrade;
519  int max_safe_fds;
520  int MaxBackends;
521 #ifdef WIN32
522  HANDLE PostmasterHandle;
523  HANDLE initial_signal_pipe;
524  HANDLE syslogPipe[2];
525 #else
526  int postmaster_alive_fds[2];
527  int syslogPipe[2];
528 #endif
529  char my_exec_path[MAXPGPATH];
530  char pkglib_path[MAXPGPATH];
531  char ExtraOptions[MAXPGPATH];
532 } BackendParameters;
533 
534 static void read_backend_variables(char *id, Port *port);
535 static void restore_backend_variables(BackendParameters *param, Port *port);
536 
537 #ifndef WIN32
538 static bool save_backend_variables(BackendParameters *param, Port *port);
539 #else
540 static bool save_backend_variables(BackendParameters *param, Port *port,
541  HANDLE childProcess, pid_t childPid);
542 #endif
543 
544 static void ShmemBackendArrayAdd(Backend *bn);
545 static void ShmemBackendArrayRemove(Backend *bn);
546 #endif /* EXEC_BACKEND */
547 
548 #define StartupDataBase() StartChildProcess(StartupProcess)
549 #define StartBackgroundWriter() StartChildProcess(BgWriterProcess)
550 #define StartCheckpointer() StartChildProcess(CheckpointerProcess)
551 #define StartWalWriter() StartChildProcess(WalWriterProcess)
552 #define StartWalReceiver() StartChildProcess(WalReceiverProcess)
553 
554 /* Macros to check exit status of a child process */
555 #define EXIT_STATUS_0(st) ((st) == 0)
556 #define EXIT_STATUS_1(st) (WIFEXITED(st) && WEXITSTATUS(st) == 1)
557 #define EXIT_STATUS_3(st) (WIFEXITED(st) && WEXITSTATUS(st) == 3)
558 
559 #ifndef WIN32
560 /*
561  * File descriptors for pipe used to monitor if postmaster is alive.
562  * First is POSTMASTER_FD_WATCH, second is POSTMASTER_FD_OWN.
563  */
564 int postmaster_alive_fds[2] = {-1, -1};
565 #else
566 /* Process handle of postmaster used for the same purpose on Windows */
567 HANDLE PostmasterHandle;
568 #endif
569 
570 /*
571  * Postmaster main entry point
572  */
573 void
574 PostmasterMain(int argc, char *argv[])
575 {
576  int opt;
577  int status;
578  char *userDoption = NULL;
579  bool listen_addr_saved = false;
580  int i;
581  char *output_config_variable = NULL;
582 
583  MyProcPid = PostmasterPid = getpid();
584 
585  MyStartTime = time(NULL);
586 
588 
589  /*
590  * for security, no dir or file created can be group or other accessible
591  */
592  umask(S_IRWXG | S_IRWXO);
593 
594  /*
595  * Initialize random(3) so we don't get the same values in every run.
596  *
597  * Note: the seed is pretty predictable from externally-visible facts such
598  * as postmaster start time, so avoid using random() for security-critical
599  * random values during postmaster startup. At the time of first
600  * connection, PostmasterRandom will select a hopefully-more-random seed.
601  */
602  srandom((unsigned int) (MyProcPid ^ MyStartTime));
603 
604  /*
605  * By default, palloc() requests in the postmaster will be allocated in
606  * the PostmasterContext, which is space that can be recycled by backends.
607  * Allocated data that needs to be available to backends should be
608  * allocated in TopMemoryContext.
609  */
611  "Postmaster",
614 
615  /* Initialize paths to installation files */
616  getInstallationPaths(argv[0]);
617 
618  /*
619  * Set up signal handlers for the postmaster process.
620  *
621  * In the postmaster, we want to install non-ignored handlers *without*
622  * SA_RESTART. This is because they'll be blocked at all times except
623  * when ServerLoop is waiting for something to happen, and during that
624  * window, we want signals to exit the select(2) wait so that ServerLoop
625  * can respond if anything interesting happened. On some platforms,
626  * signals marked SA_RESTART would not cause the select() wait to end.
627  * Child processes will generally want SA_RESTART, but we expect them to
628  * set up their own handlers before unblocking signals.
629  *
630  * CAUTION: when changing this list, check for side-effects on the signal
631  * handling setup of child processes. See tcop/postgres.c,
632  * bootstrap/bootstrap.c, postmaster/bgwriter.c, postmaster/walwriter.c,
633  * postmaster/autovacuum.c, postmaster/pgarch.c, postmaster/pgstat.c,
634  * postmaster/syslogger.c, postmaster/bgworker.c and
635  * postmaster/checkpointer.c.
636  */
637  pqinitmask();
639 
640  pqsignal_no_restart(SIGHUP, SIGHUP_handler); /* reread config file and
641  * have children do same */
642  pqsignal_no_restart(SIGINT, pmdie); /* send SIGTERM and shut down */
643  pqsignal_no_restart(SIGQUIT, pmdie); /* send SIGQUIT and die */
644  pqsignal_no_restart(SIGTERM, pmdie); /* wait for children and shut down */
645  pqsignal(SIGALRM, SIG_IGN); /* ignored */
646  pqsignal(SIGPIPE, SIG_IGN); /* ignored */
647  pqsignal_no_restart(SIGUSR1, sigusr1_handler); /* message from child
648  * process */
649  pqsignal_no_restart(SIGUSR2, dummy_handler); /* unused, reserve for
650  * children */
651  pqsignal_no_restart(SIGCHLD, reaper); /* handle child termination */
652  pqsignal(SIGTTIN, SIG_IGN); /* ignored */
653  pqsignal(SIGTTOU, SIG_IGN); /* ignored */
654  /* ignore SIGXFSZ, so that ulimit violations work like disk full */
655 #ifdef SIGXFSZ
656  pqsignal(SIGXFSZ, SIG_IGN); /* ignored */
657 #endif
658 
659  /*
660  * Options setup
661  */
663 
664  opterr = 1;
665 
666  /*
667  * Parse command-line options. CAUTION: keep this in sync with
668  * tcop/postgres.c (the option sets should not conflict) and with the
669  * common help() function in main/main.c.
670  */
671  while ((opt = getopt(argc, argv, "B:bc:C:D:d:EeFf:h:ijk:lN:nOo:Pp:r:S:sTt:W:-:")) != -1)
672  {
673  switch (opt)
674  {
675  case 'B':
676  SetConfigOption("shared_buffers", optarg, PGC_POSTMASTER, PGC_S_ARGV);
677  break;
678 
679  case 'b':
680  /* Undocumented flag used for binary upgrades */
681  IsBinaryUpgrade = true;
682  break;
683 
684  case 'C':
685  output_config_variable = strdup(optarg);
686  break;
687 
688  case 'D':
689  userDoption = strdup(optarg);
690  break;
691 
692  case 'd':
694  break;
695 
696  case 'E':
697  SetConfigOption("log_statement", "all", PGC_POSTMASTER, PGC_S_ARGV);
698  break;
699 
700  case 'e':
701  SetConfigOption("datestyle", "euro", PGC_POSTMASTER, PGC_S_ARGV);
702  break;
703 
704  case 'F':
705  SetConfigOption("fsync", "false", PGC_POSTMASTER, PGC_S_ARGV);
706  break;
707 
708  case 'f':
710  {
711  write_stderr("%s: invalid argument for option -f: \"%s\"\n",
712  progname, optarg);
713  ExitPostmaster(1);
714  }
715  break;
716 
717  case 'h':
718  SetConfigOption("listen_addresses", optarg, PGC_POSTMASTER, PGC_S_ARGV);
719  break;
720 
721  case 'i':
722  SetConfigOption("listen_addresses", "*", PGC_POSTMASTER, PGC_S_ARGV);
723  break;
724 
725  case 'j':
726  /* only used by interactive backend */
727  break;
728 
729  case 'k':
730  SetConfigOption("unix_socket_directories", optarg, PGC_POSTMASTER, PGC_S_ARGV);
731  break;
732 
733  case 'l':
734  SetConfigOption("ssl", "true", PGC_POSTMASTER, PGC_S_ARGV);
735  break;
736 
737  case 'N':
738  SetConfigOption("max_connections", optarg, PGC_POSTMASTER, PGC_S_ARGV);
739  break;
740 
741  case 'n':
742  /* Don't reinit shared mem after abnormal exit */
743  Reinit = false;
744  break;
745 
746  case 'O':
747  SetConfigOption("allow_system_table_mods", "true", PGC_POSTMASTER, PGC_S_ARGV);
748  break;
749 
750  case 'o':
751  /* Other options to pass to the backend on the command line */
753  sizeof(ExtraOptions) - strlen(ExtraOptions),
754  " %s", optarg);
755  break;
756 
757  case 'P':
758  SetConfigOption("ignore_system_indexes", "true", PGC_POSTMASTER, PGC_S_ARGV);
759  break;
760 
761  case 'p':
763  break;
764 
765  case 'r':
766  /* only used by single-user backend */
767  break;
768 
769  case 'S':
771  break;
772 
773  case 's':
774  SetConfigOption("log_statement_stats", "true", PGC_POSTMASTER, PGC_S_ARGV);
775  break;
776 
777  case 'T':
778 
779  /*
780  * In the event that some backend dumps core, send SIGSTOP,
781  * rather than SIGQUIT, to all its peers. This lets the wily
782  * post_hacker collect core dumps from everyone.
783  */
784  SendStop = true;
785  break;
786 
787  case 't':
788  {
789  const char *tmp = get_stats_option_name(optarg);
790 
791  if (tmp)
792  {
794  }
795  else
796  {
797  write_stderr("%s: invalid argument for option -t: \"%s\"\n",
798  progname, optarg);
799  ExitPostmaster(1);
800  }
801  break;
802  }
803 
804  case 'W':
805  SetConfigOption("post_auth_delay", optarg, PGC_POSTMASTER, PGC_S_ARGV);
806  break;
807 
808  case 'c':
809  case '-':
810  {
811  char *name,
812  *value;
813 
814  ParseLongOption(optarg, &name, &value);
815  if (!value)
816  {
817  if (opt == '-')
818  ereport(ERROR,
819  (errcode(ERRCODE_SYNTAX_ERROR),
820  errmsg("--%s requires a value",
821  optarg)));
822  else
823  ereport(ERROR,
824  (errcode(ERRCODE_SYNTAX_ERROR),
825  errmsg("-c %s requires a value",
826  optarg)));
827  }
828 
830  free(name);
831  if (value)
832  free(value);
833  break;
834  }
835 
836  default:
837  write_stderr("Try \"%s --help\" for more information.\n",
838  progname);
839  ExitPostmaster(1);
840  }
841  }
842 
843  /*
844  * Postmaster accepts no non-option switch arguments.
845  */
846  if (optind < argc)
847  {
848  write_stderr("%s: invalid argument: \"%s\"\n",
849  progname, argv[optind]);
850  write_stderr("Try \"%s --help\" for more information.\n",
851  progname);
852  ExitPostmaster(1);
853  }
854 
855  /*
856  * Locate the proper configuration files and data directory, and read
857  * postgresql.conf for the first time.
858  */
859  if (!SelectConfigFiles(userDoption, progname))
860  ExitPostmaster(2);
861 
862  if (output_config_variable != NULL)
863  {
864  /*
865  * "-C guc" was specified, so print GUC's value and exit. No extra
866  * permission check is needed because the user is reading inside the
867  * data dir.
868  */
869  const char *config_val = GetConfigOption(output_config_variable,
870  false, false);
871 
872  puts(config_val ? config_val : "");
873  ExitPostmaster(0);
874  }
875 
876  /* Verify that DataDir looks reasonable */
877  checkDataDir();
878 
879  /* And switch working directory into it */
880  ChangeToDataDir();
881 
882  /*
883  * Check for invalid combinations of GUC settings.
884  */
886  {
887  write_stderr("%s: superuser_reserved_connections must be less than max_connections\n", progname);
888  ExitPostmaster(1);
889  }
891  {
892  write_stderr("%s: max_wal_senders must be less than max_connections\n", progname);
893  ExitPostmaster(1);
894  }
896  ereport(ERROR,
897  (errmsg("WAL archival cannot be enabled when wal_level is \"minimal\"")));
899  ereport(ERROR,
900  (errmsg("WAL streaming (max_wal_senders > 0) requires wal_level \"replica\" or \"logical\"")));
901 
902  /*
903  * Other one-time internal sanity checks can go here, if they are fast.
904  * (Put any slow processing further down, after postmaster.pid creation.)
905  */
906  if (!CheckDateTokenTables())
907  {
908  write_stderr("%s: invalid datetoken tables, please fix\n", progname);
909  ExitPostmaster(1);
910  }
911 
912  /*
913  * Now that we are done processing the postmaster arguments, reset
914  * getopt(3) library so that it will work correctly in subprocesses.
915  */
916  optind = 1;
917 #ifdef HAVE_INT_OPTRESET
918  optreset = 1; /* some systems need this too */
919 #endif
920 
921  /* For debugging: display postmaster environment */
922  {
923  extern char **environ;
924  char **p;
925 
926  ereport(DEBUG3,
927  (errmsg_internal("%s: PostmasterMain: initial environment dump:",
928  progname)));
929  ereport(DEBUG3,
930  (errmsg_internal("-----------------------------------------")));
931  for (p = environ; *p; ++p)
932  ereport(DEBUG3,
933  (errmsg_internal("\t%s", *p)));
934  ereport(DEBUG3,
935  (errmsg_internal("-----------------------------------------")));
936  }
937 
938  /*
939  * Create lockfile for data directory.
940  *
941  * We want to do this before we try to grab the input sockets, because the
942  * data directory interlock is more reliable than the socket-file
943  * interlock (thanks to whoever decided to put socket files in /tmp :-().
944  * For the same reason, it's best to grab the TCP socket(s) before the
945  * Unix socket(s).
946  *
947  * Also note that this internally sets up the on_proc_exit function that
948  * is responsible for removing both data directory and socket lockfiles;
949  * so it must happen before opening sockets so that at exit, the socket
950  * lockfiles go away after CloseServerPorts runs.
951  */
952  CreateDataDirLockFile(true);
953 
954  /* read control file (error checking and contains config) */
956 
957  /*
958  * Initialize SSL library, if specified.
959  */
960 #ifdef USE_SSL
961  if (EnableSSL)
962  {
963  (void) secure_initialize(true);
964  LoadedSSL = true;
965  }
966 #endif
967 
968  /*
969  * Register the apply launcher. Since it registers a background worker,
970  * it needs to be called before InitializeMaxBackends(), and it's probably
971  * a good idea to call it before any modules had chance to take the
972  * background worker slots.
973  */
975 
976  /*
977  * process any libraries that should be preloaded at postmaster start
978  */
980 
981  /*
982  * Now that loadable modules have had their chance to register background
983  * workers, calculate MaxBackends.
984  */
986 
987  /*
988  * Establish input sockets.
989  *
990  * First, mark them all closed, and set up an on_proc_exit function that's
991  * charged with closing the sockets again at postmaster shutdown.
992  */
993  for (i = 0; i < MAXLISTEN; i++)
995 
997 
998  if (ListenAddresses)
999  {
1000  char *rawstring;
1001  List *elemlist;
1002  ListCell *l;
1003  int success = 0;
1004 
1005  /* Need a modifiable copy of ListenAddresses */
1006  rawstring = pstrdup(ListenAddresses);
1007 
1008  /* Parse string into list of hostnames */
1009  if (!SplitIdentifierString(rawstring, ',', &elemlist))
1010  {
1011  /* syntax error in list */
1012  ereport(FATAL,
1013  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1014  errmsg("invalid list syntax in parameter \"%s\"",
1015  "listen_addresses")));
1016  }
1017 
1018  foreach(l, elemlist)
1019  {
1020  char *curhost = (char *) lfirst(l);
1021 
1022  if (strcmp(curhost, "*") == 0)
1023  status = StreamServerPort(AF_UNSPEC, NULL,
1024  (unsigned short) PostPortNumber,
1025  NULL,
1027  else
1028  status = StreamServerPort(AF_UNSPEC, curhost,
1029  (unsigned short) PostPortNumber,
1030  NULL,
1031  ListenSocket, MAXLISTEN);
1032 
1033  if (status == STATUS_OK)
1034  {
1035  success++;
1036  /* record the first successful host addr in lockfile */
1037  if (!listen_addr_saved)
1038  {
1040  listen_addr_saved = true;
1041  }
1042  }
1043  else
1044  ereport(WARNING,
1045  (errmsg("could not create listen socket for \"%s\"",
1046  curhost)));
1047  }
1048 
1049  if (!success && elemlist != NIL)
1050  ereport(FATAL,
1051  (errmsg("could not create any TCP/IP sockets")));
1052 
1053  list_free(elemlist);
1054  pfree(rawstring);
1055  }
1056 
1057 #ifdef USE_BONJOUR
1058  /* Register for Bonjour only if we opened TCP socket(s) */
1060  {
1061  DNSServiceErrorType err;
1062 
1063  /*
1064  * We pass 0 for interface_index, which will result in registering on
1065  * all "applicable" interfaces. It's not entirely clear from the
1066  * DNS-SD docs whether this would be appropriate if we have bound to
1067  * just a subset of the available network interfaces.
1068  */
1069  err = DNSServiceRegister(&bonjour_sdref,
1070  0,
1071  0,
1072  bonjour_name,
1073  "_postgresql._tcp.",
1074  NULL,
1075  NULL,
1077  0,
1078  NULL,
1079  NULL,
1080  NULL);
1081  if (err != kDNSServiceErr_NoError)
1082  elog(LOG, "DNSServiceRegister() failed: error code %ld",
1083  (long) err);
1084 
1085  /*
1086  * We don't bother to read the mDNS daemon's reply, and we expect that
1087  * it will automatically terminate our registration when the socket is
1088  * closed at postmaster termination. So there's nothing more to be
1089  * done here. However, the bonjour_sdref is kept around so that
1090  * forked children can close their copies of the socket.
1091  */
1092  }
1093 #endif
1094 
1095 #ifdef HAVE_UNIX_SOCKETS
1097  {
1098  char *rawstring;
1099  List *elemlist;
1100  ListCell *l;
1101  int success = 0;
1102 
1103  /* Need a modifiable copy of Unix_socket_directories */
1104  rawstring = pstrdup(Unix_socket_directories);
1105 
1106  /* Parse string into list of directories */
1107  if (!SplitDirectoriesString(rawstring, ',', &elemlist))
1108  {
1109  /* syntax error in list */
1110  ereport(FATAL,
1111  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1112  errmsg("invalid list syntax in parameter \"%s\"",
1113  "unix_socket_directories")));
1114  }
1115 
1116  foreach(l, elemlist)
1117  {
1118  char *socketdir = (char *) lfirst(l);
1119 
1120  status = StreamServerPort(AF_UNIX, NULL,
1121  (unsigned short) PostPortNumber,
1122  socketdir,
1123  ListenSocket, MAXLISTEN);
1124 
1125  if (status == STATUS_OK)
1126  {
1127  success++;
1128  /* record the first successful Unix socket in lockfile */
1129  if (success == 1)
1131  }
1132  else
1133  ereport(WARNING,
1134  (errmsg("could not create Unix-domain socket in directory \"%s\"",
1135  socketdir)));
1136  }
1137 
1138  if (!success && elemlist != NIL)
1139  ereport(FATAL,
1140  (errmsg("could not create any Unix-domain sockets")));
1141 
1142  list_free_deep(elemlist);
1143  pfree(rawstring);
1144  }
1145 #endif
1146 
1147  /*
1148  * check that we have some socket to listen on
1149  */
1150  if (ListenSocket[0] == PGINVALID_SOCKET)
1151  ereport(FATAL,
1152  (errmsg("no socket created for listening")));
1153 
1154  /*
1155  * If no valid TCP ports, write an empty line for listen address,
1156  * indicating the Unix socket must be used. Note that this line is not
1157  * added to the lock file until there is a socket backing it.
1158  */
1159  if (!listen_addr_saved)
1161 
1162  /*
1163  * Set up shared memory and semaphores.
1164  */
1166 
1167  /*
1168  * Estimate number of openable files. This must happen after setting up
1169  * semaphores, because on some platforms semaphores count as open files.
1170  */
1171  set_max_safe_fds();
1172 
1173  /*
1174  * Set reference point for stack-depth checking.
1175  */
1176  set_stack_base();
1177 
1178  /*
1179  * Initialize pipe (or process handle on Windows) that allows children to
1180  * wake up from sleep on postmaster death.
1181  */
1183 
1184 #ifdef WIN32
1185 
1186  /*
1187  * Initialize I/O completion port used to deliver list of dead children.
1188  */
1189  win32ChildQueue = CreateIoCompletionPort(INVALID_HANDLE_VALUE, NULL, 0, 1);
1190  if (win32ChildQueue == NULL)
1191  ereport(FATAL,
1192  (errmsg("could not create I/O completion port for child queue")));
1193 #endif
1194 
1195  /*
1196  * Record postmaster options. We delay this till now to avoid recording
1197  * bogus options (eg, NBuffers too high for available memory).
