1 /*-------------------------------------------------------------------------
2 *
3 * postinit.c
4 * postgres initialization utilities
5 *
6 * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
7 * Portions Copyright (c) 1994, Regents of the University of California
8 *
9 *
10 * IDENTIFICATION
11 * src/backend/utils/init/postinit.c
12 *
13 *
14 *-------------------------------------------------------------------------
15 */
16 #include "postgres.h"
17
18 #include <ctype.h>
19 #include <fcntl.h>
20 #include <unistd.h>
21
22 #include "access/genam.h"
23 #include "access/heapam.h"
24 #include "access/htup_details.h"
25 #include "access/session.h"
26 #include "access/sysattr.h"
27 #include "access/tableam.h"
28 #include "access/xact.h"
29 #include "access/xlog.h"
30 #include "catalog/catalog.h"
31 #include "catalog/namespace.h"
32 #include "catalog/pg_authid.h"
33 #include "catalog/pg_database.h"
34 #include "catalog/pg_db_role_setting.h"
35 #include "catalog/pg_tablespace.h"
36 #include "libpq/auth.h"
37 #include "libpq/libpq-be.h"
38 #include "mb/pg_wchar.h"
39 #include "miscadmin.h"
40 #include "pgstat.h"
41 #include "postmaster/autovacuum.h"
42 #include "postmaster/postmaster.h"
43 #include "replication/walsender.h"
44 #include "storage/bufmgr.h"
45 #include "storage/fd.h"
46 #include "storage/ipc.h"
47 #include "storage/lmgr.h"
48 #include "storage/proc.h"
49 #include "storage/procarray.h"
50 #include "storage/procsignal.h"
51 #include "storage/sinvaladt.h"
52 #include "storage/smgr.h"
53 #include "storage/sync.h"
54 #include "tcop/tcopprot.h"
55 #include "utils/acl.h"
56 #include "utils/fmgroids.h"
57 #include "utils/guc.h"
58 #include "utils/memutils.h"
59 #include "utils/pg_locale.h"
60 #include "utils/portal.h"
61 #include "utils/ps_status.h"
62 #include "utils/snapmgr.h"
63 #include "utils/syscache.h"
64 #include "utils/timeout.h"
65
66 static HeapTuple GetDatabaseTuple(const char *dbname);
67 static HeapTuple GetDatabaseTupleByOid(Oid dboid);
68 static void PerformAuthentication(Port *port);
69 static void CheckMyDatabase(const char *name, bool am_superuser, bool override_allow_connections);
70 static void InitCommunication(void);
71 static void ShutdownPostgres(int code, Datum arg);
72 static void StatementTimeoutHandler(void);
73 static void LockTimeoutHandler(void);
74 static void IdleInTransactionSessionTimeoutHandler(void);
75 static void IdleSessionTimeoutHandler(void);
76 static void ClientCheckTimeoutHandler(void);
77 static bool ThereIsAtLeastOneRole(void);
78 static void process_startup_options(Port *port, bool am_superuser);
79 static void process_settings(Oid databaseid, Oid roleid);
80
81
82 /*** InitPostgres support ***/
83
84
85 /*
86 * GetDatabaseTuple -- fetch the pg_database row for a database
87 *
88 * This is used during backend startup when we don't yet have any access to
89 * system catalogs in general. In the worst case, we can seqscan pg_database
90 * using nothing but the hard-wired descriptor that relcache.c creates for
91 * pg_database. In more typical cases, relcache.c was able to load
92 * descriptors for both pg_database and its indexes from the shared relcache
93 * cache file, and so we can do an indexscan. criticalSharedRelcachesBuilt
94 * tells whether we got the cached descriptors.
95 */
96 static HeapTuple
GetDatabaseTuple(const char * dbname)97 GetDatabaseTuple(const char *dbname)
98 {
99 HeapTuple tuple;
100 Relation relation;
101 SysScanDesc scan;
102 ScanKeyData key[1];
103
104 /*
105 * form a scan key
106 */
107 ScanKeyInit(&key[0],
108 Anum_pg_database_datname,
109 BTEqualStrategyNumber, F_NAMEEQ,
110 CStringGetDatum(dbname));
111
112 /*
113 * Open pg_database and fetch a tuple. Force heap scan if we haven't yet
114 * built the critical shared relcache entries (i.e., we're starting up
115 * without a shared relcache cache file).
116 */
117 relation = table_open(DatabaseRelationId, AccessShareLock);
118 scan = systable_beginscan(relation, DatabaseNameIndexId,
119 criticalSharedRelcachesBuilt,
120 NULL,
121 1, key);
122
123 tuple = systable_getnext(scan);
124
125 /* Must copy tuple before releasing buffer */
126 if (HeapTupleIsValid(tuple))
127 tuple = heap_copytuple(tuple);
128
129 /* all done */
130 systable_endscan(scan);
131 table_close(relation, AccessShareLock);
132
133 return tuple;
134 }
135
136 /*
137 * GetDatabaseTupleByOid -- as above, but search by database OID
138 */
139 static HeapTuple
GetDatabaseTupleByOid(Oid dboid)140 GetDatabaseTupleByOid(Oid dboid)
141 {
142 HeapTuple tuple;
143 Relation relation;
144 SysScanDesc scan;
145 ScanKeyData key[1];
146
147 /*
148 * form a scan key
149 */
150 ScanKeyInit(&key[0],
151 Anum_pg_database_oid,
152 BTEqualStrategyNumber, F_OIDEQ,
153 ObjectIdGetDatum(dboid));
154
155 /*
156 * Open pg_database and fetch a tuple. Force heap scan if we haven't yet
157 * built the critical shared relcache entries (i.e., we're starting up
158 * without a shared relcache cache file).
