PostgreSQL Source Code  git master
postmaster.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * postmaster.c
4  * This program acts as a clearing house for requests to the
5  * POSTGRES system. Frontend programs send a startup message
6  * to the Postmaster and the postmaster uses the info in the
7  * message to setup a backend process.
8  *
9  * The postmaster also manages system-wide operations such as
10  * startup and shutdown. The postmaster itself doesn't do those
11  * operations, mind you --- it just forks off a subprocess to do them
12  * at the right times. It also takes care of resetting the system
13  * if a backend crashes.
14  *
15  * The postmaster process creates the shared memory and semaphore
16  * pools during startup, but as a rule does not touch them itself.
17  * In particular, it is not a member of the PGPROC array of backends
18  * and so it cannot participate in lock-manager operations. Keeping
19  * the postmaster away from shared memory operations makes it simpler
20  * and more reliable. The postmaster is almost always able to recover
21  * from crashes of individual backends by resetting shared memory;
22  * if it did much with shared memory then it would be prone to crashing
23  * along with the backends.
24  *
25  * When a request message is received, we now fork() immediately.
26  * The child process performs authentication of the request, and
27  * then becomes a backend if successful. This allows the auth code
28  * to be written in a simple single-threaded style (as opposed to the
29  * crufty "poor man's multitasking" code that used to be needed).
30  * More importantly, it ensures that blockages in non-multithreaded
31  * libraries like SSL or PAM cannot cause denial of service to other
32  * clients.
33  *
34  *
35  * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
36  * Portions Copyright (c) 1994, Regents of the University of California
37  *
38  *
39  * IDENTIFICATION
40  * src/backend/postmaster/postmaster.c
41  *
42  * NOTES
43  *
44  * Initialization:
45  * The Postmaster sets up shared memory data structures
46  * for the backends.
47  *
48  * Synchronization:
49  * The Postmaster shares memory with the backends but should avoid
50  * touching shared memory, so as not to become stuck if a crashing
51  * backend screws up locks or shared memory. Likewise, the Postmaster
52  * should never block on messages from frontend clients.
53  *
54  * Garbage Collection:
55  * The Postmaster cleans up after backends if they have an emergency
56  * exit and/or core dump.
57  *
58  * Error Reporting:
59  * Use write_stderr() only for reporting "interactive" errors
60  * (essentially, bogus arguments on the command line). Once the
61  * postmaster is launched, use ereport().
62  *
63  *-------------------------------------------------------------------------
64  */
65 
66 #include "postgres.h"
67 
68 #include <unistd.h>
69 #include <signal.h>
70 #include <time.h>
71 #include <sys/wait.h>
72 #include <ctype.h>
73 #include <sys/stat.h>
74 #include <sys/socket.h>
75 #include <fcntl.h>
76 #include <sys/param.h>
77 #include <netdb.h>
78 #include <limits.h>
79 
80 #ifdef HAVE_SYS_SELECT_H
81 #include <sys/select.h>
82 #endif
83 
84 #ifdef USE_BONJOUR
85 #include <dns_sd.h>
86 #endif
87 
88 #ifdef USE_SYSTEMD
89 #include <systemd/sd-daemon.h>
90 #endif
91 
92 #ifdef HAVE_PTHREAD_IS_THREADED_NP
93 #include <pthread.h>
94 #endif
95 
96 #include "access/transam.h"
97 #include "access/xlog.h"
98 #include "catalog/pg_control.h"
99 #include "common/file_perm.h"
100 #include "common/ip.h"
101 #include "common/pg_prng.h"
102 #include "common/string.h"
103 #include "lib/ilist.h"
104 #include "libpq/auth.h"
105 #include "libpq/libpq.h"
106 #include "libpq/pqformat.h"
107 #include "libpq/pqsignal.h"
108 #include "pg_getopt.h"
109 #include "pgstat.h"
110 #include "port/pg_bswap.h"
111 #include "postmaster/autovacuum.h"
112 #include "postmaster/auxprocess.h"
114 #include "postmaster/fork_process.h"
115 #include "postmaster/interrupt.h"
116 #include "postmaster/pgarch.h"
117 #include "postmaster/postmaster.h"
118 #include "postmaster/syslogger.h"
120 #include "replication/walsender.h"
121 #include "storage/fd.h"
122 #include "storage/ipc.h"
123 #include "storage/pg_shmem.h"
124 #include "storage/pmsignal.h"
125 #include "storage/proc.h"
126 #include "tcop/tcopprot.h"
127 #include "utils/builtins.h"
128 #include "utils/datetime.h"
129 #include "utils/memutils.h"
130 #include "utils/pidfile.h"
131 #include "utils/ps_status.h"
132 #include "utils/queryjumble.h"
133 #include "utils/timeout.h"
134 #include "utils/timestamp.h"
135 #include "utils/varlena.h"
136 
137 #ifdef EXEC_BACKEND
138 #include "storage/spin.h"
139 #endif
140 
141 
142 /*
143  * Possible types of a backend. Beyond being the possible bkend_type values in
144  * struct bkend, these are OR-able request flag bits for SignalSomeChildren()
145  * and CountChildren().
146  */
147 #define BACKEND_TYPE_NORMAL 0x0001 /* normal backend */
148 #define BACKEND_TYPE_AUTOVAC 0x0002 /* autovacuum worker process */
149 #define BACKEND_TYPE_WALSND 0x0004 /* walsender process */
150 #define BACKEND_TYPE_BGWORKER 0x0008 /* bgworker process */
151 #define BACKEND_TYPE_ALL 0x000F /* OR of all the above */
152 
153 /*
154  * List of active backends (or child processes anyway; we don't actually
155  * know whether a given child has become a backend or is still in the
156  * authorization phase). This is used mainly to keep track of how many
157  * children we have and send them appropriate signals when necessary.
158  *
159  * As shown in the above set of backend types, this list includes not only
160  * "normal" client sessions, but also autovacuum workers, walsenders, and
161  * background workers. (Note that at the time of launch, walsenders are
162  * labeled BACKEND_TYPE_NORMAL; we relabel them to BACKEND_TYPE_WALSND
163  * upon noticing they've changed their PMChildFlags entry. Hence that check
164  * must be done before any operation that needs to distinguish walsenders
165  * from normal backends.)
166  *
167  * Also, "dead_end" children are in it: these are children launched just for
168  * the purpose of sending a friendly rejection message to a would-be client.
169  * We must track them because they are attached to shared memory, but we know
170  * they will never become live backends. dead_end children are not assigned a
171  * PMChildSlot. dead_end children have bkend_type NORMAL.
172  *
173  * "Special" children such as the startup, bgwriter and autovacuum launcher
174  * tasks are not in this list. They are tracked via StartupPID and other
175  * pid_t variables below. (Thus, there can't be more than one of any given
176  * "special" child process type. We use BackendList entries for any child
177  * process there can be more than one of.)
178  */
179 typedef struct bkend
180 {
181  pid_t pid; /* process id of backend */
182  int32 cancel_key; /* cancel key for cancels for this backend */
183  int child_slot; /* PMChildSlot for this backend, if any */
184  int bkend_type; /* child process flavor, see above */
185  bool dead_end; /* is it going to send an error and quit? */
186  bool bgworker_notify; /* gets bgworker start/stop notifications */
187  dlist_node elem; /* list link in BackendList */
189 
191 
192 #ifdef EXEC_BACKEND
193 static Backend *ShmemBackendArray;
194 #endif
195 
197 
198 
199 
200 /* The socket number we are listening for connections on */
202 
203 /* The directory names for Unix socket(s) */
205 
206 /* The TCP listen address(es) */
208 
209 /*
210  * ReservedBackends is the number of backends reserved for superuser use.
211  * This number is taken out of the pool size given by MaxConnections so
212  * number of backend slots available to non-superusers is
213  * (MaxConnections - ReservedBackends). Note what this really means is
214  * "if there are <= ReservedBackends connections available, only superusers
215  * can make new connections" --- pre-existing superuser connections don't
216  * count against the limit.
217  */
219 
220 /* The socket(s) we're listening to. */
221 #define MAXLISTEN 64
223 
224 /*
225  * These globals control the behavior of the postmaster in case some
226  * backend dumps core. Normally, it kills all peers of the dead backend
227  * and reinitializes shared memory. By specifying -s or -n, we can have
228  * the postmaster stop (rather than kill) peers and not reinitialize
229  * shared data structures. (Reinit is currently dead code, though.)
230  */
231 static bool Reinit = true;
232 static int SendStop = false;
233 
234 /* still more option variables */
235 bool EnableSSL = false;
236 
237 int PreAuthDelay = 0;
239 
240 bool log_hostname; /* for ps display and logging */
241 bool Log_connections = false;
242 bool Db_user_namespace = false;
243 
244 bool enable_bonjour = false;
248 
249 /* PIDs of special child processes; 0 when not running */
250 static pid_t StartupPID = 0,
259 
260 /* Startup process's status */
261 typedef enum
262 {
265  STARTUP_SIGNALED, /* we sent it a SIGQUIT or SIGKILL */
268 
270 
271 /* Startup/shutdown state */
272 #define NoShutdown 0
273 #define SmartShutdown 1
274 #define FastShutdown 2
275 #define ImmediateShutdown 3
276 
277 static int Shutdown = NoShutdown;
278 
279 static bool FatalError = false; /* T if recovering from backend crash */
280 
281 /*
282  * We use a simple state machine to control startup, shutdown, and
283  * crash recovery (which is rather like shutdown followed by startup).
284  *
285  * After doing all the postmaster initialization work, we enter PM_STARTUP
286  * state and the startup process is launched. The startup process begins by
287  * reading the control file and other preliminary initialization steps.
288  * In a normal startup, or after crash recovery, the startup process exits
289  * with exit code 0 and we switch to PM_RUN state. However, archive recovery
290  * is handled specially since it takes much longer and we would like to support
291  * hot standby during archive recovery.
292  *
293  * When the startup process is ready to start archive recovery, it signals the
294  * postmaster, and we switch to PM_RECOVERY state. The background writer and
295  * checkpointer are launched, while the startup process continues applying WAL.
296  * If Hot Standby is enabled, then, after reaching a consistent point in WAL
297  * redo, startup process signals us again, and we switch to PM_HOT_STANDBY
298  * state and begin accepting connections to perform read-only queries. When
299  * archive recovery is finished, the startup process exits with exit code 0
300  * and we switch to PM_RUN state.
301  *
302  * Normal child backends can only be launched when we are in PM_RUN or
303  * PM_HOT_STANDBY state. (connsAllowed can also restrict launching.)
304  * In other states we handle connection requests by launching "dead_end"
305  * child processes, which will simply send the client an error message and
306  * quit. (We track these in the BackendList so that we can know when they
307  * are all gone; this is important because they're still connected to shared
308  * memory, and would interfere with an attempt to destroy the shmem segment,
309  * possibly leading to SHMALL failure when we try to make a new one.)
310  * In PM_WAIT_DEAD_END state we are waiting for all the dead_end children
311  * to drain out of the system, and therefore stop accepting connection
312  * requests at all until the last existing child has quit (which hopefully
313  * will not be very long).
314  *
315  * Notice that this state variable does not distinguish *why* we entered
316  * states later than PM_RUN --- Shutdown and FatalError must be consulted
317  * to find that out. FatalError is never true in PM_RECOVERY, PM_HOT_STANDBY,
318  * or PM_RUN states, nor in PM_SHUTDOWN states (because we don't enter those
319  * states when trying to recover from a crash). It can be true in PM_STARTUP
320  * state, because we don't clear it until we've successfully started WAL redo.
321  */
322 typedef enum
323 {
324  PM_INIT, /* postmaster starting */
325  PM_STARTUP, /* waiting for startup subprocess */
326  PM_RECOVERY, /* in archive recovery mode */
327  PM_HOT_STANDBY, /* in hot standby mode */
328  PM_RUN, /* normal "database is alive" state */
329  PM_STOP_BACKENDS, /* need to stop remaining backends */
330  PM_WAIT_BACKENDS, /* waiting for live backends to exit */
331  PM_SHUTDOWN, /* waiting for checkpointer to do shutdown
332  * ckpt */
333  PM_SHUTDOWN_2, /* waiting for archiver and walsenders to
334  * finish */
335  PM_WAIT_DEAD_END, /* waiting for dead_end children to exit */
336  PM_NO_CHILDREN /* all important children have exited */
338 
340 
341 /*
342  * While performing a "smart shutdown", we restrict new connections but stay
343  * in PM_RUN or PM_HOT_STANDBY state until all the client backends are gone.
344  * connsAllowed is a sub-state indicator showing the active restriction.
345  * It is of no interest unless pmState is PM_RUN or PM_HOT_STANDBY.
346  */
347 typedef enum
348 {
349  ALLOW_ALL_CONNS, /* normal not-shutting-down state */
350  ALLOW_SUPERUSER_CONNS, /* only superusers can connect */
351  ALLOW_NO_CONNS /* no new connections allowed, period */
353 
355 
356 /* Start time of SIGKILL timeout during immediate shutdown or child crash */
357 /* Zero means timeout is not running */
358 static time_t AbortStartTime = 0;
359 
360 /* Length of said timeout */
361 #define SIGKILL_CHILDREN_AFTER_SECS 5
362 
363 static bool ReachedNormalRunning = false; /* T if we've reached PM_RUN */
364 
365 bool ClientAuthInProgress = false; /* T during new-client
366  * authentication */
367 
368 bool redirection_done = false; /* stderr redirected for syslogger? */
369 
370 /* received START_AUTOVAC_LAUNCHER signal */
371 static volatile sig_atomic_t start_autovac_launcher = false;
372 
373 /* the launcher needs to be signaled to communicate some condition */
374 static volatile bool avlauncher_needs_signal = false;
375 
376 /* received START_WALRECEIVER signal */
377 static volatile sig_atomic_t WalReceiverRequested = false;
378 
379 /* set when there's a worker that needs to be started up */
380 static volatile bool StartWorkerNeeded = true;
381 static volatile bool HaveCrashedWorker = false;
382 
383 #ifdef USE_SSL
384 /* Set when and if SSL has been initialized properly */
385 static bool LoadedSSL = false;
386 #endif
387 
388 #ifdef USE_BONJOUR
389 static DNSServiceRef bonjour_sdref = NULL;
390 #endif
391 
392 /*
393  * postmaster.c - function prototypes
394  */
395 static void CloseServerPorts(int status, Datum arg);
396 static void unlink_external_pid_file(int status, Datum arg);
397 static void getInstallationPaths(const char *argv0);
398 static void checkControlFile(void);
399 static Port *ConnCreate(int serverFd);
400 static void ConnFree(Port *port);
401 static void reset_shared(void);
402 static void SIGHUP_handler(SIGNAL_ARGS);
403 static void pmdie(SIGNAL_ARGS);
404 static void reaper(SIGNAL_ARGS);
405 static void sigusr1_handler(SIGNAL_ARGS);
407 static void dummy_handler(SIGNAL_ARGS);
408 static void StartupPacketTimeoutHandler(void);
409 static void CleanupBackend(int pid, int exitstatus);
410 static bool CleanupBackgroundWorker(int pid, int exitstatus);
411 static void HandleChildCrash(int pid, int exitstatus, const char *procname);
412 static void LogChildExit(int lev, const char *procname,
413  int pid, int exitstatus);
414 static void PostmasterStateMachine(void);
415 static void BackendInitialize(Port *port);
416 static void BackendRun(Port *port) pg_attribute_noreturn();
417 static void ExitPostmaster(int status) pg_attribute_noreturn();
418 static int ServerLoop(void);
419 static int BackendStartup(Port *port);
420 static int ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done);
421 static void SendNegotiateProtocolVersion(List *unrecognized_protocol_options);
422 static void processCancelRequest(Port *port, void *pkt);
423 static int initMasks(fd_set *rmask);
424 static void report_fork_failure_to_client(Port *port, int errnum);
425 static CAC_state canAcceptConnections(int backend_type);
426 static bool RandomCancelKey(int32 *cancel_key);
427 static void signal_child(pid_t pid, int signal);
428 static bool SignalSomeChildren(int signal, int targets);
429 static void TerminateChildren(int signal);
430 
431 #define SignalChildren(sig) SignalSomeChildren(sig, BACKEND_TYPE_ALL)
432 
433 static int CountChildren(int target);
435 static void maybe_start_bgworkers(void);
436 static bool CreateOptsFile(int argc, char *argv[], char *fullprogname);
437 static pid_t StartChildProcess(AuxProcType type);
438 static void StartAutovacuumWorker(void);
439 static void MaybeStartWalReceiver(void);
440 static void InitPostmasterDeathWatchHandle(void);
441 
442 /*
443  * Archiver is allowed to start up at the current postmaster state?
444  *
445  * If WAL archiving is enabled always, we are allowed to start archiver
446  * even during recovery.
447  */
448 #define PgArchStartupAllowed() \
449  (((XLogArchivingActive() && pmState == PM_RUN) || \
450  (XLogArchivingAlways() && \
451  (pmState == PM_RECOVERY || pmState == PM_HOT_STANDBY))) && \
452  PgArchCanRestart())
453 
454 #ifdef EXEC_BACKEND
455 
456 #ifdef WIN32
457 #define WNOHANG 0 /* ignored, so any integer value will do */
458 
459 static pid_t waitpid(pid_t pid, int *exitstatus, int options);
460 static void WINAPI pgwin32_deadchild_callback(PVOID lpParameter, BOOLEAN TimerOrWaitFired);
461 
462 static HANDLE win32ChildQueue;
463 
464 typedef struct
465 {
466  HANDLE waitHandle;
467  HANDLE procHandle;
468  DWORD procId;
469 } win32_deadchild_waitinfo;
470 #endif /* WIN32 */
471 
472 static pid_t backend_forkexec(Port *port);
473 static pid_t internal_forkexec(int argc, char *argv[], Port *port);
474 
475 /* Type for a socket that can be inherited to a client process */
476 #ifdef WIN32
477 typedef struct
478 {
479  SOCKET origsocket; /* Original socket value, or PGINVALID_SOCKET
480  * if not a socket */
481  WSAPROTOCOL_INFO wsainfo;
482 } InheritableSocket;
483 #else
484 typedef int InheritableSocket;
485 #endif
486 
487 /*
488  * Structure contains all variables passed to exec:ed backends
489  */
490 typedef struct
491 {
492  Port port;
493  InheritableSocket portsocket;
494  char DataDir[MAXPGPATH];
497  int MyPMChildSlot;
498 #ifndef WIN32
499  unsigned long UsedShmemSegID;
500 #else
501  void *ShmemProtectiveRegion;
502  HANDLE UsedShmemSegID;
503 #endif
504  void *UsedShmemSegAddr;
507  Backend *ShmemBackendArray;
508 #ifndef HAVE_SPINLOCKS
510 #endif
519  InheritableSocket pgStatSock;
520  pid_t PostmasterPid;
524  bool redirection_done;
525  bool IsBinaryUpgrade;
526  bool query_id_enabled;
527  int max_safe_fds;
528  int MaxBackends;
529 #ifdef WIN32
530  HANDLE PostmasterHandle;
531  HANDLE initial_signal_pipe;
532  HANDLE syslogPipe[2];
533 #else
534  int postmaster_alive_fds[2];
535  int syslogPipe[2];
536 #endif
537  char my_exec_path[MAXPGPATH];
538  char pkglib_path[MAXPGPATH];
539 } BackendParameters;
540 
541 static void read_backend_variables(char *id, Port *port);
542 static void restore_backend_variables(BackendParameters *param, Port *port);
543 
544 #ifndef WIN32
545 static bool save_backend_variables(BackendParameters *param, Port *port);
546 #else
547 static bool save_backend_variables(BackendParameters *param, Port *port,
548  HANDLE childProcess, pid_t childPid);
549 #endif
550 
551 static void ShmemBackendArrayAdd(Backend *bn);
552 static void ShmemBackendArrayRemove(Backend *bn);
553 #endif /* EXEC_BACKEND */
554 
555 #define StartupDataBase() StartChildProcess(StartupProcess)
556 #define StartArchiver() StartChildProcess(ArchiverProcess)
557 #define StartBackgroundWriter() StartChildProcess(BgWriterProcess)
558 #define StartCheckpointer() StartChildProcess(CheckpointerProcess)
559 #define StartWalWriter() StartChildProcess(WalWriterProcess)
560 #define StartWalReceiver() StartChildProcess(WalReceiverProcess)
561 
562 /* Macros to check exit status of a child process */
563 #define EXIT_STATUS_0(st) ((st) == 0)
564 #define EXIT_STATUS_1(st) (WIFEXITED(st) && WEXITSTATUS(st) == 1)
565 #define EXIT_STATUS_3(st) (WIFEXITED(st) && WEXITSTATUS(st) == 3)
566 
567 #ifndef WIN32
568 /*
569  * File descriptors for pipe used to monitor if postmaster is alive.
570  * First is POSTMASTER_FD_WATCH, second is POSTMASTER_FD_OWN.
571  */
572 int postmaster_alive_fds[2] = {-1, -1};
573 #else
574 /* Process handle of postmaster used for the same purpose on Windows */
575 HANDLE PostmasterHandle;
576 #endif
577 
578 /*
579  * Postmaster main entry point
580  */
581 void
582 PostmasterMain(int argc, char *argv[])
583 {
584  int opt;
585  int status;
586  char *userDoption = NULL;
587  bool listen_addr_saved = false;
588  int i;
589  char *output_config_variable = NULL;
590 
592 
594 
596 
597  /*
598  * Start our win32 signal implementation
599  */
600 #ifdef WIN32
602 #endif
603 
604  /*
605  * We should not be creating any files or directories before we check the
606  * data directory (see checkDataDir()), but just in case set the umask to
607  * the most restrictive (owner-only) permissions.
608  *
609  * checkDataDir() will reset the umask based on the data directory
610  * permissions.
611  */
612  umask(PG_MODE_MASK_OWNER);
613 
614  /*
615  * By default, palloc() requests in the postmaster will be allocated in
616  * the PostmasterContext, which is space that can be recycled by backends.
617  * Allocated data that needs to be available to backends should be
618  * allocated in TopMemoryContext.
619  */
621  "Postmaster",
624 
625  /* Initialize paths to installation files */
626  getInstallationPaths(argv[0]);
627 
628  /*
629  * Set up signal handlers for the postmaster process.
630  *
631  * In the postmaster, we use pqsignal_pm() rather than pqsignal() (which
632  * is used by all child processes and client processes). That has a
633  * couple of special behaviors:
634  *
635  * 1. Except on Windows, we tell sigaction() to block all signals for the
636  * duration of the signal handler. This is faster than our old approach
637  * of blocking/unblocking explicitly in the signal handler, and it should
638  * also prevent excessive stack consumption if signals arrive quickly.
639  *
640  * 2. We do not set the SA_RESTART flag. This is because signals will be
641  * blocked at all times except when ServerLoop is waiting for something to
642  * happen, and during that window, we want signals to exit the select(2)
643  * wait so that ServerLoop can respond if anything interesting happened.