1198  */
1199  if (!CreateOptsFile(argc, argv, my_exec_path))
1200  ExitPostmaster(1);
1201 
1202 #ifdef EXEC_BACKEND
1203  /* Write out nondefault GUC settings for child processes to use */
1204  write_nondefault_variables(PGC_POSTMASTER);
1205 #endif
1206 
1207  /*
1208  * Write the external PID file if requested
1209  */
1210  if (external_pid_file)
1211  {
1212  FILE *fpidfile = fopen(external_pid_file, "w");
1213 
1214  if (fpidfile)
1215  {
1216  fprintf(fpidfile, "%d\n", MyProcPid);
1217  fclose(fpidfile);
1218 
1219  /* Make PID file world readable */
1220  if (chmod(external_pid_file, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) != 0)
1221  write_stderr("%s: could not change permissions of external PID file \"%s\": %s\n",
1223  }
1224  else
1225  write_stderr("%s: could not write external PID file \"%s\": %s\n",
1227 
1229  }
1230 
1231  /*
1232  * Remove old temporary files. At this point there can be no other
1233  * Postgres processes running in this directory, so this should be safe.
1234  */
1236 
1237  /*
1238  * Forcibly remove the files signaling a standby promotion request.
1239  * Otherwise, the existence of those files triggers a promotion too early,
1240  * whether a user wants that or not.
1241  *
1242  * This removal of files is usually unnecessary because they can exist
1243  * only during a few moments during a standby promotion. However there is
1244  * a race condition: if pg_ctl promote is executed and creates the files
1245  * during a promotion, the files can stay around even after the server is
1246  * brought up to new master. Then, if new standby starts by using the
1247  * backup taken from that master, the files can exist at the server
1248  * startup and should be removed in order to avoid an unexpected
1249  * promotion.
1250  *
1251  * Note that promotion signal files need to be removed before the startup
1252  * process is invoked. Because, after that, they can be used by
1253  * postmaster's SIGUSR1 signal handler.
1254  */
1256 
1257  /* Remove any outdated file holding the current log filenames. */
1258  if (unlink(LOG_METAINFO_DATAFILE) < 0 && errno != ENOENT)
1259  ereport(LOG,
1261  errmsg("could not remove file \"%s\": %m",
1263 
1264  /*
1265  * If enabled, start up syslogger collection subprocess
1266  */
1268 
1269  /*
1270  * Reset whereToSendOutput from DestDebug (its starting state) to
1271  * DestNone. This stops ereport from sending log messages to stderr unless
1272  * Log_destination permits. We don't do this until the postmaster is
1273  * fully launched, since startup failures may as well be reported to
1274  * stderr.
1275  *
1276  * If we are in fact disabling logging to stderr, first emit a log message
1277  * saying so, to provide a breadcrumb trail for users who may not remember
1278  * that their logging is configured to go somewhere else.
1279  */
1281  ereport(LOG,
1282  (errmsg("ending log output to stderr"),
1283  errhint("Future log output will go to log destination \"%s\".",
1285 
1287 
1288  /*
1289  * Initialize stats collection subsystem (this does NOT start the
1290  * collector process!)
1291  */
1292  pgstat_init();
1293 
1294  /*
1295  * Initialize the autovacuum subsystem (again, no process start yet)
1296  */
1297  autovac_init();
1298 
1299  /*
1300  * Load configuration files for client authentication.
1301  */
1302  if (!load_hba())
1303  {
1304  /*
1305  * It makes no sense to continue if we fail to load the HBA file,
1306  * since there is no way to connect to the database in this case.
1307  */
1308  ereport(FATAL,
1309  (errmsg("could not load pg_hba.conf")));
1310  }
1311  if (!load_ident())
1312  {
1313  /*
1314  * We can start up without the IDENT file, although it means that you
1315  * cannot log in using any of the authentication methods that need a
1316  * user name mapping. load_ident() already logged the details of error
1317  * to the log.
1318  */
1319  }
1320 
1321 #ifdef HAVE_PTHREAD_IS_THREADED_NP
1322 
1323  /*
1324  * On macOS, libintl replaces setlocale() with a version that calls
1325  * CFLocaleCopyCurrent() when its second argument is "" and every relevant
1326  * environment variable is unset or empty. CFLocaleCopyCurrent() makes
1327  * the process multithreaded. The postmaster calls sigprocmask() and
1328  * calls fork() without an immediate exec(), both of which have undefined
1329  * behavior in a multithreaded program. A multithreaded postmaster is the
1330  * normal case on Windows, which offers neither fork() nor sigprocmask().
1331  */
1332  if (pthread_is_threaded_np() != 0)
1333  ereport(FATAL,
1334  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1335  errmsg("postmaster became multithreaded during startup"),
1336  errhint("Set the LC_ALL environment variable to a valid locale.")));
1337 #endif
1338 
1339  /*
1340  * Remember postmaster startup time
1341  */
1343 #ifndef HAVE_STRONG_RANDOM
1344  /* RandomCancelKey wants its own copy */
1346 #endif
1347 
1348  /*
1349  * Report postmaster status in the postmaster.pid file, to allow pg_ctl to
1350  * see what's happening.
1351  */
1353 
1354  /*
1355  * We're ready to rock and roll...
1356  */
1358  Assert(StartupPID != 0);
1360  pmState = PM_STARTUP;
1361 
1362  /* Some workers may be scheduled to start now */
1364 
1365  status = ServerLoop();
1366 
1367  /*
1368  * ServerLoop probably shouldn't ever return, but if it does, close down.
1369  */
1370  ExitPostmaster(status != STATUS_OK);
1371 
1372  abort(); /* not reached */
1373 }
1374 
1375 
1376 /*
1377  * on_proc_exit callback to close server's listen sockets
1378  */
1379 static void
1381 {
1382  int i;
1383 
1384  /*
1385  * First, explicitly close all the socket FDs. We used to just let this
1386  * happen implicitly at postmaster exit, but it's better to close them
1387  * before we remove the postmaster.pid lockfile; otherwise there's a race
1388  * condition if a new postmaster wants to re-use the TCP port number.
1389  */
1390  for (i = 0; i < MAXLISTEN; i++)
1391  {
1392  if (ListenSocket[i] != PGINVALID_SOCKET)
1393  {
1396  }
1397  }
1398 
1399  /*
1400  * Next, remove any filesystem entries for Unix sockets. To avoid race
1401  * conditions against incoming postmasters, this must happen after closing
1402  * the sockets and before removing lock files.
1403  */
1405 
1406  /*
1407  * We don't do anything about socket lock files here; those will be
1408  * removed in a later on_proc_exit callback.
1409  */
1410 }
1411 
1412 /*
1413  * on_proc_exit callback to delete external_pid_file
1414  */
1415 static void
1417 {
1418  if (external_pid_file)
1419  unlink(external_pid_file);
1420 }
1421 
1422 
1423 /*
1424  * Compute and check the directory paths to files that are part of the
1425  * installation (as deduced from the postgres executable's own location)
1426  */
1427 static void
1429 {
1430  DIR *pdir;
1431 
1432  /* Locate the postgres executable itself */
1433  if (find_my_exec(argv0, my_exec_path) < 0)
1434  elog(FATAL, "%s: could not locate my own executable path", argv0);
1435 
1436 #ifdef EXEC_BACKEND
1437  /* Locate executable backend before we change working directory */
1438  if (find_other_exec(argv0, "postgres", PG_BACKEND_VERSIONSTR,
1439  postgres_exec_path) < 0)
1440  ereport(FATAL,
1441  (errmsg("%s: could not locate matching postgres executable",
1442  argv0)));
1443 #endif
1444 
1445  /*
1446  * Locate the pkglib directory --- this has to be set early in case we try
1447  * to load any modules from it in response to postgresql.conf entries.
1448  */
1450 
1451  /*
1452  * Verify that there's a readable directory there; otherwise the Postgres
1453  * installation is incomplete or corrupt. (A typical cause of this
1454  * failure is that the postgres executable has been moved or hardlinked to
1455  * some directory that's not a sibling of the installation lib/
1456  * directory.)
1457  */
1458  pdir = AllocateDir(pkglib_path);
1459  if (pdir == NULL)
1460  ereport(ERROR,
1462  errmsg("could not open directory \"%s\": %m",
1463  pkglib_path),
1464  errhint("This may indicate an incomplete PostgreSQL installation, or that the file \"%s\" has been moved away from its proper location.",
1465  my_exec_path)));
1466  FreeDir(pdir);
1467 
1468  /*
1469  * XXX is it worth similarly checking the share/ directory? If the lib/
1470  * directory is there, then share/ probably is too.
1471  */
1472 }
1473 
1474 
1475 /*
1476  * Validate the proposed data directory
1477  */
1478 static void
1480 {
1481  char path[MAXPGPATH];
1482  FILE *fp;
1483  struct stat stat_buf;
1484 
1485  Assert(DataDir);
1486 
1487  if (stat(DataDir, &stat_buf) != 0)
1488  {
1489  if (errno == ENOENT)
1490  ereport(FATAL,
1492  errmsg("data directory \"%s\" does not exist",
1493  DataDir)));
1494  else
1495  ereport(FATAL,
1497  errmsg("could not read permissions of directory \"%s\": %m",
1498  DataDir)));
1499  }
1500 
1501  /* eventual chdir would fail anyway, but let's test ... */
1502  if (!S_ISDIR(stat_buf.st_mode))
1503  ereport(FATAL,
1504  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1505  errmsg("specified data directory \"%s\" is not a directory",
1506  DataDir)));
1507 
1508  /*
1509  * Check that the directory belongs to my userid; if not, reject.
1510  *
1511  * This check is an essential part of the interlock that prevents two
1512  * postmasters from starting in the same directory (see CreateLockFile()).
1513  * Do not remove or weaken it.
1514  *
1515  * XXX can we safely enable this check on Windows?
1516  */
1517 #if !defined(WIN32) && !defined(__CYGWIN__)
1518  if (stat_buf.st_uid != geteuid())
1519  ereport(FATAL,
1520  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1521  errmsg("data directory \"%s\" has wrong ownership",
1522  DataDir),
1523  errhint("The server must be started by the user that owns the data directory.")));
1524 #endif
1525 
1526  /*
1527  * Check if the directory has group or world access. If so, reject.
1528  *
1529  * It would be possible to allow weaker constraints (for example, allow
1530  * group access) but we cannot make a general assumption that that is
1531  * okay; for example there are platforms where nearly all users
1532  * customarily belong to the same group. Perhaps this test should be
1533  * configurable.
1534  *
1535  * XXX temporarily suppress check when on Windows, because there may not
1536  * be proper support for Unix-y file permissions. Need to think of a
1537  * reasonable check to apply on Windows.
1538  */
1539 #if !defined(WIN32) && !defined(__CYGWIN__)
1540  if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))
1541  ereport(FATAL,
1542  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1543  errmsg("data directory \"%s\" has group or world access",
1544  DataDir),
1545  errdetail("Permissions should be u=rwx (0700).")));
1546 #endif
1547 
1548  /* Look for PG_VERSION before looking for pg_control */
1550 
1551  snprintf(path, sizeof(path), "%s/global/pg_control", DataDir);
1552 
1553  fp = AllocateFile(path, PG_BINARY_R);
1554  if (fp == NULL)
1555  {
1556  write_stderr("%s: could not find the database system\n"
1557  "Expected to find it in the directory \"%s\",\n"
1558  "but could not open file \"%s\": %s\n",
1559  progname, DataDir, path, strerror(errno));
1560  ExitPostmaster(2);
1561  }
1562  FreeFile(fp);
1563 }
1564 
1565 /*
1566  * Determine how long should we let ServerLoop sleep.
1567  *
1568  * In normal conditions we wait at most one minute, to ensure that the other
1569  * background tasks handled by ServerLoop get done even when no requests are
1570  * arriving. However, if there are background workers waiting to be started,
1571  * we don't actually sleep so that they are quickly serviced. Other exception
1572  * cases are as shown in the code.
1573  */
1574 static void
1575 DetermineSleepTime(struct timeval *timeout)
1576 {
1577  TimestampTz next_wakeup = 0;
1578 
1579  /*
1580  * Normal case: either there are no background workers at all, or we're in
1581  * a shutdown sequence (during which we ignore bgworkers altogether).
1582  */
1583  if (Shutdown > NoShutdown ||
1585  {
1586  if (AbortStartTime != 0)
1587  {
1588  /* time left to abort; clamp to 0 in case it already expired */
1589  timeout->tv_sec = SIGKILL_CHILDREN_AFTER_SECS -
1590  (time(NULL) - AbortStartTime);
1591  timeout->tv_sec = Max(timeout->tv_sec, 0);
1592  timeout->tv_usec = 0;
1593  }
1594  else
1595  {
1596  timeout->tv_sec = 60;
1597  timeout->tv_usec = 0;
1598  }
1599  return;
1600  }
1601 
1602  if (StartWorkerNeeded)
1603  {
1604  timeout->tv_sec = 0;
1605  timeout->tv_usec = 0;
1606  return;
1607  }
1608 
1609  if (HaveCrashedWorker)
1610  {
1611  slist_mutable_iter siter;
1612 
1613  /*
1614  * When there are crashed bgworkers, we sleep just long enough that
1615  * they are restarted when they request to be. Scan the list to
1616  * determine the minimum of all wakeup times according to most recent
1617  * crash time and requested restart interval.
1618  */
1620  {
1621  RegisteredBgWorker *rw;
1622  TimestampTz this_wakeup;
1623 
1624  rw = slist_container(RegisteredBgWorker, rw_lnode, siter.cur);
1625 
1626  if (rw->rw_crashed_at == 0)
1627  continue;
1628 
1630  || rw->rw_terminate)
1631  {
1632  ForgetBackgroundWorker(&siter);
1633  continue;
1634  }
1635 
1636  this_wakeup = TimestampTzPlusMilliseconds(rw->rw_crashed_at,
1637  1000L * rw->rw_worker.bgw_restart_time);
1638  if (next_wakeup == 0 || this_wakeup < next_wakeup)
1639  next_wakeup = this_wakeup;
1640  }
1641  }
1642 
1643  if (next_wakeup != 0)
1644  {
1645  long secs;
1646  int microsecs;
1647 
1649  &secs, &microsecs);
1650  timeout->tv_sec = secs;
1651  timeout->tv_usec = microsecs;
1652 
1653  /* Ensure we don't exceed one minute */
1654  if (timeout->tv_sec > 60)
1655  {
1656  timeout->tv_sec = 60;
1657  timeout->tv_usec = 0;
1658  }
1659  }
1660  else
1661  {
1662  timeout->tv_sec = 60;
1663  timeout->tv_usec = 0;
1664  }
1665 }
1666 
1667 /*
1668  * Main idle loop of postmaster
1669  *
1670  * NB: Needs to be called with signals blocked
1671  */
1672 static int
1674 {
1675  fd_set readmask;
1676  int nSockets;
1677  time_t last_lockfile_recheck_time,
1678  last_touch_time;
1679 
1680  last_lockfile_recheck_time = last_touch_time = time(NULL);
1681 
1682  nSockets = initMasks(&readmask);
1683 
1684  for (;;)
1685  {
1686  fd_set rmask;
1687  int selres;
1688  time_t now;
1689 
1690  /*
1691  * Wait for a connection request to arrive.
1692  *
1693  * We block all signals except while sleeping. That makes it safe for
1694  * signal handlers, which again block all signals while executing, to
1695  * do nontrivial work.
1696  *
1697  * If we are in PM_WAIT_DEAD_END state, then we don't want to accept
1698  * any new connections, so we don't call select(), and just sleep.
1699  */
1700  memcpy((char *) &rmask, (char *) &readmask, sizeof(fd_set));
1701 
1702  if (pmState == PM_WAIT_DEAD_END)
1703  {
1705 
1706  pg_usleep(100000L); /* 100 msec seems reasonable */
1707  selres = 0;
1708 
1709  PG_SETMASK(&BlockSig);
1710  }
1711  else
1712  {
1713  /* must set timeout each time; some OSes change it! */
1714  struct timeval timeout;
1715 
1716  /* Needs to run with blocked signals! */
1717  DetermineSleepTime(&timeout);
1718 
1720 
1721  selres = select(nSockets, &rmask, NULL, NULL, &timeout);
1722 
1723  PG_SETMASK(&BlockSig);
1724  }
1725 
1726  /* Now check the select() result */
1727  if (selres < 0)
1728  {
1729  if (errno != EINTR && errno != EWOULDBLOCK)
1730  {
1731  ereport(LOG,
1733  errmsg("select() failed in postmaster: %m")));
1734  return STATUS_ERROR;
1735  }
1736  }
1737 
1738  /*
1739  * New connection pending on any of our sockets? If so, fork a child
1740  * process to deal with it.
1741  */
1742  if (selres > 0)
1743  {
1744  int i;
1745 
1746  for (i = 0; i < MAXLISTEN; i++)
1747  {
1748  if (ListenSocket[i] == PGINVALID_SOCKET)
1749  break;
1750  if (FD_ISSET(ListenSocket[i], &rmask))
1751  {
1752  Port *port;
1753 
1754  port = ConnCreate(ListenSocket[i]);
1755  if (port)
1756  {
1757  BackendStartup(port);
1758 
1759  /*
1760  * We no longer need the open socket or port structure
1761  * in this process
1762  */
1763  StreamClose(port->sock);
1764  ConnFree(port);
1765  }
1766  }
1767  }
1768  }
1769 
1770  /* If we have lost the log collector, try to start a new one */
1771  if (SysLoggerPID == 0 && Logging_collector)
1773 
1774  /*
1775  * If no background writer process is running, and we are not in a
1776  * state that prevents it, start one. It doesn't matter if this
1777  * fails, we'll just try again later. Likewise for the checkpointer.
1778  */
1779  if (pmState == PM_RUN || pmState == PM_RECOVERY ||
1781  {
1782  if (CheckpointerPID == 0)
1784  if (BgWriterPID == 0)
1786  }
1787 
1788  /*
1789  * Likewise, if we have lost the walwriter process, try to start a new
1790  * one. But this is needed only in normal operation (else we cannot
1791  * be writing any new WAL).
1792  */
1793  if (WalWriterPID == 0 && pmState == PM_RUN)
1795 
1796  /*
1797  * If we have lost the autovacuum launcher, try to start a new one. We
1798  * don't want autovacuum to run in binary upgrade mode because
1799  * autovacuum might update relfrozenxid for empty tables before the
1800  * physical files are put in place.
1801  */
1802  if (!IsBinaryUpgrade && AutoVacPID == 0 &&
1804  pmState == PM_RUN)
1805  {
1807  if (AutoVacPID != 0)
1808  start_autovac_launcher = false; /* signal processed */
1809  }
1810 
1811  /* If we have lost the stats collector, try to start a new one */
1812  if (PgStatPID == 0 &&
1813  (pmState == PM_RUN || pmState == PM_HOT_STANDBY))
1814  PgStatPID = pgstat_start();
1815 
1816  /* If we have lost the archiver, try to start a new one. */
1817  if (PgArchPID == 0 && PgArchStartupAllowed())
1818  PgArchPID = pgarch_start();
1819 
1820  /* If we need to signal the autovacuum launcher, do so now */
1822  {
1823  avlauncher_needs_signal = false;
1824  if (AutoVacPID != 0)
1826  }
1827 
1828  /* If we need to start a WAL receiver, try to do that now */
1831 
1832  /* Get other worker processes running, if needed */
1835 
1836 #ifdef HAVE_PTHREAD_IS_THREADED_NP
1837 
1838  /*
1839  * With assertions enabled, check regularly for appearance of
1840  * additional threads. All builds check at start and exit.
1841  */
1842  Assert(pthread_is_threaded_np() == 0);
1843 #endif
1844 
1845  /*
1846  * Lastly, check to see if it's time to do some things that we don't
1847  * want to do every single time through the loop, because they're a
1848  * bit expensive. Note that there's up to a minute of slop in when
1849  * these tasks will be performed, since DetermineSleepTime() will let
1850  * us sleep at most that long; except for SIGKILL timeout which has
1851  * special-case logic there.
1852  */
1853  now = time(NULL);
1854 
1855  /*
1856  * If we already sent SIGQUIT to children and they are slow to shut
1857  * down, it's time to send them SIGKILL. This doesn't happen
1858  * normally, but under certain conditions backends can get stuck while
1859  * shutting down. This is a last measure to get them unwedged.
1860  *
1861  * Note we also do this during recovery from a process crash.
1862  */
1863  if ((Shutdown >= ImmediateShutdown || (FatalError && !SendStop)) &&
1864  AbortStartTime != 0 &&
1866  {
1867  /* We were gentle with them before. Not anymore */
1869  /* reset flag so we don't SIGKILL again */
1870  AbortStartTime = 0;
1871  }
1872 
1873  /*
1874  * Once a minute, verify that postmaster.pid hasn't been removed or
1875  * overwritten. If it has, we force a shutdown. This avoids having
1876  * postmasters and child processes hanging around after their database
1877  * is gone, and maybe causing problems if a new database cluster is
1878  * created in the same place. It also provides some protection
1879  * against a DBA foolishly removing postmaster.pid and manually
1880  * starting a new postmaster. Data corruption is likely to ensue from
1881  * that anyway, but we can minimize the damage by aborting ASAP.
