Re: Avoiding useless SHA256 initialization with backup manifests, breaking base backups with FIPS
On Tue, Nov 10, 2020 at 11:00:14AM +0900, Michael Paquier wrote: > Attached is a patch that I would like to back-patch down to v13 to > avoid this useless initialization, giving users the possibility to > take base backups with FIPS when not using a backup manifest. Without > the solution in the first paragraph, you cannot make use of backup > manifests at all with OpenSSL+FIPS (one can still enforce the use of > the in-core SHA2 implementation even if building with OpenSSL), but at > least it gives an escape route with 13. Okay. Hearing nothing, I have applied that. -- Michael signature.asc Description: PGP signature
Avoiding useless SHA256 initialization with backup manifests, breaking base backups with FIPS
Hi all,
Trying to use OpenSSL with FIPS breaks if one attempts to call the
low-level SHA2 routines we currently use in sha2_openssl.c (upstream
calls that OpenSSLDie()), forcing a crash of PG. The actual way to
fix that is to use EVP as I solved here:
https://commitfest.postgresql.org/30/2762/
Unfortunately, this enforces an ABI breakage so this is not
backpatchable material. Now, if one attempts to use OpenSSL with
FIPS, the initialization of backup manifests in
InitializeBackupManifest() enforces a call to pg_sha256_init() for the
manifest file itself even if pg_basebackup, or anything requesting a
base backup with the replication protocol, does *not* want a backup
manifest. One can for example enforce to not use a backup manifest
with --no-manifest in pg_basebackup, but even if you specify that base
backups cause the backend to crash on HEAD if using FIPS in OpenSSL.
Looking at the code, the checksum of the manifest file is updated or
finalized only if IsManifestEnabled() is satisfied, meaning that if
the caller does not want a manifest we do its initialization, but
we have no use for it.
Attached is a patch that I would like to back-patch down to v13 to
avoid this useless initialization, giving users the possibility to
take base backups with FIPS when not using a backup manifest. Without
the solution in the first paragraph, you cannot make use of backup
manifests at all with OpenSSL+FIPS (one can still enforce the use of
the in-core SHA2 implementation even if building with OpenSSL), but at
least it gives an escape route with 13.
Thoughts?
--
Michael
diff --git a/src/backend/replication/backup_manifest.c b/src/backend/replication/backup_manifest.c
index 556e6b5040..bab5e2f53b 100644
--- a/src/backend/replication/backup_manifest.c
+++ b/src/backend/replication/backup_manifest.c
@@ -57,12 +57,17 @@ InitializeBackupManifest(backup_manifest_info *manifest,
backup_manifest_option want_manifest,
pg_checksum_type manifest_checksum_type)
{
+ memset(manifest, 0, sizeof(backup_manifest_info));
+ manifest->checksum_type = manifest_checksum_type;
+
if (want_manifest == MANIFEST_OPTION_NO)
manifest->buffile = NULL;
else
+ {
manifest->buffile = BufFileCreateTemp(false);
- manifest->checksum_type = manifest_checksum_type;
- pg_sha256_init(>manifest_ctx);
+ pg_sha256_init(>manifest_ctx);
+ }
+
manifest->manifest_size = UINT64CONST(0);
manifest->force_encode = (want_manifest == MANIFEST_OPTION_FORCE_ENCODE);
manifest->first_file = true;
signature.asc
Description: PGP signature
Re: Documentation patch for backup manifests in protocol.sgml
Am Montag, den 31.08.2020, 18:48 -0400 schrieb Bruce Momjian: > > So confirmed. > > > Patch applied through 13. Thanks!