644  * On some platforms, signals marked SA_RESTART would not cause the
645  * select() wait to end.
646  *
647  * Child processes will generally want SA_RESTART, so pqsignal() sets that
648  * flag. We expect children to set up their own handlers before
649  * unblocking signals.
650  *
651  * CAUTION: when changing this list, check for side-effects on the signal
652  * handling setup of child processes. See tcop/postgres.c,
653  * bootstrap/bootstrap.c, postmaster/bgwriter.c, postmaster/walwriter.c,
654  * postmaster/autovacuum.c, postmaster/pgarch.c, postmaster/pgstat.c,
655  * postmaster/syslogger.c, postmaster/bgworker.c and
656  * postmaster/checkpointer.c.
657  */
658  pqinitmask();
660 
661  pqsignal_pm(SIGHUP, SIGHUP_handler); /* reread config file and have
662  * children do same */
663  pqsignal_pm(SIGINT, pmdie); /* send SIGTERM and shut down */
664  pqsignal_pm(SIGQUIT, pmdie); /* send SIGQUIT and die */
665  pqsignal_pm(SIGTERM, pmdie); /* wait for children and shut down */
666  pqsignal_pm(SIGALRM, SIG_IGN); /* ignored */
667  pqsignal_pm(SIGPIPE, SIG_IGN); /* ignored */
668  pqsignal_pm(SIGUSR1, sigusr1_handler); /* message from child process */
669  pqsignal_pm(SIGUSR2, dummy_handler); /* unused, reserve for children */
670  pqsignal_pm(SIGCHLD, reaper); /* handle child termination */
671 
672 #ifdef SIGURG
673 
674  /*
675  * Ignore SIGURG for now. Child processes may change this (see
676  * InitializeLatchSupport), but they will not receive any such signals
677  * until they wait on a latch.
678  */
679  pqsignal_pm(SIGURG, SIG_IGN); /* ignored */
680 #endif
681 
682  /*
683  * No other place in Postgres should touch SIGTTIN/SIGTTOU handling. We
684  * ignore those signals in a postmaster environment, so that there is no
685  * risk of a child process freezing up due to writing to stderr. But for
686  * a standalone backend, their default handling is reasonable. Hence, all
687  * child processes should just allow the inherited settings to stand.
688  */
689 #ifdef SIGTTIN
690  pqsignal_pm(SIGTTIN, SIG_IGN); /* ignored */
691 #endif
692 #ifdef SIGTTOU
693  pqsignal_pm(SIGTTOU, SIG_IGN); /* ignored */
694 #endif
695 
696  /* ignore SIGXFSZ, so that ulimit violations work like disk full */
697 #ifdef SIGXFSZ
698  pqsignal_pm(SIGXFSZ, SIG_IGN); /* ignored */
699 #endif
700 
701  /*
702  * Options setup
703  */
705 
706  opterr = 1;
707 
708  /*
709  * Parse command-line options. CAUTION: keep this in sync with
710  * tcop/postgres.c (the option sets should not conflict) and with the
711  * common help() function in main/main.c.
712  */
713  while ((opt = getopt(argc, argv, "B:bc:C:D:d:EeFf:h:ijk:lN:nOPp:r:S:sTt:W:-:")) != -1)
714  {
715  switch (opt)
716  {
717  case 'B':
718  SetConfigOption("shared_buffers", optarg, PGC_POSTMASTER, PGC_S_ARGV);
719  break;
720 
721  case 'b':
722  /* Undocumented flag used for binary upgrades */
723  IsBinaryUpgrade = true;
724  break;
725 
726  case 'C':
727  output_config_variable = strdup(optarg);
728  break;
729 
730  case 'D':
731  userDoption = strdup(optarg);
732  break;
733 
734  case 'd':
736  break;
737 
738  case 'E':
739  SetConfigOption("log_statement", "all", PGC_POSTMASTER, PGC_S_ARGV);
740  break;
741 
742  case 'e':
743  SetConfigOption("datestyle", "euro", PGC_POSTMASTER, PGC_S_ARGV);
744  break;
745 
746  case 'F':
747  SetConfigOption("fsync", "false", PGC_POSTMASTER, PGC_S_ARGV);
748  break;
749 
750  case 'f':
752  {
753  write_stderr("%s: invalid argument for option -f: \"%s\"\n",
754  progname, optarg);
755  ExitPostmaster(1);
756  }
757  break;
758 
759  case 'h':
760  SetConfigOption("listen_addresses", optarg, PGC_POSTMASTER, PGC_S_ARGV);
761  break;
762 
763  case 'i':
764  SetConfigOption("listen_addresses", "*", PGC_POSTMASTER, PGC_S_ARGV);
765  break;
766 
767  case 'j':
768  /* only used by interactive backend */
769  break;
770 
771  case 'k':
772  SetConfigOption("unix_socket_directories", optarg, PGC_POSTMASTER, PGC_S_ARGV);
773  break;
774 
775  case 'l':
776  SetConfigOption("ssl", "true", PGC_POSTMASTER, PGC_S_ARGV);
777  break;
778 
779  case 'N':
780  SetConfigOption("max_connections", optarg, PGC_POSTMASTER, PGC_S_ARGV);
781  break;
782 
783  case 'n':
784  /* Don't reinit shared mem after abnormal exit */
785  Reinit = false;
786  break;
787 
788  case 'O':
789  SetConfigOption("allow_system_table_mods", "true", PGC_POSTMASTER, PGC_S_ARGV);
790  break;
791 
792  case 'P':
793  SetConfigOption("ignore_system_indexes", "true", PGC_POSTMASTER, PGC_S_ARGV);
794  break;
795 
796  case 'p':
798  break;
799 
800  case 'r':
801  /* only used by single-user backend */
802  break;
803 
804  case 'S':
806  break;
807 
808  case 's':
809  SetConfigOption("log_statement_stats", "true", PGC_POSTMASTER, PGC_S_ARGV);
810  break;
811 
812  case 'T':
813 
814  /*
815  * In the event that some backend dumps core, send SIGSTOP,
816  * rather than SIGQUIT, to all its peers. This lets the wily
817  * post_hacker collect core dumps from everyone.
818  */
819  SendStop = true;
820  break;
821 
822  case 't':
823  {
824  const char *tmp = get_stats_option_name(optarg);
825 
826  if (tmp)
827  {
829  }
830  else
831  {
832  write_stderr("%s: invalid argument for option -t: \"%s\"\n",
833  progname, optarg);
834  ExitPostmaster(1);
835  }
836  break;
837  }
838 
839  case 'W':
840  SetConfigOption("post_auth_delay", optarg, PGC_POSTMASTER, PGC_S_ARGV);
841  break;
842 
843  case 'c':
844  case '-':
845  {
846  char *name,
847  *value;
848 
850  if (!value)
851  {
852  if (opt == '-')
853  ereport(ERROR,
854  (errcode(ERRCODE_SYNTAX_ERROR),
855  errmsg("--%s requires a value",
856  optarg)));
857  else
858  ereport(ERROR,
859  (errcode(ERRCODE_SYNTAX_ERROR),
860  errmsg("-c %s requires a value",
861  optarg)));
862  }
863 
865  free(name);
866  if (value)
867  free(value);
868  break;
869  }
870 
871  default:
872  write_stderr("Try \"%s --help\" for more information.\n",
873  progname);
874  ExitPostmaster(1);
875  }
876  }
877 
878  /*
879  * Postmaster accepts no non-option switch arguments.
880  */
881  if (optind < argc)
882  {
883  write_stderr("%s: invalid argument: \"%s\"\n",
884  progname, argv[optind]);
885  write_stderr("Try \"%s --help\" for more information.\n",
886  progname);
887  ExitPostmaster(1);
888  }
889 
890  /*
891  * Locate the proper configuration files and data directory, and read
892  * postgresql.conf for the first time.
893  */
895  ExitPostmaster(2);
896 
897  if (output_config_variable != NULL)
898  {
899  /*
900  * If this is a runtime-computed GUC, it hasn't yet been initialized,
901  * and the present value is not useful. However, this is a convenient
902  * place to print the value for most GUCs because it is safe to run
903  * postmaster startup to this point even if the server is already
904  * running. For the handful of runtime-computed GUCs that we cannot
905  * provide meaningful values for yet, we wait until later in
906  * postmaster startup to print the value. We won't be able to use -C
907  * on running servers for those GUCs, but using this option now would
908  * lead to incorrect results for them.
909  */
910  int flags = GetConfigOptionFlags(output_config_variable, true);
911 
912  if ((flags & GUC_RUNTIME_COMPUTED) == 0)
913  {
914  /*
915  * "-C guc" was specified, so print GUC's value and exit. No
916  * extra permission check is needed because the user is reading
917  * inside the data dir.
918  */
919  const char *config_val = GetConfigOption(output_config_variable,
920  false, false);
921 
922  puts(config_val ? config_val : "");
923  ExitPostmaster(0);
924  }
925  }
926 
927  /* Verify that DataDir looks reasonable */
928  checkDataDir();
929 
930  /* Check that pg_control exists */
932 
933  /* And switch working directory into it */
934  ChangeToDataDir();
935 
936  /*
937  * Check for invalid combinations of GUC settings.
938  */
940  {
941  write_stderr("%s: superuser_reserved_connections (%d) must be less than max_connections (%d)\n",
942  progname,
944  ExitPostmaster(1);
945  }
947  ereport(ERROR,
948  (errmsg("WAL archival cannot be enabled when wal_level is \"minimal\"")));
950  ereport(ERROR,
951  (errmsg("WAL streaming (max_wal_senders > 0) requires wal_level \"replica\" or \"logical\"")));
952 
953  /*
954  * Other one-time internal sanity checks can go here, if they are fast.
955  * (Put any slow processing further down, after postmaster.pid creation.)
956  */
957  if (!CheckDateTokenTables())
958  {
959  write_stderr("%s: invalid datetoken tables, please fix\n", progname);
960  ExitPostmaster(1);
961  }
962 
963  /*
964  * Now that we are done processing the postmaster arguments, reset
965  * getopt(3) library so that it will work correctly in subprocesses.
966  */
967  optind = 1;
968 #ifdef HAVE_INT_OPTRESET
969  optreset = 1; /* some systems need this too */
970 #endif
971 
972  /* For debugging: display postmaster environment */
973  {
974  extern char **environ;
975  char **p;
976 
977  ereport(DEBUG3,
978  (errmsg_internal("%s: PostmasterMain: initial environment dump:",
979  progname)));
980  ereport(DEBUG3,
981  (errmsg_internal("-----------------------------------------")));
982  for (p = environ; *p; ++p)
983  ereport(DEBUG3,
984  (errmsg_internal("\t%s", *p)));
985  ereport(DEBUG3,
986  (errmsg_internal("-----------------------------------------")));
987  }
988 
989  /*
990  * Create lockfile for data directory.
991  *
992  * We want to do this before we try to grab the input sockets, because the
993  * data directory interlock is more reliable than the socket-file
994  * interlock (thanks to whoever decided to put socket files in /tmp :-().
995  * For the same reason, it's best to grab the TCP socket(s) before the
996  * Unix socket(s).
997  *
998  * Also note that this internally sets up the on_proc_exit function that
999  * is responsible for removing both data directory and socket lockfiles;
1000  * so it must happen before opening sockets so that at exit, the socket
1001  * lockfiles go away after CloseServerPorts runs.
1002  */
1003  CreateDataDirLockFile(true);
1004 
1005  /*
1006  * Read the control file (for error checking and config info).
1007  *
1008  * Since we verify the control file's CRC, this has a useful side effect
1009  * on machines where we need a run-time test for CRC support instructions.
1010  * The postmaster will do the test once at startup, and then its child
1011  * processes will inherit the correct function pointer and not need to
1012  * repeat the test.
1013  */
1014  LocalProcessControlFile(false);
1015 
1016  /*
1017  * Register the apply launcher. Since it registers a background worker,
1018  * it needs to be called before InitializeMaxBackends(), and it's probably
1019  * a good idea to call it before any modules had chance to take the
1020  * background worker slots.
1021  */
1023 
1024  /*
1025  * process any libraries that should be preloaded at postmaster start
1026  */
1028 
1029  /*
1030  * Initialize SSL library, if specified.
1031  */
1032 #ifdef USE_SSL
1033  if (EnableSSL)
1034  {
1035  (void) secure_initialize(true);
1036  LoadedSSL = true;
1037  }
1038 #endif
1039 
1040  /*
1041  * Now that loadable modules have had their chance to register background
1042  * workers, calculate MaxBackends.
1043  */
1045 
1046  /*
1047  * Now that loadable modules have had their chance to request additional
1048  * shared memory, determine the value of any runtime-computed GUCs that
1049  * depend on the amount of shared memory required.
1050  */
1052 
1053  /*
1054  * If -C was specified with a runtime-computed GUC, we held off printing
1055  * the value earlier, as the GUC was not yet initialized. We handle -C
1056  * for most GUCs before we lock the data directory so that the option may
1057  * be used on a running server. However, a handful of GUCs are runtime-
1058  * computed and do not have meaningful values until after locking the data
1059  * directory, and we cannot safely calculate their values earlier on a
1060  * running server. At this point, such GUCs should be properly
1061  * initialized, and we haven't yet set up shared memory, so this is a good
1062  * time to handle the -C option for these special GUCs.
1063  */
1064  if (output_config_variable != NULL)
1065  {
1066  const char *config_val = GetConfigOption(output_config_variable,
1067  false, false);
1068 
1069  puts(config_val ? config_val : "");
1070  ExitPostmaster(0);
1071  }
1072 
1073  /*
1074  * Set up shared memory and semaphores.
1075  */
1076  reset_shared();
1077 
1078  /*
1079  * Estimate number of openable files. This must happen after setting up
1080  * semaphores, because on some platforms semaphores count as open files.
1081  */
1082  set_max_safe_fds();
1083 
1084  /*
1085  * Set reference point for stack-depth checking.
1086  */
1087  set_stack_base();
1088 
1089  /*
1090  * Initialize pipe (or process handle on Windows) that allows children to
1091  * wake up from sleep on postmaster death.
1092  */
1094 
1095 #ifdef WIN32
1096 
1097  /*
1098  * Initialize I/O completion port used to deliver list of dead children.
1099  */
1100  win32ChildQueue = CreateIoCompletionPort(INVALID_HANDLE_VALUE, NULL, 0, 1);
1101  if (win32ChildQueue == NULL)
1102  ereport(FATAL,
1103  (errmsg("could not create I/O completion port for child queue")));
1104 #endif
1105 
1106 #ifdef EXEC_BACKEND
1107  /* Write out nondefault GUC settings for child processes to use */
1108  write_nondefault_variables(PGC_POSTMASTER);
1109 
1110  /*
1111  * Clean out the temp directory used to transmit parameters to child
1112  * processes (see internal_forkexec, below). We must do this before
1113  * launching any child processes, else we have a race condition: we could
1114  * remove a parameter file before the child can read it. It should be
1115  * safe to do so now, because we verified earlier that there are no
1116  * conflicting Postgres processes in this data directory.
1117  */
1119 #endif
1120 
1121  /*
1122  * Forcibly remove the files signaling a standby promotion request.
1123  * Otherwise, the existence of those files triggers a promotion too early,
1124  * whether a user wants that or not.
1125  *
1126  * This removal of files is usually unnecessary because they can exist
1127  * only during a few moments during a standby promotion. However there is
1128  * a race condition: if pg_ctl promote is executed and creates the files
1129  * during a promotion, the files can stay around even after the server is
1130  * brought up to be the primary. Then, if a new standby starts by using
1131  * the backup taken from the new primary, the files can exist at server
1132  * startup and must be removed in order to avoid an unexpected promotion.
1133  *
1134  * Note that promotion signal files need to be removed before the startup
1135  * process is invoked. Because, after that, they can be used by
1136  * postmaster's SIGUSR1 signal handler.
1137  */
1139 
1140  /* Do the same for logrotate signal file */
1142 
1143  /* Remove any outdated file holding the current log filenames. */
1144  if (unlink(LOG_METAINFO_DATAFILE) < 0 && errno != ENOENT)
1145  ereport(LOG,
1147  errmsg("could not remove file \"%s\": %m",
1149 
1150  /*
1151  * If enabled, start up syslogger collection subprocess
1152  */
1154 
1155  /*
1156  * Reset whereToSendOutput from DestDebug (its starting state) to
1157  * DestNone. This stops ereport from sending log messages to stderr unless
1158  * Log_destination permits. We don't do this until the postmaster is
1159  * fully launched, since startup failures may as well be reported to
1160  * stderr.
1161  *
1162  * If we are in fact disabling logging to stderr, first emit a log message
1163  * saying so, to provide a breadcrumb trail for users who may not remember
1164  * that their logging is configured to go somewhere else.
1165  */
1167  ereport(LOG,
1168  (errmsg("ending log output to stderr"),
1169  errhint("Future log output will go to log destination \"%s\".",
1171 
1173 
1174  /*
1175  * Report server startup in log. While we could emit this much earlier,
1176  * it seems best to do so after starting the log collector, if we intend
1177  * to use one.
1178  */
1179  ereport(LOG,
1180  (errmsg("starting %s", PG_VERSION_STR)));
1181 
1182  /*
1183  * Establish input sockets.
1184  *
1185  * First, mark them all closed, and set up an on_proc_exit function that's
1186  * charged with closing the sockets again at postmaster shutdown.
1187  */
1188  for (i = 0; i < MAXLISTEN; i++)
1190 
1192 
1193  if (ListenAddresses)
1194  {
1195  char *rawstring;
1196  List *elemlist;
1197  ListCell *l;
1198  int success = 0;
1199 
1200  /* Need a modifiable copy of ListenAddresses */
1201  rawstring = pstrdup(ListenAddresses);
1202 
1203  /* Parse string into list of hostnames */
1204  if (!SplitGUCList(rawstring, ',', &elemlist))
1205  {
1206  /* syntax error in list */
1207  ereport(FATAL,
1208  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1209  errmsg("invalid list syntax in parameter \"%s\"",
1210  "listen_addresses")));
1211  }
1212 
1213  foreach(l, elemlist)
1214  {
1215  char *curhost = (char *) lfirst(l);
1216 
1217  if (strcmp(curhost, "*") == 0)
1218  status = StreamServerPort(AF_UNSPEC, NULL,
1219  (unsigned short) PostPortNumber,
1220  NULL,
1222  else
1223  status = StreamServerPort(AF_UNSPEC, curhost,
1224  (unsigned short) PostPortNumber,
1225  NULL,
1227 
1228  if (status == STATUS_OK)
1229  {
1230  success++;
1231  /* record the first successful host addr in lockfile */
1232  if (!listen_addr_saved)
1233  {
1235  listen_addr_saved = true;
1236  }
1237  }
1238  else
1239  ereport(WARNING,
1240  (errmsg("could not create listen socket for \"%s\"",
1241  curhost)));
1242  }
1243 
1244  if (!success && elemlist != NIL)
1245  ereport(FATAL,
1246  (errmsg("could not create any TCP/IP sockets")));
1247 
1248  list_free(elemlist);
1249  pfree(rawstring);
1250  }
1251 
1252 #ifdef USE_BONJOUR
1253  /* Register for Bonjour only if we opened TCP socket(s) */
1255  {
1256  DNSServiceErrorType err;
1257 
1258  /*
1259  * We pass 0 for interface_index, which will result in registering on
1260  * all "applicable" interfaces. It's not entirely clear from the
1261  * DNS-SD docs whether this would be appropriate if we have bound to
1262  * just a subset of the available network interfaces.
1263  */
1264  err = DNSServiceRegister(&bonjour_sdref,
1265  0,
1266  0,
1267  bonjour_name,
1268  "_postgresql._tcp.",
1269  NULL,
1270  NULL,
1272  0,
1273  NULL,
1274  NULL,
1275  NULL);
1276  if (err != kDNSServiceErr_NoError)
1277  ereport(LOG,
1278  (errmsg("DNSServiceRegister() failed: error code %ld",
1279  (long) err)));
1280 
1281  /*
1282  * We don't bother to read the mDNS daemon's reply, and we expect that
1283  * it will automatically terminate our registration when the socket is
1284  * closed at postmaster termination. So there's nothing more to be
1285  * done here. However, the bonjour_sdref is kept around so that
1286  * forked children can close their copies of the socket.
1287  */
1288  }
1289 #endif
1290 
1291 #ifdef HAVE_UNIX_SOCKETS
1293  {
1294  char *rawstring;
1295  List *elemlist;
1296  ListCell *l;
1297  int success = 0;
1298 
1299  /* Need a modifiable copy of Unix_socket_directories */
1300  rawstring = pstrdup(Unix_socket_directories);
1301 
1302  /* Parse string into list of directories */
1303  if (!SplitDirectoriesString(rawstring, ',', &elemlist))
1304  {
1305  /* syntax error in list */
1306  ereport(FATAL,
1307  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1308  errmsg("invalid list syntax in parameter \"%s\"",
1309  "unix_socket_directories")));
1310  }
1311 
1312  foreach(l, elemlist)
1313  {
1314  char *socketdir = (char *) lfirst(l);
1315 
1316  status = StreamServerPort(AF_UNIX, NULL,
1317  (unsigned short) PostPortNumber,
1318  socketdir,
1320 
1321  if (status == STATUS_OK)
1322  {
1323  success++;
1324  /* record the first successful Unix socket in lockfile */
1325  if (success == 1)
1327  }
1328  else
1329  ereport(WARNING,
1330  (errmsg("could not create Unix-domain socket in directory \"%s\"",
1331  socketdir)));
1332  }
1333 
1334  if (!success && elemlist != NIL)
1335  ereport(FATAL,
1336  (errmsg("could not create any Unix-domain sockets")));
1337 
1338  list_free_deep(elemlist);
1339  pfree(rawstring);
1340  }
1341 #endif
1342 
1343  /*
1344  * check that we have some socket to listen on
1345  */
1346  if (ListenSocket[0] == PGINVALID_SOCKET)
1347  ereport(FATAL,
1348  (errmsg("no socket created for listening")));
1349 
1350  /*
1351  * If no valid TCP ports, write an empty line for listen address,
1352  * indicating the Unix socket must be used. Note that this line is not
1353  * added to the lock file until there is a socket backing it.
1354  */
1355  if (!listen_addr_saved)
1357 
1358  /*
1359  * Record postmaster options. We delay this till now to avoid recording
1360  * bogus options (eg, unusable port number).
1361  */
1362  if (!CreateOptsFile(argc, argv, my_exec_path))
1363  ExitPostmaster(1);
1364 
1365  /*
1366  * Write the external PID file if requested
1367  */
1368  if (external_pid_file)
1369  {
1370  FILE *fpidfile = fopen(external_pid_file, "w");
1371 
1372  if (fpidfile)
1373  {
1374  fprintf(fpidfile, "%d\n", MyProcPid);
1375  fclose(fpidfile);
1376 
1377  /* Make PID file world readable */
1378  if (chmod(external_pid_file, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) != 0)
1379  write_stderr("%s: could not change permissions of external PID file \"%s\": %s\n",
1381  }
1382  else
1383  write_stderr("%s: could not write external PID file \"%s\": %s\n",
1385 
1387  }
1388 
1389  /*
1390  * Remove old temporary files. At this point there can be no other
1391  * Postgres processes running in this directory, so this should be safe.