159 */
160 relation = table_open(DatabaseRelationId, AccessShareLock);
161 scan = systable_beginscan(relation, DatabaseOidIndexId,
162 criticalSharedRelcachesBuilt,
163 NULL,
164 1, key);
165
166 tuple = systable_getnext(scan);
167
168 /* Must copy tuple before releasing buffer */
169 if (HeapTupleIsValid(tuple))
170 tuple = heap_copytuple(tuple);
171
172 /* all done */
173 systable_endscan(scan);
174 table_close(relation, AccessShareLock);
175
176 return tuple;
177 }
178
179
180 /*
181 * PerformAuthentication -- authenticate a remote client
182 *
183 * returns: nothing. Will not return at all if there's any failure.
184 */
185 static void
PerformAuthentication(Port * port)186 PerformAuthentication(Port *port)
187 {
188 /* This should be set already, but let's make sure */
189 ClientAuthInProgress = true; /* limit visibility of log messages */
190
191 /*
192 * In EXEC_BACKEND case, we didn't inherit the contents of pg_hba.conf
193 * etcetera from the postmaster, and have to load them ourselves.
194 *
195 * FIXME: [fork/exec] Ugh. Is there a way around this overhead?
196 */
197 #ifdef EXEC_BACKEND
198
199 /*
200 * load_hba() and load_ident() want to work within the PostmasterContext,
201 * so create that if it doesn't exist (which it won't). We'll delete it
202 * again later, in PostgresMain.
203 */
204 if (PostmasterContext == NULL)
205 PostmasterContext = AllocSetContextCreate(TopMemoryContext,
206 "Postmaster",
207 ALLOCSET_DEFAULT_SIZES);
208
209 if (!load_hba())
210 {
211 /*
212 * It makes no sense to continue if we fail to load the HBA file,
213 * since there is no way to connect to the database in this case.
214 */
215 ereport(FATAL,
216 (errmsg("could not load pg_hba.conf")));
217 }
218
219 if (!load_ident())
220 {
221 /*
222 * It is ok to continue if we fail to load the IDENT file, although it
223 * means that you cannot log in using any of the authentication
224 * methods that need a user name mapping. load_ident() already logged
225 * the details of error to the log.
226 */
227 }
228 #endif
229
230 /*
231 * Set up a timeout in case a buggy or malicious client fails to respond
232 * during authentication. Since we're inside a transaction and might do
233 * database access, we have to use the statement_timeout infrastructure.
234 */
235 enable_timeout_after(STATEMENT_TIMEOUT, AuthenticationTimeout * 1000);
236
237 /*
238 * Now perform authentication exchange.
239 */
240 set_ps_display("authentication");
241 ClientAuthentication(port); /* might not return, if failure */
242
243 /*
244 * Done with authentication. Disable the timeout, and log if needed.
245 */
246 disable_timeout(STATEMENT_TIMEOUT, false);
247
248 if (Log_connections)
249 {
250 StringInfoData logmsg;
251
252 initStringInfo(&logmsg);
253 if (am_walsender)
254 appendStringInfo(&logmsg, _("replication connection authorized: user=%s"),
255 port->user_name);
256 else
257 appendStringInfo(&logmsg, _("connection authorized: user=%s"),
258 port->user_name);
259 if (!am_walsender)
260 appendStringInfo(&logmsg, _(" database=%s"), port->database_name);
261
262 if (port->application_name != NULL)
263 appendStringInfo(&logmsg, _(" application_name=%s"),
264 port->application_name);
265
266 #ifdef USE_SSL
267 if (port->ssl_in_use)
268 appendStringInfo(&logmsg, _(" SSL enabled (protocol=%s, cipher=%s, bits=%d)"),
269 be_tls_get_version(port),
270 be_tls_get_cipher(port),
271 be_tls_get_cipher_bits(port));
272 #endif
273 #ifdef ENABLE_GSS
274 if (port->gss)
275 {
276 const char *princ = be_gssapi_get_princ(port);
277
278 if (princ)
279 appendStringInfo(&logmsg,
280 _(" GSS (authenticated=%s, encrypted=%s, principal=%s)"),
281 be_gssapi_get_auth(port) ? _("yes") : _("no"),
282 be_gssapi_get_enc(port) ? _("yes") : _("no"),
283 princ);
284 else
285 appendStringInfo(&logmsg,
286 _(" GSS (authenticated=%s, encrypted=%s)"),
287 be_gssapi_get_auth(port) ? _("yes") : _("no"),
288 be_gssapi_get_enc(port) ? _("yes") : _("no"));
289 }
290 #endif
291
292 ereport(LOG, errmsg_internal("%s", logmsg.data));
293 pfree(logmsg.data);
294 }
295
296 set_ps_display("startup");
297
298 ClientAuthInProgress = false; /* client_min_messages is active now */
299 }
300
301
302 /*
303 * CheckMyDatabase -- fetch information from the pg_database entry for our DB
304 */
305 static void
CheckMyDatabase(const char * name,bool am_superuser,bool override_allow_connections)306 CheckMyDatabase(const char *name, bool am_superuser, bool override_allow_connections)
307 {
308 HeapTuple tup;
309 Form_pg_database dbform;
310 char *collate;
311 char *ctype;
312
313 /* Fetch our pg_database row normally, via syscache */
314 tup = SearchSysCache1(DATABASEOID, ObjectIdGetDatum(MyDatabaseId));
315 if (!HeapTupleIsValid(tup))
316 elog(ERROR, "cache lookup failed for database %u", MyDatabaseId);
317 dbform = (Form_pg_database) GETSTRUCT(tup);
318
319 /* This recheck is strictly paranoia */
320 if (strcmp(name, NameStr(dbform->datname)) != 0)
321 ereport(FATAL,
322 (errcode(ERRCODE_UNDEFINED_DATABASE),
323 errmsg("database \"%s\" has disappeared from pg_database",
324 name),
325 errdetail("Database OID %u now seems to belong to \"%s\".",
326 MyDatabaseId, NameStr(dbform->datname))));
327
328 /*
329 * Check permissions to connect to the database.