Re: Documentation patch for backup manifests in protocol.sgml
On Mon, Aug 31, 2020 at 06:48:53PM -0400, Bruce Momjian wrote: > Patch applied through 13. Thanks. -- Michael signature.asc Description: PGP signature
Re: Documentation patch for backup manifests in protocol.sgml
On Mon, Aug 24, 2020 at 04:58:34PM +0900, Michael Paquier wrote: > On Fri, Aug 21, 2020 at 06:03:32PM -0400, Bruce Momjian wrote: > > On Tue, Aug 18, 2020 at 02:41:09PM +0200, Bernd Helmle wrote: > >> protocol.sgml describes the protocol messages received by a BASE_BACKUP > >> streaming command, but doesn't tell anything about the additional > >> CopyResponse data message containing the contents of the backup > >> manifest (if requested) after having received the tar files. So i > >> propose the attached to give a little more detail in this paragraph. > > > > If someone can confirm this, I will apply it? Magnus? > > The reason why backup manifests are sent at the end of a base backup > is that they include the start and stop positions of the backup (see > caller of AddWALInfoToBackupManifest() in perform_base_backup()). > Once this is done, an extra CopyOutResponse message is indeed sent > within SendBackupManifest() in backup_manifest.c. > > So confirmed. Patch applied through 13. -- Bruce Momjian https://momjian.us EnterpriseDB https://enterprisedb.com The usefulness of a cup is in its emptiness, Bruce Lee
Re: Documentation patch for backup manifests in protocol.sgml
On Fri, Aug 21, 2020 at 06:03:32PM -0400, Bruce Momjian wrote: > On Tue, Aug 18, 2020 at 02:41:09PM +0200, Bernd Helmle wrote: >> protocol.sgml describes the protocol messages received by a BASE_BACKUP >> streaming command, but doesn't tell anything about the additional >> CopyResponse data message containing the contents of the backup >> manifest (if requested) after having received the tar files. So i >> propose the attached to give a little more detail in this paragraph. > > If someone can confirm this, I will apply it? Magnus? The reason why backup manifests are sent at the end of a base backup is that they include the start and stop positions of the backup (see caller of AddWALInfoToBackupManifest() in perform_base_backup()). Once this is done, an extra CopyOutResponse message is indeed sent within SendBackupManifest() in backup_manifest.c. So confirmed. -- Michael signature.asc Description: PGP signature
Re: Documentation patch for backup manifests in protocol.sgml
On Tue, Aug 18, 2020 at 02:41:09PM +0200, Bernd Helmle wrote: > Hi, > > protocol.sgml describes the protocol messages received by a BASE_BACKUP > streaming command, but doesn't tell anything about the additional > CopyResponse data message containing the contents of the backup > manifest (if requested) after having received the tar files. So i > propose the attached to give a little more detail in this paragraph. > > Thanks, Bernd > > diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml > index 8b00235a516..31918144b37 100644 > --- a/doc/src/sgml/protocol.sgml > +++ b/doc/src/sgml/protocol.sgml > @@ -2665,8 +2665,10 @@ The commands accepted in replication mode are: >ustar interchange format specified in the POSIX > 1003.1-2008 >standard) dump of the tablespace contents, except that the two trailing >blocks of zeroes specified in the standard are omitted. > - After the tar data is complete, a final ordinary result set will be > sent, > - containing the WAL end position of the backup, in the same format as > + After the tar data is complete, and if a backup manifest was requested, > + another CopyResponse result is sent, containing the manifest data for > the > + current base backup. In any case, a final ordinary result set will be > + sent, containing the WAL end position of the backup, in the same > format as >the start position. > If someone can confirm this, I will apply it? Magnus? -- Bruce Momjian https://momjian.us EnterpriseDB https://enterprisedb.com The usefulness of a cup is in its emptiness, Bruce Lee
Documentation patch for backup manifests in protocol.sgml
Hi, protocol.sgml describes the protocol messages received by a BASE_BACKUP streaming command, but doesn't tell anything about the additional CopyResponse data message containing the contents of the backup manifest (if requested) after having received the tar files. So i propose the attached to give a little more detail in this paragraph. Thanks, Bernd diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml index 8b00235a516..31918144b37 100644 --- a/doc/src/sgml/protocol.sgml +++ b/doc/src/sgml/protocol.sgml @@ -2665,8 +2665,10 @@ The commands accepted in replication mode are: ustar interchange format specified in the POSIX 1003.1-2008 standard) dump of the tablespace contents, except that the two trailing blocks of zeroes specified in the standard are omitted. - After the tar data is complete, a final ordinary result set will be sent, - containing the WAL end position of the backup, in the same format as + After the tar data is complete, and if a backup manifest was requested, + another CopyResponse result is sent, containing the manifest data for the + current base backup. In any case, a final ordinary result set will be + sent, containing the WAL end position of the backup, in the same format as the start position.