1882  */
1883  if (now - last_lockfile_recheck_time >= 1 * SECS_PER_MINUTE)
1884  {
1885  if (!RecheckDataDirLockFile())
1886  {
1887  ereport(LOG,
1888  (errmsg("performing immediate shutdown because data directory lock file is invalid")));
1890  }
1891  last_lockfile_recheck_time = now;
1892  }
1893 
1894  /*
1895  * Touch Unix socket and lock files every 58 minutes, to ensure that
1896  * they are not removed by overzealous /tmp-cleaning tasks. We assume
1897  * no one runs cleaners with cutoff times of less than an hour ...
1898  */
1899  if (now - last_touch_time >= 58 * SECS_PER_MINUTE)
1900  {
1901  TouchSocketFiles();
1903  last_touch_time = now;
1904  }
1905  }
1906 }
1907 
1908 /*
1909  * Initialise the masks for select() for the ports we are listening on.
1910  * Return the number of sockets to listen on.
1911  */
1912 static int
1913 initMasks(fd_set *rmask)
1914 {
1915  int maxsock = -1;
1916  int i;
1917 
1918  FD_ZERO(rmask);
1919 
1920  for (i = 0; i < MAXLISTEN; i++)
1921  {
1922  int fd = ListenSocket[i];
1923 
1924  if (fd == PGINVALID_SOCKET)
1925  break;
1926  FD_SET(fd, rmask);
1927 
1928  if (fd > maxsock)
1929  maxsock = fd;
1930  }
1931 
1932  return maxsock + 1;
1933 }
1934 
1935 
1936 /*
1937  * Read a client's startup packet and do something according to it.
1938  *
1939  * Returns STATUS_OK or STATUS_ERROR, or might call ereport(FATAL) and
1940  * not return at all.
1941  *
1942  * (Note that ereport(FATAL) stuff is sent to the client, so only use it
1943  * if that's what you want. Return STATUS_ERROR if you don't want to
1944  * send anything to the client, which would typically be appropriate
1945  * if we detect a communications failure.)
1946  */
1947 static int
1949 {
1950  int32 len;
1951  void *buf;
1952  ProtocolVersion proto;
1953  MemoryContext oldcontext;
1954 
1955  pq_startmsgread();
1956  if (pq_getbytes((char *) &len, 4) == EOF)
1957  {
1958  /*
1959  * EOF after SSLdone probably means the client didn't like our
1960  * response to NEGOTIATE_SSL_CODE. That's not an error condition, so
1961  * don't clutter the log with a complaint.
1962  */
1963  if (!SSLdone)
1965  (errcode(ERRCODE_PROTOCOL_VIOLATION),
1966  errmsg("incomplete startup packet")));
1967  return STATUS_ERROR;
1968  }
1969 
1970  len = pg_ntoh32(len);
1971  len -= 4;
1972 
1973  if (len < (int32) sizeof(ProtocolVersion) ||
1975  {
1977  (errcode(ERRCODE_PROTOCOL_VIOLATION),
1978  errmsg("invalid length of startup packet")));
1979  return STATUS_ERROR;
1980  }
1981 
1982  /*
1983  * Allocate at least the size of an old-style startup packet, plus one
1984  * extra byte, and make sure all are zeroes. This ensures we will have
1985  * null termination of all strings, in both fixed- and variable-length
1986  * packet layouts.
1987  */
1988  if (len <= (int32) sizeof(StartupPacket))
1989  buf = palloc0(sizeof(StartupPacket) + 1);
1990  else
1991  buf = palloc0(len + 1);
1992 
1993  if (pq_getbytes(buf, len) == EOF)
1994  {
1996  (errcode(ERRCODE_PROTOCOL_VIOLATION),
1997  errmsg("incomplete startup packet")));
1998  return STATUS_ERROR;
1999  }
2000  pq_endmsgread();
2001 
2002  /*
2003  * The first field is either a protocol version number or a special
2004  * request code.
2005  */
2006  port->proto = proto = pg_ntoh32(*((ProtocolVersion *) buf));
2007 
2008  if (proto == CANCEL_REQUEST_CODE)
2009  {
2010  processCancelRequest(port, buf);
2011  /* Not really an error, but we don't want to proceed further */
2012  return STATUS_ERROR;
2013  }
2014 
2015  if (proto == NEGOTIATE_SSL_CODE && !SSLdone)
2016  {
2017  char SSLok;
2018 
2019 #ifdef USE_SSL
2020  /* No SSL when disabled or on Unix sockets */
2021  if (!LoadedSSL || IS_AF_UNIX(port->laddr.addr.ss_family))
2022  SSLok = 'N';
2023  else
2024  SSLok = 'S'; /* Support for SSL */
2025 #else
2026  SSLok = 'N'; /* No support for SSL */
2027 #endif
2028 
2029 retry1:
2030  if (send(port->sock, &SSLok, 1, 0) != 1)
2031  {
2032  if (errno == EINTR)
2033  goto retry1; /* if interrupted, just retry */
2036  errmsg("failed to send SSL negotiation response: %m")));
2037  return STATUS_ERROR; /* close the connection */
2038  }
2039 
2040 #ifdef USE_SSL
2041  if (SSLok == 'S' && secure_open_server(port) == -1)
2042  return STATUS_ERROR;
2043 #endif
2044  /* regular startup packet, cancel, etc packet should follow... */
2045  /* but not another SSL negotiation request */
2046  return ProcessStartupPacket(port, true);
2047  }
2048 
2049  /* Could add additional special packet types here */
2050 
2051  /*
2052  * Set FrontendProtocol now so that ereport() knows what format to send if
2053  * we fail during startup.
2054  */
2055  FrontendProtocol = proto;
2056 
2057  /* Check that the major protocol version is in range. */
2060  ereport(FATAL,
2061  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2062  errmsg("unsupported frontend protocol %u.%u: server supports %u.0 to %u.%u",
2063  PG_PROTOCOL_MAJOR(proto), PG_PROTOCOL_MINOR(proto),
2067 
2068  /*
2069  * Now fetch parameters out of startup packet and save them into the Port
2070  * structure. All data structures attached to the Port struct must be
2071  * allocated in TopMemoryContext so that they will remain available in a
2072  * running backend (even after PostmasterContext is destroyed). We need
2073  * not worry about leaking this storage on failure, since we aren't in the
2074  * postmaster process anymore.
2075  */
2077 
2078  if (PG_PROTOCOL_MAJOR(proto) >= 3)
2079  {
2080  int32 offset = sizeof(ProtocolVersion);
2081  List *unrecognized_protocol_options = NIL;
2082 
2083  /*
2084  * Scan packet body for name/option pairs. We can assume any string
2085  * beginning within the packet body is null-terminated, thanks to
2086  * zeroing extra byte above.
2087  */
2088  port->guc_options = NIL;
2089 
2090  while (offset < len)
2091  {
2092  char *nameptr = ((char *) buf) + offset;
2093  int32 valoffset;
2094  char *valptr;
2095 
2096  if (*nameptr == '\0')
2097  break; /* found packet terminator */
2098  valoffset = offset + strlen(nameptr) + 1;
2099  if (valoffset >= len)
2100  break; /* missing value, will complain below */
2101  valptr = ((char *) buf) + valoffset;
2102 
2103  if (strcmp(nameptr, "database") == 0)
2104  port->database_name = pstrdup(valptr);
2105  else if (strcmp(nameptr, "user") == 0)
2106  port->user_name = pstrdup(valptr);
2107  else if (strcmp(nameptr, "options") == 0)
2108  port->cmdline_options = pstrdup(valptr);
2109  else if (strcmp(nameptr, "replication") == 0)
2110  {
2111  /*
2112  * Due to backward compatibility concerns the replication
2113  * parameter is a hybrid beast which allows the value to be
2114  * either boolean or the string 'database'. The latter
2115  * connects to a specific database which is e.g. required for
2116  * logical decoding while.
2117  */
2118  if (strcmp(valptr, "database") == 0)
2119  {
2120  am_walsender = true;
2121  am_db_walsender = true;
2122  }
2123  else if (!parse_bool(valptr, &am_walsender))
2124  ereport(FATAL,
2125  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
2126  errmsg("invalid value for parameter \"%s\": \"%s\"",
2127  "replication",
2128  valptr),
2129  errhint("Valid values are: \"false\", 0, \"true\", 1, \"database\".")));
2130  }
2131  else if (strncmp(nameptr, "_pq_.", 5) == 0)
2132  {
2133  /*
2134  * Any option beginning with _pq_. is reserved for use as a
2135  * protocol-level option, but at present no such options are
2136  * defined.
2137  */
2138  unrecognized_protocol_options =
2139  lappend(unrecognized_protocol_options, pstrdup(nameptr));
2140  }
2141  else
2142  {
2143  /* Assume it's a generic GUC option */
2144  port->guc_options = lappend(port->guc_options,
2145  pstrdup(nameptr));
2146  port->guc_options = lappend(port->guc_options,
2147  pstrdup(valptr));
2148  }
2149  offset = valoffset + strlen(valptr) + 1;
2150  }
2151 
2152  /*
2153  * If we didn't find a packet terminator exactly at the end of the
2154  * given packet length, complain.
2155  */
2156  if (offset != len - 1)
2157  ereport(FATAL,
2158  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2159  errmsg("invalid startup packet layout: expected terminator as last byte")));
2160 
2161  /*
2162  * If the client requested a newer protocol version or if the client
2163  * requested any protocol options we didn't recognize, let them know
2164  * the newest minor protocol version we do support and the names of
2165  * any unrecognized options.
2166  */
2168  unrecognized_protocol_options != NIL)
2169  SendNegotiateProtocolVersion(unrecognized_protocol_options);
2170  }
2171  else
2172  {
2173  /*
2174  * Get the parameters from the old-style, fixed-width-fields startup
2175  * packet as C strings. The packet destination was cleared first so a
2176  * short packet has zeros silently added. We have to be prepared to
2177  * truncate the pstrdup result for oversize fields, though.
2178  */
2179  StartupPacket *packet = (StartupPacket *) buf;
2180 
2181  port->database_name = pstrdup(packet->database);
2182  if (strlen(port->database_name) > sizeof(packet->database))
2183  port->database_name[sizeof(packet->database)] = '\0';
2184  port->user_name = pstrdup(packet->user);
2185  if (strlen(port->user_name) > sizeof(packet->user))
2186  port->user_name[sizeof(packet->user)] = '\0';
2187  port->cmdline_options = pstrdup(packet->options);
2188  if (strlen(port->cmdline_options) > sizeof(packet->options))
2189  port->cmdline_options[sizeof(packet->options)] = '\0';
2190  port->guc_options = NIL;
2191  }
2192 
2193  /* Check a user name was given. */
2194  if (port->user_name == NULL || port->user_name[0] == '\0')
2195  ereport(FATAL,
2196  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
2197  errmsg("no PostgreSQL user name specified in startup packet")));
2198 
2199  /* The database defaults to the user name. */
2200  if (port->database_name == NULL || port->database_name[0] == '\0')
2201  port->database_name = pstrdup(port->user_name);
2202 
2203  if (Db_user_namespace)
2204  {
2205  /*
2206  * If user@, it is a global user, remove '@'. We only want to do this
2207  * if there is an '@' at the end and no earlier in the user string or
2208  * they may fake as a local user of another database attaching to this
2209  * database.
2210  */
2211  if (strchr(port->user_name, '@') ==
2212  port->user_name + strlen(port->user_name) - 1)
2213  *strchr(port->user_name, '@') = '\0';
2214  else
2215  {
2216  /* Append '@' and dbname */
2217  port->user_name = psprintf("%s@%s", port->user_name, port->database_name);
2218  }
2219  }
2220 
2221  /*
2222  * Truncate given database and user names to length of a Postgres name.
2223  * This avoids lookup failures when overlength names are given.
2224  */
2225  if (strlen(port->database_name) >= NAMEDATALEN)
2226  port->database_name[NAMEDATALEN - 1] = '\0';
2227  if (strlen(port->user_name) >= NAMEDATALEN)
2228  port->user_name[NAMEDATALEN - 1] = '\0';
2229 
2230  /*
2231  * Normal walsender backends, e.g. for streaming replication, are not
2232  * connected to a particular database. But walsenders used for logical
2233  * replication need to connect to a specific database. We allow streaming
2234  * replication commands to be issued even if connected to a database as it
2235  * can make sense to first make a basebackup and then stream changes
2236  * starting from that.
2237  */
2238  if (am_walsender && !am_db_walsender)
2239  port->database_name[0] = '\0';
2240 
2241  /*
2242  * Done putting stuff in TopMemoryContext.
2243  */
2244  MemoryContextSwitchTo(oldcontext);
2245 
2246  /*
2247  * If we're going to reject the connection due to database state, say so
2248  * now instead of wasting cycles on an authentication exchange. (This also
2249  * allows a pg_ping utility to be written.)
2250  */
2251  switch (port->canAcceptConnections)
2252  {
2253  case CAC_STARTUP:
2254  ereport(FATAL,
2256  errmsg("the database system is starting up")));
2257  break;
2258  case CAC_SHUTDOWN:
2259  ereport(FATAL,
2261  errmsg("the database system is shutting down")));
2262  break;
2263  case CAC_RECOVERY:
2264  ereport(FATAL,
2266  errmsg("the database system is in recovery mode")));
2267  break;
2268  case CAC_TOOMANY:
2269  ereport(FATAL,
2270  (errcode(ERRCODE_TOO_MANY_CONNECTIONS),
2271  errmsg("sorry, too many clients already")));
2272  break;
2273  case CAC_WAITBACKUP:
2274  /* OK for now, will check in InitPostgres */
2275  break;
2276  case CAC_OK:
2277  break;
2278  }
2279 
2280  return STATUS_OK;
2281 }
2282 
2283 /*
2284  * Send a NegotiateProtocolVersion to the client. This lets the client know
2285  * that they have requested a newer minor protocol version than we are able
2286  * to speak. We'll speak the highest version we know about; the client can,
2287  * of course, abandon the connection if that's a problem.
2288  *
2289  * We also include in the response a list of protocol options we didn't
2290  * understand. This allows clients to include optional parameters that might
2291  * be present either in newer protocol versions or third-party protocol
2292  * extensions without fear of having to reconnect if those options are not
2293  * understood, while at the same time making certain that the client is aware
2294  * of which options were actually accepted.
2295  */
2296 static void
2297 SendNegotiateProtocolVersion(List *unrecognized_protocol_options)
2298 {
2300  ListCell *lc;
2301 
2302  pq_beginmessage(&buf, 'v'); /* NegotiateProtocolVersion */
2304  pq_sendint32(&buf, list_length(unrecognized_protocol_options));
2305  foreach(lc, unrecognized_protocol_options)
2306  pq_sendstring(&buf, lfirst(lc));
2307  pq_endmessage(&buf);
2308 
2309  /* no need to flush, some other message will follow */
2310 }
2311 
2312 /*
2313  * The client has sent a cancel request packet, not a normal
2314  * start-a-new-connection packet. Perform the necessary processing.
2315  * Nothing is sent back to the client.
2316  */
2317 static void
2319 {
2320  CancelRequestPacket *canc = (CancelRequestPacket *) pkt;
2321  int backendPID;
2322  int32 cancelAuthCode;
2323  Backend *bp;
2324 
2325 #ifndef EXEC_BACKEND
2326  dlist_iter iter;
2327 #else
2328  int i;
2329 #endif
2330 
2331  backendPID = (int) pg_ntoh32(canc->backendPID);
2332  cancelAuthCode = (int32) pg_ntoh32(canc->cancelAuthCode);
2333 
2334  /*
2335  * See if we have a matching backend. In the EXEC_BACKEND case, we can no
2336  * longer access the postmaster's own backend list, and must rely on the
2337  * duplicate array in shared memory.
2338  */
2339 #ifndef EXEC_BACKEND
2340  dlist_foreach(iter, &BackendList)
2341  {
2342  bp = dlist_container(Backend, elem, iter.cur);
2343 #else
2344  for (i = MaxLivePostmasterChildren() - 1; i >= 0; i--)
2345  {
2346  bp = (Backend *) &ShmemBackendArray[i];
2347 #endif
2348  if (bp->pid == backendPID)
2349  {
2350  if (bp->cancel_key == cancelAuthCode)
2351  {
2352  /* Found a match; signal that backend to cancel current op */
2353  ereport(DEBUG2,
2354  (errmsg_internal("processing cancel request: sending SIGINT to process %d",
2355  backendPID)));
2356  signal_child(bp->pid, SIGINT);
2357  }
2358  else
2359  /* Right PID, wrong key: no way, Jose */
2360  ereport(LOG,
2361  (errmsg("wrong key in cancel request for process %d",
2362  backendPID)));
2363  return;
2364  }
2365  }
2366 
2367  /* No matching backend */
2368  ereport(LOG,
2369  (errmsg("PID %d in cancel request did not match any process",
2370  backendPID)));
2371 }
2372 
2373 /*
2374  * canAcceptConnections --- check to see if database state allows connections.
2375  */
2376 static CAC_state
2378 {
2379  CAC_state result = CAC_OK;
2380 
2381  /*
2382  * Can't start backends when in startup/shutdown/inconsistent recovery
2383  * state.
2384  *
2385  * In state PM_WAIT_BACKUP only superusers can connect (this must be
2386  * allowed so that a superuser can end online backup mode); we return
2387  * CAC_WAITBACKUP code to indicate that this must be checked later. Note
2388  * that neither CAC_OK nor CAC_WAITBACKUP can safely be returned until we
2389  * have checked for too many children.
2390  */
2391  if (pmState != PM_RUN)
2392  {
2393  if (pmState == PM_WAIT_BACKUP)
2394  result = CAC_WAITBACKUP; /* allow superusers only */
2395  else if (Shutdown > NoShutdown)
2396  return CAC_SHUTDOWN; /* shutdown is pending */
2397  else if (!FatalError &&
2398  (pmState == PM_STARTUP ||
2399  pmState == PM_RECOVERY))
2400  return CAC_STARTUP; /* normal startup */
2401  else if (!FatalError &&
2403  result = CAC_OK; /* connection OK during hot standby */
2404  else
2405  return CAC_RECOVERY; /* else must be crash recovery */
2406  }
2407 
2408  /*
2409  * Don't start too many children.
2410  *
2411  * We allow more connections than we can have backends here because some
2412  * might still be authenticating; they might fail auth, or some existing
2413  * backend might exit before the auth cycle is completed. The exact
2414  * MaxBackends limit is enforced when a new backend tries to join the
2415  * shared-inval backend array.
2416  *
2417  * The limit here must match the sizes of the per-child-process arrays;
2418  * see comments for MaxLivePostmasterChildren().
2419  */
2421  result = CAC_TOOMANY;
2422 
2423  return result;
2424 }
2425 
2426 
2427 /*
2428  * ConnCreate -- create a local connection data structure
2429  *
2430  * Returns NULL on failure, other than out-of-memory which is fatal.
2431  */
2432 static Port *
2433 ConnCreate(int serverFd)
2434 {
2435  Port *port;
2436 
2437  if (!(port = (Port *) calloc(1, sizeof(Port))))
2438  {
2439  ereport(LOG,
2440  (errcode(ERRCODE_OUT_OF_MEMORY),
2441  errmsg("out of memory")));
2442  ExitPostmaster(1);
2443  }
2444 
2445  if (StreamConnection(serverFd, port) != STATUS_OK)
2446  {
2447  if (port->sock != PGINVALID_SOCKET)
2448  StreamClose(port->sock);
2449  ConnFree(port);
2450  return NULL;
2451  }
2452 
2453  /*
2454  * Allocate GSSAPI specific state struct
2455  */
2456 #ifndef EXEC_BACKEND
2457 #if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
2458  port->gss = (pg_gssinfo *) calloc(1, sizeof(pg_gssinfo));
2459  if (!port->gss)
2460  {
2461  ereport(LOG,
2462  (errcode(ERRCODE_OUT_OF_MEMORY),
2463  errmsg("out of memory")));
2464  ExitPostmaster(1);
2465  }
2466 #endif
2467 #endif
2468 
2469  return port;
2470 }
2471 
2472 
2473 /*
2474  * ConnFree -- free a local connection data structure
2475  */
2476 static void
2478 {
2479 #ifdef USE_SSL
2480  secure_close(conn);
2481 #endif
2482  if (conn->gss)
2483  free(conn->gss);
2484  free(conn);
2485 }
2486 
2487 
2488 /*
2489  * ClosePostmasterPorts -- close all the postmaster's open sockets
2490  *
2491  * This is called during child process startup to release file descriptors
2492  * that are not needed by that child process. The postmaster still has
2493  * them open, of course.
2494  *
2495  * Note: we pass am_syslogger as a boolean because we don't want to set
2496  * the global variable yet when this is called.