330 *
331 * These checks are not enforced when in standalone mode, so that there is
332 * a way to recover from disabling all access to all databases, for
333 * example "UPDATE pg_database SET datallowconn = false;".
334 *
335 * We do not enforce them for autovacuum worker processes either.
336 */
337 if (IsUnderPostmaster && !IsAutoVacuumWorkerProcess())
338 {
339 /*
340 * Check that the database is currently allowing connections.
341 */
342 if (!dbform->datallowconn && !override_allow_connections)
343 ereport(FATAL,
344 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
345 errmsg("database \"%s\" is not currently accepting connections",
346 name)));
347
348 /*
349 * Check privilege to connect to the database. (The am_superuser test
350 * is redundant, but since we have the flag, might as well check it
351 * and save a few cycles.)
352 */
353 if (!am_superuser &&
354 pg_database_aclcheck(MyDatabaseId, GetUserId(),
355 ACL_CONNECT) != ACLCHECK_OK)
356 ereport(FATAL,
357 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
358 errmsg("permission denied for database \"%s\"", name),
359 errdetail("User does not have CONNECT privilege.")));
360
361 /*
362 * Check connection limit for this database.
363 *
364 * There is a race condition here --- we create our PGPROC before
365 * checking for other PGPROCs. If two backends did this at about the
366 * same time, they might both think they were over the limit, while
367 * ideally one should succeed and one fail. Getting that to work
368 * exactly seems more trouble than it is worth, however; instead we
369 * just document that the connection limit is approximate.
370 */
371 if (dbform->datconnlimit >= 0 &&
372 !am_superuser &&
373 CountDBConnections(MyDatabaseId) > dbform->datconnlimit)
374 ereport(FATAL,
375 (errcode(ERRCODE_TOO_MANY_CONNECTIONS),
376 errmsg("too many connections for database \"%s\"",
377 name)));
378 }
379
380 /*
381 * OK, we're golden. Next to-do item is to save the encoding info out of
382 * the pg_database tuple.
383 */
384 SetDatabaseEncoding(dbform->encoding);
385 /* Record it as a GUC internal option, too */
386 SetConfigOption("server_encoding", GetDatabaseEncodingName(),
387 PGC_INTERNAL, PGC_S_OVERRIDE);
388 /* If we have no other source of client_encoding, use server encoding */
389 SetConfigOption("client_encoding", GetDatabaseEncodingName(),
390 PGC_BACKEND, PGC_S_DYNAMIC_DEFAULT);
391
392 /* assign locale variables */
393 collate = NameStr(dbform->datcollate);
394 ctype = NameStr(dbform->datctype);
395
396 if (pg_perm_setlocale(LC_COLLATE, collate) == NULL)
397 ereport(FATAL,
398 (errmsg("database locale is incompatible with operating system"),
399 errdetail("The database was initialized with LC_COLLATE \"%s\", "
400 " which is not recognized by setlocale().", collate),
401 errhint("Recreate the database with another locale or install the missing locale.")));
402
403 if (pg_perm_setlocale(LC_CTYPE, ctype) == NULL)
404 ereport(FATAL,
405 (errmsg("database locale is incompatible with operating system"),
406 errdetail("The database was initialized with LC_CTYPE \"%s\", "
407 " which is not recognized by setlocale().", ctype),
408 errhint("Recreate the database with another locale or install the missing locale.")));
409
410 /* Make the locale settings visible as GUC variables, too */
411 SetConfigOption("lc_collate", collate, PGC_INTERNAL, PGC_S_OVERRIDE);
412 SetConfigOption("lc_ctype", ctype, PGC_INTERNAL, PGC_S_OVERRIDE);
413
414 check_strxfrm_bug();
415
416 ReleaseSysCache(tup);
417 }
418
419
420
421 /* --------------------------------
422 * InitCommunication
423 *
424 * This routine initializes stuff needed for ipc, locking, etc.
425 * it should be called something more informative.
426 * --------------------------------
427 */
428 static void
InitCommunication(void)429 InitCommunication(void)
430 {
431 /*
432 * initialize shared memory and semaphores appropriately.
433 */
434 if (!IsUnderPostmaster) /* postmaster already did this */
435 {
436 /*
437 * We're running a postgres bootstrap process or a standalone backend,
438 * so we need to set up shmem.
439 */
440 CreateSharedMemoryAndSemaphores();
441 }
442 }
443
444
445 /*
446 * pg_split_opts -- split a string of options and append it to an argv array
447 *
448 * The caller is responsible for ensuring the argv array is large enough. The
449 * maximum possible number of arguments added by this routine is
450 * (strlen(optstr) + 1) / 2.
451 *
452 * Because some option values can contain spaces we allow escaping using
453 * backslashes, with \\ representing a literal backslash.
454 */
455 void
pg_split_opts(char ** argv,int * argcp,const char * optstr)456 pg_split_opts(char **argv, int *argcp, const char *optstr)
457 {
458 StringInfoData s;
459
460 initStringInfo(&s);
461
462 while (*optstr)
463 {
464 bool last_was_escape = false;
465
466 resetStringInfo(&s);
467
468 /* skip over leading space */
469 while (isspace((unsigned char) *optstr))
470 optstr++;
471
472 if (*optstr == '\0')
473 break;
474
475 /*
476 * Parse a single option, stopping at the first space, unless it's
477 * escaped.