Re: backup manifests
On Thu, Apr 23, 2020 at 5:16 PM Andres Freund wrote:
> Do you not see a warning when compiling with optimizations enabled?
No, I don't. I tried it with -O{0,1,2,3} and I always use -Wall
-Werror. No warnings.
[rhaas pgsql]$ clang -v
clang version 5.0.2 (tags/RELEASE_502/final)
Target: x86_64-apple-darwin19.4.0
Thread model: posix
InstalledDir: /opt/local/libexec/llvm-5.0/bin
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Re: backup manifests
Hi, On 2020-04-23 08:57:39 -0400, Robert Haas wrote: > On Sun, Apr 5, 2020 at 3:31 PM Andres Freund wrote: > > The warnings don't seem too unreasonable. The compiler can't see that > > the error_cb inside json_manifest_parse_failure() is not expected to > > return. Probably worth adding a wrapper around the calls to > > context->error_cb and mark that as noreturn. > > Eh, how? The callback is declared as: > > typedef void (*json_manifest_error_callback)(JsonManifestParseContext *, > char > *fmt, ...) pg_attribute_printf(2, 3); > > I don't know of a way to create a wrapper around that, because of the > variable argument list. Didn't think that far... > We could change the callback to take va_list, I guess. I'd argue that that'd be a good idea anyway, otherwise there's no way to wrap the invocation anywhere in the code. But that's an independent consideration, as: > Does it work for you to just add pg_attribute_noreturn() to this > typedef, as in the attached? does fix the problem for me, cool. Do you not see a warning when compiling with optimizations enabled? Greetings, Andres Freund
Re: backup manifests
On Sun, Apr 5, 2020 at 3:31 PM Andres Freund wrote: > The warnings don't seem too unreasonable. The compiler can't see that > the error_cb inside json_manifest_parse_failure() is not expected to > return. Probably worth adding a wrapper around the calls to > context->error_cb and mark that as noreturn. Eh, how? The callback is declared as: typedef void (*json_manifest_error_callback)(JsonManifestParseContext *, char *fmt, ...) pg_attribute_printf(2, 3); I don't know of a way to create a wrapper around that, because of the variable argument list. We could change the callback to take va_list, I guess. Does it work for you to just add pg_attribute_noreturn() to this typedef, as in the attached? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company noreturn.patch Description: Binary data
Re: backup manifests
On 2020/04/23 1:28, Robert Haas wrote:
On Wed, Apr 22, 2020 at 12:21 PM Fujii Masao
wrote:
I found three minor issues in pg_verifybackup.
+ {"print-parse-wal", no_argument, NULL, 'p'},
This is unused option, so this line should be removed.
+ printf(_(" -m, --manifest=PATH use specified path for
manifest\n"));
Typo: --manifest should be --manifest-path
pg_verifybackup accepts --quiet option, but its usage() doesn't
print any message for --quiet option.
Attached is the patch that fixes those issues.
Thanks; LGTM.
Thanks for the review! Pushed.
Regards,
--
Fujii Masao
Advanced Computing Technology Center
Research and Development Headquarters
NTT DATA CORPORATION
Re: backup manifests
On Wed, Apr 22, 2020 at 12:21 PM Fujii Masao
wrote:
> I found three minor issues in pg_verifybackup.
>
> + {"print-parse-wal", no_argument, NULL, 'p'},
>
> This is unused option, so this line should be removed.
>
> + printf(_(" -m, --manifest=PATH use specified path for
> manifest\n"));
>
> Typo: --manifest should be --manifest-path
>
> pg_verifybackup accepts --quiet option, but its usage() doesn't
> print any message for --quiet option.
>
> Attached is the patch that fixes those issues.