2497  */
2498 void
2500 {
2501  int i;
2502 
2503 #ifndef WIN32
2504 
2505  /*
2506  * Close the write end of postmaster death watch pipe. It's important to
2507  * do this as early as possible, so that if postmaster dies, others won't
2508  * think that it's still running because we're holding the pipe open.
2509  */
2511  ereport(FATAL,
2513  errmsg_internal("could not close postmaster death monitoring pipe in child process: %m")));
2515 #endif
2516 
2517  /* Close the listen sockets */
2518  for (i = 0; i < MAXLISTEN; i++)
2519  {
2520  if (ListenSocket[i] != PGINVALID_SOCKET)
2521  {
2524  }
2525  }
2526 
2527  /* If using syslogger, close the read side of the pipe */
2528  if (!am_syslogger)
2529  {
2530 #ifndef WIN32
2531  if (syslogPipe[0] >= 0)
2532  close(syslogPipe[0]);
2533  syslogPipe[0] = -1;
2534 #else
2535  if (syslogPipe[0])
2536  CloseHandle(syslogPipe[0]);
2537  syslogPipe[0] = 0;
2538 #endif
2539  }
2540 
2541 #ifdef USE_BONJOUR
2542  /* If using Bonjour, close the connection to the mDNS daemon */
2543  if (bonjour_sdref)
2544  close(DNSServiceRefSockFD(bonjour_sdref));
2545 #endif
2546 }
2547 
2548 
2549 /*
2550  * reset_shared -- reset shared memory and semaphores
2551  */
2552 static void
2553 reset_shared(int port)
2554 {
2555  /*
2556  * Create or re-create shared memory and semaphores.
2557  *
2558  * Note: in each "cycle of life" we will normally assign the same IPC keys
2559  * (if using SysV shmem and/or semas), since the port number is used to
2560  * determine IPC keys. This helps ensure that we will clean up dead IPC
2561  * objects if the postmaster crashes and is restarted.
2562  */
2563  CreateSharedMemoryAndSemaphores(false, port);
2564 }
2565 
2566 
2567 /*
2568  * SIGHUP -- reread config files, and tell children to do same
2569  */
2570 static void
2572 {
2573  int save_errno = errno;
2574 
2575  PG_SETMASK(&BlockSig);
2576 
2577  if (Shutdown <= SmartShutdown)
2578  {
2579  ereport(LOG,
2580  (errmsg("received SIGHUP, reloading configuration files")));
2583  if (StartupPID != 0)
2585  if (BgWriterPID != 0)
2587  if (CheckpointerPID != 0)
2589  if (WalWriterPID != 0)
2591  if (WalReceiverPID != 0)
2593  if (AutoVacPID != 0)
2595  if (PgArchPID != 0)
2597  if (SysLoggerPID != 0)
2599  if (PgStatPID != 0)
2601 
2602  /* Reload authentication config files too */
2603  if (!load_hba())
2604  ereport(LOG,
2605  (errmsg("pg_hba.conf was not reloaded")));
2606 
2607  if (!load_ident())
2608  ereport(LOG,
2609  (errmsg("pg_ident.conf was not reloaded")));
2610 
2611 #ifdef USE_SSL
2612  /* Reload SSL configuration as well */
2613  if (EnableSSL)
2614  {
2615  if (secure_initialize(false) == 0)
2616  LoadedSSL = true;
2617  else
2618  ereport(LOG,
2619  (errmsg("SSL configuration was not reloaded")));
2620  }
2621  else
2622  {
2623  secure_destroy();
2624  LoadedSSL = false;
2625  }
2626 #endif
2627 
2628 #ifdef EXEC_BACKEND
2629  /* Update the starting-point file for future children */
2630  write_nondefault_variables(PGC_SIGHUP);
2631 #endif
2632  }
2633 
2635 
2636  errno = save_errno;
2637 }
2638 
2639 
2640 /*
2641  * pmdie -- signal handler for processing various postmaster signals.
2642  */
2643 static void
2645 {
2646  int save_errno = errno;
2647 
2648  PG_SETMASK(&BlockSig);
2649 
2650  ereport(DEBUG2,
2651  (errmsg_internal("postmaster received signal %d",
2652  postgres_signal_arg)));
2653 
2654  switch (postgres_signal_arg)
2655  {
2656  case SIGTERM:
2657 
2658  /*
2659  * Smart Shutdown:
2660  *
2661  * Wait for children to end their work, then shut down.
2662  */
2663  if (Shutdown >= SmartShutdown)
2664  break;
2666  ereport(LOG,
2667  (errmsg("received smart shutdown request")));
2668 
2669  /* Report status */
2671 #ifdef USE_SYSTEMD
2672  sd_notify(0, "STOPPING=1");
2673 #endif
2674 
2675  if (pmState == PM_RUN || pmState == PM_RECOVERY ||
2677  {
2678  /* autovac workers are told to shut down immediately */
2679  /* and bgworkers too; does this need tweaking? */
2680  SignalSomeChildren(SIGTERM,
2682  /* and the autovac launcher too */
2683  if (AutoVacPID != 0)
2684  signal_child(AutoVacPID, SIGTERM);
2685  /* and the bgwriter too */
2686  if (BgWriterPID != 0)
2687  signal_child(BgWriterPID, SIGTERM);
2688  /* and the walwriter too */
2689  if (WalWriterPID != 0)
2690  signal_child(WalWriterPID, SIGTERM);
2691 
2692  /*
2693  * If we're in recovery, we can't kill the startup process
2694  * right away, because at present doing so does not release
2695  * its locks. We might want to change this in a future
2696  * release. For the time being, the PM_WAIT_READONLY state
2697  * indicates that we're waiting for the regular (read only)
2698  * backends to die off; once they do, we'll kill the startup
2699  * and walreceiver processes.
2700  */
2701  pmState = (pmState == PM_RUN) ?
2703  }
2704 
2705  /*
2706  * Now wait for online backup mode to end and backends to exit. If
2707  * that is already the case, PostmasterStateMachine will take the
2708  * next step.
2709  */
2711  break;
2712 
2713  case SIGINT:
2714 
2715  /*
2716  * Fast Shutdown:
2717  *
2718  * Abort all children with SIGTERM (rollback active transactions
2719  * and exit) and shut down when they are gone.
2720  */
2721  if (Shutdown >= FastShutdown)
2722  break;
2724  ereport(LOG,
2725  (errmsg("received fast shutdown request")));
2726 
2727  /* Report status */
2729 #ifdef USE_SYSTEMD
2730  sd_notify(0, "STOPPING=1");
2731 #endif
2732 
2733  if (StartupPID != 0)
2734  signal_child(StartupPID, SIGTERM);
2735  if (BgWriterPID != 0)
2736  signal_child(BgWriterPID, SIGTERM);
2737  if (WalReceiverPID != 0)
2738  signal_child(WalReceiverPID, SIGTERM);
2739  if (pmState == PM_RECOVERY)
2740  {
2742 
2743  /*
2744  * Only startup, bgwriter, walreceiver, possibly bgworkers,
2745  * and/or checkpointer should be active in this state; we just
2746  * signaled the first four, and we don't want to kill
2747  * checkpointer yet.
2748  */
2750  }
2751  else if (pmState == PM_RUN ||
2752  pmState == PM_WAIT_BACKUP ||
2756  {
2757  ereport(LOG,
2758  (errmsg("aborting any active transactions")));
2759  /* shut down all backends and workers */
2760  SignalSomeChildren(SIGTERM,
2763  /* and the autovac launcher too */
2764  if (AutoVacPID != 0)
2765  signal_child(AutoVacPID, SIGTERM);
2766  /* and the walwriter too */
2767  if (WalWriterPID != 0)
2768  signal_child(WalWriterPID, SIGTERM);
2770  }
2771 
2772  /*
2773  * Now wait for backends to exit. If there are none,
2774  * PostmasterStateMachine will take the next step.
2775  */
2777  break;
2778 
2779  case SIGQUIT:
2780 
2781  /*
2782  * Immediate Shutdown:
2783  *
2784  * abort all children with SIGQUIT, wait for them to exit,
2785  * terminate remaining ones with SIGKILL, then exit without
2786  * attempt to properly shut down the data base system.
2787  */
2788  if (Shutdown >= ImmediateShutdown)
2789  break;
2791  ereport(LOG,
2792  (errmsg("received immediate shutdown request")));
2793 
2794  /* Report status */
2796 #ifdef USE_SYSTEMD
2797  sd_notify(0, "STOPPING=1");
2798 #endif
2799 
2802 
2803  /* set stopwatch for them to die */
2804  AbortStartTime = time(NULL);
2805 
2806  /*
2807  * Now wait for backends to exit. If there are none,
2808  * PostmasterStateMachine will take the next step.
2809  */
2811  break;
2812  }
2813 
2815 
2816  errno = save_errno;
2817 }
2818 
2819 /*
2820  * Reaper -- signal handler to cleanup after a child process dies.
2821  */
2822 static void
2824 {
2825  int save_errno = errno;
2826  int pid; /* process id of dead child process */
2827  int exitstatus; /* its exit status */
2828 
2829  PG_SETMASK(&BlockSig);
2830 
2831  ereport(DEBUG4,
2832  (errmsg_internal("reaping dead processes")));
2833 
2834  while ((pid = waitpid(-1, &exitstatus, WNOHANG)) > 0)
2835  {
2836  /*
2837  * Check if this child was a startup process.
2838  */
2839  if (pid == StartupPID)
2840  {
2841  StartupPID = 0;
2842 
2843  /*
2844  * Startup process exited in response to a shutdown request (or it
2845  * completed normally regardless of the shutdown request).
2846  */
2847  if (Shutdown > NoShutdown &&
2848  (EXIT_STATUS_0(exitstatus) || EXIT_STATUS_1(exitstatus)))
2849  {
2852  /* PostmasterStateMachine logic does the rest */
2853  continue;
2854  }
2855 
2856  if (EXIT_STATUS_3(exitstatus))
2857  {
2858  ereport(LOG,
2859  (errmsg("shutdown at recovery target")));
2862  TerminateChildren(SIGTERM);
2864  /* PostmasterStateMachine logic does the rest */
2865  continue;
2866  }
2867 
2868  /*
2869  * Unexpected exit of startup process (including FATAL exit)
2870  * during PM_STARTUP is treated as catastrophic. There are no
2871  * other processes running yet, so we can just exit.
2872  */
2873  if (pmState == PM_STARTUP && !EXIT_STATUS_0(exitstatus))
2874  {
2875  LogChildExit(LOG, _("startup process"),
2876  pid, exitstatus);
2877  ereport(LOG,
2878  (errmsg("aborting startup due to startup process failure")));
2879  ExitPostmaster(1);
2880  }
2881 
2882  /*
2883  * After PM_STARTUP, any unexpected exit (including FATAL exit) of
2884  * the startup process is catastrophic, so kill other children,
2885  * and set StartupStatus so we don't try to reinitialize after
2886  * they're gone. Exception: if StartupStatus is STARTUP_SIGNALED,
2887  * then we previously sent the startup process a SIGQUIT; so
2888  * that's probably the reason it died, and we do want to try to
2889  * restart in that case.
2890  */
2891  if (!EXIT_STATUS_0(exitstatus))
2892  {
2895  else
2897  HandleChildCrash(pid, exitstatus,
2898  _("startup process"));
2899  continue;
2900  }
2901 
2902  /*
2903  * Startup succeeded, commence normal operations
2904  */
2906  FatalError = false;
2907  Assert(AbortStartTime == 0);
2908  ReachedNormalRunning = true;
2909  pmState = PM_RUN;
2910 
2911  /*
2912  * Crank up the background tasks, if we didn't do that already
2913  * when we entered consistent recovery state. It doesn't matter
2914  * if this fails, we'll just try again later.
2915  */
2916  if (CheckpointerPID == 0)
2918  if (BgWriterPID == 0)
2920  if (WalWriterPID == 0)
2922 
2923  /*
2924  * Likewise, start other special children as needed. In a restart
2925  * situation, some of them may be alive already.
2926  */
2929  if (PgArchStartupAllowed() && PgArchPID == 0)
2930  PgArchPID = pgarch_start();
2931  if (PgStatPID == 0)
2932  PgStatPID = pgstat_start();
2933 
2934  /* workers may be scheduled to start now */
2936 
2937  /* at this point we are really open for business */
2938  ereport(LOG,
2939  (errmsg("database system is ready to accept connections")));
2940 
2941  /* Report status */
2943 #ifdef USE_SYSTEMD
2944  sd_notify(0, "READY=1");
2945 #endif
2946 
2947  continue;
2948  }
2949 
2950  /*
2951  * Was it the bgwriter? Normal exit can be ignored; we'll start a new
2952  * one at the next iteration of the postmaster's main loop, if
2953  * necessary. Any other exit condition is treated as a crash.
2954  */
2955  if (pid == BgWriterPID)
2956  {
2957  BgWriterPID = 0;
2958  if (!EXIT_STATUS_0(exitstatus))
2959  HandleChildCrash(pid, exitstatus,
2960  _("background writer process"));
2961  continue;
2962  }
2963 
2964  /*
2965  * Was it the checkpointer?
2966  */
2967  if (pid == CheckpointerPID)
2968  {
2969  CheckpointerPID = 0;
2970  if (EXIT_STATUS_0(exitstatus) && pmState == PM_SHUTDOWN)
2971  {
2972  /*
2973  * OK, we saw normal exit of the checkpointer after it's been
2974  * told to shut down. We expect that it wrote a shutdown
2975  * checkpoint. (If for some reason it didn't, recovery will
2976  * occur on next postmaster start.)
2977  *
2978  * At this point we should have no normal backend children
2979  * left (else we'd not be in PM_SHUTDOWN state) but we might
2980  * have dead_end children to wait for.
2981  *
2982  * If we have an archiver subprocess, tell it to do a last
2983  * archive cycle and quit. Likewise, if we have walsender
2984  * processes, tell them to send any remaining WAL and quit.
2985  */
2987 
2988  /* Waken archiver for the last time */
2989  if (PgArchPID != 0)
2991 
2992  /*
2993  * Waken walsenders for the last time. No regular backends
2994  * should be around anymore.
2995  */
2997 
2999 
3000  /*
3001  * We can also shut down the stats collector now; there's
3002  * nothing left for it to do.
3003  */
3004  if (PgStatPID != 0)
3006  }
3007  else
3008  {
3009  /*
3010  * Any unexpected exit of the checkpointer (including FATAL
3011  * exit) is treated as a crash.
3012  */
3013  HandleChildCrash(pid, exitstatus,
3014  _("checkpointer process"));
3015  }
3016 
3017  continue;
3018  }
3019 
3020  /*
3021  * Was it the wal writer? Normal exit can be ignored; we'll start a
3022  * new one at the next iteration of the postmaster's main loop, if
3023  * necessary. Any other exit condition is treated as a crash.
3024  */
3025  if (pid == WalWriterPID)
3026  {
3027  WalWriterPID = 0;
3028  if (!EXIT_STATUS_0(exitstatus))
3029  HandleChildCrash(pid, exitstatus,
3030  _("WAL writer process"));
3031  continue;
3032  }
3033 
3034  /*
3035  * Was it the wal receiver? If exit status is zero (normal) or one
3036  * (FATAL exit), we assume everything is all right just like normal
3037  * backends. (If we need a new wal receiver, we'll start one at the
3038  * next iteration of the postmaster's main loop.)
3039  */
3040  if (pid == WalReceiverPID)
3041  {
3042  WalReceiverPID = 0;
3043  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3044  HandleChildCrash(pid, exitstatus,
3045  _("WAL receiver process"));
3046  continue;
3047  }
3048 
3049  /*
3050  * Was it the autovacuum launcher? Normal exit can be ignored; we'll
3051  * start a new one at the next iteration of the postmaster's main
3052  * loop, if necessary. Any other exit condition is treated as a
3053  * crash.
3054  */
3055  if (pid == AutoVacPID)
3056  {
3057  AutoVacPID = 0;
3058  if (!EXIT_STATUS_0(exitstatus))
3059  HandleChildCrash(pid, exitstatus,
3060  _("autovacuum launcher process"));
3061  continue;
3062  }
3063 
3064  /*
3065  * Was it the archiver? If so, just try to start a new one; no need
3066  * to force reset of the rest of the system. (If fail, we'll try
3067  * again in future cycles of the main loop.). Unless we were waiting
3068  * for it to shut down; don't restart it in that case, and
3069  * PostmasterStateMachine() will advance to the next shutdown step.
3070  */
3071  if (pid == PgArchPID)
3072  {
3073  PgArchPID = 0;
3074  if (!EXIT_STATUS_0(exitstatus))
3075  LogChildExit(LOG, _("archiver process"),
3076  pid, exitstatus);
3077  if (PgArchStartupAllowed())
3078  PgArchPID = pgarch_start();
3079  continue;
3080  }
3081 
3082  /*
3083  * Was it the statistics collector? If so, just try to start a new
3084  * one; no need to force reset of the rest of the system. (If fail,
3085  * we'll try again in future cycles of the main loop.)
3086  */
3087  if (pid == PgStatPID)
3088  {
3089  PgStatPID = 0;
3090  if (!EXIT_STATUS_0(exitstatus))
3091  LogChildExit(LOG, _("statistics collector process"),
3092  pid, exitstatus);
3093  if (pmState == PM_RUN || pmState == PM_HOT_STANDBY)
3094  PgStatPID = pgstat_start();
3095  continue;
3096  }
3097 
3098  /* Was it the system logger? If so, try to start a new one */
3099  if (pid == SysLoggerPID)
3100  {
3101  SysLoggerPID = 0;
3102  /* for safety's sake, launch new logger *first* */
3104  if (!EXIT_STATUS_0(exitstatus))
3105  LogChildExit(LOG, _("system logger process"),
3106  pid, exitstatus);
3107  continue;
3108  }
3109 
3110  /* Was it one of our background workers? */
3111  if (CleanupBackgroundWorker(pid, exitstatus))
3112  {
3113  /* have it be restarted */
3114  HaveCrashedWorker = true;
3115  continue;
3116  }
3117 
3118  /*
3119  * Else do standard backend child cleanup.
3120  */
3121  CleanupBackend(pid, exitstatus);
3122  } /* loop over pending child-death reports */
3123 
3124  /*
3125  * After cleaning out the SIGCHLD queue, see if we have any state changes
3126  * or actions to make.
3127  */
3129 
3130  /* Done with signal handler */
3132 
3133  errno = save_errno;
3134 }
3135 
3136 /*
3137  * Scan the bgworkers list and see if the given PID (which has just stopped
3138  * or crashed) is in it. Handle its shutdown if so, and return true. If not a
3139  * bgworker, return false.
3140  *
3141  * This is heavily based on CleanupBackend. One important difference is that
3142  * we don't know yet that the dying process is a bgworker, so we must be silent
3143  * until we're sure it is.
3144  */
3145 static bool
3147  int exitstatus) /* child's exit status */
3148 {
3149  char namebuf[MAXPGPATH];
3150  slist_mutable_iter iter;
3151 
3153  {
3154  RegisteredBgWorker *rw;
3155 
3156  rw = slist_container(RegisteredBgWorker, rw_lnode, iter.cur);
3157 
3158  if (rw->rw_pid != pid)
3159  continue;
3160 
3161 #ifdef WIN32
3162  /* see CleanupBackend */
3163  if (exitstatus == ERROR_WAIT_NO_CHILDREN)
3164  exitstatus = 0;
3165 #endif
3166 
3167  snprintf(namebuf, MAXPGPATH, _("background worker \"%s\""),
3168  rw->rw_worker.bgw_type);
3169 
3170 
3171  if (!EXIT_STATUS_0(exitstatus))
3172  {
3173  /* Record timestamp, so we know when to restart the worker. */
3175  }
3176  else
3177  {
3178  /* Zero exit status means terminate */
3179  rw->rw_crashed_at = 0;
3180  rw->rw_terminate = true;
3181  }
3182 
3183  /*
3184  * Additionally, for shared-memory-connected workers, just like a
3185  * backend, any exit status other than 0 or 1 is considered a crash
3186  * and causes a system-wide restart.
3187  */
3188  if ((rw->rw_worker.bgw_flags & BGWORKER_SHMEM_ACCESS) != 0)
3189  {
3190  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3191  {
3192  HandleChildCrash(pid, exitstatus, namebuf);
3193  return true;
3194  }
3195  }
3196 
3197  /*
3198  * We must release the postmaster child slot whether this worker is
3199  * connected to shared memory or not, but we only treat it as a crash
3200  * if it is in fact connected.
3201  */
3204  {
3205  HandleChildCrash(pid, exitstatus, namebuf);
3206  return true;
3207  }
3208 
3209  /* Get it out of the BackendList and clear out remaining data */
3210  dlist_delete(&rw->rw_backend->elem);
3211 #ifdef EXEC_BACKEND
3212  ShmemBackendArrayRemove(rw->rw_backend);
3213 #endif
3214 
3215  /*
3216  * It's possible that this background worker started some OTHER
3217  * background worker and asked to be notified when that worker started
3218  * or stopped. If so, cancel any notifications destined for the
3219  * now-dead backend.