478 */
479 while (*optstr)
480 {
481 if (isspace((unsigned char) *optstr) && !last_was_escape)
482 break;
483
484 if (!last_was_escape && *optstr == '\\')
485 last_was_escape = true;
486 else
487 {
488 last_was_escape = false;
489 appendStringInfoChar(&s, *optstr);
490 }
491
492 optstr++;
493 }
494
495 /* now store the option in the next argv[] position */
496 argv[(*argcp)++] = pstrdup(s.data);
497 }
498
499 pfree(s.data);
500 }
501
502 /*
503 * Initialize MaxBackends value from config options.
504 *
505 * This must be called after modules have had the chance to register background
506 * workers in shared_preload_libraries, and before shared memory size is
507 * determined.
508 *
509 * Note that in EXEC_BACKEND environment, the value is passed down from
510 * postmaster to subprocesses via BackendParameters in SubPostmasterMain; only
511 * postmaster itself and processes not under postmaster control should call
512 * this.
513 */
514 void
InitializeMaxBackends(void)515 InitializeMaxBackends(void)
516 {
517 Assert(MaxBackends == 0);
518
519 /* the extra unit accounts for the autovacuum launcher */
520 MaxBackends = MaxConnections + autovacuum_max_workers + 1 +
521 max_worker_processes + max_wal_senders;
522
523 /* internal error because the values were all checked previously */
524 if (MaxBackends > MAX_BACKENDS)
525 elog(ERROR, "too many backends configured");
526 }
527
528 /*
529 * Early initialization of a backend (either standalone or under postmaster).
530 * This happens even before InitPostgres.
531 *
532 * This is separate from InitPostgres because it is also called by auxiliary
533 * processes, such as the background writer process, which may not call
534 * InitPostgres at all.
535 */
536 void
BaseInit(void)537 BaseInit(void)
538 {
539 /*
540 * Attach to shared memory and semaphores, and initialize our
541 * input/output/debugging file descriptors.
542 */
543 InitCommunication();
544 DebugFileOpen();
545
546 /* Do local initialization of file, storage and buffer managers */
547 InitFileAccess();
548 InitSync();
549 smgrinit();
550 InitBufferPoolAccess();
551 }
552
553
554 /* --------------------------------
555 * InitPostgres
556 * Initialize POSTGRES.
557 *
558 * The database can be specified by name, using the in_dbname parameter, or by
559 * OID, using the dboid parameter. In the latter case, the actual database
560 * name can be returned to the caller in out_dbname. If out_dbname isn't
561 * NULL, it must point to a buffer of size NAMEDATALEN.
562 *
563 * Similarly, the username can be passed by name, using the username parameter,
564 * or by OID using the useroid parameter.
565 *
566 * In bootstrap mode no parameters are used. The autovacuum launcher process
567 * doesn't use any parameters either, because it only goes far enough to be
568 * able to read pg_database; it doesn't connect to any particular database.
569 * In walsender mode only username is used.
570 *
571 * As of PostgreSQL 8.2, we expect InitProcess() was already called, so we
572 * already have a PGPROC struct ... but it's not completely filled in yet.
573 *
574 * Note:
575 * Be very careful with the order of calls in the InitPostgres function.
576 * --------------------------------
577 */
578 void
InitPostgres(const char * in_dbname,Oid dboid,const char * username,Oid useroid,char * out_dbname,bool override_allow_connections)579 InitPostgres(const char *in_dbname, Oid dboid, const char *username,
580 Oid useroid, char *out_dbname, bool override_allow_connections)
581 {
582 bool bootstrap = IsBootstrapProcessingMode();
583 bool am_superuser;
584 char *fullpath;
585 char dbname[NAMEDATALEN];
586
587 elog(DEBUG3, "InitPostgres");
588
589 /*
590 * Add my PGPROC struct to the ProcArray.
591 *
592 * Once I have done this, I am visible to other backends!
593 */
594 InitProcessPhase2();
595
596 /*
597 * Initialize my entry in the shared-invalidation manager's array of
598 * per-backend data.
599 *
600 * Sets up MyBackendId, a unique backend identifier.
601 */
602 MyBackendId = InvalidBackendId;
603
604 SharedInvalBackendInit(false);
605
606 if (MyBackendId > MaxBackends || MyBackendId <= 0)
607 elog(FATAL, "bad backend ID: %d", MyBackendId);
608
609 /* Now that we have a BackendId, we can participate in ProcSignal */
610 ProcSignalInit(MyBackendId);
611
612 /*
613 * Also set up timeout handlers needed for backend operation. We need
614 * these in every case except bootstrap.
615 */
616 if (!bootstrap)
617 {
618 RegisterTimeout(DEADLOCK_TIMEOUT, CheckDeadLockAlert);
619 RegisterTimeout(STATEMENT_TIMEOUT, StatementTimeoutHandler);
620 RegisterTimeout(LOCK_TIMEOUT, LockTimeoutHandler);
621 RegisterTimeout(IDLE_IN_TRANSACTION_SESSION_TIMEOUT,
622 IdleInTransactionSessionTimeoutHandler);
623 RegisterTimeout(IDLE_SESSION_TIMEOUT, IdleSessionTimeoutHandler);
624 RegisterTimeout(CLIENT_CONNECTION_CHECK_TIMEOUT, ClientCheckTimeoutHandler);
625 }
626
627 /*
628 * bufmgr needs another initialization call too
629 */
630 InitBufferPoolBackend();
631
632 /*
633 * Initialize local process's access to XLOG.
634 */
635 if (IsUnderPostmaster)
636 {
637 /*
638 * The postmaster already started the XLOG machinery, but we need to
639 * call InitXLOGAccess(), if the system isn't in hot-standby mode.