Thanks; LGTM.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Re: backup manifests
On 2020/04/15 11:18, Fujii Masao wrote:
On 2020/04/14 0:15, Robert Haas wrote:
On Sun, Apr 12, 2020 at 10:09 PM Fujii Masao
wrote:
I found other minor issues.
I think these are all correct fixes. Thanks for the post-commit
review, and sorry for this mistakes.
Thanks for the review, Michael and Robert. Pushed the patches!
I found three minor issues in pg_verifybackup.
+ {"print-parse-wal", no_argument, NULL, 'p'},
This is unused option, so this line should be removed.
+ printf(_(" -m, --manifest=PATH use specified path for
manifest\n"));
Typo: --manifest should be --manifest-path
pg_verifybackup accepts --quiet option, but its usage() doesn't
print any message for --quiet option.
Attached is the patch that fixes those issues.
Regards,
--
Fujii Masao
Advanced Computing Technology Center
Research and Development Headquarters
NTT DATA CORPORATION
diff --git a/src/bin/pg_verifybackup/pg_verifybackup.c
b/src/bin/pg_verifybackup/pg_verifybackup.c
index 9c0a8c5550..340765526d 100644
--- a/src/bin/pg_verifybackup/pg_verifybackup.c
+++ b/src/bin/pg_verifybackup/pg_verifybackup.c
@@ -162,7 +162,6 @@ main(int argc, char **argv)
{"ignore", required_argument, NULL, 'i'},
{"manifest-path", required_argument, NULL, 'm'},
{"no-parse-wal", no_argument, NULL, 'n'},
- {"print-parse-wal", no_argument, NULL, 'p'},
{"quiet", no_argument, NULL, 'q'},
{"skip-checksums", no_argument, NULL, 's'},
{"wal-directory", required_argument, NULL, 'w'},
@@ -894,8 +893,9 @@ usage(void)
printf(_("Options:\n"));
printf(_(" -e, --exit-on-error exit immediately on error\n"));
printf(_(" -i, --ignore=RELATIVE_PATH ignore indicated path\n"));
- printf(_(" -m, --manifest=PATH use specified path for
manifest\n"));
+ printf(_(" -m, --manifest-path=PATHuse specified path for
manifest\n"));
printf(_(" -n, --no-parse-wal do not try to parse WAL
files\n"));
+ printf(_(" -q, --quiet do not print any output, except
for errors\n"));
printf(_(" -s, --skip-checksumsskip checksum verification\n"));
printf(_(" -w, --wal-directory=PATHuse specified path for WAL
files\n"));
printf(_(" -V, --version output version information,
then exit\n"));
Re: backup manifests
On 2020/04/14 0:15, Robert Haas wrote: On Sun, Apr 12, 2020 at 10:09 PM Fujii Masao wrote: I found other minor issues. I think these are all correct fixes. Thanks for the post-commit review, and sorry for this mistakes. Thanks for the review, Michael and Robert. Pushed the patches! Regards, -- Fujii Masao Advanced Computing Technology Center Research and Development Headquarters NTT DATA CORPORATION
Re: backup manifests
On Sun, Apr 12, 2020 at 10:09 PM Fujii Masao wrote: > I found other minor issues. I think these are all correct fixes. Thanks for the post-commit review, and sorry for this mistakes. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests
On Mon, Apr 13, 2020 at 11:09:34AM +0900, Fujii Masao wrote:
> - while ((c = getopt_long(argc, argv,
> "CD:F:r:RS:T:X:l:nNzZ:d:c:h:p:U:s:wWkvP",
> + while ((c = getopt_long(argc, argv,
> "CD:F:r:RS:T:X:l:nNzZ:d:c:h:p:U:s:wWkvPm:",
>
> "m:" seems unnecessary, so should be removed?
> Patch attached.
Smells like some remnant diff from a previous version.
> + if (strcmp(basedir, "-") == 0)
> + {
> + charheader[512];
> + PQExpBufferData buf;
> +
> + initPQExpBuffer();
> + ReceiveBackupManifestInMemory(conn, );
>
> backup_manifest should be received only when the manifest is enabled,
> so ISTM that the flag "manifest" should be checked in the above if-condition.