3220  */
3221  if (rw->rw_backend->bgworker_notify)
3223  free(rw->rw_backend);
3224  rw->rw_backend = NULL;
3225  rw->rw_pid = 0;
3226  rw->rw_child_slot = 0;
3227  ReportBackgroundWorkerExit(&iter); /* report child death */
3228 
3229  LogChildExit(EXIT_STATUS_0(exitstatus) ? DEBUG1 : LOG,
3230  namebuf, pid, exitstatus);
3231 
3232  return true;
3233  }
3234 
3235  return false;
3236 }
3237 
3238 /*
3239  * CleanupBackend -- cleanup after terminated backend.
3240  *
3241  * Remove all local state associated with backend.
3242  *
3243  * If you change this, see also CleanupBackgroundWorker.
3244  */
3245 static void
3247  int exitstatus) /* child's exit status. */
3248 {
3249  dlist_mutable_iter iter;
3250 
3251  LogChildExit(DEBUG2, _("server process"), pid, exitstatus);
3252 
3253  /*
3254  * If a backend dies in an ugly way then we must signal all other backends
3255  * to quickdie. If exit status is zero (normal) or one (FATAL exit), we
3256  * assume everything is all right and proceed to remove the backend from
3257  * the active backend list.
3258  */
3259 
3260 #ifdef WIN32
3261 
3262  /*
3263  * On win32, also treat ERROR_WAIT_NO_CHILDREN (128) as nonfatal case,
3264  * since that sometimes happens under load when the process fails to start
3265  * properly (long before it starts using shared memory). Microsoft reports
3266  * it is related to mutex failure:
3267  * http://archives.postgresql.org/pgsql-hackers/2010-09/msg00790.php
3268  */
3269  if (exitstatus == ERROR_WAIT_NO_CHILDREN)
3270  {
3271  LogChildExit(LOG, _("server process"), pid, exitstatus);
3272  exitstatus = 0;
3273  }
3274 #endif
3275 
3276  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3277  {
3278  HandleChildCrash(pid, exitstatus, _("server process"));
3279  return;
3280  }
3281 
3282  dlist_foreach_modify(iter, &BackendList)
3283  {
3284  Backend *bp = dlist_container(Backend, elem, iter.cur);
3285 
3286  if (bp->pid == pid)
3287  {
3288  if (!bp->dead_end)
3289  {
3291  {
3292  /*
3293  * Uh-oh, the child failed to clean itself up. Treat as a
3294  * crash after all.
3295  */
3296  HandleChildCrash(pid, exitstatus, _("server process"));
3297  return;
3298  }
3299 #ifdef EXEC_BACKEND
3300  ShmemBackendArrayRemove(bp);
3301 #endif
3302  }
3303  if (bp->bgworker_notify)
3304  {
3305  /*
3306  * This backend may have been slated to receive SIGUSR1 when
3307  * some background worker started or stopped. Cancel those
3308  * notifications, as we don't want to signal PIDs that are not
3309  * PostgreSQL backends. This gets skipped in the (probably
3310  * very common) case where the backend has never requested any
3311  * such notifications.
3312  */
3314  }
3315  dlist_delete(iter.cur);
3316  free(bp);
3317  break;
3318  }
3319  }
3320 }
3321 
3322 /*
3323  * HandleChildCrash -- cleanup after failed backend, bgwriter, checkpointer,
3324  * walwriter, autovacuum, or background worker.
3325  *
3326  * The objectives here are to clean up our local state about the child
3327  * process, and to signal all other remaining children to quickdie.
3328  */
3329 static void
3330 HandleChildCrash(int pid, int exitstatus, const char *procname)
3331 {
3332  dlist_mutable_iter iter;
3333  slist_iter siter;
3334  Backend *bp;
3335  bool take_action;
3336 
3337  /*
3338  * We only log messages and send signals if this is the first process
3339  * crash and we're not doing an immediate shutdown; otherwise, we're only
3340  * here to update postmaster's idea of live processes. If we have already
3341  * signalled children, nonzero exit status is to be expected, so don't
3342  * clutter log.
3343  */
3344  take_action = !FatalError && Shutdown != ImmediateShutdown;
3345 
3346  if (take_action)
3347  {
3348  LogChildExit(LOG, procname, pid, exitstatus);
3349  ereport(LOG,
3350  (errmsg("terminating any other active server processes")));
3351  }
3352 
3353  /* Process background workers. */
3355  {
3356  RegisteredBgWorker *rw;
3357 
3358  rw = slist_container(RegisteredBgWorker, rw_lnode, siter.cur);
3359  if (rw->rw_pid == 0)
3360  continue; /* not running */
3361  if (rw->rw_pid == pid)
3362  {
3363  /*
3364  * Found entry for freshly-dead worker, so remove it.
3365  */
3367  dlist_delete(&rw->rw_backend->elem);
3368 #ifdef EXEC_BACKEND
3369  ShmemBackendArrayRemove(rw->rw_backend);
3370 #endif
3371  free(rw->rw_backend);
3372  rw->rw_backend = NULL;
3373  rw->rw_pid = 0;
3374  rw->rw_child_slot = 0;
3375  /* don't reset crashed_at */
3376  /* don't report child stop, either */
3377  /* Keep looping so we can signal remaining workers */
3378  }
3379  else
3380  {
3381  /*
3382  * This worker is still alive. Unless we did so already, tell it
3383  * to commit hara-kiri.
3384  *
3385  * SIGQUIT is the special signal that says exit without proc_exit
3386  * and let the user know what's going on. But if SendStop is set
3387  * (-s on command line), then we send SIGSTOP instead, so that we
3388  * can get core dumps from all backends by hand.
3389  */
3390  if (take_action)
3391  {
3392  ereport(DEBUG2,
3393  (errmsg_internal("sending %s to process %d",
3394  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3395  (int) rw->rw_pid)));
3397  }
3398  }
3399  }
3400 
3401  /* Process regular backends */
3402  dlist_foreach_modify(iter, &BackendList)
3403  {
3404  bp = dlist_container(Backend, elem, iter.cur);
3405 
3406  if (bp->pid == pid)
3407  {
3408  /*
3409  * Found entry for freshly-dead backend, so remove it.
3410  */
3411  if (!bp->dead_end)
3412  {
3414 #ifdef EXEC_BACKEND
3415  ShmemBackendArrayRemove(bp);
3416 #endif
3417  }
3418  dlist_delete(iter.cur);
3419  free(bp);
3420  /* Keep looping so we can signal remaining backends */
3421  }
3422  else
3423  {
3424  /*
3425  * This backend is still alive. Unless we did so already, tell it
3426  * to commit hara-kiri.
3427  *
3428  * SIGQUIT is the special signal that says exit without proc_exit
3429  * and let the user know what's going on. But if SendStop is set
3430  * (-s on command line), then we send SIGSTOP instead, so that we
3431  * can get core dumps from all backends by hand.
3432  *
3433  * We could exclude dead_end children here, but at least in the
3434  * SIGSTOP case it seems better to include them.
3435  *
3436  * Background workers were already processed above; ignore them
3437  * here.
3438  */
3439  if (bp->bkend_type == BACKEND_TYPE_BGWORKER)
3440  continue;
3441 
3442  if (take_action)
3443  {
3444  ereport(DEBUG2,
3445  (errmsg_internal("sending %s to process %d",
3446  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3447  (int) bp->pid)));
3448  signal_child(bp->pid, (SendStop ? SIGSTOP : SIGQUIT));
3449  }
3450  }
3451  }
3452 
3453  /* Take care of the startup process too */
3454  if (pid == StartupPID)
3455  {
3456  StartupPID = 0;
3458  }
3459  else if (StartupPID != 0 && take_action)
3460  {
3461  ereport(DEBUG2,
3462  (errmsg_internal("sending %s to process %d",
3463  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3464  (int) StartupPID)));
3465  signal_child(StartupPID, (SendStop ? SIGSTOP : SIGQUIT));
3467  }
3468 
3469  /* Take care of the bgwriter too */
3470  if (pid == BgWriterPID)
3471  BgWriterPID = 0;
3472  else if (BgWriterPID != 0 && take_action)
3473  {
3474  ereport(DEBUG2,
3475  (errmsg_internal("sending %s to process %d",
3476  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3477  (int) BgWriterPID)));
3478  signal_child(BgWriterPID, (SendStop ? SIGSTOP : SIGQUIT));
3479  }
3480 
3481  /* Take care of the checkpointer too */
3482  if (pid == CheckpointerPID)
3483  CheckpointerPID = 0;
3484  else if (CheckpointerPID != 0 && take_action)
3485  {
3486  ereport(DEBUG2,
3487  (errmsg_internal("sending %s to process %d",
3488  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3489  (int) CheckpointerPID)));
3490  signal_child(CheckpointerPID, (SendStop ? SIGSTOP : SIGQUIT));
3491  }
3492 
3493  /* Take care of the walwriter too */
3494  if (pid == WalWriterPID)
3495  WalWriterPID = 0;
3496  else if (WalWriterPID != 0 && take_action)
3497  {
3498  ereport(DEBUG2,
3499  (errmsg_internal("sending %s to process %d",
3500  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3501  (int) WalWriterPID)));
3502  signal_child(WalWriterPID, (SendStop ? SIGSTOP : SIGQUIT));
3503  }
3504 
3505  /* Take care of the walreceiver too */
3506  if (pid == WalReceiverPID)
3507  WalReceiverPID = 0;
3508  else if (WalReceiverPID != 0 && take_action)
3509  {
3510  ereport(DEBUG2,
3511  (errmsg_internal("sending %s to process %d",
3512  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3513  (int) WalReceiverPID)));
3514  signal_child(WalReceiverPID, (SendStop ? SIGSTOP : SIGQUIT));
3515  }
3516 
3517  /* Take care of the autovacuum launcher too */
3518  if (pid == AutoVacPID)
3519  AutoVacPID = 0;
3520  else if (AutoVacPID != 0 && take_action)
3521  {
3522  ereport(DEBUG2,
3523  (errmsg_internal("sending %s to process %d",
3524  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3525  (int) AutoVacPID)));
3526  signal_child(AutoVacPID, (SendStop ? SIGSTOP : SIGQUIT));
3527  }
3528 
3529  /*
3530  * Force a power-cycle of the pgarch process too. (This isn't absolutely
3531  * necessary, but it seems like a good idea for robustness, and it
3532  * simplifies the state-machine logic in the case where a shutdown request
3533  * arrives during crash processing.)
3534  */
3535  if (PgArchPID != 0 && take_action)
3536  {
3537  ereport(DEBUG2,
3538  (errmsg_internal("sending %s to process %d",
3539  "SIGQUIT",
3540  (int) PgArchPID)));
3541  signal_child(PgArchPID, SIGQUIT);
3542  }
3543 
3544  /*
3545  * Force a power-cycle of the pgstat process too. (This isn't absolutely
3546  * necessary, but it seems like a good idea for robustness, and it
3547  * simplifies the state-machine logic in the case where a shutdown request
3548  * arrives during crash processing.)
3549  */
3550  if (PgStatPID != 0 && take_action)
3551  {
3552  ereport(DEBUG2,
3553  (errmsg_internal("sending %s to process %d",
3554  "SIGQUIT",
3555  (int) PgStatPID)));
3556  signal_child(PgStatPID, SIGQUIT);
3558  }
3559 
3560  /* We do NOT restart the syslogger */
3561 
3562  if (Shutdown != ImmediateShutdown)
3563  FatalError = true;
3564 
3565  /* We now transit into a state of waiting for children to die */
3566  if (pmState == PM_RECOVERY ||
3567  pmState == PM_HOT_STANDBY ||
3568  pmState == PM_RUN ||
3569  pmState == PM_WAIT_BACKUP ||
3571  pmState == PM_SHUTDOWN)
3573 
3574  /*
3575  * .. and if this doesn't happen quickly enough, now the clock is ticking
3576  * for us to kill them without mercy.
3577  */
3578  if (AbortStartTime == 0)
3579  AbortStartTime = time(NULL);
3580 }
3581 
3582 /*
3583  * Log the death of a child process.
3584  */
3585 static void
3586 LogChildExit(int lev, const char *procname, int pid, int exitstatus)
3587 {
3588  /*
3589  * size of activity_buffer is arbitrary, but set equal to default
3590  * track_activity_query_size
3591  */
3592  char activity_buffer[1024];
3593  const char *activity = NULL;
3594 
3595  if (!EXIT_STATUS_0(exitstatus))
3596  activity = pgstat_get_crashed_backend_activity(pid,
3597  activity_buffer,
3598  sizeof(activity_buffer));
3599 
3600  if (WIFEXITED(exitstatus))
3601  ereport(lev,
3602 
3603  /*------
3604  translator: %s is a noun phrase describing a child process, such as
3605  "server process" */
3606  (errmsg("%s (PID %d) exited with exit code %d",
3607  procname, pid, WEXITSTATUS(exitstatus)),
3608  activity ? errdetail("Failed process was running: %s", activity) : 0));
3609  else if (WIFSIGNALED(exitstatus))
3610 #if defined(WIN32)
3611  ereport(lev,
3612 
3613  /*------
3614  translator: %s is a noun phrase describing a child process, such as
3615  "server process" */
3616  (errmsg("%s (PID %d) was terminated by exception 0x%X",
3617  procname, pid, WTERMSIG(exitstatus)),
3618  errhint("See C include file \"ntstatus.h\" for a description of the hexadecimal value."),
3619  activity ? errdetail("Failed process was running: %s", activity) : 0));
3620 #elif defined(HAVE_DECL_SYS_SIGLIST) && HAVE_DECL_SYS_SIGLIST
3621  ereport(lev,
3622 
3623  /*------
3624  translator: %s is a noun phrase describing a child process, such as
3625  "server process" */
3626  (errmsg("%s (PID %d) was terminated by signal %d: %s",
3627  procname, pid, WTERMSIG(exitstatus),
3628  WTERMSIG(exitstatus) < NSIG ?
3629  sys_siglist[WTERMSIG(exitstatus)] : "(unknown)"),
3630  activity ? errdetail("Failed process was running: %s", activity) : 0));
3631 #else
3632  ereport(lev,
3633 
3634  /*------
3635  translator: %s is a noun phrase describing a child process, such as
3636  "server process" */
3637  (errmsg("%s (PID %d) was terminated by signal %d",
3638  procname, pid, WTERMSIG(exitstatus)),
3639  activity ? errdetail("Failed process was running: %s", activity) : 0));
3640 #endif
3641  else
3642  ereport(lev,
3643 
3644  /*------
3645  translator: %s is a noun phrase describing a child process, such as
3646  "server process" */
3647  (errmsg("%s (PID %d) exited with unrecognized status %d",
3648  procname, pid, exitstatus),
3649  activity ? errdetail("Failed process was running: %s", activity) : 0));
3650 }
3651 
3652 /*
3653  * Advance the postmaster's state machine and take actions as appropriate
3654  *
3655  * This is common code for pmdie(), reaper() and sigusr1_handler(), which
3656  * receive the signals that might mean we need to change state.
3657  */
3658 static void
3660 {
3661  if (pmState == PM_WAIT_BACKUP)
3662  {
3663  /*
3664  * PM_WAIT_BACKUP state ends when online backup mode is not active.
3665  */
3666  if (!BackupInProgress())
3668  }
3669 
3670  if (pmState == PM_WAIT_READONLY)
3671  {
3672  /*
3673  * PM_WAIT_READONLY state ends when we have no regular backends that
3674  * have been started during recovery. We kill the startup and
3675  * walreceiver processes and transition to PM_WAIT_BACKENDS. Ideally,
3676  * we might like to kill these processes first and then wait for
3677  * backends to die off, but that doesn't work at present because
3678  * killing the startup process doesn't release its locks.
3679  */
3681  {
3682  if (StartupPID != 0)
3683  signal_child(StartupPID, SIGTERM);
3684  if (WalReceiverPID != 0)
3685  signal_child(WalReceiverPID, SIGTERM);
3687  }
3688  }
3689 
3690  /*
3691  * If we are in a state-machine state that implies waiting for backends to
3692  * exit, see if they're all gone, and change state if so.
3693  */
3694  if (pmState == PM_WAIT_BACKENDS)
3695  {
3696  /*
3697  * PM_WAIT_BACKENDS state ends when we have no regular backends
3698  * (including autovac workers), no bgworkers (including unconnected
3699  * ones), and no walwriter, autovac launcher or bgwriter. If we are
3700  * doing crash recovery or an immediate shutdown then we expect the
3701  * checkpointer to exit as well, otherwise not. The archiver, stats,
3702  * and syslogger processes are disregarded since they are not
3703  * connected to shared memory; we also disregard dead_end children
3704  * here. Walsenders are also disregarded, they will be terminated
3705  * later after writing the checkpoint record, like the archiver
3706  * process.
3707  */
3709  StartupPID == 0 &&
3710  WalReceiverPID == 0 &&
3711  BgWriterPID == 0 &&
3712  (CheckpointerPID == 0 ||
3714  WalWriterPID == 0 &&
3715  AutoVacPID == 0)
3716  {
3718  {
3719  /*
3720  * Start waiting for dead_end children to die. This state
3721  * change causes ServerLoop to stop creating new ones.
3722  */
3724 
3725  /*
3726  * We already SIGQUIT'd the archiver and stats processes, if
3727  * any, when we started immediate shutdown or entered
3728  * FatalError state.
3729  */
3730  }
3731  else
3732  {
3733  /*
3734  * If we get here, we are proceeding with normal shutdown. All
3735  * the regular children are gone, and it's time to tell the
3736  * checkpointer to do a shutdown checkpoint.
3737  */
3739  /* Start the checkpointer if not running */
3740  if (CheckpointerPID == 0)
3742  /* And tell it to shut down */
3743  if (CheckpointerPID != 0)
3744  {
3746  pmState = PM_SHUTDOWN;
3747  }
3748  else
3749  {
3750  /*
3751  * If we failed to fork a checkpointer, just shut down.
3752  * Any required cleanup will happen at next restart. We
3753  * set FatalError so that an "abnormal shutdown" message
3754  * gets logged when we exit.
3755  */
3756  FatalError = true;
3758 
3759  /* Kill the walsenders, archiver and stats collector too */
3761  if (PgArchPID != 0)
3763  if (PgStatPID != 0)
3765  }
3766  }
3767  }
3768  }
3769 
3770  if (pmState == PM_SHUTDOWN_2)
3771  {
3772  /*
3773  * PM_SHUTDOWN_2 state ends when there's no other children than
3774  * dead_end children left. There shouldn't be any regular backends
3775  * left by now anyway; what we're really waiting for is walsenders and
3776  * archiver.
3777  *
3778  * Walreceiver should normally be dead by now, but not when a fast
3779  * shutdown is performed during recovery.
3780  */
3781  if (PgArchPID == 0 && CountChildren(BACKEND_TYPE_ALL) == 0 &&
3782  WalReceiverPID == 0)
3783  {
3785  }
3786  }
3787 
3788  if (pmState == PM_WAIT_DEAD_END)
3789  {
3790  /*
3791  * PM_WAIT_DEAD_END state ends when the BackendList is entirely empty
3792  * (ie, no dead_end children remain), and the archiver and stats
3793  * collector are gone too.
3794  *
3795  * The reason we wait for those two is to protect them against a new
3796  * postmaster starting conflicting subprocesses; this isn't an
3797  * ironclad protection, but it at least helps in the
3798  * shutdown-and-immediately-restart scenario. Note that they have
3799  * already been sent appropriate shutdown signals, either during a
3800  * normal state transition leading up to PM_WAIT_DEAD_END, or during
3801  * FatalError processing.
3802  */
3803  if (dlist_is_empty(&BackendList) &&
3804  PgArchPID == 0 && PgStatPID == 0)
3805  {
3806  /* These other guys should be dead already */
3807  Assert(StartupPID == 0);
3808  Assert(WalReceiverPID == 0);
3809  Assert(BgWriterPID == 0);
3810  Assert(CheckpointerPID == 0);
3811  Assert(WalWriterPID == 0);
3812  Assert(AutoVacPID == 0);
3813  /* syslogger is not considered here */
3815  }
3816  }
3817 
3818  /*
3819  * If we've been told to shut down, we exit as soon as there are no
3820  * remaining children. If there was a crash, cleanup will occur at the
3821  * next startup. (Before PostgreSQL 8.3, we tried to recover from the
3822  * crash before exiting, but that seems unwise if we are quitting because
3823  * we got SIGTERM from init --- there may well not be time for recovery
3824  * before init decides to SIGKILL us.)
3825  *
3826  * Note that the syslogger continues to run. It will exit when it sees
3827  * EOF on its input pipe, which happens when there are no more upstream
3828  * processes.