640 * This is handled by calling RecoveryInProgress and ignoring the
641 * result.
642 */
643 (void) RecoveryInProgress();
644 }
645 else
646 {
647 /*
648 * We are either a bootstrap process or a standalone backend. Either
649 * way, start up the XLOG machinery, and register to have it closed
650 * down at exit.
651 *
652 * We don't yet have an aux-process resource owner, but StartupXLOG
653 * and ShutdownXLOG will need one. Hence, create said resource owner
654 * (and register a callback to clean it up after ShutdownXLOG runs).
655 */
656 CreateAuxProcessResourceOwner();
657
658 StartupXLOG();
659 /* Release (and warn about) any buffer pins leaked in StartupXLOG */
660 ReleaseAuxProcessResources(true);
661 /* Reset CurrentResourceOwner to nothing for the moment */
662 CurrentResourceOwner = NULL;
663
664 on_shmem_exit(ShutdownXLOG, 0);
665 }
666
667 /*
668 * Initialize the relation cache and the system catalog caches. Note that
669 * no catalog access happens here; we only set up the hashtable structure.
670 * We must do this before starting a transaction because transaction abort
671 * would try to touch these hashtables.
672 */
673 RelationCacheInitialize();
674 InitCatalogCache();
675 InitPlanCache();
676
677 /* Initialize portal manager */
678 EnablePortalManager();
679
680 /* Initialize stats collection --- must happen before first xact */
681 if (!bootstrap)
682 pgstat_initialize();
683
684 /* Initialize status reporting */
685 if (!bootstrap)
686 pgstat_beinit();
687
688 /*
689 * Load relcache entries for the shared system catalogs. This must create
690 * at least entries for pg_database and catalogs used for authentication.
691 */
692 RelationCacheInitializePhase2();
693
694 /*
695 * Set up process-exit callback to do pre-shutdown cleanup. This is the
696 * first before_shmem_exit callback we register; thus, this will be the
697 * last thing we do before low-level modules like the buffer manager begin
698 * to close down. We need to have this in place before we begin our first
699 * transaction --- if we fail during the initialization transaction, as is
700 * entirely possible, we need the AbortTransaction call to clean up.
701 */
702 before_shmem_exit(ShutdownPostgres, 0);
703
704 /* The autovacuum launcher is done here */
705 if (IsAutoVacuumLauncherProcess())
706 {
707 /* report this backend in the PgBackendStatus array */
708 pgstat_bestart();
709
710 return;
711 }
712
713 /*
714 * Start a new transaction here before first access to db, and get a
715 * snapshot. We don't have a use for the snapshot itself, but we're
716 * interested in the secondary effect that it sets RecentGlobalXmin. (This
717 * is critical for anything that reads heap pages, because HOT may decide
718 * to prune them even if the process doesn't attempt to modify any
719 * tuples.)
720 *
721 * FIXME: This comment is inaccurate / the code buggy. A snapshot that is
722 * not pushed/active does not reliably prevent HOT pruning (->xmin could
723 * e.g. be cleared when cache invalidations are processed).
724 */
725 if (!bootstrap)
726 {
727 /* statement_timestamp must be set for timeouts to work correctly */
728 SetCurrentStatementStartTimestamp();
729 StartTransactionCommand();
730
731 /*
732 * transaction_isolation will have been set to the default by the
733 * above. If the default is "serializable", and we are in hot
734 * standby, we will fail if we don't change it to something lower.
735 * Fortunately, "read committed" is plenty good enough.
736 */
737 XactIsoLevel = XACT_READ_COMMITTED;
738
739 (void) GetTransactionSnapshot();
740 }
741
742 /*
743 * Perform client authentication if necessary, then figure out our
744 * postgres user ID, and see if we are a superuser.
745 *
746 * In standalone mode and in autovacuum worker processes, we use a fixed
747 * ID, otherwise we figure it out from the authenticated user name.
748 */
749 if (bootstrap || IsAutoVacuumWorkerProcess())
750 {
751 InitializeSessionUserIdStandalone();
752 am_superuser = true;
753 }
754 else if (!IsUnderPostmaster)
755 {
756 InitializeSessionUserIdStandalone();
757 am_superuser = true;
758 if (!ThereIsAtLeastOneRole())
759 ereport(WARNING,
760 (errcode(ERRCODE_UNDEFINED_OBJECT),
761 errmsg("no roles are defined in this database system"),
762 errhint("You should immediately run CREATE USER \"%s\" SUPERUSER;.",
763 username != NULL ? username : "postgres")));
764 }
765 else if (IsBackgroundWorker)
766 {
767 if (username == NULL && !OidIsValid(useroid))
768 {
769 InitializeSessionUserIdStandalone();
770 am_superuser = true;
771 }
772 else
773 {
774 InitializeSessionUserId(username, useroid);
775 am_superuser = superuser();
776 }
777 }
778 else
779 {
780 /* normal multiuser case */
781 Assert(MyProcPort != NULL);
782 PerformAuthentication(MyProcPort);
783 InitializeSessionUserId(username, useroid);
784 am_superuser = superuser();
785 }
786
787 /*
788 * If we're trying to shut down, only superusers can connect, and new
789 * replication connections are not allowed.
790 */
791 if ((!am_superuser || am_walsender) &&
792 MyProcPort != NULL &&
793 MyProcPort->canAcceptConnections == CAC_SUPERUSER)
794 {
795 if (am_walsender)
796 ereport(FATAL,
797 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
798 errmsg("new replication connections are not allowed during database shutdown")));
799 else
800 ereport(FATAL,
801 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
802 errmsg("must be superuser to connect during database shutdown")));
803 }
804
805 /*
806 * Binary upgrades only allowed super-user connections
807 */
808 if (IsBinaryUpgrade && !am_superuser)
809 {
810 ereport(FATAL,
811 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
812 errmsg("must be superuser to connect in binary upgrade mode")));
813 }
814
815 /*
816 * The last few connection slots are reserved for superusers. Replication
817 * connections are drawn from slots reserved with max_wal_senders and not
818 * limited by max_connections or superuser_reserved_connections.