1392  */
1394 
1395  /*
1396  * Initialize stats collection subsystem (this does NOT start the
1397  * collector process!)
1398  */
1399  pgstat_init();
1400 
1401  /*
1402  * Initialize the autovacuum subsystem (again, no process start yet)
1403  */
1404  autovac_init();
1405 
1406  /*
1407  * Load configuration files for client authentication.
1408  */
1409  if (!load_hba())
1410  {
1411  /*
1412  * It makes no sense to continue if we fail to load the HBA file,
1413  * since there is no way to connect to the database in this case.
1414  */
1415  ereport(FATAL,
1416  (errmsg("could not load pg_hba.conf")));
1417  }
1418  if (!load_ident())
1419  {
1420  /*
1421  * We can start up without the IDENT file, although it means that you
1422  * cannot log in using any of the authentication methods that need a
1423  * user name mapping. load_ident() already logged the details of error
1424  * to the log.
1425  */
1426  }
1427 
1428 #ifdef HAVE_PTHREAD_IS_THREADED_NP
1429 
1430  /*
1431  * On macOS, libintl replaces setlocale() with a version that calls
1432  * CFLocaleCopyCurrent() when its second argument is "" and every relevant
1433  * environment variable is unset or empty. CFLocaleCopyCurrent() makes
1434  * the process multithreaded. The postmaster calls sigprocmask() and
1435  * calls fork() without an immediate exec(), both of which have undefined
1436  * behavior in a multithreaded program. A multithreaded postmaster is the
1437  * normal case on Windows, which offers neither fork() nor sigprocmask().
1438  */
1439  if (pthread_is_threaded_np() != 0)
1440  ereport(FATAL,
1441  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1442  errmsg("postmaster became multithreaded during startup"),
1443  errhint("Set the LC_ALL environment variable to a valid locale.")));
1444 #endif
1445 
1446  /*
1447  * Remember postmaster startup time
1448  */
1450 
1451  /*
1452  * Report postmaster status in the postmaster.pid file, to allow pg_ctl to
1453  * see what's happening.
1454  */
1456 
1457  /* Start bgwriter and checkpointer so they can help with recovery */
1458  if (CheckpointerPID == 0)
1460  if (BgWriterPID == 0)
1462 
1463  /*
1464  * We're ready to rock and roll...
1465  */
1467  Assert(StartupPID != 0);
1469  pmState = PM_STARTUP;
1470 
1471  /* Some workers may be scheduled to start now */
1473 
1474  status = ServerLoop();
1475 
1476  /*
1477  * ServerLoop probably shouldn't ever return, but if it does, close down.
1478  */
1480 
1481  abort(); /* not reached */
1482 }
1483 
1484 
1485 /*
1486  * on_proc_exit callback to close server's listen sockets
1487  */
1488 static void
1490 {
1491  int i;
1492 
1493  /*
1494  * First, explicitly close all the socket FDs. We used to just let this
1495  * happen implicitly at postmaster exit, but it's better to close them
1496  * before we remove the postmaster.pid lockfile; otherwise there's a race
1497  * condition if a new postmaster wants to re-use the TCP port number.
1498  */
1499  for (i = 0; i < MAXLISTEN; i++)
1500  {
1502  {
1505  }
1506  }
1507 
1508  /*
1509  * Next, remove any filesystem entries for Unix sockets. To avoid race
1510  * conditions against incoming postmasters, this must happen after closing
1511  * the sockets and before removing lock files.
1512  */
1514 
1515  /*
1516  * We don't do anything about socket lock files here; those will be
1517  * removed in a later on_proc_exit callback.
1518  */
1519 }
1520 
1521 /*
1522  * on_proc_exit callback to delete external_pid_file
1523  */
1524 static void
1526 {
1527  if (external_pid_file)
1528  unlink(external_pid_file);
1529 }
1530 
1531 
1532 /*
1533  * Compute and check the directory paths to files that are part of the
1534  * installation (as deduced from the postgres executable's own location)
1535  */
1536 static void
1538 {
1539  DIR *pdir;
1540 
1541  /* Locate the postgres executable itself */
1542  if (find_my_exec(argv0, my_exec_path) < 0)
1543  ereport(FATAL,
1544  (errmsg("%s: could not locate my own executable path", argv0)));
1545 
1546 #ifdef EXEC_BACKEND
1547  /* Locate executable backend before we change working directory */
1548  if (find_other_exec(argv0, "postgres", PG_BACKEND_VERSIONSTR,
1549  postgres_exec_path) < 0)
1550  ereport(FATAL,
1551  (errmsg("%s: could not locate matching postgres executable",
1552  argv0)));
1553 #endif
1554 
1555  /*
1556  * Locate the pkglib directory --- this has to be set early in case we try
1557  * to load any modules from it in response to postgresql.conf entries.
1558  */
1560 
1561  /*
1562  * Verify that there's a readable directory there; otherwise the Postgres
1563  * installation is incomplete or corrupt. (A typical cause of this
1564  * failure is that the postgres executable has been moved or hardlinked to
1565  * some directory that's not a sibling of the installation lib/
1566  * directory.)
1567  */
1568  pdir = AllocateDir(pkglib_path);
1569  if (pdir == NULL)
1570  ereport(ERROR,
1572  errmsg("could not open directory \"%s\": %m",
1573  pkglib_path),
1574  errhint("This may indicate an incomplete PostgreSQL installation, or that the file \"%s\" has been moved away from its proper location.",
1575  my_exec_path)));
1576  FreeDir(pdir);
1577 
1578  /*
1579  * XXX is it worth similarly checking the share/ directory? If the lib/
1580  * directory is there, then share/ probably is too.
1581  */
1582 }
1583 
1584 /*
1585  * Check that pg_control exists in the correct location in the data directory.
1586  *
1587  * No attempt is made to validate the contents of pg_control here. This is
1588  * just a sanity check to see if we are looking at a real data directory.
1589  */
1590 static void
1592 {
1593  char path[MAXPGPATH];
1594  FILE *fp;
1595 
1596  snprintf(path, sizeof(path), "%s/global/pg_control", DataDir);
1597 
1598  fp = AllocateFile(path, PG_BINARY_R);
1599  if (fp == NULL)
1600  {
1601  write_stderr("%s: could not find the database system\n"
1602  "Expected to find it in the directory \"%s\",\n"
1603  "but could not open file \"%s\": %s\n",
1604  progname, DataDir, path, strerror(errno));
1605  ExitPostmaster(2);
1606  }
1607  FreeFile(fp);
1608 }
1609 
1610 /*
1611  * Determine how long should we let ServerLoop sleep.
1612  *
1613  * In normal conditions we wait at most one minute, to ensure that the other
1614  * background tasks handled by ServerLoop get done even when no requests are
1615  * arriving. However, if there are background workers waiting to be started,
1616  * we don't actually sleep so that they are quickly serviced. Other exception
1617  * cases are as shown in the code.
1618  */
1619 static void
1620 DetermineSleepTime(struct timeval *timeout)
1621 {
1622  TimestampTz next_wakeup = 0;
1623 
1624  /*
1625  * Normal case: either there are no background workers at all, or we're in
1626  * a shutdown sequence (during which we ignore bgworkers altogether).
1627  */
1628  if (Shutdown > NoShutdown ||
1630  {
1631  if (AbortStartTime != 0)
1632  {
1633  /* time left to abort; clamp to 0 in case it already expired */
1634  timeout->tv_sec = SIGKILL_CHILDREN_AFTER_SECS -
1635  (time(NULL) - AbortStartTime);
1636  timeout->tv_sec = Max(timeout->tv_sec, 0);
1637  timeout->tv_usec = 0;
1638  }
1639  else
1640  {
1641  timeout->tv_sec = 60;
1642  timeout->tv_usec = 0;
1643  }
1644  return;
1645  }
1646 
1647  if (StartWorkerNeeded)
1648  {
1649  timeout->tv_sec = 0;
1650  timeout->tv_usec = 0;
1651  return;
1652  }
1653 
1654  if (HaveCrashedWorker)
1655  {
1656  slist_mutable_iter siter;
1657 
1658  /*
1659  * When there are crashed bgworkers, we sleep just long enough that
1660  * they are restarted when they request to be. Scan the list to
1661  * determine the minimum of all wakeup times according to most recent
1662  * crash time and requested restart interval.
1663  */
1665  {
1666  RegisteredBgWorker *rw;
1667  TimestampTz this_wakeup;
1668 
1669  rw = slist_container(RegisteredBgWorker, rw_lnode, siter.cur);
1670 
1671  if (rw->rw_crashed_at == 0)
1672  continue;
1673 
1675  || rw->rw_terminate)
1676  {
1677  ForgetBackgroundWorker(&siter);
1678  continue;
1679  }
1680 
1681  this_wakeup = TimestampTzPlusMilliseconds(rw->rw_crashed_at,
1682  1000L * rw->rw_worker.bgw_restart_time);
1683  if (next_wakeup == 0 || this_wakeup < next_wakeup)
1684  next_wakeup = this_wakeup;
1685  }
1686  }
1687 
1688  if (next_wakeup != 0)
1689  {
1690  long secs;
1691  int microsecs;
1692 
1694  &secs, &microsecs);
1695  timeout->tv_sec = secs;
1696  timeout->tv_usec = microsecs;
1697 
1698  /* Ensure we don't exceed one minute */
1699  if (timeout->tv_sec > 60)
1700  {
1701  timeout->tv_sec = 60;
1702  timeout->tv_usec = 0;
1703  }
1704  }
1705  else
1706  {
1707  timeout->tv_sec = 60;
1708  timeout->tv_usec = 0;
1709  }
1710 }
1711 
1712 /*
1713  * Main idle loop of postmaster
1714  *
1715  * NB: Needs to be called with signals blocked
1716  */
1717 static int
1719 {
1720  fd_set readmask;
1721  int nSockets;
1722  time_t last_lockfile_recheck_time,
1723  last_touch_time;
1724 
1725  last_lockfile_recheck_time = last_touch_time = time(NULL);
1726 
1727  nSockets = initMasks(&readmask);
1728 
1729  for (;;)
1730  {
1731  fd_set rmask;
1732  int selres;
1733  time_t now;
1734 
1735  /*
1736  * Wait for a connection request to arrive.
1737  *
1738  * We block all signals except while sleeping. That makes it safe for
1739  * signal handlers, which again block all signals while executing, to
1740  * do nontrivial work.
1741  *
1742  * If we are in PM_WAIT_DEAD_END state, then we don't want to accept
1743  * any new connections, so we don't call select(), and just sleep.
1744  */
1745  memcpy((char *) &rmask, (char *) &readmask, sizeof(fd_set));
1746 
1747  if (pmState == PM_WAIT_DEAD_END)
1748  {
1750 
1751  pg_usleep(100000L); /* 100 msec seems reasonable */
1752  selres = 0;
1753 
1754  PG_SETMASK(&BlockSig);
1755  }
1756  else
1757  {
1758  /* must set timeout each time; some OSes change it! */
1759  struct timeval timeout;
1760 
1761  /* Needs to run with blocked signals! */
1762  DetermineSleepTime(&timeout);
1763 
1765 
1766  selres = select(nSockets, &rmask, NULL, NULL, &timeout);
1767 
1768  PG_SETMASK(&BlockSig);
1769  }
1770 
1771  /* Now check the select() result */
1772  if (selres < 0)
1773  {
1774  if (errno != EINTR && errno != EWOULDBLOCK)
1775  {
1776  ereport(LOG,
1778  errmsg("select() failed in postmaster: %m")));
1779  return STATUS_ERROR;
1780  }
1781  }
1782 
1783  /*
1784  * New connection pending on any of our sockets? If so, fork a child
1785  * process to deal with it.
1786  */
1787  if (selres > 0)
1788  {
1789  int i;
1790 
1791  for (i = 0; i < MAXLISTEN; i++)
1792  {
1794  break;
1795  if (FD_ISSET(ListenSocket[i], &rmask))
1796  {
1797  Port *port;
1798 
1800  if (port)
1801  {
1803 
1804  /*
1805  * We no longer need the open socket or port structure
1806  * in this process
1807  */
1808  StreamClose(port->sock);
1809  ConnFree(port);
1810  }
1811  }
1812  }
1813  }
1814 
1815  /* If we have lost the log collector, try to start a new one */
1816  if (SysLoggerPID == 0 && Logging_collector)
1818 
1819  /*
1820  * If no background writer process is running, and we are not in a
1821  * state that prevents it, start one. It doesn't matter if this
1822  * fails, we'll just try again later. Likewise for the checkpointer.
1823  */
1824  if (pmState == PM_RUN || pmState == PM_RECOVERY ||
1826  {
1827  if (CheckpointerPID == 0)
1829  if (BgWriterPID == 0)
1831  }
1832 
1833  /*
1834  * Likewise, if we have lost the walwriter process, try to start a new
1835  * one. But this is needed only in normal operation (else we cannot
1836  * be writing any new WAL).
1837  */
1838  if (WalWriterPID == 0 && pmState == PM_RUN)
1840 
1841  /*
1842  * If we have lost the autovacuum launcher, try to start a new one. We
1843  * don't want autovacuum to run in binary upgrade mode because
1844  * autovacuum might update relfrozenxid for empty tables before the
1845  * physical files are put in place.
1846  */
1847  if (!IsBinaryUpgrade && AutoVacPID == 0 &&
1849  pmState == PM_RUN)
1850  {
1852  if (AutoVacPID != 0)
1853  start_autovac_launcher = false; /* signal processed */
1854  }
1855 
1856  /* If we have lost the stats collector, try to start a new one */
1857  if (PgStatPID == 0 &&
1858  (pmState == PM_RUN || pmState == PM_HOT_STANDBY))
1859  PgStatPID = pgstat_start();
1860 
1861  /* If we have lost the archiver, try to start a new one. */
1862  if (PgArchPID == 0 && PgArchStartupAllowed())
1864 
1865  /* If we need to signal the autovacuum launcher, do so now */
1867  {
1868  avlauncher_needs_signal = false;
1869  if (AutoVacPID != 0)
1871  }
1872 
1873  /* If we need to start a WAL receiver, try to do that now */
1876 
1877  /* Get other worker processes running, if needed */
1880 
1881 #ifdef HAVE_PTHREAD_IS_THREADED_NP
1882 
1883  /*
1884  * With assertions enabled, check regularly for appearance of
1885  * additional threads. All builds check at start and exit.
1886  */
1887  Assert(pthread_is_threaded_np() == 0);
1888 #endif
1889 
1890  /*
1891  * Lastly, check to see if it's time to do some things that we don't
1892  * want to do every single time through the loop, because they're a
1893  * bit expensive. Note that there's up to a minute of slop in when
1894  * these tasks will be performed, since DetermineSleepTime() will let
1895  * us sleep at most that long; except for SIGKILL timeout which has
1896  * special-case logic there.
1897  */
1898  now = time(NULL);
1899 
1900  /*
1901  * If we already sent SIGQUIT to children and they are slow to shut
1902  * down, it's time to send them SIGKILL. This doesn't happen
1903  * normally, but under certain conditions backends can get stuck while
1904  * shutting down. This is a last measure to get them unwedged.
1905  *
1906  * Note we also do this during recovery from a process crash.
1907  */
1908  if ((Shutdown >= ImmediateShutdown || (FatalError && !SendStop)) &&
1909  AbortStartTime != 0 &&
1911  {
1912  /* We were gentle with them before. Not anymore */
1913  ereport(LOG,
1914  (errmsg("issuing SIGKILL to recalcitrant children")));
1916  /* reset flag so we don't SIGKILL again */
1917  AbortStartTime = 0;
1918  }
1919 
1920  /*
1921  * Once a minute, verify that postmaster.pid hasn't been removed or
1922  * overwritten. If it has, we force a shutdown. This avoids having
1923  * postmasters and child processes hanging around after their database
1924  * is gone, and maybe causing problems if a new database cluster is
1925  * created in the same place. It also provides some protection
1926  * against a DBA foolishly removing postmaster.pid and manually
1927  * starting a new postmaster. Data corruption is likely to ensue from
1928  * that anyway, but we can minimize the damage by aborting ASAP.
1929  */
1930  if (now - last_lockfile_recheck_time >= 1 * SECS_PER_MINUTE)
1931  {
1932  if (!RecheckDataDirLockFile())
1933  {
1934  ereport(LOG,
1935  (errmsg("performing immediate shutdown because data directory lock file is invalid")));
1937  }
1938  last_lockfile_recheck_time = now;
1939  }
1940 
1941  /*
1942  * Touch Unix socket and lock files every 58 minutes, to ensure that
1943  * they are not removed by overzealous /tmp-cleaning tasks. We assume
1944  * no one runs cleaners with cutoff times of less than an hour ...
1945  */
1946  if (now - last_touch_time >= 58 * SECS_PER_MINUTE)
1947  {
1948  TouchSocketFiles();
1950  last_touch_time = now;
1951  }
1952  }
1953 }
1954 
1955 /*
1956  * Initialise the masks for select() for the ports we are listening on.
1957  * Return the number of sockets to listen on.
1958  */
1959 static int
1960 initMasks(fd_set *rmask)
1961 {
1962  int maxsock = -1;
1963  int i;
1964 
1965  FD_ZERO(rmask);
1966 
1967  for (i = 0; i < MAXLISTEN; i++)
1968  {
1969  int fd = ListenSocket[i];
1970 
1971  if (fd == PGINVALID_SOCKET)
1972  break;
1973  FD_SET(fd, rmask);
1974 
1975  if (fd > maxsock)
1976  maxsock = fd;
1977  }
1978 
1979  return maxsock + 1;
1980 }
1981 
1982 
1983 /*
1984  * Read a client's startup packet and do something according to it.
1985  *
1986  * Returns STATUS_OK or STATUS_ERROR, or might call ereport(FATAL) and
1987  * not return at all.
1988  *
1989  * (Note that ereport(FATAL) stuff is sent to the client, so only use it
1990  * if that's what you want. Return STATUS_ERROR if you don't want to
1991  * send anything to the client, which would typically be appropriate
1992  * if we detect a communications failure.)
1993  *
1994  * Set ssl_done and/or gss_done when negotiation of an encrypted layer
1995  * (currently, TLS or GSSAPI) is completed. A successful negotiation of either
1996  * encryption layer sets both flags, but a rejected negotiation sets only the
1997  * flag for that layer, since the client may wish to try the other one. We
1998  * should make no assumption here about the order in which the client may make
1999  * requests.
2000  */
2001 static int
2002 ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done)
2003 {
2004  int32 len;
2005  char *buf;
2006  ProtocolVersion proto;
2007  MemoryContext oldcontext;
2008 
2009  pq_startmsgread();
2010 
2011  /*
2012  * Grab the first byte of the length word separately, so that we can tell
2013  * whether we have no data at all or an incomplete packet. (This might
2014  * sound inefficient, but it's not really, because of buffering in
2015  * pqcomm.c.)
2016  */
2017  if (pq_getbytes((char *) &len, 1) == EOF)
2018  {
2019  /*
2020  * If we get no data at all, don't clutter the log with a complaint;
2021  * such cases often occur for legitimate reasons. An example is that
2022  * we might be here after responding to NEGOTIATE_SSL_CODE, and if the
2023  * client didn't like our response, it'll probably just drop the
2024  * connection. Service-monitoring software also often just opens and
2025  * closes a connection without sending anything. (So do port
2026  * scanners, which may be less benign, but it's not really our job to
2027  * notice those.)
2028  */
2029  return STATUS_ERROR;
2030  }
2031 
2032  if (pq_getbytes(((char *) &len) + 1, 3) == EOF)
2033  {
2034  /* Got a partial length word, so bleat about that */
2035  if (!ssl_done && !gss_done)
2037  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2038  errmsg("incomplete startup packet")));
2039  return STATUS_ERROR;
2040  }
2041 
2042  len = pg_ntoh32(len);
2043  len -= 4;
2044 
2045  if (len < (int32) sizeof(ProtocolVersion) ||
2047  {
2049  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2050  errmsg("invalid length of startup packet")));
2051  return STATUS_ERROR;
2052  }
2053 
2054  /*
2055  * Allocate space to hold the startup packet, plus one extra byte that's
2056  * initialized to be zero. This ensures we will have null termination of
2057  * all strings inside the packet.
2058  */
2059  buf = palloc(len + 1);
2060  buf[len] = '\0';
2061 
2062  if (pq_getbytes(buf, len) == EOF)
2063  {
2065  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2066  errmsg("incomplete startup packet")));
2067  return STATUS_ERROR;
2068  }
2069  pq_endmsgread();
2070 
2071  /*
2072  * The first field is either a protocol version number or a special
2073  * request code.
2074  */
2075  port->proto = proto = pg_ntoh32(*((ProtocolVersion *) buf));
2076 
2077  if (proto == CANCEL_REQUEST_CODE)
2078  {
2080  /* Not really an error, but we don't want to proceed further */
2081  return STATUS_ERROR;
2082  }
2083 
2084  if (proto == NEGOTIATE_SSL_CODE && !ssl_done)
2085  {
2086  char SSLok;
2087 
2088 #ifdef USE_SSL
2089  /* No SSL when disabled or on Unix sockets */
2090  if (!LoadedSSL || IS_AF_UNIX(port->laddr.addr.ss_family))
2091  SSLok = 'N';
2092  else
2093  SSLok = 'S'; /* Support for SSL */
2094 #else
2095  SSLok = 'N'; /* No support for SSL */
2096 #endif
2097 
2098 retry1:
2099  if (send(port->sock, &SSLok, 1, 0) != 1)
2100  {
2101  if (errno == EINTR)
2102  goto retry1; /* if interrupted, just retry */
2105  errmsg("failed to send SSL negotiation response: %m")));
2106  return STATUS_ERROR; /* close the connection */
2107  }
2108 
2109 #ifdef USE_SSL
2110  if (SSLok == 'S' && secure_open_server(port) == -1)
2111  return STATUS_ERROR;
2112 #endif
2113 
2114  /*
2115  * At this point we should have no data already buffered. If we do,
2116  * it was received before we performed the SSL handshake, so it wasn't
2117  * encrypted and indeed may have been injected by a man-in-the-middle.
2118  * We report this case to the client.