3829  */
3831  {
3832  if (FatalError)
3833  {
3834  ereport(LOG, (errmsg("abnormal database system shutdown")));
3835  ExitPostmaster(1);
3836  }
3837  else
3838  {
3839  /*
3840  * Terminate exclusive backup mode to avoid recovery after a clean
3841  * fast shutdown. Since an exclusive backup can only be taken
3842  * during normal running (and not, for example, while running
3843  * under Hot Standby) it only makes sense to do this if we reached
3844  * normal running. If we're still in recovery, the backup file is
3845  * one we're recovering *from*, and we must keep it around so that
3846  * recovery restarts from the right place.
3847  */
3849  CancelBackup();
3850 
3851  /* Normal exit from the postmaster is here */
3852  ExitPostmaster(0);
3853  }
3854  }
3855 
3856  /*
3857  * If the startup process failed, or the user does not want an automatic
3858  * restart after backend crashes, wait for all non-syslogger children to
3859  * exit, and then exit postmaster. We don't try to reinitialize when the
3860  * startup process fails, because more than likely it will just fail again
3861  * and we will keep trying forever.
3862  */
3863  if (pmState == PM_NO_CHILDREN &&
3865  ExitPostmaster(1);
3866 
3867  /*
3868  * If we need to recover from a crash, wait for all non-syslogger children
3869  * to exit, then reset shmem and StartupDataBase.
3870  */
3871  if (FatalError && pmState == PM_NO_CHILDREN)
3872  {
3873  ereport(LOG,
3874  (errmsg("all server processes terminated; reinitializing")));
3875 
3876  /* allow background workers to immediately restart */
3878 
3879  shmem_exit(1);
3880 
3881  /* re-read control file into local memory */
3883 
3885 
3887  Assert(StartupPID != 0);
3889  pmState = PM_STARTUP;
3890  /* crash recovery started, reset SIGKILL flag */
3891  AbortStartTime = 0;
3892  }
3893 }
3894 
3895 
3896 /*
3897  * Send a signal to a postmaster child process
3898  *
3899  * On systems that have setsid(), each child process sets itself up as a
3900  * process group leader. For signals that are generally interpreted in the
3901  * appropriate fashion, we signal the entire process group not just the
3902  * direct child process. This allows us to, for example, SIGQUIT a blocked
3903  * archive_recovery script, or SIGINT a script being run by a backend via
3904  * system().
3905  *
3906  * There is a race condition for recently-forked children: they might not
3907  * have executed setsid() yet. So we signal the child directly as well as
3908  * the group. We assume such a child will handle the signal before trying
3909  * to spawn any grandchild processes. We also assume that signaling the
3910  * child twice will not cause any problems.
3911  */
3912 static void
3913 signal_child(pid_t pid, int signal)
3914 {
3915  if (kill(pid, signal) < 0)
3916  elog(DEBUG3, "kill(%ld,%d) failed: %m", (long) pid, signal);
3917 #ifdef HAVE_SETSID
3918  switch (signal)
3919  {
3920  case SIGINT:
3921  case SIGTERM:
3922  case SIGQUIT:
3923  case SIGSTOP:
3924  case SIGKILL:
3925  if (kill(-pid, signal) < 0)
3926  elog(DEBUG3, "kill(%ld,%d) failed: %m", (long) (-pid), signal);
3927  break;
3928  default:
3929  break;
3930  }
3931 #endif
3932 }
3933 
3934 /*
3935  * Send a signal to the targeted children (but NOT special children;
3936  * dead_end children are never signaled, either).
3937  */
3938 static bool
3939 SignalSomeChildren(int signal, int target)
3940 {
3941  dlist_iter iter;
3942  bool signaled = false;
3943 
3944  dlist_foreach(iter, &BackendList)
3945  {
3946  Backend *bp = dlist_container(Backend, elem, iter.cur);
3947 
3948  if (bp->dead_end)
3949  continue;
3950 
3951  /*
3952  * Since target == BACKEND_TYPE_ALL is the most common case, we test
3953  * it first and avoid touching shared memory for every child.
3954  */
3955  if (target != BACKEND_TYPE_ALL)
3956  {
3957  /*
3958  * Assign bkend_type for any recently announced WAL Sender
3959  * processes.
3960  */
3961  if (bp->bkend_type == BACKEND_TYPE_NORMAL &&
3964 
3965  if (!(target & bp->bkend_type))
3966  continue;
3967  }
3968 
3969  ereport(DEBUG4,
3970  (errmsg_internal("sending signal %d to process %d",
3971  signal, (int) bp->pid)));
3972  signal_child(bp->pid, signal);
3973  signaled = true;
3974  }
3975  return signaled;
3976 }
3977 
3978 /*
3979  * Send a termination signal to children. This considers all of our children
3980  * processes, except syslogger and dead_end backends.
3981  */
3982 static void
3984 {
3985  SignalChildren(signal);
3986  if (StartupPID != 0)
3987  {
3988  signal_child(StartupPID, signal);
3989  if (signal == SIGQUIT || signal == SIGKILL)
3991  }
3992  if (BgWriterPID != 0)
3993  signal_child(BgWriterPID, signal);
3994  if (CheckpointerPID != 0)
3995  signal_child(CheckpointerPID, signal);
3996  if (WalWriterPID != 0)
3997  signal_child(WalWriterPID, signal);
3998  if (WalReceiverPID != 0)
3999  signal_child(WalReceiverPID, signal);
4000  if (AutoVacPID != 0)
4001  signal_child(AutoVacPID, signal);
4002  if (PgArchPID != 0)
4003  signal_child(PgArchPID, signal);
4004  if (PgStatPID != 0)
4005  signal_child(PgStatPID, signal);
4006 }
4007 
4008 /*
4009  * BackendStartup -- start backend process
4010  *
4011  * returns: STATUS_ERROR if the fork failed, STATUS_OK otherwise.
4012  *
4013  * Note: if you change this code, also consider StartAutovacuumWorker.
4014  */
4015 static int
4017 {
4018  Backend *bn; /* for backend cleanup */
4019  pid_t pid;
4020 
4021  /*
4022  * Create backend data structure. Better before the fork() so we can
4023  * handle failure cleanly.
4024  */
4025  bn = (Backend *) malloc(sizeof(Backend));
4026  if (!bn)
4027  {
4028  ereport(LOG,
4029  (errcode(ERRCODE_OUT_OF_MEMORY),
4030  errmsg("out of memory")));
4031  return STATUS_ERROR;
4032  }
4033 
4034  /*
4035  * Compute the cancel key that will be assigned to this backend. The
4036  * backend will have its own copy in the forked-off process' value of
4037  * MyCancelKey, so that it can transmit the key to the frontend.
4038  */
4040  {
4041  free(bn);
4042  ereport(LOG,
4043  (errcode(ERRCODE_INTERNAL_ERROR),
4044  errmsg("could not generate random cancel key")));
4045  return STATUS_ERROR;
4046  }
4047 
4048  bn->cancel_key = MyCancelKey;
4049 
4050  /* Pass down canAcceptConnections state */
4052  bn->dead_end = (port->canAcceptConnections != CAC_OK &&
4054 
4055  /*
4056  * Unless it's a dead_end child, assign it a child slot number
4057  */
4058  if (!bn->dead_end)
4060  else
4061  bn->child_slot = 0;
4062 
4063  /* Hasn't asked to be notified about any bgworkers yet */
4064  bn->bgworker_notify = false;
4065 
4066 #ifdef EXEC_BACKEND
4067  pid = backend_forkexec(port);
4068 #else /* !EXEC_BACKEND */
4069  pid = fork_process();
4070  if (pid == 0) /* child */
4071  {
4072  free(bn);
4073 
4074  /* Detangle from postmaster */
4076 
4077  /* Close the postmaster's sockets */
4078  ClosePostmasterPorts(false);
4079 
4080  /* Perform additional initialization and collect startup packet */
4081  BackendInitialize(port);
4082 
4083  /* And run the backend */
4084  BackendRun(port);
4085  }
4086 #endif /* EXEC_BACKEND */
4087 
4088  if (pid < 0)
4089  {
4090  /* in parent, fork failed */
4091  int save_errno = errno;
4092 
4093  if (!bn->dead_end)
4095  free(bn);
4096  errno = save_errno;
4097  ereport(LOG,
4098  (errmsg("could not fork new process for connection: %m")));
4099  report_fork_failure_to_client(port, save_errno);
4100  return STATUS_ERROR;
4101  }
4102 
4103  /* in parent, successful fork */
4104  ereport(DEBUG2,
4105  (errmsg_internal("forked new backend, pid=%d socket=%d",
4106  (int) pid, (int) port->sock)));
4107 
4108  /*
4109  * Everything's been successful, it's safe to add this backend to our list
4110  * of backends.
4111  */
4112  bn->pid = pid;
4113  bn->bkend_type = BACKEND_TYPE_NORMAL; /* Can change later to WALSND */
4114  dlist_push_head(&BackendList, &bn->elem);
4115 
4116 #ifdef EXEC_BACKEND
4117  if (!bn->dead_end)
4118  ShmemBackendArrayAdd(bn);
4119 #endif
4120 
4121  return STATUS_OK;
4122 }
4123 
4124 /*
4125  * Try to report backend fork() failure to client before we close the
4126  * connection. Since we do not care to risk blocking the postmaster on
4127  * this connection, we set the connection to non-blocking and try only once.
4128  *
4129  * This is grungy special-purpose code; we cannot use backend libpq since
4130  * it's not up and running.
4131  */
4132 static void
4134 {
4135  char buffer[1000];
4136  int rc;
4137 
4138  /* Format the error message packet (always V2 protocol) */
4139  snprintf(buffer, sizeof(buffer), "E%s%s\n",
4140  _("could not fork new process for connection: "),
4141  strerror(errnum));
4142 
4143  /* Set port to non-blocking. Don't do send() if this fails */
4144  if (!pg_set_noblock(port->sock))
4145  return;
4146 
4147  /* We'll retry after EINTR, but ignore all other failures */
4148  do
4149  {
4150  rc = send(port->sock, buffer, strlen(buffer) + 1, 0);
4151  } while (rc < 0 && errno == EINTR);
4152 }
4153 
4154 
4155 /*
4156  * BackendInitialize -- initialize an interactive (postmaster-child)
4157  * backend process, and collect the client's startup packet.
4158  *
4159  * returns: nothing. Will not return at all if there's any failure.
4160  *
4161  * Note: this code does not depend on having any access to shared memory.
4162  * In the EXEC_BACKEND case, we are physically attached to shared memory
4163  * but have not yet set up most of our local pointers to shmem structures.
4164  */
4165 static void
4167 {
4168  int status;
4169  int ret;
4170  char remote_host[NI_MAXHOST];
4171  char remote_port[NI_MAXSERV];
4172  char remote_ps_data[NI_MAXHOST];
4173 
4174  /* Save port etc. for ps status */
4175  MyProcPort = port;
4176 
4177  /*
4178  * PreAuthDelay is a debugging aid for investigating problems in the
4179  * authentication cycle: it can be set in postgresql.conf to allow time to
4180  * attach to the newly-forked backend with a debugger. (See also
4181  * PostAuthDelay, which we allow clients to pass through PGOPTIONS, but it
4182  * is not honored until after authentication.)
4183  */
4184  if (PreAuthDelay > 0)
4185  pg_usleep(PreAuthDelay * 1000000L);
4186 
4187  /* This flag will remain set until InitPostgres finishes authentication */
4188  ClientAuthInProgress = true; /* limit visibility of log messages */
4189 
4190  /* save process start time */
4193 
4194  /* set these to empty in case they are needed before we set them up */
4195  port->remote_host = "";
4196  port->remote_port = "";
4197 
4198  /*
4199  * Initialize libpq and enable reporting of ereport errors to the client.
4200  * Must do this now because authentication uses libpq to send messages.
4201  */
4202  pq_init(); /* initialize libpq to talk to client */
4203  whereToSendOutput = DestRemote; /* now safe to ereport to client */
4204 
4205  /*
4206  * We arrange for a simple exit(1) if we receive SIGTERM or SIGQUIT or
4207  * timeout while trying to collect the startup packet. Otherwise the
4208  * postmaster cannot shutdown the database FAST or IMMED cleanly if a
4209  * buggy client fails to send the packet promptly. XXX it follows that
4210  * the remainder of this function must tolerate losing control at any
4211  * instant. Likewise, any pg_on_exit_callback registered before or during
4212  * this function must be prepared to execute at any instant between here
4213  * and the end of this function. Furthermore, affected callbacks execute
4214  * partially or not at all when a second exit-inducing signal arrives
4215  * after proc_exit_prepare() decrements on_proc_exit_index. (Thanks to
4216  * that mechanic, callbacks need not anticipate more than one call.) This
4217  * is fragile; it ought to instead follow the norm of handling interrupts
4218  * at selected, safe opportunities.
4219  */
4220  pqsignal(SIGTERM, startup_die);
4222  InitializeTimeouts(); /* establishes SIGALRM handler */
4224 
4225  /*
4226  * Get the remote host name and port for logging and status display.
4227  */
4228  remote_host[0] = '\0';
4229  remote_port[0] = '\0';
4230  if ((ret = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
4231  remote_host, sizeof(remote_host),
4232  remote_port, sizeof(remote_port),
4233  (log_hostname ? 0 : NI_NUMERICHOST) | NI_NUMERICSERV)) != 0)
4234  ereport(WARNING,
4235  (errmsg_internal("pg_getnameinfo_all() failed: %s",
4236  gai_strerror(ret))));
4237  if (remote_port[0] == '\0')
4238  snprintf(remote_ps_data, sizeof(remote_ps_data), "%s", remote_host);
4239  else
4240  snprintf(remote_ps_data, sizeof(remote_ps_data), "%s(%s)", remote_host, remote_port);
4241 
4242  /*
4243  * Save remote_host and remote_port in port structure (after this, they
4244  * will appear in log_line_prefix data for log messages).
4245  */
4246  port->remote_host = strdup(remote_host);
4247  port->remote_port = strdup(remote_port);
4248 
4249  /* And now we can issue the Log_connections message, if wanted */
4250  if (Log_connections)
4251  {
4252  if (remote_port[0])
4253  ereport(LOG,
4254  (errmsg("connection received: host=%s port=%s",
4255  remote_host,
4256  remote_port)));
4257  else
4258  ereport(LOG,
4259  (errmsg("connection received: host=%s",
4260  remote_host)));
4261  }
4262 
4263  /*
4264  * If we did a reverse lookup to name, we might as well save the results
4265  * rather than possibly repeating the lookup during authentication.
4266  *
4267  * Note that we don't want to specify NI_NAMEREQD above, because then we'd
4268  * get nothing useful for a client without an rDNS entry. Therefore, we
4269  * must check whether we got a numeric IPv4 or IPv6 address, and not save
4270  * it into remote_hostname if so. (This test is conservative and might
4271  * sometimes classify a hostname as numeric, but an error in that
4272  * direction is safe; it only results in a possible extra lookup.)
4273  */
4274  if (log_hostname &&
4275  ret == 0 &&
4276  strspn(remote_host, "0123456789.") < strlen(remote_host) &&
4277  strspn(remote_host, "0123456789ABCDEFabcdef:") < strlen(remote_host))
4278  port->remote_hostname = strdup(remote_host);
4279 
4280  /*
4281  * Ready to begin client interaction. We will give up and exit(1) after a
4282  * time delay, so that a broken client can't hog a connection
4283  * indefinitely. PreAuthDelay and any DNS interactions above don't count
4284  * against the time limit.
4285  *
4286  * Note: AuthenticationTimeout is applied here while waiting for the
4287  * startup packet, and then again in InitPostgres for the duration of any
4288  * authentication operations. So a hostile client could tie up the
4289  * process for nearly twice AuthenticationTimeout before we kick him off.
4290  *
4291  * Note: because PostgresMain will call InitializeTimeouts again, the
4292  * registration of STARTUP_PACKET_TIMEOUT will be lost. This is okay
4293  * since we never use it again after this function.
4294  */
4297 
4298  /*
4299  * Receive the startup packet (which might turn out to be a cancel request
4300  * packet).
4301  */
4302  status = ProcessStartupPacket(port, false);
4303 
4304  /*
4305  * Stop here if it was bad or a cancel packet. ProcessStartupPacket
4306  * already did any appropriate error reporting.
4307  */
4308  if (status != STATUS_OK)
4309  proc_exit(0);
4310 
4311  /*
4312  * Now that we have the user and database name, we can set the process
4313  * title for ps. It's good to do this as early as possible in startup.
4314  *
4315  * For a walsender, the ps display is set in the following form:
4316  *
4317  * postgres: walsender <user> <host> <activity>
4318  *
4319  * To achieve that, we pass "walsender" as username and username as dbname
4320  * to init_ps_display(). XXX: should add a new variant of
4321  * init_ps_display() to avoid abusing the parameters like this.
4322  */
4323  if (am_walsender)
4325  update_process_title ? "authentication" : "");
4326  else
4327  init_ps_display(port->user_name, port->database_name, remote_ps_data,
4328  update_process_title ? "authentication" : "");
4329 
4330  /*
4331  * Disable the timeout, and prevent SIGTERM/SIGQUIT again.
4332  */
4334  PG_SETMASK(&BlockSig);
4335 }
4336 
4337 
4338 /*
4339  * BackendRun -- set up the backend's argument list and invoke PostgresMain()
4340  *
4341  * returns:
4342  * Shouldn't return at all.
4343  * If PostgresMain() fails, return status.
4344  */
4345 static void
4347 {
4348  char **av;
4349  int maxac;
4350  int ac;
4351  long secs;
4352  int usecs;
4353  int i;
4354 
4355  /*
4356  * Don't want backend to be able to see the postmaster random number
4357  * generator state. We have to clobber the static random_seed *and* start
4358  * a new random sequence in the random() library function.
4359  */
4360 #ifndef HAVE_STRONG_RANDOM
4361  random_seed = 0;
4362  random_start_time.tv_usec = 0;
4363 #endif
4364  /* slightly hacky way to convert timestamptz into integers */
4365  TimestampDifference(0, port->SessionStartTime, &secs, &usecs);
4366  srandom((unsigned int) (MyProcPid ^ (usecs << 12) ^ secs));
4367 
4368  /*
4369  * Now, build the argv vector that will be given to PostgresMain.
4370  *
4371  * The maximum possible number of commandline arguments that could come
4372  * from ExtraOptions is (strlen(ExtraOptions) + 1) / 2; see
4373  * pg_split_opts().
4374  */
4375  maxac = 2; /* for fixed args supplied below */
4376  maxac += (strlen(ExtraOptions) + 1) / 2;
4377 
4378  av = (char **) MemoryContextAlloc(TopMemoryContext,
4379  maxac * sizeof(char *));
4380  ac = 0;
4381 
4382  av[ac++] = "postgres";
4383 
4384  /*
4385  * Pass any backend switches specified with -o on the postmaster's own
4386  * command line. We assume these are secure.
4387  */
4388  pg_split_opts(av, &ac, ExtraOptions);
4389 
4390  av[ac] = NULL;
4391 
4392  Assert(ac < maxac);
4393 
4394  /*
4395  * Debug: print arguments being passed to backend
4396  */
4397  ereport(DEBUG3,
4398  (errmsg_internal("%s child[%d]: starting with (",
4399  progname, (int) getpid())));
4400  for (i = 0; i < ac; ++i)
4401  ereport(DEBUG3,
4402  (errmsg_internal("\t%s", av[i])));
4403  ereport(DEBUG3,
4404  (errmsg_internal(")")));
4405 
4406  /*
4407  * Make sure we aren't in PostmasterContext anymore. (We can't delete it
4408  * just yet, though, because InitPostgres will need the HBA data.)
4409  */
4411 
4412  PostgresMain(ac, av, port->database_name, port->user_name);
4413 }
4414 
4415 
4416 #ifdef EXEC_BACKEND
4417 
4418 /*
4419  * postmaster_forkexec -- fork and exec a postmaster subprocess
4420  *
4421  * The caller must have set up the argv array already, except for argv[2]
4422  * which will be filled with the name of the temp variable file.
4423  *
4424  * Returns the child process PID, or -1 on fork failure (a suitable error
4425  * message has been logged on failure).
4426  *
4427  * All uses of this routine will dispatch to SubPostmasterMain in the
4428  * child process.
4429  */
4430 pid_t
4431 postmaster_forkexec(int argc, char *argv[])
4432 {
4433  Port port;
4434 
4435  /* This entry point passes dummy values for the Port variables */
4436  memset(&port, 0, sizeof(port));
4437  return internal_forkexec(argc, argv, &port);
4438 }
4439 
4440 /*
4441  * backend_forkexec -- fork/exec off a backend process
4442  *
4443  * Some operating systems (WIN32) don't have fork() so we have to simulate
4444  * it by storing parameters that need to be passed to the child and
4445  * then create a new child process.