819 */
820 if (!am_superuser && !am_walsender &&
821 ReservedBackends > 0 &&
822 !HaveNFreeProcs(ReservedBackends))
823 ereport(FATAL,
824 (errcode(ERRCODE_TOO_MANY_CONNECTIONS),
825 errmsg("remaining connection slots are reserved for non-replication superuser connections")));
826
827 /* Check replication permissions needed for walsender processes. */
828 if (am_walsender)
829 {
830 Assert(!bootstrap);
831
832 if (!superuser() && !has_rolreplication(GetUserId()))
833 ereport(FATAL,
834 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
835 errmsg("must be superuser or replication role to start walsender")));
836 }
837
838 /*
839 * If this is a plain walsender only supporting physical replication, we
840 * don't want to connect to any particular database. Just finish the
841 * backend startup by processing any options from the startup packet, and
842 * we're done.
843 */
844 if (am_walsender && !am_db_walsender)
845 {
846 /* process any options passed in the startup packet */
847 if (MyProcPort != NULL)
848 process_startup_options(MyProcPort, am_superuser);
849
850 /* Apply PostAuthDelay as soon as we've read all options */
851 if (PostAuthDelay > 0)
852 pg_usleep(PostAuthDelay * 1000000L);
853
854 /* initialize client encoding */
855 InitializeClientEncoding();
856
857 /* report this backend in the PgBackendStatus array */
858 pgstat_bestart();
859
860 /* close the transaction we started above */
861 CommitTransactionCommand();
862
863 return;
864 }
865
866 /*
867 * Set up the global variables holding database id and default tablespace.
868 * But note we won't actually try to touch the database just yet.
869 *
870 * We take a shortcut in the bootstrap case, otherwise we have to look up
871 * the db's entry in pg_database.
872 */
873 if (bootstrap)
874 {
875 MyDatabaseId = TemplateDbOid;
876 MyDatabaseTableSpace = DEFAULTTABLESPACE_OID;
877 }
878 else if (in_dbname != NULL)
879 {
880 HeapTuple tuple;
881 Form_pg_database dbform;
882
883 tuple = GetDatabaseTuple(in_dbname);
884 if (!HeapTupleIsValid(tuple))
885 ereport(FATAL,
886 (errcode(ERRCODE_UNDEFINED_DATABASE),
887 errmsg("database \"%s\" does not exist", in_dbname)));
888 dbform = (Form_pg_database) GETSTRUCT(tuple);
889 MyDatabaseId = dbform->oid;
890 MyDatabaseTableSpace = dbform->dattablespace;
891 /* take database name from the caller, just for paranoia */
892 strlcpy(dbname, in_dbname, sizeof(dbname));
893 }
894 else if (OidIsValid(dboid))
895 {
896 /* caller specified database by OID */
897 HeapTuple tuple;
898 Form_pg_database dbform;
899
900 tuple = GetDatabaseTupleByOid(dboid);
901 if (!HeapTupleIsValid(tuple))
902 ereport(FATAL,
903 (errcode(ERRCODE_UNDEFINED_DATABASE),
904 errmsg("database %u does not exist", dboid)));
905 dbform = (Form_pg_database) GETSTRUCT(tuple);
906 MyDatabaseId = dbform->oid;
907 MyDatabaseTableSpace = dbform->dattablespace;
908 Assert(MyDatabaseId == dboid);
909 strlcpy(dbname, NameStr(dbform->datname), sizeof(dbname));
910 /* pass the database name back to the caller */
911 if (out_dbname)
912 strcpy(out_dbname, dbname);
913 }
914 else
915 {
916 /*
917 * If this is a background worker not bound to any particular
918 * database, we're done now. Everything that follows only makes sense
919 * if we are bound to a specific database. We do need to close the
920 * transaction we started before returning.
921 */
922 if (!bootstrap)
923 {
924 pgstat_bestart();
925 CommitTransactionCommand();
926 }
927 return;
928 }
929
930 /*
931 * Now, take a writer's lock on the database we are trying to connect to.
932 * If there is a concurrently running DROP DATABASE on that database, this
933 * will block us until it finishes (and has committed its update of
934 * pg_database).
935 *
936 * Note that the lock is not held long, only until the end of this startup
937 * transaction. This is OK since we will advertise our use of the
938 * database in the ProcArray before dropping the lock (in fact, that's the
939 * next thing to do). Anyone trying a DROP DATABASE after this point will
940 * see us in the array once they have the lock. Ordering is important for
941 * this because we don't want to advertise ourselves as being in this
942 * database until we have the lock; otherwise we create what amounts to a
943 * deadlock with CountOtherDBBackends().
944 *
945 * Note: use of RowExclusiveLock here is reasonable because we envision
946 * our session as being a concurrent writer of the database. If we had a
947 * way of declaring a session as being guaranteed-read-only, we could use
948 * AccessShareLock for such sessions and thereby not conflict against
949 * CREATE DATABASE.
950 */
951 if (!bootstrap)
952 LockSharedObject(DatabaseRelationId, MyDatabaseId, 0,
953 RowExclusiveLock);
954
955 /*
956 * Now we can mark our PGPROC entry with the database ID.