2119  */
2120  if (pq_buffer_has_data())
2121  ereport(FATAL,
2122  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2123  errmsg("received unencrypted data after SSL request"),
2124  errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
2125 
2126  /*
2127  * regular startup packet, cancel, etc packet should follow, but not
2128  * another SSL negotiation request, and a GSS request should only
2129  * follow if SSL was rejected (client may negotiate in either order)
2130  */
2131  return ProcessStartupPacket(port, true, SSLok == 'S');
2132  }
2133  else if (proto == NEGOTIATE_GSS_CODE && !gss_done)
2134  {
2135  char GSSok = 'N';
2136 
2137 #ifdef ENABLE_GSS
2138  /* No GSSAPI encryption when on Unix socket */
2139  if (!IS_AF_UNIX(port->laddr.addr.ss_family))
2140  GSSok = 'G';
2141 #endif
2142 
2143  while (send(port->sock, &GSSok, 1, 0) != 1)
2144  {
2145  if (errno == EINTR)
2146  continue;
2149  errmsg("failed to send GSSAPI negotiation response: %m")));
2150  return STATUS_ERROR; /* close the connection */
2151  }
2152 
2153 #ifdef ENABLE_GSS
2154  if (GSSok == 'G' && secure_open_gssapi(port) == -1)
2155  return STATUS_ERROR;
2156 #endif
2157 
2158  /*
2159  * At this point we should have no data already buffered. If we do,
2160  * it was received before we performed the GSS handshake, so it wasn't
2161  * encrypted and indeed may have been injected by a man-in-the-middle.
2162  * We report this case to the client.
2163  */
2164  if (pq_buffer_has_data())
2165  ereport(FATAL,
2166  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2167  errmsg("received unencrypted data after GSSAPI encryption request"),
2168  errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
2169 
2170  /*
2171  * regular startup packet, cancel, etc packet should follow, but not
2172  * another GSS negotiation request, and an SSL request should only
2173  * follow if GSS was rejected (client may negotiate in either order)
2174  */
2175  return ProcessStartupPacket(port, GSSok == 'G', true);
2176  }
2177 
2178  /* Could add additional special packet types here */
2179 
2180  /*
2181  * Set FrontendProtocol now so that ereport() knows what format to send if
2182  * we fail during startup.
2183  */
2184  FrontendProtocol = proto;
2185 
2186  /* Check that the major protocol version is in range. */
2189  ereport(FATAL,
2190  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2191  errmsg("unsupported frontend protocol %u.%u: server supports %u.0 to %u.%u",
2192  PG_PROTOCOL_MAJOR(proto), PG_PROTOCOL_MINOR(proto),
2196 
2197  /*
2198  * Now fetch parameters out of startup packet and save them into the Port
2199  * structure. All data structures attached to the Port struct must be
2200  * allocated in TopMemoryContext so that they will remain available in a
2201  * running backend (even after PostmasterContext is destroyed). We need
2202  * not worry about leaking this storage on failure, since we aren't in the
2203  * postmaster process anymore.
2204  */
2206 
2207  /* Handle protocol version 3 startup packet */
2208  {
2209  int32 offset = sizeof(ProtocolVersion);
2210  List *unrecognized_protocol_options = NIL;
2211 
2212  /*
2213  * Scan packet body for name/option pairs. We can assume any string
2214  * beginning within the packet body is null-terminated, thanks to
2215  * zeroing extra byte above.
2216  */
2217  port->guc_options = NIL;
2218 
2219  while (offset < len)
2220  {
2221  char *nameptr = buf + offset;
2222  int32 valoffset;
2223  char *valptr;
2224 
2225  if (*nameptr == '\0')
2226  break; /* found packet terminator */
2227  valoffset = offset + strlen(nameptr) + 1;
2228  if (valoffset >= len)
2229  break; /* missing value, will complain below */
2230  valptr = buf + valoffset;
2231 
2232  if (strcmp(nameptr, "database") == 0)
2233  port->database_name = pstrdup(valptr);
2234  else if (strcmp(nameptr, "user") == 0)
2235  port->user_name = pstrdup(valptr);
2236  else if (strcmp(nameptr, "options") == 0)
2237  port->cmdline_options = pstrdup(valptr);
2238  else if (strcmp(nameptr, "replication") == 0)
2239  {
2240  /*
2241  * Due to backward compatibility concerns the replication
2242  * parameter is a hybrid beast which allows the value to be
2243  * either boolean or the string 'database'. The latter
2244  * connects to a specific database which is e.g. required for
2245  * logical decoding while.
2246  */
2247  if (strcmp(valptr, "database") == 0)
2248  {
2249  am_walsender = true;
2250  am_db_walsender = true;
2251  }
2252  else if (!parse_bool(valptr, &am_walsender))
2253  ereport(FATAL,
2254  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
2255  errmsg("invalid value for parameter \"%s\": \"%s\"",
2256  "replication",
2257  valptr),
2258  errhint("Valid values are: \"false\", 0, \"true\", 1, \"database\".")));
2259  }
2260  else if (strncmp(nameptr, "_pq_.", 5) == 0)
2261  {
2262  /*
2263  * Any option beginning with _pq_. is reserved for use as a
2264  * protocol-level option, but at present no such options are
2265  * defined.
2266  */
2267  unrecognized_protocol_options =
2268  lappend(unrecognized_protocol_options, pstrdup(nameptr));
2269  }
2270  else
2271  {
2272  /* Assume it's a generic GUC option */
2273  port->guc_options = lappend(port->guc_options,
2274  pstrdup(nameptr));
2275  port->guc_options = lappend(port->guc_options,
2276  pstrdup(valptr));
2277 
2278  /*
2279  * Copy application_name to port if we come across it. This
2280  * is done so we can log the application_name in the
2281  * connection authorization message. Note that the GUC would
2282  * be used but we haven't gone through GUC setup yet.
2283  */
2284  if (strcmp(nameptr, "application_name") == 0)
2285  {
2286  char *tmp_app_name = pstrdup(valptr);
2287 
2288  pg_clean_ascii(tmp_app_name);
2289 
2290  port->application_name = tmp_app_name;
2291  }
2292  }
2293  offset = valoffset + strlen(valptr) + 1;
2294  }
2295 
2296  /*
2297  * If we didn't find a packet terminator exactly at the end of the
2298  * given packet length, complain.
2299  */
2300  if (offset != len - 1)
2301  ereport(FATAL,
2302  (errcode(ERRCODE_PROTOCOL_VIOLATION),
2303  errmsg("invalid startup packet layout: expected terminator as last byte")));
2304 
2305  /*
2306  * If the client requested a newer protocol version or if the client
2307  * requested any protocol options we didn't recognize, let them know
2308  * the newest minor protocol version we do support and the names of
2309  * any unrecognized options.
2310  */
2312  unrecognized_protocol_options != NIL)
2313  SendNegotiateProtocolVersion(unrecognized_protocol_options);
2314  }
2315 
2316  /* Check a user name was given. */
2317  if (port->user_name == NULL || port->user_name[0] == '\0')
2318  ereport(FATAL,
2319  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
2320  errmsg("no PostgreSQL user name specified in startup packet")));
2321 
2322  /* The database defaults to the user name. */
2323  if (port->database_name == NULL || port->database_name[0] == '\0')
2324  port->database_name = pstrdup(port->user_name);
2325 
2326  if (Db_user_namespace)
2327  {
2328  /*
2329  * If user@, it is a global user, remove '@'. We only want to do this
2330  * if there is an '@' at the end and no earlier in the user string or
2331  * they may fake as a local user of another database attaching to this
2332  * database.
2333  */
2334  if (strchr(port->user_name, '@') ==
2335  port->user_name + strlen(port->user_name) - 1)
2336  *strchr(port->user_name, '@') = '\0';
2337  else
2338  {
2339  /* Append '@' and dbname */
2340  port->user_name = psprintf("%s@%s", port->user_name, port->database_name);
2341  }
2342  }
2343 
2344  /*
2345  * Truncate given database and user names to length of a Postgres name.
2346  * This avoids lookup failures when overlength names are given.
2347  */
2348  if (strlen(port->database_name) >= NAMEDATALEN)
2349  port->database_name[NAMEDATALEN - 1] = '\0';
2350  if (strlen(port->user_name) >= NAMEDATALEN)
2351  port->user_name[NAMEDATALEN - 1] = '\0';
2352 
2353  if (am_walsender)
2355  else
2357 
2358  /*
2359  * Normal walsender backends, e.g. for streaming replication, are not
2360  * connected to a particular database. But walsenders used for logical
2361  * replication need to connect to a specific database. We allow streaming
2362  * replication commands to be issued even if connected to a database as it
2363  * can make sense to first make a basebackup and then stream changes
2364  * starting from that.
2365  */
2366  if (am_walsender && !am_db_walsender)
2367  port->database_name[0] = '\0';
2368 
2369  /*
2370  * Done putting stuff in TopMemoryContext.
2371  */
2372  MemoryContextSwitchTo(oldcontext);
2373 
2374  /*
2375  * If we're going to reject the connection due to database state, say so
2376  * now instead of wasting cycles on an authentication exchange. (This also
2377  * allows a pg_ping utility to be written.)
2378  */
2379  switch (port->canAcceptConnections)
2380  {
2381  case CAC_STARTUP:
2382  ereport(FATAL,
2384  errmsg("the database system is starting up")));
2385  break;
2386  case CAC_NOTCONSISTENT:
2387  if (EnableHotStandby)
2388  ereport(FATAL,
2390  errmsg("the database system is not yet accepting connections"),
2391  errdetail("Consistent recovery state has not been yet reached.")));
2392  else
2393  ereport(FATAL,
2395  errmsg("the database system is not accepting connections"),
2396  errdetail("Hot standby mode is disabled.")));
2397  break;
2398  case CAC_SHUTDOWN:
2399  ereport(FATAL,
2401  errmsg("the database system is shutting down")));
2402  break;
2403  case CAC_RECOVERY:
2404  ereport(FATAL,
2406  errmsg("the database system is in recovery mode")));
2407  break;
2408  case CAC_TOOMANY:
2409  ereport(FATAL,
2410  (errcode(ERRCODE_TOO_MANY_CONNECTIONS),
2411  errmsg("sorry, too many clients already")));
2412  break;
2413  case CAC_SUPERUSER:
2414  /* OK for now, will check in InitPostgres */
2415  break;
2416  case CAC_OK:
2417  break;
2418  }
2419 
2420  return STATUS_OK;
2421 }
2422 
2423 /*
2424  * Send a NegotiateProtocolVersion to the client. This lets the client know
2425  * that they have requested a newer minor protocol version than we are able
2426  * to speak. We'll speak the highest version we know about; the client can,
2427  * of course, abandon the connection if that's a problem.
2428  *
2429  * We also include in the response a list of protocol options we didn't
2430  * understand. This allows clients to include optional parameters that might
2431  * be present either in newer protocol versions or third-party protocol
2432  * extensions without fear of having to reconnect if those options are not
2433  * understood, while at the same time making certain that the client is aware
2434  * of which options were actually accepted.
2435  */
2436 static void
2437 SendNegotiateProtocolVersion(List *unrecognized_protocol_options)
2438 {
2440  ListCell *lc;
2441 
2442  pq_beginmessage(&buf, 'v'); /* NegotiateProtocolVersion */
2444  pq_sendint32(&buf, list_length(unrecognized_protocol_options));
2445  foreach(lc, unrecognized_protocol_options)
2446  pq_sendstring(&buf, lfirst(lc));
2447  pq_endmessage(&buf);
2448 
2449  /* no need to flush, some other message will follow */
2450 }
2451 
2452 /*
2453  * The client has sent a cancel request packet, not a normal
2454  * start-a-new-connection packet. Perform the necessary processing.
2455  * Nothing is sent back to the client.
2456  */
2457 static void
2459 {
2460  CancelRequestPacket *canc = (CancelRequestPacket *) pkt;
2461  int backendPID;
2462  int32 cancelAuthCode;
2463  Backend *bp;
2464 
2465 #ifndef EXEC_BACKEND
2466  dlist_iter iter;
2467 #else
2468  int i;
2469 #endif
2470 
2471  backendPID = (int) pg_ntoh32(canc->backendPID);
2472  cancelAuthCode = (int32) pg_ntoh32(canc->cancelAuthCode);
2473 
2474  /*
2475  * See if we have a matching backend. In the EXEC_BACKEND case, we can no
2476  * longer access the postmaster's own backend list, and must rely on the
2477  * duplicate array in shared memory.
2478  */
2479 #ifndef EXEC_BACKEND
2480  dlist_foreach(iter, &BackendList)
2481  {
2482  bp = dlist_container(Backend, elem, iter.cur);
2483 #else
2484  for (i = MaxLivePostmasterChildren() - 1; i >= 0; i--)
2485  {
2486  bp = (Backend *) &ShmemBackendArray[i];
2487 #endif
2488  if (bp->pid == backendPID)
2489  {
2490  if (bp->cancel_key == cancelAuthCode)
2491  {
2492  /* Found a match; signal that backend to cancel current op */
2493  ereport(DEBUG2,
2494  (errmsg_internal("processing cancel request: sending SIGINT to process %d",
2495  backendPID)));
2496  signal_child(bp->pid, SIGINT);
2497  }
2498  else
2499  /* Right PID, wrong key: no way, Jose */
2500  ereport(LOG,
2501  (errmsg("wrong key in cancel request for process %d",
2502  backendPID)));
2503  return;
2504  }
2505 #ifndef EXEC_BACKEND /* make GNU Emacs 26.1 see brace balance */
2506  }
2507 #else
2508  }
2509 #endif
2510 
2511  /* No matching backend */
2512  ereport(LOG,
2513  (errmsg("PID %d in cancel request did not match any process",
2514  backendPID)));
2515 }
2516 
2517 /*
2518  * canAcceptConnections --- check to see if database state allows connections
2519  * of the specified type. backend_type can be BACKEND_TYPE_NORMAL,
2520  * BACKEND_TYPE_AUTOVAC, or BACKEND_TYPE_BGWORKER. (Note that we don't yet
2521  * know whether a NORMAL connection might turn into a walsender.)
2522  */
2523 static CAC_state
2524 canAcceptConnections(int backend_type)
2525 {
2526  CAC_state result = CAC_OK;
2527 
2528  /*
2529  * Can't start backends when in startup/shutdown/inconsistent recovery
2530  * state. We treat autovac workers the same as user backends for this
2531  * purpose. However, bgworkers are excluded from this test; we expect
2532  * bgworker_should_start_now() decided whether the DB state allows them.
2533  */
2534  if (pmState != PM_RUN && pmState != PM_HOT_STANDBY &&
2535  backend_type != BACKEND_TYPE_BGWORKER)
2536  {
2537  if (Shutdown > NoShutdown)
2538  return CAC_SHUTDOWN; /* shutdown is pending */
2539  else if (!FatalError && pmState == PM_STARTUP)
2540  return CAC_STARTUP; /* normal startup */
2541  else if (!FatalError && pmState == PM_RECOVERY)
2542  return CAC_NOTCONSISTENT; /* not yet at consistent recovery
2543  * state */
2544  else
2545  return CAC_RECOVERY; /* else must be crash recovery */
2546  }
2547 
2548  /*
2549  * "Smart shutdown" restrictions are applied only to normal connections,
2550  * not to autovac workers or bgworkers. When only superusers can connect,
2551  * we return CAC_SUPERUSER to indicate that superuserness must be checked
2552  * later. Note that neither CAC_OK nor CAC_SUPERUSER can safely be
2553  * returned until we have checked for too many children.
2554  */
2555  if (connsAllowed != ALLOW_ALL_CONNS &&
2556  backend_type == BACKEND_TYPE_NORMAL)
2557  {
2559  result = CAC_SUPERUSER; /* allow superusers only */
2560  else
2561  return CAC_SHUTDOWN; /* shutdown is pending */
2562  }
2563 
2564  /*
2565  * Don't start too many children.
2566  *
2567  * We allow more connections here than we can have backends because some
2568  * might still be authenticating; they might fail auth, or some existing
2569  * backend might exit before the auth cycle is completed. The exact
2570  * MaxBackends limit is enforced when a new backend tries to join the
2571  * shared-inval backend array.
2572  *
2573  * The limit here must match the sizes of the per-child-process arrays;
2574  * see comments for MaxLivePostmasterChildren().
2575  */
2577  result = CAC_TOOMANY;
2578 
2579  return result;
2580 }
2581 
2582 
2583 /*
2584  * ConnCreate -- create a local connection data structure
2585  *
2586  * Returns NULL on failure, other than out-of-memory which is fatal.
2587  */
2588 static Port *
2589 ConnCreate(int serverFd)
2590 {
2591  Port *port;
2592 
2593  if (!(port = (Port *) calloc(1, sizeof(Port))))
2594  {
2595  ereport(LOG,
2596  (errcode(ERRCODE_OUT_OF_MEMORY),
2597  errmsg("out of memory")));
2598  ExitPostmaster(1);
2599  }
2600 
2601  if (StreamConnection(serverFd, port) != STATUS_OK)
2602  {
2603  if (port->sock != PGINVALID_SOCKET)
2604  StreamClose(port->sock);
2605  ConnFree(port);
2606  return NULL;
2607  }
2608 
2609  return port;
2610 }
2611 
2612 
2613 /*
2614  * ConnFree -- free a local connection data structure
2615  *
2616  * Caller has already closed the socket if any, so there's not much
2617  * to do here.
2618  */
2619 static void
2621 {
2622  free(conn);
2623 }
2624 
2625 
2626 /*
2627  * ClosePostmasterPorts -- close all the postmaster's open sockets
2628  *
2629  * This is called during child process startup to release file descriptors
2630  * that are not needed by that child process. The postmaster still has
2631  * them open, of course.
2632  *
2633  * Note: we pass am_syslogger as a boolean because we don't want to set
2634  * the global variable yet when this is called.
2635  */
2636 void
2637 ClosePostmasterPorts(bool am_syslogger)
2638 {
2639  int i;
2640 
2641 #ifndef WIN32
2642 
2643  /*
2644  * Close the write end of postmaster death watch pipe. It's important to
2645  * do this as early as possible, so that if postmaster dies, others won't
2646  * think that it's still running because we're holding the pipe open.
2647  */
2649  ereport(FATAL,
2651  errmsg_internal("could not close postmaster death monitoring pipe in child process: %m")));
2653  /* Notify fd.c that we released one pipe FD. */
2655 #endif
2656 
2657  /*
2658  * Close the postmaster's listen sockets. These aren't tracked by fd.c,
2659  * so we don't call ReleaseExternalFD() here.
2660  */
2661  for (i = 0; i < MAXLISTEN; i++)
2662  {
2664  {
2667  }
2668  }
2669 
2670  /*
2671  * If using syslogger, close the read side of the pipe. We don't bother
2672  * tracking this in fd.c, either.
2673  */
2674  if (!am_syslogger)
2675  {
2676 #ifndef WIN32
2677  if (syslogPipe[0] >= 0)
2678  close(syslogPipe[0]);
2679  syslogPipe[0] = -1;
2680 #else
2681  if (syslogPipe[0])
2682  CloseHandle(syslogPipe[0]);
2683  syslogPipe[0] = 0;
2684 #endif
2685  }
2686 
2687 #ifdef USE_BONJOUR
2688  /* If using Bonjour, close the connection to the mDNS daemon */
2689  if (bonjour_sdref)
2690  close(DNSServiceRefSockFD(bonjour_sdref));
2691 #endif
2692 }
2693 
2694 
2695 /*
2696  * InitProcessGlobals -- set MyProcPid, MyStartTime[stamp], random seeds
2697  *
2698  * Called early in the postmaster and every backend.
2699  */
2700 void
2702 {
2703  MyProcPid = getpid();
2706 
2707  /*
2708  * Set a different global seed in every process. We want something
2709  * unpredictable, so if possible, use high-quality random bits for the
2710  * seed. Otherwise, fall back to a seed based on timestamp and PID.
2711  */
2713  {
2714  uint64 rseed;
2715 
2716  /*
2717  * Since PIDs and timestamps tend to change more frequently in their
2718  * least significant bits, shift the timestamp left to allow a larger
2719  * total number of seeds in a given time period. Since that would
2720  * leave only 20 bits of the timestamp that cycle every ~1 second,
2721  * also mix in some higher bits.
2722  */
2723  rseed = ((uint64) MyProcPid) ^
2724  ((uint64) MyStartTimestamp << 12) ^
2725  ((uint64) MyStartTimestamp >> 20);
2726 
2728  }
2729 
2730  /*
2731  * Also make sure that we've set a good seed for random(3). Use of that
2732  * is deprecated in core Postgres, but extensions might use it.
2733  */
2734 #ifndef WIN32
2736 #endif
2737 }
2738 
2739 
2740 /*
2741  * reset_shared -- reset shared memory and semaphores
2742  */
2743 static void
2745 {
2746  /*
2747  * Create or re-create shared memory and semaphores.
2748  *
2749  * Note: in each "cycle of life" we will normally assign the same IPC keys
2750  * (if using SysV shmem and/or semas). This helps ensure that we will
2751  * clean up dead IPC objects if the postmaster crashes and is restarted.
2752  */
2754 }
2755 
2756 
2757 /*
2758  * SIGHUP -- reread config files, and tell children to do same
2759  */
2760 static void
2762 {
2763  int save_errno = errno;
2764 
2765  /*
2766  * We rely on the signal mechanism to have blocked all signals ... except
2767  * on Windows, which lacks sigaction(), so we have to do it manually.
2768  */
2769 #ifdef WIN32
2770  PG_SETMASK(&BlockSig);
2771 #endif
2772 
2773  if (Shutdown <= SmartShutdown)
2774  {
2775  ereport(LOG,
2776  (errmsg("received SIGHUP, reloading configuration files")));
2779  if (StartupPID != 0)
2781  if (BgWriterPID != 0)
2783  if (CheckpointerPID != 0)
2785  if (WalWriterPID != 0)
2787  if (WalReceiverPID != 0)
2789  if (AutoVacPID != 0)
2791  if (PgArchPID != 0)
2793  if (SysLoggerPID != 0)
2795  if (PgStatPID != 0)
2797 
2798  /* Reload authentication config files too */
2799  if (!load_hba())
2800  ereport(LOG,
2801  /* translator: %s is a configuration file */
2802  (errmsg("%s was not reloaded", "pg_hba.conf")));
2803 
2804  if (!load_ident())
2805  ereport(LOG,
2806  (errmsg("%s was not reloaded", "pg_ident.conf")));
2807 
2808 #ifdef USE_SSL
2809  /* Reload SSL configuration as well */
2810  if (EnableSSL)
2811  {
2812  if (secure_initialize(false) == 0)
2813  LoadedSSL = true;
2814  else
2815  ereport(LOG,
2816  (errmsg("SSL configuration was not reloaded")));
2817  }
2818  else
2819  {
2820  secure_destroy();
2821  LoadedSSL = false;
2822  }
2823 #endif
2824 
2825 #ifdef EXEC_BACKEND
2826  /* Update the starting-point file for future children */
2827  write_nondefault_variables(PGC_SIGHUP);
2828 #endif
2829  }
2830 
2831 #ifdef WIN32
2833 #endif
2834 
2835  errno = save_errno;
2836 }
2837 
2838 
2839 /*
2840  * pmdie -- signal handler for processing various postmaster signals.