4446  *
4447  * returns the pid of the fork/exec'd process, or -1 on failure
4448  */
4449 static pid_t
4450 backend_forkexec(Port *port)
4451 {
4452  char *av[4];
4453  int ac = 0;
4454 
4455  av[ac++] = "postgres";
4456  av[ac++] = "--forkbackend";
4457  av[ac++] = NULL; /* filled in by internal_forkexec */
4458 
4459  av[ac] = NULL;
4460  Assert(ac < lengthof(av));
4461 
4462  return internal_forkexec(ac, av, port);
4463 }
4464 
4465 #ifndef WIN32
4466 
4467 /*
4468  * internal_forkexec non-win32 implementation
4469  *
4470  * - writes out backend variables to the parameter file
4471  * - fork():s, and then exec():s the child process
4472  */
4473 static pid_t
4474 internal_forkexec(int argc, char *argv[], Port *port)
4475 {
4476  static unsigned long tmpBackendFileNum = 0;
4477  pid_t pid;
4478  char tmpfilename[MAXPGPATH];
4479  BackendParameters param;
4480  FILE *fp;
4481 
4482  if (!save_backend_variables(&param, port))
4483  return -1; /* log made by save_backend_variables */
4484 
4485  /* Calculate name for temp file */
4486  snprintf(tmpfilename, MAXPGPATH, "%s/%s.backend_var.%d.%lu",
4488  MyProcPid, ++tmpBackendFileNum);
4489 
4490  /* Open file */
4491  fp = AllocateFile(tmpfilename, PG_BINARY_W);
4492  if (!fp)
4493  {
4494  /*
4495  * As in OpenTemporaryFileInTablespace, try to make the temp-file
4496  * directory
4497  */
4499 
4500  fp = AllocateFile(tmpfilename, PG_BINARY_W);
4501  if (!fp)
4502  {
4503  ereport(LOG,
4505  errmsg("could not create file \"%s\": %m",
4506  tmpfilename)));
4507  return -1;
4508  }
4509  }
4510 
4511  if (fwrite(&param, sizeof(param), 1, fp) != 1)
4512  {
4513  ereport(LOG,
4515  errmsg("could not write to file \"%s\": %m", tmpfilename)));
4516  FreeFile(fp);
4517  return -1;
4518  }
4519 
4520  /* Release file */
4521  if (FreeFile(fp))
4522  {
4523  ereport(LOG,
4525  errmsg("could not write to file \"%s\": %m", tmpfilename)));
4526  return -1;
4527  }
4528 
4529  /* Make sure caller set up argv properly */
4530  Assert(argc >= 3);
4531  Assert(argv[argc] == NULL);
4532  Assert(strncmp(argv[1], "--fork", 6) == 0);
4533  Assert(argv[2] == NULL);
4534 
4535  /* Insert temp file name after --fork argument */
4536  argv[2] = tmpfilename;
4537 
4538  /* Fire off execv in child */
4539  if ((pid = fork_process()) == 0)
4540  {
4541  if (execv(postgres_exec_path, argv) < 0)
4542  {
4543  ereport(LOG,
4544  (errmsg("could not execute server process \"%s\": %m",
4545  postgres_exec_path)));
4546  /* We're already in the child process here, can't return */
4547  exit(1);
4548  }
4549  }
4550 
4551  return pid; /* Parent returns pid, or -1 on fork failure */
4552 }
4553 #else /* WIN32 */
4554 
4555 /*
4556  * internal_forkexec win32 implementation
4557  *
4558  * - starts backend using CreateProcess(), in suspended state
4559  * - writes out backend variables to the parameter file
4560  * - during this, duplicates handles and sockets required for
4561  * inheritance into the new process
4562  * - resumes execution of the new process once the backend parameter
4563  * file is complete.
4564  */
4565 static pid_t
4566 internal_forkexec(int argc, char *argv[], Port *port)
4567 {
4568  int retry_count = 0;
4569  STARTUPINFO si;
4570  PROCESS_INFORMATION pi;
4571  int i;
4572  int j;
4573  char cmdLine[MAXPGPATH * 2];
4574  HANDLE paramHandle;
4575  BackendParameters *param;
4576  SECURITY_ATTRIBUTES sa;
4577  char paramHandleStr[32];
4578  win32_deadchild_waitinfo *childinfo;
4579 
4580  /* Make sure caller set up argv properly */
4581  Assert(argc >= 3);
4582  Assert(argv[argc] == NULL);
4583  Assert(strncmp(argv[1], "--fork", 6) == 0);
4584  Assert(argv[2] == NULL);
4585 
4586  /* Resume here if we need to retry */
4587 retry:
4588 
4589  /* Set up shared memory for parameter passing */
4590  ZeroMemory(&sa, sizeof(sa));
4591  sa.nLength = sizeof(sa);
4592  sa.bInheritHandle = TRUE;
4593  paramHandle = CreateFileMapping(INVALID_HANDLE_VALUE,
4594  &sa,
4595  PAGE_READWRITE,
4596  0,
4597  sizeof(BackendParameters),
4598  NULL);
4599  if (paramHandle == INVALID_HANDLE_VALUE)
4600  {
4601  elog(LOG, "could not create backend parameter file mapping: error code %lu",
4602  GetLastError());
4603  return -1;
4604  }
4605 
4606  param = MapViewOfFile(paramHandle, FILE_MAP_WRITE, 0, 0, sizeof(BackendParameters));
4607  if (!param)
4608  {
4609  elog(LOG, "could not map backend parameter memory: error code %lu",
4610  GetLastError());
4611  CloseHandle(paramHandle);
4612  return -1;
4613  }
4614 
4615  /* Insert temp file name after --fork argument */
4616 #ifdef _WIN64
4617  sprintf(paramHandleStr, "%llu", (LONG_PTR) paramHandle);
4618 #else
4619  sprintf(paramHandleStr, "%lu", (DWORD) paramHandle);
4620 #endif
4621  argv[2] = paramHandleStr;
4622 
4623  /* Format the cmd line */
4624  cmdLine[sizeof(cmdLine) - 1] = '\0';
4625  cmdLine[sizeof(cmdLine) - 2] = '\0';
4626  snprintf(cmdLine, sizeof(cmdLine) - 1, "\"%s\"", postgres_exec_path);
4627  i = 0;
4628  while (argv[++i] != NULL)
4629  {
4630  j = strlen(cmdLine);
4631  snprintf(cmdLine + j, sizeof(cmdLine) - 1 - j, " \"%s\"", argv[i]);
4632  }
4633  if (cmdLine[sizeof(cmdLine) - 2] != '\0')
4634  {
4635  elog(LOG, "subprocess command line too long");
4636  return -1;
4637  }
4638 
4639  memset(&pi, 0, sizeof(pi));
4640  memset(&si, 0, sizeof(si));
4641  si.cb = sizeof(si);
4642 
4643  /*
4644  * Create the subprocess in a suspended state. This will be resumed later,
4645  * once we have written out the parameter file.
4646  */
4647  if (!CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, CREATE_SUSPENDED,
4648  NULL, NULL, &si, &pi))
4649  {
4650  elog(LOG, "CreateProcess call failed: %m (error code %lu)",
4651  GetLastError());
4652  return -1;
4653  }
4654 
4655  if (!save_backend_variables(param, port, pi.hProcess, pi.dwProcessId))
4656  {
4657  /*
4658  * log made by save_backend_variables, but we have to clean up the
4659  * mess with the half-started process
4660  */
4661  if (!TerminateProcess(pi.hProcess, 255))
4662  ereport(LOG,
4663  (errmsg_internal("could not terminate unstarted process: error code %lu",
4664  GetLastError())));
4665  CloseHandle(pi.hProcess);
4666  CloseHandle(pi.hThread);
4667  return -1; /* log made by save_backend_variables */
4668  }
4669 
4670  /* Drop the parameter shared memory that is now inherited to the backend */
4671  if (!UnmapViewOfFile(param))
4672  elog(LOG, "could not unmap view of backend parameter file: error code %lu",
4673  GetLastError());
4674  if (!CloseHandle(paramHandle))
4675  elog(LOG, "could not close handle to backend parameter file: error code %lu",
4676  GetLastError());
4677 
4678  /*
4679  * Reserve the memory region used by our main shared memory segment before
4680  * we resume the child process. Normally this should succeed, but if ASLR
4681  * is active then it might sometimes fail due to the stack or heap having
4682  * gotten mapped into that range. In that case, just terminate the
4683  * process and retry.
4684  */
4685  if (!pgwin32_ReserveSharedMemoryRegion(pi.hProcess))
4686  {
4687  /* pgwin32_ReserveSharedMemoryRegion already made a log entry */
4688  if (!TerminateProcess(pi.hProcess, 255))
4689  ereport(LOG,
4690  (errmsg_internal("could not terminate process that failed to reserve memory: error code %lu",
4691  GetLastError())));
4692  CloseHandle(pi.hProcess);
4693  CloseHandle(pi.hThread);
4694  if (++retry_count < 100)
4695  goto retry;
4696  ereport(LOG,
4697  (errmsg("giving up after too many tries to reserve shared memory"),
4698  errhint("This might be caused by ASLR or antivirus software.")));
4699  return -1;
4700  }
4701 
4702  /*
4703  * Now that the backend variables are written out, we start the child
4704  * thread so it can start initializing while we set up the rest of the
4705  * parent state.
4706  */
4707  if (ResumeThread(pi.hThread) == -1)
4708  {
4709  if (!TerminateProcess(pi.hProcess, 255))
4710  {
4711  ereport(LOG,
4712  (errmsg_internal("could not terminate unstartable process: error code %lu",
4713  GetLastError())));
4714  CloseHandle(pi.hProcess);
4715  CloseHandle(pi.hThread);
4716  return -1;
4717  }
4718  CloseHandle(pi.hProcess);
4719  CloseHandle(pi.hThread);
4720  ereport(LOG,
4721  (errmsg_internal("could not resume thread of unstarted process: error code %lu",
4722  GetLastError())));
4723  return -1;
4724  }
4725 
4726  /*
4727  * Queue a waiter for to signal when this child dies. The wait will be
4728  * handled automatically by an operating system thread pool.
4729  *
4730  * Note: use malloc instead of palloc, since it needs to be thread-safe.
4731  * Struct will be free():d from the callback function that runs on a
4732  * different thread.
4733  */
4734  childinfo = malloc(sizeof(win32_deadchild_waitinfo));
4735  if (!childinfo)
4736  ereport(FATAL,
4737  (errcode(ERRCODE_OUT_OF_MEMORY),
4738  errmsg("out of memory")));
4739 
4740  childinfo->procHandle = pi.hProcess;
4741  childinfo->procId = pi.dwProcessId;
4742 
4743  if (!RegisterWaitForSingleObject(&childinfo->waitHandle,
4744  pi.hProcess,
4745  pgwin32_deadchild_callback,
4746  childinfo,
4747  INFINITE,
4748  WT_EXECUTEONLYONCE | WT_EXECUTEINWAITTHREAD))
4749  ereport(FATAL,
4750  (errmsg_internal("could not register process for wait: error code %lu",
4751  GetLastError())));
4752 
4753  /* Don't close pi.hProcess here - the wait thread needs access to it */
4754 
4755  CloseHandle(pi.hThread);
4756 
4757  return pi.dwProcessId;
4758 }
4759 #endif /* WIN32 */
4760 
4761 
4762 /*
4763  * SubPostmasterMain -- Get the fork/exec'd process into a state equivalent
4764  * to what it would be if we'd simply forked on Unix, and then
4765  * dispatch to the appropriate place.
4766  *
4767  * The first two command line arguments are expected to be "--forkFOO"
4768  * (where FOO indicates which postmaster child we are to become), and
4769  * the name of a variables file that we can read to load data that would
4770  * have been inherited by fork() on Unix. Remaining arguments go to the
4771  * subprocess FooMain() routine.
4772  */
4773 void
4774 SubPostmasterMain(int argc, char *argv[])
4775 {
4776  Port port;
4777 
4778  /* In EXEC_BACKEND case we will not have inherited these settings */
4779  IsPostmasterEnvironment = true;
4781 
4782  /* Setup as postmaster child */
4784 
4785  /* Setup essential subsystems (to ensure elog() behaves sanely) */
4787 
4788  /* Check we got appropriate args */
4789  if (argc < 3)
4790  elog(FATAL, "invalid subpostmaster invocation");
4791 
4792  /* Read in the variables file */
4793  memset(&port, 0, sizeof(Port));
4794  read_backend_variables(argv[2], &port);
4795 
4796  /* Close the postmaster's sockets (as soon as we know them) */
4797  ClosePostmasterPorts(strcmp(argv[1], "--forklog") == 0);
4798 
4799  /*
4800  * Set reference point for stack-depth checking
4801  */
4802  set_stack_base();
4803 
4804  /*
4805  * Set up memory area for GSS information. Mirrors the code in ConnCreate
4806  * for the non-exec case.
4807  */
4808 #if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
4809  port.gss = (pg_gssinfo *) calloc(1, sizeof(pg_gssinfo));
4810  if (!port.gss)
4811  ereport(FATAL,
4812  (errcode(ERRCODE_OUT_OF_MEMORY),
4813  errmsg("out of memory")));
4814 #endif
4815 
4816  /*
4817  * If appropriate, physically re-attach to shared memory segment. We want
4818  * to do this before going any further to ensure that we can attach at the
4819  * same address the postmaster used. On the other hand, if we choose not
4820  * to re-attach, we may have other cleanup to do.
4821  *
4822  * If testing EXEC_BACKEND on Linux, you should run this as root before
4823  * starting the postmaster:
4824  *
4825  * echo 0 >/proc/sys/kernel/randomize_va_space
4826  *
4827  * This prevents using randomized stack and code addresses that cause the
4828  * child process's memory map to be different from the parent's, making it
4829  * sometimes impossible to attach to shared memory at the desired address.
4830  * Return the setting to its old value (usually '1' or '2') when finished.
4831  */
4832  if (strcmp(argv[1], "--forkbackend") == 0 ||
4833  strcmp(argv[1], "--forkavlauncher") == 0 ||
4834  strcmp(argv[1], "--forkavworker") == 0 ||
4835  strcmp(argv[1], "--forkboot") == 0 ||
4836  strncmp(argv[1], "--forkbgworker=", 15) == 0)
4838  else
4840 
4841  /* autovacuum needs this set before calling InitProcess */
4842  if (strcmp(argv[1], "--forkavlauncher") == 0)
4843  AutovacuumLauncherIAm();
4844  if (strcmp(argv[1], "--forkavworker") == 0)
4845  AutovacuumWorkerIAm();
4846 
4847  /*
4848  * Start our win32 signal implementation. This has to be done after we
4849  * read the backend variables, because we need to pick up the signal pipe
4850  * from the parent process.
4851  */
4852 #ifdef WIN32
4854 #endif
4855 
4856  /* In EXEC_BACKEND case we will not have inherited these settings */
4857  pqinitmask();
4858  PG_SETMASK(&BlockSig);
4859 
4860  /* Read in remaining GUC variables */
4861  read_nondefault_variables();
4862 
4863  /*
4864  * (re-)read control file, as it contains config. The postmaster will
4865  * already have read this, but this process doesn't know about that.
4866  */
4867  LocalProcessControlFile(false);
4868 
4869  /*
4870  * Reload any libraries that were preloaded by the postmaster. Since we
4871  * exec'd this process, those libraries didn't come along with us; but we
4872  * should load them into all child processes to be consistent with the
4873  * non-EXEC_BACKEND behavior.
4874  */
4876 
4877  /* Run backend or appropriate child */
4878  if (strcmp(argv[1], "--forkbackend") == 0)
4879  {
4880  Assert(argc == 3); /* shouldn't be any more args */
4881 
4882  /*
4883  * Need to reinitialize the SSL library in the backend, since the
4884  * context structures contain function pointers and cannot be passed
4885  * through the parameter file.
4886  *
4887  * If for some reason reload fails (maybe the user installed broken
4888  * key files), soldier on without SSL; that's better than all
4889  * connections becoming impossible.
4890  *
4891  * XXX should we do this in all child processes? For the moment it's
4892  * enough to do it in backend children.
4893  */
4894 #ifdef USE_SSL
4895  if (EnableSSL)
4896  {
4897  if (secure_initialize(false) == 0)
4898  LoadedSSL = true;
4899  else
4900  ereport(LOG,
4901  (errmsg("SSL configuration could not be loaded in child process")));
4902  }
4903 #endif
4904 
4905  /*
4906  * Perform additional initialization and collect startup packet.
4907  *
4908  * We want to do this before InitProcess() for a couple of reasons: 1.
4909  * so that we aren't eating up a PGPROC slot while waiting on the
4910  * client. 2. so that if InitProcess() fails due to being out of
4911  * PGPROC slots, we have already initialized libpq and are able to
4912  * report the error to the client.
4913  */
4914  BackendInitialize(&port);
4915 
4916  /* Restore basic shared memory pointers */
4918 
4919  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4920  InitProcess();
4921 
4922  /* Attach process to shared data structures */
4924 
4925  /* And run the backend */
4926  BackendRun(&port); /* does not return */
4927  }
4928  if (strcmp(argv[1], "--forkboot") == 0)
4929  {
4930  /* Restore basic shared memory pointers */
4932 
4933  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4935 
4936  /* Attach process to shared data structures */
4938 
4939  AuxiliaryProcessMain(argc - 2, argv + 2); /* does not return */
4940  }
4941  if (strcmp(argv[1], "--forkavlauncher") == 0)
4942  {
4943  /* Restore basic shared memory pointers */
4945 
4946  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4947  InitProcess();
4948 
4949  /* Attach process to shared data structures */
4951 
4952  AutoVacLauncherMain(argc - 2, argv + 2); /* does not return */
4953  }
4954  if (strcmp(argv[1], "--forkavworker") == 0)
4955  {
4956  /* Restore basic shared memory pointers */
4958 
4959  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4960  InitProcess();
4961 
4962  /* Attach process to shared data structures */
4964 
4965  AutoVacWorkerMain(argc - 2, argv + 2); /* does not return */
4966  }
4967  if (strncmp(argv[1], "--forkbgworker=", 15) == 0)
4968  {
4969  int shmem_slot;
4970 
4971  /* do this as early as possible; in particular, before InitProcess() */
4972  IsBackgroundWorker = true;
4973 
4974  /* Restore basic shared memory pointers */
4976 
4977  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
4978  InitProcess();
4979 
4980  /* Attach process to shared data structures */
4982 
4983  /* Fetch MyBgworkerEntry from shared memory */
4984  shmem_slot = atoi(argv[1] + 15);
4985  MyBgworkerEntry = BackgroundWorkerEntry(shmem_slot);
4986 
4988  }
4989  if (strcmp(argv[1], "--forkarch") == 0)
4990  {
4991  /* Do not want to attach to shared memory */
4992 
4993  PgArchiverMain(argc, argv); /* does not return */
4994  }
4995  if (strcmp(argv[1], "--forkcol") == 0)
4996  {
4997  /* Do not want to attach to shared memory */
4998 
4999  PgstatCollectorMain(argc, argv); /* does not return */
5000  }
5001  if (strcmp(argv[1], "--forklog") == 0)
5002  {
5003  /* Do not want to attach to shared memory */
5004 
5005  SysLoggerMain(argc, argv); /* does not return */
5006  }
5007 
5008  abort(); /* shouldn't get here */
5009 }
5010 #endif /* EXEC_BACKEND */
5011 
5012 
5013 /*
5014  * ExitPostmaster -- cleanup
5015  *
5016  * Do NOT call exit() directly --- always go through here!
5017  */
5018 static void
5020 {
5021 #ifdef HAVE_PTHREAD_IS_THREADED_NP
5022 
5023  /*
5024  * There is no known cause for a postmaster to become multithreaded after
5025  * startup. Recheck to account for the possibility of unknown causes.
5026  * This message uses LOG level, because an unclean shutdown at this point
5027  * would usually not look much different from a clean shutdown.
5028  */
5029  if (pthread_is_threaded_np() != 0)
5030  ereport(LOG,
5031  (errcode(ERRCODE_INTERNAL_ERROR),
5032  errmsg_internal("postmaster became multithreaded"),
5033  errdetail("Please report this to <pgsql-bugs@postgresql.org>.")));
5034 #endif
5035 
5036  /* should cleanup shared memory and kill all backends */
5037 
5038  /*
5039  * Not sure of the semantics here. When the Postmaster dies, should the
5040  * backends all be killed? probably not.
5041  *
5042  * MUST -- vadim 05-10-1999
5043  */
5044 
5045  proc_exit(status);
5046 }
5047 
5048 /*
5049  * sigusr1_handler - handle signal conditions from child processes
5050  */
5051 static void
5053 {
5054  int save_errno = errno;
5055 
5056  PG_SETMASK(&BlockSig);
5057 
5058  /* Process background worker state change. */
5060  {
5062  StartWorkerNeeded = true;
5063  }
5064 
5065  /*
5066  * RECOVERY_STARTED and BEGIN_HOT_STANDBY signals are ignored in
5067  * unexpected states. If the startup process quickly starts up, completes
5068  * recovery, exits, we might process the death of the startup process
5069  * first. We don't want to go back to recovery in that case.
5070  */
5073  {
5074  /* WAL redo has started. We're out of reinitialization. */
5075  FatalError = false;
5076  Assert(AbortStartTime == 0);
5077 
5078  /*
5079  * Crank up the background tasks. It doesn't matter if this fails,
5080  * we'll just try again later.