957 *
958 * We assume this is an atomic store so no lock is needed; though actually
959 * things would work fine even if it weren't atomic. Anyone searching the
960 * ProcArray for this database's ID should hold the database lock, so they
961 * would not be executing concurrently with this store. A process looking
962 * for another database's ID could in theory see a chance match if it read
963 * a partially-updated databaseId value; but as long as all such searches
964 * wait and retry, as in CountOtherDBBackends(), they will certainly see
965 * the correct value on their next try.
966 */
967 MyProc->databaseId = MyDatabaseId;
968
969 /*
970 * We established a catalog snapshot while reading pg_authid and/or
971 * pg_database; but until we have set up MyDatabaseId, we won't react to
972 * incoming sinval messages for unshared catalogs, so we won't realize it
973 * if the snapshot has been invalidated. Assume it's no good anymore.
974 */
975 InvalidateCatalogSnapshot();
976
977 /*
978 * Recheck pg_database to make sure the target database hasn't gone away.
979 * If there was a concurrent DROP DATABASE, this ensures we will die
980 * cleanly without creating a mess.
981 */
982 if (!bootstrap)
983 {
984 HeapTuple tuple;
985
986 tuple = GetDatabaseTuple(dbname);
987 if (!HeapTupleIsValid(tuple) ||
988 MyDatabaseId != ((Form_pg_database) GETSTRUCT(tuple))->oid ||
989 MyDatabaseTableSpace != ((Form_pg_database) GETSTRUCT(tuple))->dattablespace)
990 ereport(FATAL,
991 (errcode(ERRCODE_UNDEFINED_DATABASE),
992 errmsg("database \"%s\" does not exist", dbname),
993 errdetail("It seems to have just been dropped or renamed.")));
994 }
995
996 /*
997 * Now we should be able to access the database directory safely. Verify
998 * it's there and looks reasonable.
999 */
1000 fullpath = GetDatabasePath(MyDatabaseId, MyDatabaseTableSpace);
1001
1002 if (!bootstrap)
1003 {
1004 if (access(fullpath, F_OK) == -1)
1005 {
1006 if (errno == ENOENT)
1007 ereport(FATAL,
1008 (errcode(ERRCODE_UNDEFINED_DATABASE),
1009 errmsg("database \"%s\" does not exist",
1010 dbname),
1011 errdetail("The database subdirectory \"%s\" is missing.",
1012 fullpath)));
1013 else
1014 ereport(FATAL,
1015 (errcode_for_file_access(),
1016 errmsg("could not access directory \"%s\": %m",
1017 fullpath)));
1018 }
1019
1020 ValidatePgVersion(fullpath);
1021 }
1022
1023 SetDatabasePath(fullpath);
1024
1025 /*
1026 * It's now possible to do real access to the system catalogs.
1027 *
1028 * Load relcache entries for the system catalogs. This must create at
1029 * least the minimum set of "nailed-in" cache entries.
1030 */
1031 RelationCacheInitializePhase3();
1032
1033 /* set up ACL framework (so CheckMyDatabase can check permissions) */
1034 initialize_acl();
1035
1036 /*
1037 * Re-read the pg_database row for our database, check permissions and set
1038 * up database-specific GUC settings. We can't do this until all the
1039 * database-access infrastructure is up. (Also, it wants to know if the
1040 * user is a superuser, so the above stuff has to happen first.)
1041 */
1042 if (!bootstrap)
1043 CheckMyDatabase(dbname, am_superuser, override_allow_connections);
1044
1045 /*
1046 * Now process any command-line switches and any additional GUC variable
1047 * settings passed in the startup packet. We couldn't do this before
1048 * because we didn't know if client is a superuser.
1049 */
1050 if (MyProcPort != NULL)
1051 process_startup_options(MyProcPort, am_superuser);
1052
1053 /* Process pg_db_role_setting options */
1054 process_settings(MyDatabaseId, GetSessionUserId());
1055
1056 /* Apply PostAuthDelay as soon as we've read all options */
1057 if (PostAuthDelay > 0)
1058 pg_usleep(PostAuthDelay * 1000000L);
1059
1060 /*
1061 * Initialize various default states that can't be set up until we've
1062 * selected the active user and gotten the right GUC settings.
1063 */
1064
1065 /* set default namespace search path */
1066 InitializeSearchPath();
1067
1068 /* initialize client encoding */
1069 InitializeClientEncoding();
1070
1071 /* Initialize this backend's session state. */
1072 InitializeSession();
1073
1074 /* report this backend in the PgBackendStatus array */
1075 if (!bootstrap)
1076 pgstat_bestart();
1077
1078 /* close the transaction we started above */
1079 if (!bootstrap)
1080 CommitTransactionCommand();
1081 }
1082
1083 /*
1084 * Process any command-line switches and any additional GUC variable
1085 * settings passed in the startup packet.
1086 */
1087 static void
process_startup_options(Port * port,bool am_superuser)1088 process_startup_options(Port *port, bool am_superuser)
1089 {
1090 GucContext gucctx;
1091 ListCell *gucopts;
1092
1093 gucctx = am_superuser ? PGC_SU_BACKEND : PGC_BACKEND;
1094
1095 /*
1096 * First process any command-line switches that were included in the
1097 * startup packet, if we are in a regular backend.
1098 */
1099 if (port->cmdline_options != NULL)
1100 {
1101 /*
1102 * The maximum possible number of commandline arguments that could
1103 * come from port->cmdline_options is (strlen + 1) / 2; see
1104 * pg_split_opts().
1105 */
1106 char **av;
1107 int maxac;
1108 int ac;
1109
1110 maxac = 2 + (strlen(port->cmdline_options) + 1) / 2;
1111
1112 av = (char **) palloc(maxac * sizeof(char *));
1113 ac = 0;
1114
1115 av[ac++] = "postgres";
1116
1117 pg_split_opts(av, &ac, port->cmdline_options);
1118
1119 av[ac] = NULL;
1120
1121 Assert(ac < maxac);
1122
1123 (void) process_postgres_switches(ac, av, gucctx, NULL);
1124 }
1125
1126 /*
1127 * Process any additional GUC variable settings passed in startup packet.