2841  */
2842 static void
2844 {
2845  int save_errno = errno;
2846 
2847  /*
2848  * We rely on the signal mechanism to have blocked all signals ... except
2849  * on Windows, which lacks sigaction(), so we have to do it manually.
2850  */
2851 #ifdef WIN32
2852  PG_SETMASK(&BlockSig);
2853 #endif
2854 
2855  ereport(DEBUG2,
2856  (errmsg_internal("postmaster received signal %d",
2857  postgres_signal_arg)));
2858 
2859  switch (postgres_signal_arg)
2860  {
2861  case SIGTERM:
2862 
2863  /*
2864  * Smart Shutdown:
2865  *
2866  * Wait for children to end their work, then shut down.
2867  */
2868  if (Shutdown >= SmartShutdown)
2869  break;
2871  ereport(LOG,
2872  (errmsg("received smart shutdown request")));
2873 
2874  /* Report status */
2876 #ifdef USE_SYSTEMD
2877  sd_notify(0, "STOPPING=1");
2878 #endif
2879 
2880  /*
2881  * If we reached normal running, we have to wait for any online
2882  * backup mode to end; otherwise go straight to waiting for client
2883  * backends to exit. (The difference is that in the former state,
2884  * we'll still let in new superuser clients, so that somebody can
2885  * end the online backup mode.) If already in PM_STOP_BACKENDS or
2886  * a later state, do not change it.
2887  */
2888  if (pmState == PM_RUN)
2890  else if (pmState == PM_HOT_STANDBY)
2892  else if (pmState == PM_STARTUP || pmState == PM_RECOVERY)
2893  {
2894  /* There should be no clients, so proceed to stop children */
2896  }
2897 
2898  /*
2899  * Now wait for online backup mode to end and backends to exit. If
2900  * that is already the case, PostmasterStateMachine will take the
2901  * next step.
2902  */
2904  break;
2905 
2906  case SIGINT:
2907 
2908  /*
2909  * Fast Shutdown:
2910  *
2911  * Abort all children with SIGTERM (rollback active transactions
2912  * and exit) and shut down when they are gone.
2913  */
2914  if (Shutdown >= FastShutdown)
2915  break;
2917  ereport(LOG,
2918  (errmsg("received fast shutdown request")));
2919 
2920  /* Report status */
2922 #ifdef USE_SYSTEMD
2923  sd_notify(0, "STOPPING=1");
2924 #endif
2925 
2926  if (pmState == PM_STARTUP || pmState == PM_RECOVERY)
2927  {
2928  /* Just shut down background processes silently */
2930  }
2931  else if (pmState == PM_RUN ||
2933  {
2934  /* Report that we're about to zap live client sessions */
2935  ereport(LOG,
2936  (errmsg("aborting any active transactions")));
2938  }
2939 
2940  /*
2941  * PostmasterStateMachine will issue any necessary signals, or
2942  * take the next step if no child processes need to be killed.
2943  */
2945  break;
2946 
2947  case SIGQUIT:
2948 
2949  /*
2950  * Immediate Shutdown:
2951  *
2952  * abort all children with SIGQUIT, wait for them to exit,
2953  * terminate remaining ones with SIGKILL, then exit without
2954  * attempt to properly shut down the data base system.
2955  */
2956  if (Shutdown >= ImmediateShutdown)
2957  break;
2959  ereport(LOG,
2960  (errmsg("received immediate shutdown request")));
2961 
2962  /* Report status */
2964 #ifdef USE_SYSTEMD
2965  sd_notify(0, "STOPPING=1");
2966 #endif
2967 
2968  /* tell children to shut down ASAP */
2972 
2973  /* set stopwatch for them to die */
2974  AbortStartTime = time(NULL);
2975 
2976  /*
2977  * Now wait for backends to exit. If there are none,
2978  * PostmasterStateMachine will take the next step.
2979  */
2981  break;
2982  }
2983 
2984 #ifdef WIN32
2986 #endif
2987 
2988  errno = save_errno;
2989 }
2990 
2991 /*
2992  * Reaper -- signal handler to cleanup after a child process dies.
2993  */
2994 static void
2996 {
2997  int save_errno = errno;
2998  int pid; /* process id of dead child process */
2999  int exitstatus; /* its exit status */
3000 
3001  /*
3002  * We rely on the signal mechanism to have blocked all signals ... except
3003  * on Windows, which lacks sigaction(), so we have to do it manually.
3004  */
3005 #ifdef WIN32
3006  PG_SETMASK(&BlockSig);
3007 #endif
3008 
3009  ereport(DEBUG4,
3010  (errmsg_internal("reaping dead processes")));
3011 
3012  while ((pid = waitpid(-1, &exitstatus, WNOHANG)) > 0)
3013  {
3014  /*
3015  * Check if this child was a startup process.
3016  */
3017  if (pid == StartupPID)
3018  {
3019  StartupPID = 0;
3020 
3021  /*
3022  * Startup process exited in response to a shutdown request (or it
3023  * completed normally regardless of the shutdown request).
3024  */
3025  if (Shutdown > NoShutdown &&
3026  (EXIT_STATUS_0(exitstatus) || EXIT_STATUS_1(exitstatus)))
3027  {
3030  /* PostmasterStateMachine logic does the rest */
3031  continue;
3032  }
3033 
3034  if (EXIT_STATUS_3(exitstatus))
3035  {
3036  ereport(LOG,
3037  (errmsg("shutdown at recovery target")));
3040  TerminateChildren(SIGTERM);
3042  /* PostmasterStateMachine logic does the rest */
3043  continue;
3044  }
3045 
3046  /*
3047  * Unexpected exit of startup process (including FATAL exit)
3048  * during PM_STARTUP is treated as catastrophic. There are no
3049  * other processes running yet, so we can just exit.
3050  */
3051  if (pmState == PM_STARTUP &&
3053  !EXIT_STATUS_0(exitstatus))
3054  {
3055  LogChildExit(LOG, _("startup process"),
3056  pid, exitstatus);
3057  ereport(LOG,
3058  (errmsg("aborting startup due to startup process failure")));
3059  ExitPostmaster(1);
3060  }
3061 
3062  /*
3063  * After PM_STARTUP, any unexpected exit (including FATAL exit) of
3064  * the startup process is catastrophic, so kill other children,
3065  * and set StartupStatus so we don't try to reinitialize after
3066  * they're gone. Exception: if StartupStatus is STARTUP_SIGNALED,
3067  * then we previously sent the startup process a SIGQUIT; so
3068  * that's probably the reason it died, and we do want to try to
3069  * restart in that case.
3070  *
3071  * This stanza also handles the case where we sent a SIGQUIT
3072  * during PM_STARTUP due to some dead_end child crashing: in that
3073  * situation, if the startup process dies on the SIGQUIT, we need
3074  * to transition to PM_WAIT_BACKENDS state which will allow
3075  * PostmasterStateMachine to restart the startup process. (On the
3076  * other hand, the startup process might complete normally, if we
3077  * were too late with the SIGQUIT. In that case we'll fall
3078  * through and commence normal operations.)
3079  */
3080  if (!EXIT_STATUS_0(exitstatus))
3081  {
3083  {
3085  if (pmState == PM_STARTUP)
3087  }
3088  else
3090  HandleChildCrash(pid, exitstatus,
3091  _("startup process"));
3092  continue;
3093  }
3094 
3095  /*
3096  * Startup succeeded, commence normal operations
3097  */
3099  FatalError = false;
3100  AbortStartTime = 0;
3101  ReachedNormalRunning = true;
3102  pmState = PM_RUN;
3104 
3105  /*
3106  * Crank up the background tasks, if we didn't do that already
3107  * when we entered consistent recovery state. It doesn't matter
3108  * if this fails, we'll just try again later.
3109  */
3110  if (CheckpointerPID == 0)
3112  if (BgWriterPID == 0)
3114  if (WalWriterPID == 0)
3116 
3117  /*
3118  * Likewise, start other special children as needed. In a restart
3119  * situation, some of them may be alive already.
3120  */
3123  if (PgArchStartupAllowed() && PgArchPID == 0)
3125  if (PgStatPID == 0)
3126  PgStatPID = pgstat_start();
3127 
3128  /* workers may be scheduled to start now */
3130 
3131  /* at this point we are really open for business */
3132  ereport(LOG,
3133  (errmsg("database system is ready to accept connections")));
3134 
3135  /* Report status */
3137 #ifdef USE_SYSTEMD
3138  sd_notify(0, "READY=1");
3139 #endif
3140 
3141  continue;
3142  }
3143 
3144  /*
3145  * Was it the bgwriter? Normal exit can be ignored; we'll start a new
3146  * one at the next iteration of the postmaster's main loop, if
3147  * necessary. Any other exit condition is treated as a crash.
3148  */
3149  if (pid == BgWriterPID)
3150  {
3151  BgWriterPID = 0;
3152  if (!EXIT_STATUS_0(exitstatus))
3153  HandleChildCrash(pid, exitstatus,
3154  _("background writer process"));
3155  continue;
3156  }
3157 
3158  /*
3159  * Was it the checkpointer?
3160  */
3161  if (pid == CheckpointerPID)
3162  {
3163  CheckpointerPID = 0;
3164  if (EXIT_STATUS_0(exitstatus) && pmState == PM_SHUTDOWN)
3165  {
3166  /*
3167  * OK, we saw normal exit of the checkpointer after it's been
3168  * told to shut down. We expect that it wrote a shutdown
3169  * checkpoint. (If for some reason it didn't, recovery will
3170  * occur on next postmaster start.)
3171  *
3172  * At this point we should have no normal backend children
3173  * left (else we'd not be in PM_SHUTDOWN state) but we might
3174  * have dead_end children to wait for.
3175  *
3176  * If we have an archiver subprocess, tell it to do a last
3177  * archive cycle and quit. Likewise, if we have walsender
3178  * processes, tell them to send any remaining WAL and quit.
3179  */
3181 
3182  /* Waken archiver for the last time */
3183  if (PgArchPID != 0)
3185 
3186  /*
3187  * Waken walsenders for the last time. No regular backends
3188  * should be around anymore.
3189  */
3191 
3193 
3194  /*
3195  * We can also shut down the stats collector now; there's
3196  * nothing left for it to do.
3197  */
3198  if (PgStatPID != 0)
3200  }
3201  else
3202  {
3203  /*
3204  * Any unexpected exit of the checkpointer (including FATAL
3205  * exit) is treated as a crash.
3206  */
3207  HandleChildCrash(pid, exitstatus,
3208  _("checkpointer process"));
3209  }
3210 
3211  continue;
3212  }
3213 
3214  /*
3215  * Was it the wal writer? Normal exit can be ignored; we'll start a
3216  * new one at the next iteration of the postmaster's main loop, if
3217  * necessary. Any other exit condition is treated as a crash.
3218  */
3219  if (pid == WalWriterPID)
3220  {
3221  WalWriterPID = 0;
3222  if (!EXIT_STATUS_0(exitstatus))
3223  HandleChildCrash(pid, exitstatus,
3224  _("WAL writer process"));
3225  continue;
3226  }
3227 
3228  /*
3229  * Was it the wal receiver? If exit status is zero (normal) or one
3230  * (FATAL exit), we assume everything is all right just like normal
3231  * backends. (If we need a new wal receiver, we'll start one at the
3232  * next iteration of the postmaster's main loop.)
3233  */
3234  if (pid == WalReceiverPID)
3235  {
3236  WalReceiverPID = 0;
3237  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3238  HandleChildCrash(pid, exitstatus,
3239  _("WAL receiver process"));
3240  continue;
3241  }
3242 
3243  /*
3244  * Was it the autovacuum launcher? Normal exit can be ignored; we'll
3245  * start a new one at the next iteration of the postmaster's main
3246  * loop, if necessary. Any other exit condition is treated as a
3247  * crash.
3248  */
3249  if (pid == AutoVacPID)
3250  {
3251  AutoVacPID = 0;
3252  if (!EXIT_STATUS_0(exitstatus))
3253  HandleChildCrash(pid, exitstatus,
3254  _("autovacuum launcher process"));
3255  continue;
3256  }
3257 
3258  /*
3259  * Was it the archiver? If exit status is zero (normal) or one (FATAL
3260  * exit), we assume everything is all right just like normal backends
3261  * and just try to restart a new one so that we immediately retry
3262  * archiving remaining files. (If fail, we'll try again in future
3263  * cycles of the postmaster's main loop.) Unless we were waiting for
3264  * it to shut down; don't restart it in that case, and
3265  * PostmasterStateMachine() will advance to the next shutdown step.
3266  */
3267  if (pid == PgArchPID)
3268  {
3269  PgArchPID = 0;
3270  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3271  HandleChildCrash(pid, exitstatus,
3272  _("archiver process"));
3273  if (PgArchStartupAllowed())
3275  continue;
3276  }
3277 
3278  /*
3279  * Was it the statistics collector? If so, just try to start a new
3280  * one; no need to force reset of the rest of the system. (If fail,
3281  * we'll try again in future cycles of the main loop.)
3282  */
3283  if (pid == PgStatPID)
3284  {
3285  PgStatPID = 0;
3286  if (!EXIT_STATUS_0(exitstatus))
3287  LogChildExit(LOG, _("statistics collector process"),
3288  pid, exitstatus);
3289  if (pmState == PM_RUN || pmState == PM_HOT_STANDBY)
3290  PgStatPID = pgstat_start();
3291  continue;
3292  }
3293 
3294  /* Was it the system logger? If so, try to start a new one */
3295  if (pid == SysLoggerPID)
3296  {
3297  SysLoggerPID = 0;
3298  /* for safety's sake, launch new logger *first* */
3300  if (!EXIT_STATUS_0(exitstatus))
3301  LogChildExit(LOG, _("system logger process"),
3302  pid, exitstatus);
3303  continue;
3304  }
3305 
3306  /* Was it one of our background workers? */
3307  if (CleanupBackgroundWorker(pid, exitstatus))
3308  {
3309  /* have it be restarted */
3310  HaveCrashedWorker = true;
3311  continue;
3312  }
3313 
3314  /*
3315  * Else do standard backend child cleanup.
3316  */
3317  CleanupBackend(pid, exitstatus);
3318  } /* loop over pending child-death reports */
3319 
3320  /*
3321  * After cleaning out the SIGCHLD queue, see if we have any state changes
3322  * or actions to make.
3323  */
3325 
3326  /* Done with signal handler */
3327 #ifdef WIN32
3329 #endif
3330 
3331  errno = save_errno;
3332 }
3333 
3334 /*
3335  * Scan the bgworkers list and see if the given PID (which has just stopped
3336  * or crashed) is in it. Handle its shutdown if so, and return true. If not a
3337  * bgworker, return false.
3338  *
3339  * This is heavily based on CleanupBackend. One important difference is that
3340  * we don't know yet that the dying process is a bgworker, so we must be silent
3341  * until we're sure it is.
3342  */
3343 static bool
3345  int exitstatus) /* child's exit status */
3346 {
3347  char namebuf[MAXPGPATH];
3348  slist_mutable_iter iter;
3349 
3351  {
3352  RegisteredBgWorker *rw;
3353 
3354  rw = slist_container(RegisteredBgWorker, rw_lnode, iter.cur);
3355 
3356  if (rw->rw_pid != pid)
3357  continue;
3358 
3359 #ifdef WIN32
3360  /* see CleanupBackend */
3361  if (exitstatus == ERROR_WAIT_NO_CHILDREN)
3362  exitstatus = 0;
3363 #endif
3364 
3365  snprintf(namebuf, MAXPGPATH, _("background worker \"%s\""),
3366  rw->rw_worker.bgw_type);
3367 
3368 
3369  if (!EXIT_STATUS_0(exitstatus))
3370  {
3371  /* Record timestamp, so we know when to restart the worker. */
3373  }
3374  else
3375  {
3376  /* Zero exit status means terminate */
3377  rw->rw_crashed_at = 0;
3378  rw->rw_terminate = true;
3379  }
3380 
3381  /*
3382  * Additionally, just like a backend, any exit status other than 0 or
3383  * 1 is considered a crash and causes a system-wide restart.
3384  */
3385  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3386  {
3387  HandleChildCrash(pid, exitstatus, namebuf);
3388  return true;
3389  }
3390 
3391  /*
3392  * We must release the postmaster child slot. If the worker failed to
3393  * do so, it did not clean up after itself, requiring a crash-restart
3394  * cycle.
3395  */
3397  {
3398  HandleChildCrash(pid, exitstatus, namebuf);
3399  return true;
3400  }
3401 
3402  /* Get it out of the BackendList and clear out remaining data */
3403  dlist_delete(&rw->rw_backend->elem);
3404 #ifdef EXEC_BACKEND
3405  ShmemBackendArrayRemove(rw->rw_backend);
3406 #endif
3407 
3408  /*
3409  * It's possible that this background worker started some OTHER
3410  * background worker and asked to be notified when that worker started
3411  * or stopped. If so, cancel any notifications destined for the
3412  * now-dead backend.
3413  */
3414  if (rw->rw_backend->bgworker_notify)
3416  free(rw->rw_backend);
3417  rw->rw_backend = NULL;
3418  rw->rw_pid = 0;
3419  rw->rw_child_slot = 0;
3420  ReportBackgroundWorkerExit(&iter); /* report child death */
3421 
3422  LogChildExit(EXIT_STATUS_0(exitstatus) ? DEBUG1 : LOG,
3423  namebuf, pid, exitstatus);
3424 
3425  return true;
3426  }
3427 
3428  return false;
3429 }
3430 
3431 /*
3432  * CleanupBackend -- cleanup after terminated backend.
3433  *
3434  * Remove all local state associated with backend.
3435  *
3436  * If you change this, see also CleanupBackgroundWorker.
3437  */
3438 static void
3440  int exitstatus) /* child's exit status. */
3441 {
3442  dlist_mutable_iter iter;
3443 
3444  LogChildExit(DEBUG2, _("server process"), pid, exitstatus);
3445 
3446  /*
3447  * If a backend dies in an ugly way then we must signal all other backends
3448  * to quickdie. If exit status is zero (normal) or one (FATAL exit), we
3449  * assume everything is all right and proceed to remove the backend from
3450  * the active backend list.
3451  */
3452 
3453 #ifdef WIN32
3454 
3455  /*
3456  * On win32, also treat ERROR_WAIT_NO_CHILDREN (128) as nonfatal case,
3457  * since that sometimes happens under load when the process fails to start
3458  * properly (long before it starts using shared memory). Microsoft reports
3459  * it is related to mutex failure:
3460  * http://archives.postgresql.org/pgsql-hackers/2010-09/msg00790.php
3461  */
3462  if (exitstatus == ERROR_WAIT_NO_CHILDREN)
3463  {
3464  LogChildExit(LOG, _("server process"), pid, exitstatus);
3465  exitstatus = 0;
3466  }
3467 #endif
3468 
3469  if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
3470  {
3471  HandleChildCrash(pid, exitstatus, _("server process"));
3472  return;
3473  }
3474 
3476  {
3477  Backend *bp = dlist_container(Backend, elem, iter.cur);
3478 
3479  if (bp->pid == pid)
3480  {
3481  if (!bp->dead_end)
3482  {
3484  {
3485  /*
3486  * Uh-oh, the child failed to clean itself up. Treat as a
3487  * crash after all.
3488  */
3489  HandleChildCrash(pid, exitstatus, _("server process"));
3490  return;
3491  }
3492 #ifdef EXEC_BACKEND
3493  ShmemBackendArrayRemove(bp);
3494 #endif
3495  }
3496  if (bp->bgworker_notify)
3497  {
3498  /*
3499  * This backend may have been slated to receive SIGUSR1 when
3500  * some background worker started or stopped. Cancel those
3501  * notifications, as we don't want to signal PIDs that are not
3502  * PostgreSQL backends. This gets skipped in the (probably
3503  * very common) case where the backend has never requested any
3504  * such notifications.
3505  */
3507  }
3508  dlist_delete(iter.cur);
3509  free(bp);
3510  break;
3511  }
3512  }
3513 }
3514 
3515 /*
3516  * HandleChildCrash -- cleanup after failed backend, bgwriter, checkpointer,
3517  * walwriter, autovacuum, archiver or background worker.
3518  *
3519  * The objectives here are to clean up our local state about the child
3520  * process, and to signal all other remaining children to quickdie.
3521  */
3522 static void
3523 HandleChildCrash(int pid, int exitstatus, const char *procname)
3524 {
3525  dlist_mutable_iter iter;
3526  slist_iter siter;
3527  Backend *bp;
3528  bool take_action;
3529 
3530  /*
3531  * We only log messages and send signals if this is the first process
3532  * crash and we're not doing an immediate shutdown; otherwise, we're only
3533  * here to update postmaster's idea of live processes. If we have already
3534  * signaled children, nonzero exit status is to be expected, so don't
3535  * clutter log.
3536  */
3537  take_action = !FatalError && Shutdown != ImmediateShutdown;
3538 
3539  if (take_action)
3540  {
3541  LogChildExit(LOG, procname, pid, exitstatus);
3542  ereport(LOG,
3543  (errmsg("terminating any other active server processes")));
3545  }
3546 
3547  /* Process background workers. */
3549  {
3550  RegisteredBgWorker *rw;
3551 
3552  rw = slist_container(RegisteredBgWorker, rw_lnode, siter.cur);
3553  if (rw->rw_pid == 0)
3554  continue; /* not running */
3555  if (rw->rw_pid == pid)
3556  {
3557  /*
3558  * Found entry for freshly-dead worker, so remove it.
3559  */
3561  dlist_delete(&rw->rw_backend->elem);
3562 #ifdef EXEC_BACKEND
3563  ShmemBackendArrayRemove(rw->rw_backend);
3564 #endif
3565  free(rw->rw_backend);
3566  rw->rw_backend = NULL;
3567  rw->rw_pid = 0;
3568  rw->rw_child_slot = 0;
3569  /* don't reset crashed_at */
3570  /* don't report child stop, either */
3571  /* Keep looping so we can signal remaining workers */
3572  }
3573  else
3574  {
3575  /*
3576  * This worker is still alive. Unless we did so already, tell it
3577  * to commit hara-kiri.
3578  *
3579  * SIGQUIT is the special signal that says exit without proc_exit
3580  * and let the user know what's going on. But if SendStop is set
3581  * (-T on command line), then we send SIGSTOP instead, so that we
3582  * can get core dumps from all backends by hand.
3583  */
3584  if (take_action)
3585  {
3586  ereport(DEBUG2,
3587  (errmsg_internal("sending %s to process %d",
3588  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3589  (int) rw->rw_pid)));
3591  }
3592  }
3593  }
3594 
3595  /* Process regular backends */
3597  {
3598  bp = dlist_container(Backend, elem, iter.cur);
3599 
3600  if (bp->pid == pid)
3601  {
3602  /*
3603  * Found entry for freshly-dead backend, so remove it.
3604  */
3605  if (!bp->dead_end)
3606  {
3608 #ifdef EXEC_BACKEND
3609  ShmemBackendArrayRemove(bp);
3610 #endif
3611  }
3612  dlist_delete(iter.cur);
3613  free(bp);
3614  /* Keep looping so we can signal remaining backends */
3615  }
3616  else
3617  {
3618  /*
3619  * This backend is still alive. Unless we did so already, tell it
3620  * to commit hara-kiri.