5081  */
5082  Assert(CheckpointerPID == 0);
5084  Assert(BgWriterPID == 0);
5086 
5087  /*
5088  * Start the archiver if we're responsible for (re-)archiving received
5089  * files.
5090  */
5091  Assert(PgArchPID == 0);
5092  if (XLogArchivingAlways())
5093  PgArchPID = pgarch_start();
5094 
5095  /*
5096  * If we aren't planning to enter hot standby mode later, treat
5097  * RECOVERY_STARTED as meaning we're out of startup, and report status
5098  * accordingly.
5099  */
5100  if (!EnableHotStandby)
5101  {
5103 #ifdef USE_SYSTEMD
5104  sd_notify(0, "READY=1");
5105 #endif
5106  }
5107 
5108  pmState = PM_RECOVERY;
5109  }
5112  {
5113  /*
5114  * Likewise, start other special children as needed.
5115  */
5116  Assert(PgStatPID == 0);
5117  PgStatPID = pgstat_start();
5118 
5119  ereport(LOG,
5120  (errmsg("database system is ready to accept read only connections")));
5121 
5122  /* Report status */
5124 #ifdef USE_SYSTEMD
5125  sd_notify(0, "READY=1");
5126 #endif
5127 
5129  /* Some workers may be scheduled to start now */
5130  StartWorkerNeeded = true;
5131  }
5132 
5135 
5137  PgArchPID != 0)
5138  {
5139  /*
5140  * Send SIGUSR1 to archiver process, to wake it up and begin archiving
5141  * next WAL file.
5142  */
5144  }
5145 
5147  SysLoggerPID != 0)
5148  {
5149  /* Tell syslogger to rotate logfile */
5151  }
5152 
5154  Shutdown == NoShutdown)
5155  {
5156  /*
5157  * Start one iteration of the autovacuum daemon, even if autovacuuming
5158  * is nominally not enabled. This is so we can have an active defense
5159  * against transaction ID wraparound. We set a flag for the main loop
5160  * to do it rather than trying to do it here --- this is because the
5161  * autovac process itself may send the signal, and we want to handle
5162  * that by launching another iteration as soon as the current one
5163  * completes.
5164  */
5165  start_autovac_launcher = true;
5166  }
5167 
5169  Shutdown == NoShutdown)
5170  {
5171  /* The autovacuum launcher wants us to start a worker process. */
5173  }
5174 
5176  {
5177  /* Startup Process wants us to start the walreceiver process. */
5178  /* Start immediately if possible, else remember request for later. */
5179  WalReceiverRequested = true;
5181  }
5182 
5185  {
5186  /* Advance postmaster's state machine */
5188  }
5189 
5190  if (CheckPromoteSignal() && StartupPID != 0 &&
5191  (pmState == PM_STARTUP || pmState == PM_RECOVERY ||
5193  {
5194  /* Tell startup process to finish recovery */
5196  }
5197 
5199 
5200  errno = save_errno;
5201 }
5202 
5203 /*
5204  * SIGTERM or SIGQUIT while processing startup packet.
5205  * Clean up and exit(1).
5206  *
5207  * XXX: possible future improvement: try to send a message indicating
5208  * why we are disconnecting. Problem is to be sure we don't block while
5209  * doing so, nor mess up SSL initialization. In practice, if the client
5210  * has wedged here, it probably couldn't do anything with the message anyway.
5211  */
5212 static void
5214 {
5215  proc_exit(1);
5216 }
5217 
5218 /*
5219  * Dummy signal handler
5220  *
5221  * We use this for signals that we don't actually use in the postmaster,
5222  * but we do use in backends. If we were to SIG_IGN such signals in the
5223  * postmaster, then a newly started backend might drop a signal that arrives
5224  * before it's able to reconfigure its signal processing. (See notes in
5225  * tcop/postgres.c.)
5226  */
5227 static void
5229 {
5230 }
5231 
5232 /*
5233  * Timeout while processing startup packet.
5234  * As for startup_die(), we clean up and exit(1).
5235  */
5236 static void
5238 {
5239  proc_exit(1);
5240 }
5241 
5242 
5243 /*
5244  * Generate a random cancel key.
5245  */
5246 static bool
5248 {
5249 #ifdef HAVE_STRONG_RANDOM
5250  return pg_strong_random((char *) cancel_key, sizeof(int32));
5251 #else
5252 
5253  /*
5254  * If built with --disable-strong-random, use plain old erand48.
5255  *
5256  * We cannot use pg_backend_random() in postmaster, because it stores its
5257  * state in shared memory.
5258  */
5259  static unsigned short seed[3];
5260 
5261  /*
5262  * Select a random seed at the time of first receiving a request.
5263  */
5264  if (random_seed == 0)
5265  {
5266  struct timeval random_stop_time;
5267 
5268  gettimeofday(&random_stop_time, NULL);
5269 
5270  seed[0] = (unsigned short) random_start_time.tv_usec;
5271  seed[1] = (unsigned short) (random_stop_time.tv_usec) ^ (random_start_time.tv_usec >> 16);
5272  seed[2] = (unsigned short) (random_stop_time.tv_usec >> 16);
5273 
5274  random_seed = 1;
5275  }
5276 
5277  *cancel_key = pg_jrand48(seed);
5278 
5279  return true;
5280 #endif
5281 }
5282 
5283 /*
5284  * Count up number of child processes of specified types (dead_end children
5285  * are always excluded).
5286  */
5287 static int
5288 CountChildren(int target)
5289 {
5290  dlist_iter iter;
5291  int cnt = 0;
5292 
5293  dlist_foreach(iter, &BackendList)
5294  {
5295  Backend *bp = dlist_container(Backend, elem, iter.cur);
5296 
5297  if (bp->dead_end)
5298  continue;
5299 
5300  /*
5301  * Since target == BACKEND_TYPE_ALL is the most common case, we test
5302  * it first and avoid touching shared memory for every child.
5303  */
5304  if (target != BACKEND_TYPE_ALL)
5305  {
5306  /*
5307  * Assign bkend_type for any recently announced WAL Sender
5308  * processes.
5309  */
5310  if (bp->bkend_type == BACKEND_TYPE_NORMAL &&
5313 
5314  if (!(target & bp->bkend_type))
5315  continue;
5316  }
5317 
5318  cnt++;
5319  }
5320  return cnt;
5321 }
5322 
5323 
5324 /*
5325  * StartChildProcess -- start an auxiliary process for the postmaster
5326  *
5327  * "type" determines what kind of child will be started. All child types
5328  * initially go to AuxiliaryProcessMain, which will handle common setup.
5329  *
5330  * Return value of StartChildProcess is subprocess' PID, or 0 if failed
5331  * to start subprocess.
5332  */
5333 static pid_t
5335 {
5336  pid_t pid;
5337  char *av[10];
5338  int ac = 0;
5339  char typebuf[32];
5340 
5341  /*
5342  * Set up command-line arguments for subprocess
5343  */
5344  av[ac++] = "postgres";
5345 
5346 #ifdef EXEC_BACKEND
5347  av[ac++] = "--forkboot";
5348  av[ac++] = NULL; /* filled in by postmaster_forkexec */
5349 #endif
5350 
5351  snprintf(typebuf, sizeof(typebuf), "-x%d", type);
5352  av[ac++] = typebuf;
5353 
5354  av[ac] = NULL;
5355  Assert(ac < lengthof(av));
5356 
5357 #ifdef EXEC_BACKEND
5358  pid = postmaster_forkexec(ac, av);
5359 #else /* !EXEC_BACKEND */
5360  pid = fork_process();
5361 
5362  if (pid == 0) /* child */
5363  {
5365 
5366  /* Close the postmaster's sockets */
5367  ClosePostmasterPorts(false);
5368 
5369  /* Release postmaster's working memory context */
5372  PostmasterContext = NULL;
5373 
5374  AuxiliaryProcessMain(ac, av);
5375  ExitPostmaster(0);
5376  }
5377 #endif /* EXEC_BACKEND */
5378 
5379  if (pid < 0)
5380  {
5381  /* in parent, fork failed */
5382  int save_errno = errno;
5383 
5384  errno = save_errno;
5385  switch (type)
5386  {
5387  case StartupProcess:
5388  ereport(LOG,
5389  (errmsg("could not fork startup process: %m")));
5390  break;
5391  case BgWriterProcess:
5392  ereport(LOG,
5393  (errmsg("could not fork background writer process: %m")));
5394  break;
5395  case CheckpointerProcess:
5396  ereport(LOG,
5397  (errmsg("could not fork checkpointer process: %m")));
5398  break;
5399  case WalWriterProcess:
5400  ereport(LOG,
5401  (errmsg("could not fork WAL writer process: %m")));
5402  break;
5403  case WalReceiverProcess:
5404  ereport(LOG,
5405  (errmsg("could not fork WAL receiver process: %m")));
5406  break;
5407  default:
5408  ereport(LOG,
5409  (errmsg("could not fork process: %m")));
5410  break;
5411  }
5412 
5413  /*
5414  * fork failure is fatal during startup, but there's no need to choke
5415  * immediately if starting other child types fails.
5416  */
5417  if (type == StartupProcess)
5418  ExitPostmaster(1);
5419  return 0;
5420  }
5421 
5422  /*
5423  * in parent, successful fork
5424  */
5425  return pid;
5426 }
5427 
5428 /*
5429  * StartAutovacuumWorker
5430  * Start an autovac worker process.
5431  *
5432  * This function is here because it enters the resulting PID into the
5433  * postmaster's private backends list.
5434  *
5435  * NB -- this code very roughly matches BackendStartup.
5436  */
5437 static void
5439 {
5440  Backend *bn;
5441 
5442  /*
5443  * If not in condition to run a process, don't try, but handle it like a
5444  * fork failure. This does not normally happen, since the signal is only
5445  * supposed to be sent by autovacuum launcher when it's OK to do it, but
5446  * we have to check to avoid race-condition problems during DB state
5447  * changes.
5448  */
5449  if (canAcceptConnections() == CAC_OK)
5450  {
5451  /*
5452  * Compute the cancel key that will be assigned to this session. We
5453  * probably don't need cancel keys for autovac workers, but we'd
5454  * better have something random in the field to prevent unfriendly
5455  * people from sending cancels to them.
5456  */
5458  {
5459  ereport(LOG,
5460  (errcode(ERRCODE_INTERNAL_ERROR),
5461  errmsg("could not generate random cancel key")));
5462  return;
5463  }
5464 
5465  bn = (Backend *) malloc(sizeof(Backend));
5466  if (bn)
5467  {
5468  bn->cancel_key = MyCancelKey;
5469 
5470  /* Autovac workers are not dead_end and need a child slot */
5471  bn->dead_end = false;
5473  bn->bgworker_notify = false;
5474 
5475  bn->pid = StartAutoVacWorker();
5476  if (bn->pid > 0)
5477  {
5479  dlist_push_head(&BackendList, &bn->elem);
5480 #ifdef EXEC_BACKEND
5481  ShmemBackendArrayAdd(bn);
5482 #endif
5483  /* all OK */
5484  return;
5485  }
5486 
5487  /*
5488  * fork failed, fall through to report -- actual error message was
5489  * logged by StartAutoVacWorker
5490  */
5492  free(bn);
5493  }
5494  else
5495  ereport(LOG,
5496  (errcode(ERRCODE_OUT_OF_MEMORY),
5497  errmsg("out of memory")));
5498  }
5499 
5500  /*
5501  * Report the failure to the launcher, if it's running. (If it's not, we
5502  * might not even be connected to shared memory, so don't try to call
5503  * AutoVacWorkerFailed.) Note that we also need to signal it so that it
5504  * responds to the condition, but we don't do that here, instead waiting
5505  * for ServerLoop to do it. This way we avoid a ping-pong signalling in
5506  * quick succession between the autovac launcher and postmaster in case
5507  * things get ugly.
5508  */
5509  if (AutoVacPID != 0)
5510  {
5512  avlauncher_needs_signal = true;
5513  }
5514 }
5515 
5516 /*
5517  * MaybeStartWalReceiver
5518  * Start the WAL receiver process, if not running and our state allows.
5519  */
5520 static void
5522 {
5523  if (WalReceiverPID == 0 &&
5524  (pmState == PM_STARTUP || pmState == PM_RECOVERY ||
5526  Shutdown == NoShutdown)
5527  {
5529  WalReceiverRequested = false;
5530  }
5531 }
5532 
5533 
5534 /*
5535  * Create the opts file
5536  */
5537 static bool
5538 CreateOptsFile(int argc, char *argv[], char *fullprogname)
5539 {
5540  FILE *fp;
5541  int i;
5542 
5543 #define OPTS_FILE "postmaster.opts"
5544 
5545  if ((fp = fopen(OPTS_FILE, "w")) == NULL)
5546  {
5547  elog(LOG, "could not create file \"%s\": %m", OPTS_FILE);
5548  return false;
5549  }
5550 
5551  fprintf(fp, "%s", fullprogname);
5552  for (i = 1; i < argc; i++)
5553  fprintf(fp, " \"%s\"", argv[i]);
5554  fputs("\n", fp);
5555 
5556  if (fclose(fp))
5557  {
5558  elog(LOG, "could not write file \"%s\": %m", OPTS_FILE);
5559  return false;
5560  }
5561 
5562  return true;
5563 }
5564 
5565 
5566 /*
5567  * MaxLivePostmasterChildren
5568  *
5569  * This reports the number of entries needed in per-child-process arrays
5570  * (the PMChildFlags array, and if EXEC_BACKEND the ShmemBackendArray).
5571  * These arrays include regular backends, autovac workers, walsenders
5572  * and background workers, but not special children nor dead_end children.
5573  * This allows the arrays to have a fixed maximum size, to wit the same
5574  * too-many-children limit enforced by canAcceptConnections(). The exact value
5575  * isn't too critical as long as it's more than MaxBackends.
5576  */
5577 int
5579 {
5580  return 2 * (MaxConnections + autovacuum_max_workers + 1 +
5582 }
5583 
5584 /*
5585  * Connect background worker to a database.
5586  */
5587 void
5589 {
5591 
5592  /* XXX is this the right errcode? */
5594  ereport(FATAL,
5595  (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
5596  errmsg("database connection requirement not indicated during registration")));
5597 
5598  InitPostgres(dbname, InvalidOid, username, InvalidOid, NULL);
5599 
5600  /* it had better not gotten out of "init" mode yet */
5601  if (!IsInitProcessingMode())
5602  ereport(ERROR,
5603  (errmsg("invalid processing mode in background worker")));
5605 }
5606 
5607 /*
5608  * Connect background worker to a database using OIDs.
5609  */
5610 void
5612 {
5614 
5615  /* XXX is this the right errcode? */
5617  ereport(FATAL,
5618  (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
5619  errmsg("database connection requirement not indicated during registration")));
5620 
5621  InitPostgres(NULL, dboid, NULL, useroid, NULL);
5622 
5623  /* it had better not gotten out of "init" mode yet */
5624  if (!IsInitProcessingMode())
5625  ereport(ERROR,
5626  (errmsg("invalid processing mode in background worker")));
5628 }
5629 
5630 /*
5631  * Block/unblock signals in a background worker
5632  */
5633 void
5635 {
5636  PG_SETMASK(&BlockSig);
5637 }
5638 
5639 void
5641 {
5643 }
5644 
5645 #ifdef EXEC_BACKEND
5646 static pid_t
5647 bgworker_forkexec(int shmem_slot)
5648 {
5649  char *av[10];
5650  int ac = 0;
5651  char forkav[MAXPGPATH];
5652 
5653  snprintf(forkav, MAXPGPATH, "--forkbgworker=%d", shmem_slot);
5654 
5655  av[ac++] = "postgres";
5656  av[ac++] = forkav;
5657  av[ac++] = NULL; /* filled in by postmaster_forkexec */
5658  av[ac] = NULL;
5659 
5660  Assert(ac < lengthof(av));
5661 
5662  return postmaster_forkexec(ac, av);
5663 }
5664 #endif
5665 
5666 /*
5667  * Start a new bgworker.
5668  * Starting time conditions must have been checked already.
5669  *
5670  * Returns true on success, false on failure.
5671  * In either case, update the RegisteredBgWorker's state appropriately.
5672  *
5673  * This code is heavily based on autovacuum.c, q.v.
5674  */
5675 static bool
5677 {
5678  pid_t worker_pid;
5679 
5680  Assert(rw->rw_pid == 0);
5681 
5682  /*
5683  * Allocate and assign the Backend element. Note we must do this before
5684  * forking, so that we can handle out of memory properly.
5685  *
5686  * Treat failure as though the worker had crashed. That way, the
5687  * postmaster will wait a bit before attempting to start it again; if it
5688  * tried again right away, most likely it'd find itself repeating the
5689  * out-of-memory or fork failure condition.
5690  */
5691  if (!assign_backendlist_entry(rw))
5692  {
5694  return false;
5695  }
5696 
5697  ereport(DEBUG1,
5698  (errmsg("starting background worker process \"%s\"",
5699  rw->rw_worker.bgw_name)));
5700 
5701 #ifdef EXEC_BACKEND
5702  switch ((worker_pid = bgworker_forkexec(rw->rw_shmem_slot)))
5703 #else
5704  switch ((worker_pid = fork_process()))
5705 #endif
5706  {
5707  case -1:
5708  /* in postmaster, fork failed ... */
5709  ereport(LOG,
5710  (errmsg("could not fork worker process: %m")));
5711  /* undo what assign_backendlist_entry did */
5713  rw->rw_child_slot = 0;
5714  free(rw->rw_backend);
5715  rw->rw_backend = NULL;
5716  /* mark entry as crashed, so we'll try again later */
5718  break;
5719 
5720 #ifndef EXEC_BACKEND
5721  case 0:
5722  /* in postmaster child ... */
5724 
5725  /* Close the postmaster's sockets */
5726  ClosePostmasterPorts(false);
5727 
5728  /*
5729  * Before blowing away PostmasterContext, save this bgworker's
5730  * data where it can find it.
5731  */
5732  MyBgworkerEntry = (BackgroundWorker *)
5734  memcpy(MyBgworkerEntry, &rw->rw_worker, sizeof(BackgroundWorker));
5735 
5736  /* Release postmaster's working memory context */
5739  PostmasterContext = NULL;
5740 
5742 
5743  exit(1); /* should not get here */
5744  break;
5745 #endif
5746  default:
5747  /* in postmaster, fork successful ... */
5748  rw->rw_pid = worker_pid;
5749  rw->rw_backend->pid = rw->rw_pid;
5751  /* add new worker to lists of backends */
5752  dlist_push_head(&BackendList, &rw->rw_backend->elem);
5753 #ifdef EXEC_BACKEND
5754  ShmemBackendArrayAdd(rw->rw_backend);
5755 #endif
5756  return true;
5757  }
5758 
5759  return false;
5760 }
5761 
5762 /*
5763  * Does the current postmaster state require starting a worker with the
5764  * specified start_time?
5765  */
5766 static bool
5768 {
5769  switch (pmState)
5770  {
5771  case PM_NO_CHILDREN:
5772  case PM_WAIT_DEAD_END:
5773  case PM_SHUTDOWN_2:
5774  case PM_SHUTDOWN:
5775  case PM_WAIT_BACKENDS:
5776  case PM_WAIT_READONLY:
5777  case PM_WAIT_BACKUP:
5778  break;
5779 
5780  case PM_RUN:
5781  if (start_time == BgWorkerStart_RecoveryFinished)
5782  return true;
5783  /* fall through */
5784 
5785  case PM_HOT_STANDBY:
5786  if (start_time == BgWorkerStart_ConsistentState)
5787  return true;
5788  /* fall through */
5789 
5790  case PM_RECOVERY:
5791  case PM_STARTUP:
5792  case PM_INIT:
5793  if (start_time == BgWorkerStart_PostmasterStart)
5794  return true;
5795  /* fall through */
5796 
5797  }
5798 
5799  return false;
5800 }
5801 
5802 /*
5803  * Allocate the Backend struct for a connected background worker, but don't
5804  * add it to the list of backends just yet.
5805  *
5806  * On failure, return false without changing any worker state.
5807  *
5808  * Some info from the Backend is copied into the passed rw.
5809  */
5810 static bool
5812 {
5813  Backend *bn;
5814 
5815  /*
5816  * Compute the cancel key that will be assigned to this session. We
5817  * probably don't need cancel keys for background workers, but we'd better
5818  * have something random in the field to prevent unfriendly people from
5819  * sending cancels to them.
5820  */
5822  {
5823  ereport(LOG,
5824  (errcode(ERRCODE_INTERNAL_ERROR),
5825  errmsg("could not generate random cancel key")));
5826  return false;
5827  }
5828 
5829  bn = malloc(sizeof(Backend));
5830  if (bn == NULL)
5831  {
5832  ereport(LOG,
5833  (errcode(ERRCODE_OUT_OF_MEMORY),
5834  errmsg("out of memory")));
5835  return false;
5836  }
5837 
5838  bn->cancel_key = MyCancelKey;
5841  bn->