1128 * These are handled exactly like command-line variables.
1129 */
1130 gucopts = list_head(port->guc_options);
1131 while (gucopts)
1132 {
1133 char *name;
1134 char *value;
1135
1136 name = lfirst(gucopts);
1137 gucopts = lnext(port->guc_options, gucopts);
1138
1139 value = lfirst(gucopts);
1140 gucopts = lnext(port->guc_options, gucopts);
1141
1142 SetConfigOption(name, value, gucctx, PGC_S_CLIENT);
1143 }
1144 }
1145
1146 /*
1147 * Load GUC settings from pg_db_role_setting.
1148 *
1149 * We try specific settings for the database/role combination, as well as
1150 * general for this database and for this user.
1151 */
1152 static void
process_settings(Oid databaseid,Oid roleid)1153 process_settings(Oid databaseid, Oid roleid)
1154 {
1155 Relation relsetting;
1156 Snapshot snapshot;
1157
1158 if (!IsUnderPostmaster)
1159 return;
1160
1161 relsetting = table_open(DbRoleSettingRelationId, AccessShareLock);
1162
1163 /* read all the settings under the same snapshot for efficiency */
1164 snapshot = RegisterSnapshot(GetCatalogSnapshot(DbRoleSettingRelationId));
1165
1166 /* Later settings are ignored if set earlier. */
1167 ApplySetting(snapshot, databaseid, roleid, relsetting, PGC_S_DATABASE_USER);
1168 ApplySetting(snapshot, InvalidOid, roleid, relsetting, PGC_S_USER);
1169 ApplySetting(snapshot, databaseid, InvalidOid, relsetting, PGC_S_DATABASE);
1170 ApplySetting(snapshot, InvalidOid, InvalidOid, relsetting, PGC_S_GLOBAL);
1171
1172 UnregisterSnapshot(snapshot);
1173 table_close(relsetting, AccessShareLock);
1174 }
1175
1176 /*
1177 * Backend-shutdown callback. Do cleanup that we want to be sure happens
1178 * before all the supporting modules begin to nail their doors shut via
1179 * their own callbacks.
1180 *
1181 * User-level cleanup, such as temp-relation removal and UNLISTEN, happens
1182 * via separate callbacks that execute before this one. We don't combine the
1183 * callbacks because we still want this one to happen if the user-level
1184 * cleanup fails.
1185 */
1186 static void
ShutdownPostgres(int code,Datum arg)1187 ShutdownPostgres(int code, Datum arg)
1188 {
1189 /* Make sure we've killed any active transaction */
1190 AbortOutOfAnyTransaction();
1191
1192 /*
1193 * User locks are not released by transaction end, so be sure to release
1194 * them explicitly.
1195 */
1196 LockReleaseAll(USER_LOCKMETHOD, true);
1197 }
1198
1199
1200 /*
1201 * STATEMENT_TIMEOUT handler: trigger a query-cancel interrupt.
1202 */
1203 static void
StatementTimeoutHandler(void)1204 StatementTimeoutHandler(void)
1205 {
1206 int sig = SIGINT;
1207
1208 /*
1209 * During authentication the timeout is used to deal with
1210 * authentication_timeout - we want to quit in response to such timeouts.
1211 */
1212 if (ClientAuthInProgress)
1213 sig = SIGTERM;
1214
1215 #ifdef HAVE_SETSID
1216 /* try to signal whole process group */
1217 kill(-MyProcPid, sig);
1218 #endif
1219 kill(MyProcPid, sig);
1220 }
1221
1222 /*
1223 * LOCK_TIMEOUT handler: trigger a query-cancel interrupt.
1224 */
1225 static void
LockTimeoutHandler(void)1226 LockTimeoutHandler(void)
1227 {
1228 #ifdef HAVE_SETSID
1229 /* try to signal whole process group */
1230 kill(-MyProcPid, SIGINT);
1231 #endif
1232 kill(MyProcPid, SIGINT);
1233 }
1234
1235 static void
IdleInTransactionSessionTimeoutHandler(void)1236 IdleInTransactionSessionTimeoutHandler(void)
1237 {
1238 IdleInTransactionSessionTimeoutPending = true;
1239 InterruptPending = true;
1240 SetLatch(MyLatch);
1241 }
1242
1243 static void
IdleSessionTimeoutHandler(void)1244 IdleSessionTimeoutHandler(void)
1245 {
1246 IdleSessionTimeoutPending = true;
1247 InterruptPending = true;
1248 SetLatch(MyLatch);
1249 }
1250
1251 static void
ClientCheckTimeoutHandler(void)1252 ClientCheckTimeoutHandler(void)
1253 {
1254 CheckClientConnectionPending = true;
1255 InterruptPending = true;
1256 SetLatch(MyLatch);
1257 }
1258
1259 /*
1260 * Returns true if at least one role is defined in this database cluster.
1261 */
1262 static bool
ThereIsAtLeastOneRole(void)1263 ThereIsAtLeastOneRole(void)
1264 {
1265 Relation pg_authid_rel;
1266 TableScanDesc scan;
1267 bool result;
1268
1269 pg_authid_rel = table_open(AuthIdRelationId, AccessShareLock);
1270
1271 scan = table_beginscan_catalog(pg_authid_rel, 0, NULL);
1272 result = (heap_getnext(scan, ForwardScanDirection) != NULL);
1273
1274 table_endscan(scan);
1275 table_close(pg_authid_rel, AccessShareLock);
1276
1277 return result;
1278 }
1279