3621  *
3622  * SIGQUIT is the special signal that says exit without proc_exit
3623  * and let the user know what's going on. But if SendStop is set
3624  * (-T on command line), then we send SIGSTOP instead, so that we
3625  * can get core dumps from all backends by hand.
3626  *
3627  * We could exclude dead_end children here, but at least in the
3628  * SIGSTOP case it seems better to include them.
3629  *
3630  * Background workers were already processed above; ignore them
3631  * here.
3632  */
3633  if (bp->bkend_type == BACKEND_TYPE_BGWORKER)
3634  continue;
3635 
3636  if (take_action)
3637  {
3638  ereport(DEBUG2,
3639  (errmsg_internal("sending %s to process %d",
3640  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3641  (int) bp->pid)));
3642  signal_child(bp->pid, (SendStop ? SIGSTOP : SIGQUIT));
3643  }
3644  }
3645  }
3646 
3647  /* Take care of the startup process too */
3648  if (pid == StartupPID)
3649  {
3650  StartupPID = 0;
3651  /* Caller adjusts StartupStatus, so don't touch it here */
3652  }
3653  else if (StartupPID != 0 && take_action)
3654  {
3655  ereport(DEBUG2,
3656  (errmsg_internal("sending %s to process %d",
3657  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3658  (int) StartupPID)));
3661  }
3662 
3663  /* Take care of the bgwriter too */
3664  if (pid == BgWriterPID)
3665  BgWriterPID = 0;
3666  else if (BgWriterPID != 0 && take_action)
3667  {
3668  ereport(DEBUG2,
3669  (errmsg_internal("sending %s to process %d",
3670  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3671  (int) BgWriterPID)));
3673  }
3674 
3675  /* Take care of the checkpointer too */
3676  if (pid == CheckpointerPID)
3677  CheckpointerPID = 0;
3678  else if (CheckpointerPID != 0 && take_action)
3679  {
3680  ereport(DEBUG2,
3681  (errmsg_internal("sending %s to process %d",
3682  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3683  (int) CheckpointerPID)));
3685  }
3686 
3687  /* Take care of the walwriter too */
3688  if (pid == WalWriterPID)
3689  WalWriterPID = 0;
3690  else if (WalWriterPID != 0 && take_action)
3691  {
3692  ereport(DEBUG2,
3693  (errmsg_internal("sending %s to process %d",
3694  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3695  (int) WalWriterPID)));
3697  }
3698 
3699  /* Take care of the walreceiver too */
3700  if (pid == WalReceiverPID)
3701  WalReceiverPID = 0;
3702  else if (WalReceiverPID != 0 && take_action)
3703  {
3704  ereport(DEBUG2,
3705  (errmsg_internal("sending %s to process %d",
3706  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3707  (int) WalReceiverPID)));
3709  }
3710 
3711  /* Take care of the autovacuum launcher too */
3712  if (pid == AutoVacPID)
3713  AutoVacPID = 0;
3714  else if (AutoVacPID != 0 && take_action)
3715  {
3716  ereport(DEBUG2,
3717  (errmsg_internal("sending %s to process %d",
3718  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3719  (int) AutoVacPID)));
3721  }
3722 
3723  /* Take care of the archiver too */
3724  if (pid == PgArchPID)
3725  PgArchPID = 0;
3726  else if (PgArchPID != 0 && take_action)
3727  {
3728  ereport(DEBUG2,
3729  (errmsg_internal("sending %s to process %d",
3730  (SendStop ? "SIGSTOP" : "SIGQUIT"),
3731  (int) PgArchPID)));
3733  }
3734 
3735  /*
3736  * Force a power-cycle of the pgstat process too. (This isn't absolutely
3737  * necessary, but it seems like a good idea for robustness, and it
3738  * simplifies the state-machine logic in the case where a shutdown request
3739  * arrives during crash processing.)
3740  */
3741  if (PgStatPID != 0 && take_action)
3742  {
3743  ereport(DEBUG2,
3744  (errmsg_internal("sending %s to process %d",
3745  "SIGQUIT",
3746  (int) PgStatPID)));
3749  }
3750 
3751  /* We do NOT restart the syslogger */
3752 
3753  if (Shutdown != ImmediateShutdown)
3754  FatalError = true;
3755 
3756  /* We now transit into a state of waiting for children to die */
3757  if (pmState == PM_RECOVERY ||
3758  pmState == PM_HOT_STANDBY ||
3759  pmState == PM_RUN ||
3761  pmState == PM_SHUTDOWN)
3763 
3764  /*
3765  * .. and if this doesn't happen quickly enough, now the clock is ticking
3766  * for us to kill them without mercy.
3767  */
3768  if (AbortStartTime == 0)
3769  AbortStartTime = time(NULL);
3770 }
3771 
3772 /*
3773  * Log the death of a child process.
3774  */
3775 static void
3776 LogChildExit(int lev, const char *procname, int pid, int exitstatus)
3777 {
3778  /*
3779  * size of activity_buffer is arbitrary, but set equal to default
3780  * track_activity_query_size
3781  */
3782  char activity_buffer[1024];
3783  const char *activity = NULL;
3784 
3785  if (!EXIT_STATUS_0(exitstatus))
3786  activity = pgstat_get_crashed_backend_activity(pid,
3787  activity_buffer,
3788  sizeof(activity_buffer));
3789 
3790  if (WIFEXITED(exitstatus))
3791  ereport(lev,
3792 
3793  /*------
3794  translator: %s is a noun phrase describing a child process, such as
3795  "server process" */
3796  (errmsg("%s (PID %d) exited with exit code %d",
3797  procname, pid, WEXITSTATUS(exitstatus)),
3798  activity ? errdetail("Failed process was running: %s", activity) : 0));
3799  else if (WIFSIGNALED(exitstatus))
3800  {
3801 #if defined(WIN32)
3802  ereport(lev,
3803 
3804  /*------
3805  translator: %s is a noun phrase describing a child process, such as
3806  "server process" */
3807  (errmsg("%s (PID %d) was terminated by exception 0x%X",
3808  procname, pid, WTERMSIG(exitstatus)),
3809  errhint("See C include file \"ntstatus.h\" for a description of the hexadecimal value."),
3810  activity ? errdetail("Failed process was running: %s", activity) : 0));
3811 #else
3812  ereport(lev,
3813 
3814  /*------
3815  translator: %s is a noun phrase describing a child process, such as
3816  "server process" */
3817  (errmsg("%s (PID %d) was terminated by signal %d: %s",
3818  procname, pid, WTERMSIG(exitstatus),
3819  pg_strsignal(WTERMSIG(exitstatus))),
3820  activity ? errdetail("Failed process was running: %s", activity) : 0));
3821 #endif
3822  }
3823  else
3824  ereport(lev,
3825 
3826  /*------
3827  translator: %s is a noun phrase describing a child process, such as
3828  "server process" */
3829  (errmsg("%s (PID %d) exited with unrecognized status %d",
3830  procname, pid, exitstatus),
3831  activity ? errdetail("Failed process was running: %s", activity) : 0));
3832 }
3833 
3834 /*
3835  * Advance the postmaster's state machine and take actions as appropriate
3836  *
3837  * This is common code for pmdie(), reaper() and sigusr1_handler(), which
3838  * receive the signals that might mean we need to change state.
3839  */
3840 static void
3842 {
3843  /* If we're doing a smart shutdown, try to advance that state. */
3844  if (pmState == PM_RUN || pmState == PM_HOT_STANDBY)
3845  {
3847  {
3848  /*
3849  * ALLOW_SUPERUSER_CONNS state ends as soon as online backup mode
3850  * is not active.
3851  */
3852  if (!BackupInProgress())
3854  }
3855 
3857  {
3858  /*
3859  * ALLOW_NO_CONNS state ends when we have no normal client
3860  * backends running. Then we're ready to stop other children.
3861  */
3864  }
3865  }
3866 
3867  /*
3868  * If we're ready to do so, signal child processes to shut down. (This
3869  * isn't a persistent state, but treating it as a distinct pmState allows
3870  * us to share this code across multiple shutdown code paths.)
3871  */
3872  if (pmState == PM_STOP_BACKENDS)
3873  {
3874  /*
3875  * Forget any pending requests for background workers, since we're no
3876  * longer willing to launch any new workers. (If additional requests
3877  * arrive, BackgroundWorkerStateChange will reject them.)
3878  */
3880 
3881  /* Signal all backend children except walsenders */
3882  SignalSomeChildren(SIGTERM,
3884  /* and the autovac launcher too */
3885  if (AutoVacPID != 0)
3886  signal_child(AutoVacPID, SIGTERM);
3887  /* and the bgwriter too */
3888  if (BgWriterPID != 0)
3889  signal_child(BgWriterPID, SIGTERM);
3890  /* and the walwriter too */
3891  if (WalWriterPID != 0)
3892  signal_child(WalWriterPID, SIGTERM);
3893  /* If we're in recovery, also stop startup and walreceiver procs */
3894  if (StartupPID != 0)
3895  signal_child(StartupPID, SIGTERM);
3896  if (WalReceiverPID != 0)
3897  signal_child(WalReceiverPID, SIGTERM);
3898  /* checkpointer, archiver, stats, and syslogger may continue for now */
3899 
3900  /* Now transition to PM_WAIT_BACKENDS state to wait for them to die */
3902  }
3903 
3904  /*
3905  * If we are in a state-machine state that implies waiting for backends to
3906  * exit, see if they're all gone, and change state if so.
3907  */
3908  if (pmState == PM_WAIT_BACKENDS)
3909  {
3910  /*
3911  * PM_WAIT_BACKENDS state ends when we have no regular backends
3912  * (including autovac workers), no bgworkers (including unconnected
3913  * ones), and no walwriter, autovac launcher or bgwriter. If we are
3914  * doing crash recovery or an immediate shutdown then we expect the
3915  * checkpointer to exit as well, otherwise not. The stats and
3916  * syslogger processes are disregarded since they are not connected to
3917  * shared memory; we also disregard dead_end children here. Walsenders
3918  * and archiver are also disregarded, they will be terminated later
3919  * after writing the checkpoint record.
3920  */
3922  StartupPID == 0 &&
3923  WalReceiverPID == 0 &&
3924  BgWriterPID == 0 &&
3925  (CheckpointerPID == 0 ||
3927  WalWriterPID == 0 &&
3928  AutoVacPID == 0)
3929  {
3931  {
3932  /*
3933  * Start waiting for dead_end children to die. This state
3934  * change causes ServerLoop to stop creating new ones.
3935  */
3937 
3938  /*
3939  * We already SIGQUIT'd the archiver and stats processes, if
3940  * any, when we started immediate shutdown or entered
3941  * FatalError state.
3942  */
3943  }
3944  else
3945  {
3946  /*
3947  * If we get here, we are proceeding with normal shutdown. All
3948  * the regular children are gone, and it's time to tell the
3949  * checkpointer to do a shutdown checkpoint.
3950  */
3952  /* Start the checkpointer if not running */
3953  if (CheckpointerPID == 0)
3955  /* And tell it to shut down */
3956  if (CheckpointerPID != 0)
3957  {
3959  pmState = PM_SHUTDOWN;
3960  }
3961  else
3962  {
3963  /*
3964  * If we failed to fork a checkpointer, just shut down.
3965  * Any required cleanup will happen at next restart. We
3966  * set FatalError so that an "abnormal shutdown" message
3967  * gets logged when we exit.
3968  */
3969  FatalError = true;
3971 
3972  /* Kill the walsenders, archiver and stats collector too */
3974  if (PgArchPID != 0)
3976  if (PgStatPID != 0)
3978  }
3979  }
3980  }
3981  }
3982 
3983  if (pmState == PM_SHUTDOWN_2)
3984  {
3985  /*
3986  * PM_SHUTDOWN_2 state ends when there's no other children than
3987  * dead_end children left. There shouldn't be any regular backends
3988  * left by now anyway; what we're really waiting for is walsenders and
3989  * archiver.
3990  */
3991  if (PgArchPID == 0 && CountChildren(BACKEND_TYPE_ALL) == 0)
3992  {
3994  }
3995  }
3996 
3997  if (pmState == PM_WAIT_DEAD_END)
3998  {
3999  /*
4000  * PM_WAIT_DEAD_END state ends when the BackendList is entirely empty
4001  * (ie, no dead_end children remain), and the archiver and stats
4002  * collector are gone too.
4003  *
4004  * The reason we wait for those two is to protect them against a new
4005  * postmaster starting conflicting subprocesses; this isn't an
4006  * ironclad protection, but it at least helps in the
4007  * shutdown-and-immediately-restart scenario. Note that they have
4008  * already been sent appropriate shutdown signals, either during a
4009  * normal state transition leading up to PM_WAIT_DEAD_END, or during
4010  * FatalError processing.
4011  */
4012  if (dlist_is_empty(&BackendList) &&
4013  PgArchPID == 0 && PgStatPID == 0)
4014  {
4015  /* These other guys should be dead already */
4016  Assert(StartupPID == 0);
4017  Assert(WalReceiverPID == 0);
4018  Assert(BgWriterPID == 0);
4019  Assert(CheckpointerPID == 0);
4020  Assert(WalWriterPID == 0);
4021  Assert(AutoVacPID == 0);
4022  /* syslogger is not considered here */
4024  }
4025  }
4026 
4027  /*
4028  * If we've been told to shut down, we exit as soon as there are no
4029  * remaining children. If there was a crash, cleanup will occur at the
4030  * next startup. (Before PostgreSQL 8.3, we tried to recover from the
4031  * crash before exiting, but that seems unwise if we are quitting because
4032  * we got SIGTERM from init --- there may well not be time for recovery
4033  * before init decides to SIGKILL us.)
4034  *
4035  * Note that the syslogger continues to run. It will exit when it sees
4036  * EOF on its input pipe, which happens when there are no more upstream
4037  * processes.
4038  */
4040  {
4041  if (FatalError)
4042  {
4043  ereport(LOG, (errmsg("abnormal database system shutdown")));
4044  ExitPostmaster(1);
4045  }
4046  else
4047  {
4048  /*
4049  * Terminate exclusive backup mode to avoid recovery after a clean
4050  * fast shutdown. Since an exclusive backup can only be taken
4051  * during normal running (and not, for example, while running
4052  * under Hot Standby) it only makes sense to do this if we reached
4053  * normal running. If we're still in recovery, the backup file is
4054  * one we're recovering *from*, and we must keep it around so that
4055  * recovery restarts from the right place.
4056  */
4058  CancelBackup();
4059 
4060  /*
4061  * Normal exit from the postmaster is here. We don't need to log
4062  * anything here, since the UnlinkLockFiles proc_exit callback
4063  * will do so, and that should be the last user-visible action.
4064  */
4065  ExitPostmaster(0);
4066  }
4067  }
4068 
4069  /*
4070  * If the startup process failed, or the user does not want an automatic
4071  * restart after backend crashes, wait for all non-syslogger children to
4072  * exit, and then exit postmaster. We don't try to reinitialize when the
4073  * startup process fails, because more than likely it will just fail again
4074  * and we will keep trying forever.
4075  */
4076  if (pmState == PM_NO_CHILDREN)
4077  {
4079  {
4080  ereport(LOG,
4081  (errmsg("shutting down due to startup process failure")));
4082  ExitPostmaster(1);
4083  }
4084  if (!restart_after_crash)
4085  {
4086  ereport(LOG,
4087  (errmsg("shutting down because restart_after_crash is off")));
4088  ExitPostmaster(1);
4089  }
4090  }
4091 
4092  /*
4093  * If we need to recover from a crash, wait for all non-syslogger children
4094  * to exit, then reset shmem and StartupDataBase.
4095  */
4096  if (FatalError && pmState == PM_NO_CHILDREN)
4097  {
4098  ereport(LOG,
4099  (errmsg("all server processes terminated; reinitializing")));
4100 
4101  /* remove leftover temporary files after a crash */
4104 
4105  /* allow background workers to immediately restart */
4107 
4108  shmem_exit(1);
4109 
4110  /* re-read control file into local memory */
4112 
4113  reset_shared();
4114 
4116  Assert(StartupPID != 0);
4118  pmState = PM_STARTUP;
4119  /* crash recovery started, reset SIGKILL flag */
4120  AbortStartTime = 0;
4121  }
4122 }
4123 
4124 
4125 /*
4126  * Send a signal to a postmaster child process
4127  *
4128  * On systems that have setsid(), each child process sets itself up as a
4129  * process group leader. For signals that are generally interpreted in the
4130  * appropriate fashion, we signal the entire process group not just the
4131  * direct child process. This allows us to, for example, SIGQUIT a blocked
4132  * archive_recovery script, or SIGINT a script being run by a backend via
4133  * system().
4134  *
4135  * There is a race condition for recently-forked children: they might not
4136  * have executed setsid() yet. So we signal the child directly as well as
4137  * the group. We assume such a child will handle the signal before trying
4138  * to spawn any grandchild processes. We also assume that signaling the
4139  * child twice will not cause any problems.
4140  */
4141 static void
4142 signal_child(pid_t pid, int signal)
4143 {
4144  if (kill(pid, signal) < 0)
4145  elog(DEBUG3, "kill(%ld,%d) failed: %m", (long) pid, signal);
4146 #ifdef HAVE_SETSID
4147  switch (signal)
4148  {
4149  case SIGINT:
4150  case SIGTERM:
4151  case SIGQUIT:
4152  case SIGSTOP:
4153  case SIGKILL:
4154  if (kill(-pid, signal) < 0)
4155  elog(DEBUG3, "kill(%ld,%d) failed: %m", (long) (-pid), signal);
4156  break;
4157  default:
4158  break;
4159  }
4160 #endif
4161 }
4162 
4163 /*
4164  * Send a signal to the targeted children (but NOT special children;
4165  * dead_end children are never signaled, either).
4166  */
4167 static bool
4168 SignalSomeChildren(int signal, int target)
4169 {
4170  dlist_iter iter;
4171  bool signaled = false;
4172 
4173  dlist_foreach(iter, &BackendList)
4174  {
4175  Backend *bp = dlist_container(Backend, elem, iter.cur);
4176 
4177  if (bp->dead_end)
4178  continue;
4179 
4180  /*
4181  * Since target == BACKEND_TYPE_ALL is the most common case, we test
4182  * it first and avoid touching shared memory for every child.
4183  */
4184  if (target != BACKEND_TYPE_ALL)
4185  {
4186  /*
4187  * Assign bkend_type for any recently announced WAL Sender
4188  * processes.
4189  */
4190  if (bp->bkend_type == BACKEND_TYPE_NORMAL &&
4193 
4194  if (!(target & bp->bkend_type))
4195  continue;
4196  }
4197 
4198  ereport(DEBUG4,
4199  (errmsg_internal("sending signal %d to process %d",
4200  signal, (int) bp->pid)));
4201  signal_child(bp->pid, signal);
4202  signaled = true;
4203  }
4204  return signaled;
4205 }
4206 
4207 /*
4208  * Send a termination signal to children. This considers all of our children
4209  * processes, except syslogger and dead_end backends.
4210  */
4211 static void
4213 {
4214  SignalChildren(signal);
4215  if (StartupPID != 0)
4216  {
4217  signal_child(StartupPID, signal);
4218  if (signal == SIGQUIT || signal == SIGKILL)
4220  }
4221  if (BgWriterPID != 0)
4222  signal_child(BgWriterPID, signal);
4223  if (CheckpointerPID != 0)
4224  signal_child(CheckpointerPID, signal);
4225  if (WalWriterPID != 0)
4226  signal_child(WalWriterPID, signal);
4227  if (WalReceiverPID != 0)
4228  signal_child(WalReceiverPID, signal);
4229  if (AutoVacPID != 0)
4230  signal_child(AutoVacPID, signal);
4231  if (PgArchPID != 0)
4232  signal_child(PgArchPID, signal);
4233  if (PgStatPID != 0)
4234  signal_child(PgStatPID, signal);
4235 }
4236 
4237 /*
4238  * BackendStartup -- start backend process
4239  *
4240  * returns: STATUS_ERROR if the fork failed, STATUS_OK otherwise.
4241  *
4242  * Note: if you change this code, also consider StartAutovacuumWorker.
4243  */
4244 static int
4246 {
4247  Backend *bn; /* for backend cleanup */
4248  pid_t pid;
4249 
4250  /*
4251  * Create backend data structure. Better before the fork() so we can
4252  * handle failure cleanly.
4253  */
4254  bn = (Backend *) malloc(sizeof(Backend));
4255  if (!bn)
4256  {
4257  ereport(LOG,
4258  (errcode(ERRCODE_OUT_OF_MEMORY),
4259  errmsg("out of memory")));
4260  return STATUS_ERROR;
4261  }
4262 
4263  /*
4264  * Compute the cancel key that will be assigned to this backend. The
4265  * backend will have its own copy in the forked-off process' value of
4266  * MyCancelKey, so that it can transmit the key to the frontend.
4267  */
4269  {
4270  free(bn);
4271  ereport(LOG,
4272  (errcode(ERRCODE_INTERNAL_ERROR),
4273  errmsg("could not generate random cancel key")));
4274  return STATUS_ERROR;
4275  }
4276 
4277  bn->cancel_key = MyCancelKey;
4278 
4279  /* Pass down canAcceptConnections state */
4280  port->canAcceptConnections = canAcceptConnections(BACKEND_TYPE_NORMAL);
4281  bn->dead_end = (port->canAcceptConnections != CAC_OK &&
4282  port->canAcceptConnections != CAC_SUPERUSER);
4283 
4284  /*
4285  * Unless it's a dead_end child, assign it a child slot number
4286  */
4287  if (!bn->dead_end)
4289  else
4290  bn->child_slot = 0;
4291 
4292  /* Hasn't asked to be notified about any bgworkers yet */
4293  bn->bgworker_notify = false;
4294 
4295 #ifdef EXEC_BACKEND
4296  pid = backend_forkexec(port);
4297 #else /* !EXEC_BACKEND */
4298  pid = fork_process();
4299  if (pid == 0) /* child */
4300  {
4301  free(bn);
4302 
4303  /* Detangle from postmaster */
4305 
4306  /* Close the postmaster's sockets */
4307  ClosePostmasterPorts(false);
4308 
4309  /* Perform additional initialization and collect startup packet */
4311 
4312  /*
4313  * Create a per-backend PGPROC struct in shared memory. We must do
4314  * this before we can use LWLocks. In the !EXEC_BACKEND case (here)
4315  * this could be delayed a bit further, but EXEC_BACKEND needs to do
4316  * stuff with LWLocks before PostgresMain(), so we do it here as well
4317  * for symmetry.