> Thought? Patch attached.
>
> - if (strcmp(basedir, "-") == 0)
> + if (strcmp(basedir, "-") == 0 && manifest)
> {
> charheader[512];
> PQExpBufferData buf;
Indeed. Using the tar format with --no-manifest causes a failure:
pg_basebackup -D - --format=t --wal-method=none \
--no-manifest > /dev/null
The doc changes look right to me. Nice catches.
--
Michael
signature.asc
Description: PGP signature
Re: backup manifests
On 2020/04/09 23:06, Fujii Masao wrote:
On 2020/04/09 2:35, Robert Haas wrote:
On Wed, Apr 8, 2020 at 1:15 AM Fujii Masao wrote:
When there is a backup_manifest in the database cluster, it's included in
the backup even when --no-manifest is specified. ISTM that this is problematic
because the backup_manifest is obviously not valid for the backup.
So, isn't it better to always exclude the *existing* backup_manifest in the
cluster from the backup, like backup_label/tablespace_map? Patch attached.
Also I found the typo in the document. Patch attached.
Both patches look good. The second one is definitely a mistake on my
part, and the first one seems like a totally reasonable change.
Thanks!
Thanks for reviewing them! I pushed them.
I found other minor issues.
+ When this option is specified with a value of yes
+ or force-escape, a backup manifest is created
force-escape should be force-encode.
Patch attached.
- while ((c = getopt_long(argc, argv,
"CD:F:r:RS:T:X:l:nNzZ:d:c:h:p:U:s:wWkvP",
+ while ((c = getopt_long(argc, argv,
"CD:F:r:RS:T:X:l:nNzZ:d:c:h:p:U:s:wWkvPm:",
"m:" seems unnecessary, so should be removed?
Patch attached.
+ if (strcmp(basedir, "-") == 0)
+ {
+ charheader[512];
+ PQExpBufferData buf;
+
+ initPQExpBuffer();
+ ReceiveBackupManifestInMemory(conn, );
backup_manifest should be received only when the manifest is enabled,
so ISTM that the flag "manifest" should be checked in the above if-condition.
Thought? Patch attached.
Regards,
--
Fujii Masao
Advanced Computing Technology Center
Research and Development Headquarters
NTT DATA CORPORATION
diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 536de9a698..87292739b5 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -2578,19 +2578,19 @@ The commands accepted in replication mode are:
-MANIFEST
+MANIFEST
manifest_option
When this option is specified with a value of yes
- or force-escape, a backup manifest is created
+ or force-encode, a backup manifest is created
and sent along with the backup. The manifest is a list of every
file present in the backup with the exception of any WAL files that
may be included. It also stores the size, last modification time, and
an optional checksum for each file.
- A value of force-escape forces all filenames
+ A value of force-encode forces all filenames
to be hex-encoded; otherwise, this type of encoding is performed only
for files whose names are non-UTF8 octet sequences.
- force-escape is intended primarily for testing
+ force-encode is intended primarily for testing
purposes, to be sure that clients which read the backup manifest
can handle this case. For compatibility with previous releases,
the default is MANIFEST 'no'.
@@ -2599,7 +2599,7 @@ The commands accepted in replication mode are:
-MANIFEST_CHECKSUMS
+MANIFEST_CHECKSUMS
checksum_algorithm
Specifies the algorithm that should be applied to each file included
diff --git a/src/bin/pg_basebackup/pg_basebackup.c
b/src/bin/pg_basebackup/pg_basebackup.c
index de098b3558..f1af8f904a 100644
--- a/src/bin/pg_basebackup/pg_basebackup.c
+++ b/src/bin/pg_basebackup/pg_basebackup.c
@@ -2271,7 +2271,7 @@ main(int argc, char **argv)
atexit(cleanup_directories_atexit);
- while ((c = getopt_long(argc, argv,
"CD:F:r:RS:T:X:l:nNzZ:d:c:h:p:U:s:wWkvPm:",
+ while ((c = getopt_long(argc, argv,
"CD:F:r:RS:T:X:l:nNzZ:d:c:h:p:U:s:wWkvP",
long_options,
_index)) != -1)
{
switch (c)
diff --git a/src/bin/pg_basebackup/pg_basebackup.c
b/src/bin/pg_basebackup/pg_basebackup.c
index f1af8f904a..65ca1b16f0 100644
--- a/src/bin/pg_basebackup/pg_basebackup.c
+++ b/src/bin/pg_basebackup/pg_basebackup.c
@@ -1211,7 +1211,7 @@ ReceiveTarFile(PGconn *conn, PGresult *res, int rownum)
* we're writing a tarfile to stdout, we don't have that option, so
* include it in the one tarfile we've got.