4318  */
4319  InitProcess();
4320 
4321  /* And run the backend */
4322  BackendRun(port);
4323  }
4324 #endif /* EXEC_BACKEND */
4325 
4326  if (pid < 0)
4327  {
4328  /* in parent, fork failed */
4329  int save_errno = errno;
4330 
4331  if (!bn->dead_end)
4333  free(bn);
4334  errno = save_errno;
4335  ereport(LOG,
4336  (errmsg("could not fork new process for connection: %m")));
4337  report_fork_failure_to_client(port, save_errno);
4338  return STATUS_ERROR;
4339  }
4340 
4341  /* in parent, successful fork */
4342  ereport(DEBUG2,
4343  (errmsg_internal("forked new backend, pid=%d socket=%d",
4344  (int) pid, (int) port->sock)));
4345 
4346  /*
4347  * Everything's been successful, it's safe to add this backend to our list
4348  * of backends.
4349  */
4350  bn->pid = pid;
4351  bn->bkend_type = BACKEND_TYPE_NORMAL; /* Can change later to WALSND */
4353 
4354 #ifdef EXEC_BACKEND
4355  if (!bn->dead_end)
4356  ShmemBackendArrayAdd(bn);
4357 #endif
4358 
4359  return STATUS_OK;
4360 }
4361 
4362 /*
4363  * Try to report backend fork() failure to client before we close the
4364  * connection. Since we do not care to risk blocking the postmaster on
4365  * this connection, we set the connection to non-blocking and try only once.
4366  *
4367  * This is grungy special-purpose code; we cannot use backend libpq since
4368  * it's not up and running.
4369  */
4370 static void
4372 {
4373  char buffer[1000];
4374  int rc;
4375 
4376  /* Format the error message packet (always V2 protocol) */
4377  snprintf(buffer, sizeof(buffer), "E%s%s\n",
4378  _("could not fork new process for connection: "),
4379  strerror(errnum));
4380 
4381  /* Set port to non-blocking. Don't do send() if this fails */
4382  if (!pg_set_noblock(port->sock))
4383  return;
4384 
4385  /* We'll retry after EINTR, but ignore all other failures */
4386  do
4387  {
4388  rc = send(port->sock, buffer, strlen(buffer) + 1, 0);
4389  } while (rc < 0 && errno == EINTR);
4390 }
4391 
4392 
4393 /*
4394  * BackendInitialize -- initialize an interactive (postmaster-child)
4395  * backend process, and collect the client's startup packet.
4396  *
4397  * returns: nothing. Will not return at all if there's any failure.
4398  *
4399  * Note: this code does not depend on having any access to shared memory.
4400  * Indeed, our approach to SIGTERM/timeout handling *requires* that
4401  * shared memory not have been touched yet; see comments within.
4402  * In the EXEC_BACKEND case, we are physically attached to shared memory
4403  * but have not yet set up most of our local pointers to shmem structures.
4404  */
4405 static void
4407 {
4408  int status;
4409  int ret;
4410  char remote_host[NI_MAXHOST];
4411  char remote_port[NI_MAXSERV];
4412  StringInfoData ps_data;
4413 
4414  /* Save port etc. for ps status */
4415  MyProcPort = port;
4416 
4417  /* Tell fd.c about the long-lived FD associated with the port */
4419 
4420  /*
4421  * PreAuthDelay is a debugging aid for investigating problems in the
4422  * authentication cycle: it can be set in postgresql.conf to allow time to
4423  * attach to the newly-forked backend with a debugger. (See also
4424  * PostAuthDelay, which we allow clients to pass through PGOPTIONS, but it
4425  * is not honored until after authentication.)
4426  */
4427  if (PreAuthDelay > 0)
4428  pg_usleep(PreAuthDelay * 1000000L);
4429 
4430  /* This flag will remain set until InitPostgres finishes authentication */
4431  ClientAuthInProgress = true; /* limit visibility of log messages */
4432 
4433  /* set these to empty in case they are needed before we set them up */
4434  port->remote_host = "";
4435  port->remote_port = "";
4436 
4437  /*
4438  * Initialize libpq and enable reporting of ereport errors to the client.
4439  * Must do this now because authentication uses libpq to send messages.
4440  */
4441  pq_init(); /* initialize libpq to talk to client */
4442  whereToSendOutput = DestRemote; /* now safe to ereport to client */
4443 
4444  /*
4445  * We arrange to do _exit(1) if we receive SIGTERM or timeout while trying
4446  * to collect the startup packet; while SIGQUIT results in _exit(2).
4447  * Otherwise the postmaster cannot shutdown the database FAST or IMMED
4448  * cleanly if a buggy client fails to send the packet promptly.
4449  *
4450  * Exiting with _exit(1) is only possible because we have not yet touched
4451  * shared memory; therefore no outside-the-process state needs to get
4452  * cleaned up.
4453  */
4455  /* SIGQUIT handler was already set up by InitPostmasterChild */
4456  InitializeTimeouts(); /* establishes SIGALRM handler */
4458 
4459  /*
4460  * Get the remote host name and port for logging and status display.
4461  */
4462  remote_host[0] = '\0';
4463  remote_port[0] = '\0';
4464  if ((ret = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
4465  remote_host, sizeof(remote_host),
4466  remote_port, sizeof(remote_port),
4467  (log_hostname ? 0 : NI_NUMERICHOST) | NI_NUMERICSERV)) != 0)
4468  ereport(WARNING,
4469  (errmsg_internal("pg_getnameinfo_all() failed: %s",
4470  gai_strerror(ret))));
4471 
4472  /*
4473  * Save remote_host and remote_port in port structure (after this, they
4474  * will appear in log_line_prefix data for log messages).
4475  */
4476  port->remote_host = strdup(remote_host);
4477  port->remote_port = strdup(remote_port);
4478 
4479  /* And now we can issue the Log_connections message, if wanted */
4480  if (Log_connections)
4481  {
4482  if (remote_port[0])
4483  ereport(LOG,
4484  (errmsg("connection received: host=%s port=%s",
4485  remote_host,
4486  remote_port)));
4487  else
4488  ereport(LOG,
4489  (errmsg("connection received: host=%s",
4490  remote_host)));
4491  }
4492 
4493  /*
4494  * If we did a reverse lookup to name, we might as well save the results
4495  * rather than possibly repeating the lookup during authentication.
4496  *
4497  * Note that we don't want to specify NI_NAMEREQD above, because then we'd
4498  * get nothing useful for a client without an rDNS entry. Therefore, we
4499  * must check whether we got a numeric IPv4 or IPv6 address, and not save
4500  * it into remote_hostname if so. (This test is conservative and might
4501  * sometimes classify a hostname as numeric, but an error in that
4502  * direction is safe; it only results in a possible extra lookup.)
4503  */
4504  if (log_hostname &&
4505  ret == 0 &&
4506  strspn(remote_host, "0123456789.") < strlen(remote_host) &&
4507  strspn(remote_host, "0123456789ABCDEFabcdef:") < strlen(remote_host))
4508  port->remote_hostname = strdup(remote_host);
4509 
4510  /*
4511  * Ready to begin client interaction. We will give up and _exit(1) after
4512  * a time delay, so that a broken client can't hog a connection
4513  * indefinitely. PreAuthDelay and any DNS interactions above don't count
4514  * against the time limit.
4515  *
4516  * Note: AuthenticationTimeout is applied here while waiting for the
4517  * startup packet, and then again in InitPostgres for the duration of any
4518  * authentication operations. So a hostile client could tie up the
4519  * process for nearly twice AuthenticationTimeout before we kick him off.
4520  *
4521  * Note: because PostgresMain will call InitializeTimeouts again, the
4522  * registration of STARTUP_PACKET_TIMEOUT will be lost. This is okay
4523  * since we never use it again after this function.
4524  */
4527 
4528  /*
4529  * Receive the startup packet (which might turn out to be a cancel request
4530  * packet).
4531  */
4532  status = ProcessStartupPacket(port, false, false);
4533 
4534  /*
4535  * Disable the timeout, and prevent SIGTERM again.
4536  */
4538  PG_SETMASK(&BlockSig);
4539 
4540  /*
4541  * As a safety check that nothing in startup has yet performed
4542  * shared-memory modifications that would need to be undone if we had
4543  * exited through SIGTERM or timeout above, check that no on_shmem_exit
4544  * handlers have been registered yet. (This isn't terribly bulletproof,
4545  * since someone might misuse an on_proc_exit handler for shmem cleanup,
4546  * but it's a cheap and helpful check. We cannot disallow on_proc_exit
4547  * handlers unfortunately, since pq_init() already registered one.)
4548  */
4550 
4551  /*
4552  * Stop here if it was bad or a cancel packet. ProcessStartupPacket
4553  * already did any appropriate error reporting.
4554  */
4555  if (status != STATUS_OK)
4556  proc_exit(0);
4557 
4558  /*
4559  * Now that we have the user and database name, we can set the process
4560  * title for ps. It's good to do this as early as possible in startup.
4561  */
4562  initStringInfo(&ps_data);
4563  if (am_walsender)
4565  appendStringInfo(&ps_data, "%s ", port->user_name);
4566  if (!am_walsender)
4567  appendStringInfo(&ps_data, "%s ", port->database_name);
4568  appendStringInfo(&ps_data, "%s", port->remote_host);
4569  if (port->remote_port[0] != '\0')
4570  appendStringInfo(&ps_data, "(%s)", port->remote_port);
4571 
4572  init_ps_display(ps_data.data);
4573  pfree(ps_data.data);
4574 
4575  set_ps_display("initializing");
4576 }
4577 
4578 
4579 /*
4580  * BackendRun -- set up the backend's argument list and invoke PostgresMain()
4581  *
4582  * returns:
4583  * Doesn't return at all.
4584  */
4585 static void
4587 {
4588  /*
4589  * Make sure we aren't in PostmasterContext anymore. (We can't delete it
4590  * just yet, though, because InitPostgres will need the HBA data.)
4591  */
4593 
4594  PostgresMain(port->database_name, port->user_name);
4595 }
4596 
4597 
4598 #ifdef EXEC_BACKEND
4599 
4600 /*
4601  * postmaster_forkexec -- fork and exec a postmaster subprocess
4602  *
4603  * The caller must have set up the argv array already, except for argv[2]
4604  * which will be filled with the name of the temp variable file.
4605  *
4606  * Returns the child process PID, or -1 on fork failure (a suitable error
4607  * message has been logged on failure).
4608  *
4609  * All uses of this routine will dispatch to SubPostmasterMain in the
4610  * child process.
4611  */
4612 pid_t
4613 postmaster_forkexec(int argc, char *argv[])
4614 {
4615  Port port;
4616 
4617  /* This entry point passes dummy values for the Port variables */
4618  memset(&port, 0, sizeof(port));
4619  return internal_forkexec(argc, argv, &port);
4620 }
4621 
4622 /*
4623  * backend_forkexec -- fork/exec off a backend process
4624  *
4625  * Some operating systems (WIN32) don't have fork() so we have to simulate
4626  * it by storing parameters that need to be passed to the child and
4627  * then create a new child process.
4628  *
4629  * returns the pid of the fork/exec'd process, or -1 on failure
4630  */
4631 static pid_t
4632 backend_forkexec(Port *port)
4633 {
4634  char *av[4];
4635  int ac = 0;
4636 
4637  av[ac++] = "postgres";
4638  av[ac++] = "--forkbackend";
4639  av[ac++] = NULL; /* filled in by internal_forkexec */
4640 
4641  av[ac] = NULL;
4642  Assert(ac < lengthof(av));
4643 
4644  return internal_forkexec(ac, av, port);
4645 }
4646 
4647 #ifndef WIN32
4648 
4649 /*
4650  * internal_forkexec non-win32 implementation
4651  *
4652  * - writes out backend variables to the parameter file
4653  * - fork():s, and then exec():s the child process
4654  */
4655 static pid_t
4656 internal_forkexec(int argc, char *argv[], Port *port)
4657 {
4658  static unsigned long tmpBackendFileNum = 0;
4659  pid_t pid;
4660  char tmpfilename[MAXPGPATH];
4661  BackendParameters param;
4662  FILE *fp;
4663 
4664  if (!save_backend_variables(&param, port))
4665  return -1; /* log made by save_backend_variables */
4666 
4667  /* Calculate name for temp file */
4668  snprintf(tmpfilename, MAXPGPATH, "%s/%s.backend_var.%d.%lu",
4670  MyProcPid, ++tmpBackendFileNum);
4671 
4672  /* Open file */
4673  fp = AllocateFile(tmpfilename, PG_BINARY_W);
4674  if (!fp)
4675  {
4676  /*
4677  * As in OpenTemporaryFileInTablespace, try to make the temp-file
4678  * directory, ignoring errors.
4679  */
4681 
4682  fp = AllocateFile(tmpfilename, PG_BINARY_W);
4683  if (!fp)
4684  {
4685  ereport(LOG,
4687  errmsg("could not create file \"%s\": %m",
4688  tmpfilename)));
4689  return -1;
4690  }
4691  }
4692 
4693  if (fwrite(&param, sizeof(param), 1, fp) != 1)
4694  {
4695  ereport(LOG,
4697  errmsg("could not write to file \"%s\": %m", tmpfilename)));
4698  FreeFile(fp);
4699  return -1;
4700  }
4701 
4702  /* Release file */
4703  if (FreeFile(fp))
4704  {
4705  ereport(LOG,
4707  errmsg("could not write to file \"%s\": %m", tmpfilename)));
4708  return -1;
4709  }
4710 
4711  /* Make sure caller set up argv properly */
4712  Assert(argc >= 3);
4713  Assert(argv[argc] == NULL);
4714  Assert(strncmp(argv[1], "--fork", 6) == 0);
4715  Assert(argv[2] == NULL);
4716 
4717  /* Insert temp file name after --fork argument */
4718  argv[2] = tmpfilename;
4719 
4720  /* Fire off execv in child */
4721  if ((pid = fork_process()) == 0)
4722  {
4723  if (execv(postgres_exec_path, argv) < 0)
4724  {
4725  ereport(LOG,
4726  (errmsg("could not execute server process \"%s\": %m",
4727  postgres_exec_path)));
4728  /* We're already in the child process here, can't return */
4729  exit(1);
4730  }
4731  }
4732 
4733  return pid; /* Parent returns pid, or -1 on fork failure */
4734 }
4735 #else /* WIN32 */
4736 
4737 /*
4738  * internal_forkexec win32 implementation
4739  *
4740  * - starts backend using CreateProcess(), in suspended state
4741  * - writes out backend variables to the parameter file
4742  * - during this, duplicates handles and sockets required for
4743  * inheritance into the new process
4744  * - resumes execution of the new process once the backend parameter
4745  * file is complete.
4746  */
4747 static pid_t
4748 internal_forkexec(int argc, char *argv[], Port *port)
4749 {
4750  int retry_count = 0;
4751  STARTUPINFO si;
4752  PROCESS_INFORMATION pi;
4753  int i;
4754  int j;
4755  char cmdLine[MAXPGPATH * 2];
4756  HANDLE paramHandle;
4757  BackendParameters *param;
4758  SECURITY_ATTRIBUTES sa;
4759  char paramHandleStr[32];
4760  win32_deadchild_waitinfo *childinfo;
4761 
4762  /* Make sure caller set up argv properly */
4763  Assert(argc >= 3);
4764  Assert(argv[argc] == NULL);
4765  Assert(strncmp(argv[1], "--fork", 6) == 0);
4766  Assert(argv[2] == NULL);
4767 
4768  /* Resume here if we need to retry */
4769 retry:
4770 
4771  /* Set up shared memory for parameter passing */
4772  ZeroMemory(&sa, sizeof(sa));
4773  sa.nLength = sizeof(sa);
4774  sa.bInheritHandle = TRUE;
4775  paramHandle = CreateFileMapping(INVALID_HANDLE_VALUE,
4776  &sa,
4777  PAGE_READWRITE,
4778  0,
4779  sizeof(BackendParameters),
4780  NULL);
4781  if (paramHandle == INVALID_HANDLE_VALUE)
4782  {
4783  ereport(LOG,
4784  (errmsg("could not create backend parameter file mapping: error code %lu",
4785  GetLastError())));
4786  return -1;
4787  }
4788 
4789  param = MapViewOfFile(paramHandle, FILE_MAP_WRITE, 0, 0, sizeof(BackendParameters));
4790  if (!param)
4791  {
4792  ereport(LOG,
4793  (errmsg("could not map backend parameter memory: error code %lu",
4794  GetLastError())));
4795  CloseHandle(paramHandle);
4796  return -1;
4797  }
4798 
4799  /* Insert temp file name after --fork argument */
4800 #ifdef _WIN64
4801  sprintf(paramHandleStr, "%llu", (LONG_PTR) paramHandle);
4802 #else
4803  sprintf(paramHandleStr, "%lu", (DWORD) paramHandle);
4804 #endif
4805  argv[2] = paramHandleStr;
4806 
4807  /* Format the cmd line */
4808  cmdLine[sizeof(cmdLine) - 1] = '\0';
4809  cmdLine[sizeof(cmdLine) - 2] = '\0';
4810  snprintf(cmdLine, sizeof(cmdLine) - 1, "\"%s\"", postgres_exec_path);
4811  i = 0;
4812  while (argv[++i] != NULL)
4813  {
4814  j = strlen(cmdLine);
4815  snprintf(cmdLine + j, sizeof(cmdLine) - 1 - j, " \"%s\"", argv[i]);
4816  }
4817  if (cmdLine[sizeof(cmdLine) - 2] != '\0')
4818  {
4819  ereport(LOG,
4820  (errmsg("subprocess command line too long")));
4821  UnmapViewOfFile(param);
4822  CloseHandle(paramHandle);
4823  return -1;
4824  }
4825 
4826  memset(&pi, 0, sizeof(pi));
4827  memset(&si, 0, sizeof(si));
4828  si.cb = sizeof(si);
4829 
4830  /*
4831  * Create the subprocess in a suspended state. This will be resumed later,
4832  * once we have written out the parameter file.
4833  */
4834  if (!CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, CREATE_SUSPENDED,
4835  NULL, NULL, &si, &pi))
4836  {
4837  ereport(LOG,
4838  (errmsg("CreateProcess() call failed: %m (error code %lu)",
4839  GetLastError())));
4840  UnmapViewOfFile(param);
4841  CloseHandle(paramHandle);
4842  return -1;
4843  }
4844 
4845  if (!save_backend_variables(param, port, pi.hProcess, pi.dwProcessId))
4846  {
4847  /*
4848  * log made by save_backend_variables, but we have to clean up the
4849  * mess with the half-started process
4850  */
4851  if (!TerminateProcess(pi.hProcess, 255))
4852  ereport(LOG,
4853  (errmsg_internal("could not terminate unstarted process: error code %lu",
4854  GetLastError())));
4855  CloseHandle(pi.hProcess);
4856  CloseHandle(pi.hThread);
4857  UnmapViewOfFile(param);
4858  CloseHandle(paramHandle);
4859  return -1; /* log made by save_backend_variables */
4860  }
4861 
4862  /* Drop the parameter shared memory that is now inherited to the backend */
4863  if (!UnmapViewOfFile(param))
4864  ereport(LOG,
4865  (errmsg("could not unmap view of backend parameter file: error code %lu",
4866  GetLastError())));
4867  if (!CloseHandle(paramHandle))
4868  ereport(LOG,
4869  (errmsg("could not close handle to backend parameter file: error code %lu",
4870  GetLastError())));
4871 
4872  /*
4873  * Reserve the memory region used by our main shared memory segment before
4874  * we resume the child process. Normally this should succeed, but if ASLR
4875  * is active then it might sometimes fail due to the stack or heap having
4876  * gotten mapped into that range. In that case, just terminate the
4877  * process and retry.
4878  */
4879  if (!pgwin32_ReserveSharedMemoryRegion(pi.hProcess))
4880  {
4881  /* pgwin32_ReserveSharedMemoryRegion already made a log entry */
4882  if (!TerminateProcess(pi.hProcess, 255))
4883  ereport(LOG,
4884  (errmsg_internal("could not terminate process that failed to reserve memory: error code %lu",
4885  GetLastError())));
4886  CloseHandle(pi.hProcess);
4887  CloseHandle(pi.hThread);
4888  if (++retry_count < 100)
4889  goto retry;
4890  ereport(LOG,
4891  (errmsg("giving up after too many tries to reserve shared memory"),
4892  errhint("This might be caused by ASLR or antivirus software.")));
4893  return -1;
4894  }
4895 
4896  /*
4897  * Now that the backend variables are written out, we start the child
4898  * thread so it can start initializing while we set up the rest of the
4899  * parent state.
4900  */
4901  if (ResumeThread(pi.hThread) == -1)
4902  {
4903  if (!TerminateProcess(pi.hProcess, 255))
4904  {
4905  ereport(LOG,
4906  (errmsg_internal("could not terminate unstartable process: error code %lu",
4907  GetLastError())));
4908  CloseHandle(pi.hProcess);
4909  CloseHandle(pi.hThread);
4910  return -1;
4911  }
4912  CloseHandle(pi.hProcess);
4913  CloseHandle(pi.hThread);
4914  ereport(LOG,
4915  (errmsg_internal("could not resume thread of unstarted process: error code %lu",
4916  GetLastError())));
4917  return -1;
4918  }
4919 
4920  /*
4921  * Queue a waiter to signal when this child dies. The wait will be handled
4922  * automatically by an operating system thread pool.
4923  *
4924  * Note: use malloc instead of palloc, since it needs to be thread-safe.
4925  * Struct will be free():d from the callback function that runs on a
4926  * different thread.
4927  */
4928  childinfo = malloc(sizeof(win32_deadchild_waitinfo));
4929  if (!childinfo)
4930  ereport(FATAL,
4931  (errcode(ERRCODE_OUT_OF_MEMORY),
4932  errmsg("out of memory")));
4933 
4934  childinfo->procHandle = pi.hProcess;
4935  childinfo->procId = pi.dwProcessId;
4936 
4937  if (!RegisterWaitForSingleObject(&childinfo->waitHandle,
4938  pi.hProcess,
4939  pgwin32_deadchild_callback,
4940  childinfo,
4941  INFINITE,
4942  WT_EXECUTEONLYONCE | WT_EXECUTEINWAITTHREAD))
4943  ereport(FATAL,
4944  (errmsg_internal("could not register process for wait: error code %lu",
4945  GetLastError())));
4946 
4947  /* Don't close pi.hProcess here - the wait thread needs access to it */
4948 
4949  CloseHandle(pi.hThread);
4950 
4951  return pi.dwProcessId;
4952 }
4953 #endif /* WIN32 */
4954 
4955 
4956 /*
4957  * SubPostmasterMain -- Get the fork/exec'd process into a state equivalent
4958  * to what it would be if we'd simply forked on Unix, and then
4959  * dispatch to the appropriate place.
4960  *
4961  * The first two command line arguments are expected to be "--forkFOO"
4962  * (where FOO indicates which postmaster child we are to become), and
4963  * the name of a variables file that we can read to load data that would
4964  * have been inherited by fork() on Unix. Remaining arguments go to the
4965  * subprocess FooMain() routine.
4966  */
4967 void
4968 SubPostmasterMain(int argc, char *argv[])
4969 {
4970  Port port;
4971 
4972  /* In EXEC_BACKEND case we will not have inherited these settings */
4973  IsPostmasterEnvironment = true;
4975 
4976  /* Setup essential subsystems (to ensure elog() behaves sanely) */
4978 
4979  /* Check we got appropriate args */
4980  if (argc < 3)
4981  elog(FATAL, "invalid subpostmaster invocation");
4982 
4983  /* Read in the variables file */
4984  memset(&port, 0, sizeof(Port));
4985  read_backend_variables(argv[2], &port);
4986 
4987  /* Close the postmaster's sockets (as soon as we know them) */
4988  ClosePostmasterPorts(strcmp(argv[1], "--forklog") == 0);
4989 
4990  /* Setup as postmaster child */
4992 
4993  /*
4994  * If appropriate, physically re-attach to shared memory segment. We want
4995  * to do this before going any further to ensure that we can attach at the
4996  * same address the postmaster used. On the other hand, if we choose not
4997  * to re-attach, we may have other cleanup to do.
4998  *
4999  * If testing EXEC_BACKEND on Linux, you should run this as root before
5000  * starting the postmaster:
5001  *
5002  * echo 0 >/proc/sys/kernel/randomize_va_space
5003  *
5004  * This prevents using randomized stack and code addresses that cause the
5005  * child process's memory map to be different from the parent's, making it
5006  * sometimes impossible to attach to shared memory at the desired address.
5007  * Return the setting to its old value (usually '1' or '2') when finished.
5008  */
5009  if (strcmp(argv[1], "--forkbackend") == 0 ||
5010  strcmp(argv[1], "--forkavlauncher") == 0 ||
5011  strcmp(argv[1], "--forkavworker") == 0 ||
5012  strcmp(argv[1], "--forkaux") == 0 ||
5013  strncmp(argv[1], "--forkbgworker=", 15) == 0)
5015  else
5017 
5018  /* autovacuum needs this set before calling InitProcess */
5019  if (strcmp(argv[1], "--forkavlauncher") == 0)
5020  AutovacuumLauncherIAm();
5021  if (strcmp(argv[1], "--forkavworker") == 0)
5022  AutovacuumWorkerIAm();
5023 
5024  /* Read in remaining GUC variables */
5025  read_nondefault_variables();
5026 
5027  /*
5028  * Check that the data directory looks valid, which will also check the
5029  * privileges on the data directory and update our umask and file/group
5030  * variables for creating files later. Note: this should really be done
5031  * before we create any files or directories.
5032  */
5033  checkDataDir();
5034 
5035  /*
5036  * (re-)read control file, as it contains config. The postmaster will
5037  * already have read this, but this process doesn't know about that.
5038  */
5039  LocalProcessControlFile(false);
5040 
5041  /*
5042  * Reload any libraries that were preloaded by the postmaster. Since we
5043  * exec'd this process, those libraries didn't come along with us; but we
5044  * should load them into all child processes to be consistent with the
5045  * non-EXEC_BACKEND behavior.
5046  */
5048 
5049  /* Run backend or appropriate child */
5050  if (strcmp(argv[1], "--forkbackend") == 0)
5051  {
5052  Assert(argc == 3); /* shouldn't be any more args */
5053 
5054  /*
5055  * Need to reinitialize the SSL library in the backend, since the
5056  * context structures contain function pointers and cannot be passed
5057  * through the parameter file.
5058  *
5059  * If for some reason reload fails (maybe the user installed broken
5060  * key files), soldier on without SSL; that's better than all
5061  * connections becoming impossible.
5062  *
5063  * XXX should we do this in all child processes? For the moment it's
5064  * enough to do it in backend children.
5065  */
5066 #ifdef USE_SSL
5067  if (EnableSSL)
5068  {
5069  if (secure_initialize(false) == 0)
5070  LoadedSSL = true;
5071  else
5072  ereport(LOG,
5073  (errmsg("SSL configuration could not be loaded in child process")));
5074  }
5075 #endif
5076 
5077  /*
5078  * Perform additional initialization and collect startup packet.
5079  *
5080  * We want to do this before InitProcess() for a couple of reasons: 1.
5081  * so that we aren't eating up a PGPROC slot while waiting on the
5082  * client. 2. so that if InitProcess() fails due to being out of
5083  * PGPROC slots, we have already initialized libpq and are able to
5084  * report the error to the client.
5085  */
5087 
5088  /* Restore basic shared memory pointers */
5090 
5091  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
5092  InitProcess();
5093 
5094  /* Attach process to shared data structures */
5096 
5097  /* And run the backend */
5098  BackendRun(&port); /* does not return */
5099  }
5100  if (strcmp(argv[1], "--forkaux") == 0)
5101  {
5102  AuxProcType auxtype;
5103 
5104  Assert(argc == 4);
5105 
5106  /* Restore basic shared memory pointers */
5108 
5109  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
5111 
5112  /* Attach process to shared data structures */
5114 
5115  auxtype = atoi(argv[3]);
5116  AuxiliaryProcessMain(auxtype); /* does not return */
5117  }
5118  if (strcmp(argv[1], "--forkavlauncher") == 0)
5119  {
5120  /* Restore basic shared memory pointers */
5122 
5123  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
5124  InitProcess();
5125 
5126  /* Attach process to shared data structures */
5128 
5129  AutoVacLauncherMain(argc - 2, argv + 2); /* does not return */
5130  }
5131  if (strcmp(argv[1], "--forkavworker") == 0)
5132  {
5133  /* Restore basic shared memory pointers */
5135 
5136  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
5137  InitProcess();
5138 
5139  /* Attach process to shared data structures */
5141 
5142  AutoVacWorkerMain(argc - 2, argv + 2); /* does not return */
5143  }
5144  if (strncmp(argv[1], "--forkbgworker=", 15) == 0)
5145  {
5146  int shmem_slot;
5147 
5148  /* do this as early as possible; in particular, before InitProcess() */
5149  IsBackgroundWorker = true;
5150 
5151  /* Restore basic shared memory pointers */
5153 
5154  /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
5155  InitProcess();
5156 
5157  /* Attach process to shared data structures */
5159 
5160  /* Fetch MyBgworkerEntry from shared memory */
5161  shmem_slot = atoi(argv[1] + 15);
5162  MyBgworkerEntry = BackgroundWorkerEntry(shmem_slot);
5163 
5165  }
5166  if (strcmp(argv[1], "--forkcol") == 0)
5167  {
5168  /* Do not want to attach to shared memory */
5169 
5170  PgstatCollectorMain(argc, argv); /* does not return */
5171  }
5172  if (strcmp(argv[1], "--forklog") == 0)
5173  {
5174  /* Do not want to attach to shared memory */
5175 
5176  SysLoggerMain(argc, argv); /* does not return */
5177  }
5178 
5179  abort(); /* shouldn't get here */
5180 }
5181 #endif /* EXEC_BACKEND */
5182 
5183 
5184 /*
5185  * ExitPostmaster -- cleanup
5186  *
5187  * Do NOT call exit() directly --- always go through here!
5188  */
5189 static void
5191 {
5192 #ifdef HAVE_PTHREAD_IS_THREADED_NP
5193 
5194  /*
5195  * There is no known cause for a postmaster to become multithreaded after
5196  * startup. Recheck to account for the possibility of unknown causes.
5197  * This message uses LOG level, because an unclean shutdown at this point
5198  * would usually not look much different from a clean shutdown.
5199  */
5200  if (pthread_is_threaded_np() != 0)
5201  ereport(LOG,
5202  (errcode(ERRCODE_INTERNAL_ERROR),
5203  errmsg_internal("postmaster became multithreaded"),
5204  errdetail("Please report this to <%s>.", PACKAGE_BUGREPORT)));
5205 #endif
5206 
5207  /* should cleanup shared memory and kill all backends */
5208 
5209  /*
5210  * Not sure of the semantics here. When the Postmaster dies, should the
5211  * backends all be killed? probably not.
5212  *
5213  * MUST -- vadim 05-10-1999
5214  */
5215 
5216  proc_exit(status);
5217 }
5218 
5219 /*
5220  * sigusr1_handler - handle signal conditions from child processes
5221  */
5222 static void
5224 {
5225  int save_errno = errno;
5226 
5227  /*
5228  * We rely on the signal mechanism to have blocked all signals ... except
5229  * on Windows, which lacks sigaction(), so we have to do it manually.
5230  */
5231 #ifdef WIN32
5232  PG_SETMASK(&BlockSig);
5233 #endif
5234 
5235  /*
5236  * RECOVERY_STARTED and BEGIN_HOT_STANDBY signals are ignored in
5237  * unexpected states. If the startup process quickly starts up, completes
5238  * recovery, exits, we might process the death of the startup process
5239  * first. We don't want to go back to recovery in that case.
5240  */
5243  {
5244  /* WAL redo has started. We're out of reinitialization. */
5245  FatalError = false;
5246  AbortStartTime = 0;
5247 
5248  /*
5249  * Start the archiver if we're responsible for (re-)archiving received
5250  * files.
5251  */
5252  Assert(PgArchPID == 0);
5253  if (XLogArchivingAlways())
5255 
5256  /*
5257  * If we aren't planning to enter hot standby mode later, treat
5258  * RECOVERY_STARTED as meaning we're out of startup, and report status
5259  * accordingly.
5260  */
5261  if (!EnableHotStandby)
5262  {
5264 #ifdef USE_SYSTEMD
5265  sd_notify(0, "READY=1");
5266 #endif
5267  }
5268 
5269  pmState = PM_RECOVERY;
5270  }
5271 
5274  {
5275  /*
5276  * Likewise, start other special children as needed.
5277  */
5278  Assert(PgStatPID == 0);
5279  PgStatPID = pgstat_start();
5280 
5281  ereport(LOG,
5282  (errmsg("database system is ready to accept read-only connections")));
5283 
5284  /* Report status */
5286 #ifdef USE_SYSTEMD
5287  sd_notify(0, "READY=1");
5288 #endif
5289 
5292 
5293  /* Some workers may be scheduled to start now */
5294  StartWorkerNeeded = true;
5295  }
5296 
5297  /* Process background worker state changes. */
5299  {
5300  /* Accept new worker requests only if not stopping. */
5302  StartWorkerNeeded = true;
5303  }
5304 
5307 
5308  /* Tell syslogger to rotate logfile if requested */
5309  if (SysLoggerPID != 0)
5310  {
5311  if (CheckLogrotateSignal())
5312  {
5315  }
5317  {
5319  }
5320  }
5321 
5324  {
5325  /*
5326  * Start one iteration of the autovacuum daemon, even if autovacuuming
5327  * is nominally not enabled. This is so we can have an active defense
5328  * against transaction ID wraparound. We set a flag for the main loop
5329  * to do it rather than trying to do it here --- this is because the
5330  * autovac process itself may send the signal, and we want to handle
5331  * that by launching another iteration as soon as the current one
5332  * completes.
5333  */
5334  start_autovac_launcher = true;
5335  }
5336 
5339  {
5340  /* The autovacuum launcher wants us to start a worker process. */
5342  }
5343 
5345  {
5346  /* Startup Process wants us to start the walreceiver process. */
5347  /* Start immediately if possible, else remember request for later. */
5348  WalReceiverRequested = true;
5350  }
5351 
5352  /*
5353  * Try to advance postmaster's state machine, if a child requests it.
5354  *
5355  * Be careful about the order of this action relative to sigusr1_handler's
5356  * other actions. Generally, this should be after other actions, in case
5357  * they have effects PostmasterStateMachine would need to know about.
5358  * However, we should do it before the CheckPromoteSignal step, which
5359  * cannot have any (immediate) effect on the state machine, but does
5360  * depend on what state we're in now.
5361  */
5363  {
5365  }
5366 
5367  if (StartupPID != 0 &&
5368  (pmState == PM_STARTUP || pmState == PM_RECOVERY ||
5369  pmState == PM_HOT_STANDBY) &&
5371  {
5372  /*
5373  * Tell startup process to finish recovery.
5374  *
5375  * Leave the promote signal file in place and let the Startup process
5376  * do the unlink.
5377  */
5379  }
5380 
5381 #ifdef WIN32
5383 #endif
5384 
5385  errno = save_errno;
5386 }
5387 
5388 /*
5389  * SIGTERM while processing startup packet.
5390  *
5391  * Running proc_exit() from a signal handler would be quite unsafe.
5392  * However, since we have not yet touched shared memory, we can just
5393  * pull the plug and exit without running any atexit handlers.
5394  *
5395  * One might be tempted to try to send a message, or log one, indicating
5396  * why we are disconnecting. However, that would be quite unsafe in itself.
5397  * Also, it seems undesirable to provide clues about the database's state
5398  * to a client that has not yet completed authentication, or even sent us
5399  * a startup packet.
5400  */
5401 static void
5403 {
5404  _exit(1);
5405 }
5406 
5407 /*
5408  * Dummy signal handler
5409  *
5410  * We use this for signals that we don't actually use in the postmaster,
5411  * but we do use in backends. If we were to SIG_IGN such signals in the
5412  * postmaster, then a newly started backend might drop a signal that arrives
5413  * before it's able to reconfigure its signal processing. (See notes in
5414  * tcop/postgres.c.)
5415  */
5416 static void
5418 {
5419 }
5420 
5421 /*
5422  * Timeout while processing startup packet.
5423  * As for process_startup_packet_die(), we exit via _exit(1).
5424  */
5425 static void
5427 {
5428  _exit(1);
5429 }
5430 
5431 
5432 /*
5433  * Generate a random cancel key.
5434  */
5435 static bool
5437 {
5438  return pg_strong_random(cancel_key, sizeof(int32));
5439 }
5440 
5441 /*
5442  * Count up number of child processes of specified types (dead_end children
5443  * are always excluded).
5444  */
5445 static int
5446 CountChildren(int target)
5447 {
5448  dlist_iter iter;
5449  int cnt = 0;
5450 
5451  dlist_foreach(iter, &BackendList)
5452  {
5453  Backend *bp = dlist_container(Backend, elem, iter.cur);
5454 
5455  if (bp->dead_end)
5456  continue;
5457 
5458  /*
5459  * Since target == BACKEND_TYPE_ALL is the most common case, we test
5460  * it first and avoid touching shared memory for every child.
5461  */
5462  if (target != BACKEND_TYPE_ALL)
5463  {
5464  /*
5465  * Assign bkend_type for any recently announced WAL Sender
5466  * processes.
5467  */
5468  if (bp->bkend_type == BACKEND_TYPE_NORMAL &&
5471 
5472  if (!(target & bp->bkend_type))
5473  continue;
5474  }
5475 
5476  cnt++;
5477  }
5478  return cnt;
5479 }
5480 
5481 
5482 /*
5483  * StartChildProcess -- start an auxiliary process for the postmaster
5484  *
5485  * "type" determines what kind of child will be started. All child types
5486  * initially go to AuxiliaryProcessMain, which will handle common setup.
5487  *
5488  * Return value of StartChildProcess is subprocess' PID, or 0 if failed
5489  * to start subprocess.
5490  */
5491 static pid_t
5493 {
5494  pid_t pid;
5495 
5496 #ifdef EXEC_BACKEND
5497  {
5498  char *av[10];
5499  int ac = 0;
5500  char typebuf[32];
5501 
5502  /*
5503  * Set up command-line arguments for subprocess
5504  */
5505  av[ac++] = "postgres";
5506  av[ac++] = "--forkaux";
5507  av[ac++] = NULL; /* filled in by postmaster_forkexec */
5508 
5509  snprintf(typebuf, sizeof(typebuf), "%d", type);
5510  av[ac++] = typebuf;
5511 
5512  av[ac] = NULL;
5513  Assert(ac < lengthof(av));
5514 
5515  pid = postmaster_forkexec(ac, av);
5516  }
5517 #else /* !EXEC_BACKEND */
5518  pid = fork_process();
5519 
5520  if (pid == 0) /* child */
5521  {
5523 
5524  /* Close the postmaster's sockets */
5525  ClosePostmasterPorts(false);
5526 
5527  /* Release postmaster's working memory context */
5530  PostmasterContext = NULL;
5531 
5532  AuxiliaryProcessMain(type); /* does not return */
5533  }
5534 #endif /* EXEC_BACKEND */
5535 
5536  if (pid < 0)
5537  {
5538  /* in parent, fork failed */
5539  int save_errno = errno;
5540 
5541  errno = save_errno;
5542  switch (type)
5543  {
5544  case StartupProcess:
5545  ereport(LOG,
5546  (errmsg("could not fork startup process: %m")));
5547  break;
5548  case ArchiverProcess:
5549  ereport(LOG,
5550  (errmsg("could not fork archiver process: %m")));
5551  break;
5552  case BgWriterProcess:
5553  ereport(LOG,
5554  (errmsg("could not fork background writer process: %m")));
5555  break;
5556  case CheckpointerProcess:
5557  ereport(LOG,
5558  (errmsg("could not fork checkpointer process: %m")));
5559  break;
5560  case WalWriterProcess:
5561  ereport(LOG,
5562  (errmsg("could not fork WAL writer process: %m")));
5563  break;
5564  case WalReceiverProcess:
5565  ereport(LOG,
5566  (errmsg("could not fork WAL receiver process: %m")));
5567  break;
5568  default:
5569  ereport(LOG,
5570  (errmsg("could not fork process: %m")));
5571  break;
5572  }
5573 
5574  /*
5575  * fork failure is fatal during startup, but there's no need to choke
5576  * immediately if starting other child types fails.
5577  */
5578  if (type == StartupProcess)
5579  ExitPostmaster(1);
5580  return 0;
5581  }
5582 
5583  /*
5584  * in parent, successful fork
5585  */
5586  return pid;
5587 }
5588 
5589 /*
5590  * StartAutovacuumWorker
5591  * Start an autovac worker process.
5592  *
5593  * This function is here because it enters the resulting PID into the
5594  * postmaster's private backends list.
5595  *
5596  * NB -- this code very roughly matches BackendStartup.
5597  */
5598 static void
5600 {
5601  Backend *bn;
5602 
5603  /*
5604  * If not in condition to run a process, don't try, but handle it like a
5605  * fork failure. This does not normally happen, since the signal is only
5606  * supposed to be sent by autovacuum launcher when it's OK to do it, but
5607  * we have to check to avoid race-condition problems during DB state
5608  * changes.
5609  */
5611  {
5612  /*
5613  * Compute the cancel key that will be assigned to this session. We
5614  * probably don't need cancel keys for autovac workers, but we'd
5615  * better have something random in the field to prevent unfriendly
5616  * people from sending cancels to them.
5617  */
5619  {
5620  ereport(LOG,
5621  (errcode(ERRCODE_INTERNAL_ERROR),
5622  errmsg("could not generate random cancel key")));
5623  return;
5624  }
5625 
5626  bn = (Backend *) malloc(sizeof(Backend));
5627  if (bn)
5628  {
5629  bn->cancel_key = MyCancelKey;
5630 
5631  /* Autovac workers are not dead_end and need a child slot */
5632  bn->dead_end = false;
5634  bn->bgworker_notify = false;
5635 
5636  bn->pid = StartAutoVacWorker();
5637  if (bn->pid > 0)
5638  {
5641 #ifdef EXEC_BACKEND
5642  ShmemBackendArrayAdd(bn);
5643 #endif
5644  /* all OK */
5645  return;
5646  }
5647 
5648  /*
5649  * fork failed, fall through to report -- actual error message was
5650  * logged by StartAutoVacWorker
5651  */
5653  free(bn);
5654  }
5655  else
5656  ereport(LOG,
5657  (errcode(ERRCODE_OUT_OF_MEMORY),
5658  errmsg("out of memory")));
5659  }
5660 
5661  /*
5662  * Report the failure to the launcher, if it's running. (If it's not, we
5663  * might not even be connected to shared memory, so don't try to call
5664  * AutoVacWorkerFailed.) Note that we also need to signal it so that it
5665  * responds to the condition, but we don't do that here, instead waiting
5666  * for ServerLoop to do it. This way we avoid a ping-pong signaling in
5667  * quick succession between the autovac launcher and postmaster in case
5668  * things get ugly.
5669  */
5670  if (AutoVacPID != 0)
5671  {
5673  avlauncher_needs_signal = true;
5674  }
5675 }
5676 
5677 /*
5678  * MaybeStartWalReceiver
5679  * Start the WAL receiver process, if not running and our state allows.
5680  *
5681  * Note: if WalReceiverPID is already nonzero, it might seem that we should
5682  * clear WalReceiverRequested. However, there's a race condition if the
5683  * walreceiver terminates and the startup process immediately requests a new
5684  * one: it's quite possible to get the signal for the request before reaping
5685  * the dead walreceiver process. Better to risk launching an extra
5686  * walreceiver than to miss launching one we need. (The walreceiver code
5687  * has logic to recognize that it should go away if not needed.)
5688  */
5689 static void
5691 {
5692  if (WalReceiverPID == 0 &&
5693  (pmState == PM_STARTUP || pmState == PM_RECOVERY ||
5694  pmState == PM_HOT_STANDBY) &&
5696  {
5698  if (WalReceiverPID != 0)
5699  WalReceiverRequested = false;
5700  /* else leave the flag set, so we'll try again later */
5701  }
5702 }
5703 
5704 
5705 /*
5706  * Create the opts file
5707  */
5708 static bool
5709 CreateOptsFile(int argc, char *argv[], char *fullprogname)
5710 {
5711  FILE *fp;
5712  int i;
5713 
5714 #define OPTS_FILE "postmaster.opts"
5715 
5716  if ((fp = fopen(OPTS_FILE, "w")) == NULL)
5717  {
5718  ereport(LOG,
5720  errmsg("could not create file \"%s\": %m", OPTS_FILE)));
5721  return false;
5722  }
5723 
5724  fprintf(fp, "%s", fullprogname);
5725  for (i = 1; i < argc; i++)
5726  fprintf(fp, " \"%s\"", argv[i]);
5727  fputs("\n", fp);
5728 
5729  if (fclose(fp))
5730  {
5731  ereport(LOG,
5733  errmsg("could not write file \"%s\": %m", OPTS_FILE)));
5734  return false;
5735  }
5736 
5737  return true;
5738 }
5739 
5740 
5741 /*
5742  * MaxLivePostmasterChildren
5743  *
5744  * This reports the number of entries needed in per-child-process arrays
5745  * (the PMChildFlags array, and if EXEC_BACKEND the ShmemBackendArray).
5746  * These arrays include regular backends, autovac workers, walsenders
5747  * and background workers, but not special children nor dead_end children.
5748  * This allows the arrays to have a fixed maximum size, to wit the same
5749  * too-many-children limit enforced by canAcceptConnections(). The exact value
5750  * isn't too critical as long as it's more than MaxBackends.
5751  */
5752 int
5754 {
5755  return 2 * (MaxConnections + autovacuum_max_workers + 1 +
5757 }
5758 
5759 /*
5760  * Connect background worker to a database.
5761  */
5762 void