*/
- if (strcmp(basedir, "-") == 0)
+ if (strcmp(basedir, "-") == 0 && manifest)
{
charheader[512];
PQExpBufferData buf;
Re: backup manifests
On 2020/04/09 23:10, Stephen Frost wrote: Greetings, * Fujii Masao (masao.fu...@oss.nttdata.com) wrote: On 2020/04/09 2:35, Robert Haas wrote: On Wed, Apr 8, 2020 at 1:15 AM Fujii Masao wrote: When there is a backup_manifest in the database cluster, it's included in the backup even when --no-manifest is specified. ISTM that this is problematic because the backup_manifest is obviously not valid for the backup. So, isn't it better to always exclude the *existing* backup_manifest in the cluster from the backup, like backup_label/tablespace_map? Patch attached. Also I found the typo in the document. Patch attached. Both patches look good. The second one is definitely a mistake on my part, and the first one seems like a totally reasonable change. Thanks! Thanks for reviewing them! I pushed them. Please note that the commit messages have not been delivered to pgsql-committers yet. They've been released and your address whitelisted. Many thanks!! Regards, -- Fujii Masao Advanced Computing Technology Center Research and Development Headquarters NTT DATA CORPORATION
Re: backup manifests
Greetings, * Fujii Masao (masao.fu...@oss.nttdata.com) wrote: > On 2020/04/09 2:35, Robert Haas wrote: > >On Wed, Apr 8, 2020 at 1:15 AM Fujii Masao > >wrote: > >>When there is a backup_manifest in the database cluster, it's included in > >>the backup even when --no-manifest is specified. ISTM that this is > >>problematic > >>because the backup_manifest is obviously not valid for the backup. > >>So, isn't it better to always exclude the *existing* backup_manifest in the > >>cluster from the backup, like backup_label/tablespace_map? Patch attached. > >> > >>Also I found the typo in the document. Patch attached. > > > >Both patches look good. The second one is definitely a mistake on my > >part, and the first one seems like a totally reasonable change. > >Thanks! > > Thanks for reviewing them! I pushed them. > > Please note that the commit messages have not been delivered to > pgsql-committers yet. They've been released and your address whitelisted. Thanks, Stephen signature.asc Description: PGP signature
Re: backup manifests
On 2020/04/09 2:35, Robert Haas wrote: On Wed, Apr 8, 2020 at 1:15 AM Fujii Masao wrote: When there is a backup_manifest in the database cluster, it's included in the backup even when --no-manifest is specified. ISTM that this is problematic because the backup_manifest is obviously not valid for the backup. So, isn't it better to always exclude the *existing* backup_manifest in the cluster from the backup, like backup_label/tablespace_map? Patch attached. Also I found the typo in the document. Patch attached. Both patches look good. The second one is definitely a mistake on my part, and the first one seems like a totally reasonable change. Thanks! Thanks for reviewing them! I pushed them. Please note that the commit messages have not been delivered to pgsql-committers yet. Regards, -- Fujii Masao Advanced Computing Technology Center Research and Development Headquarters NTT DATA CORPORATION
Re: backup manifests and contemporaneous buildfarm failures
Andrew Dunstan writes:
> On 4/8/20 3:41 PM, Robert Haas wrote:
>> I don't understand what the local $ENV{MSYS2_ARG_CONV_EXCL} =
>> $source_ts_prefix does,
> You don't want to know
> See for the
> gory details.
I don't want to know either, but maybe that reference should be cited
somewhere near where we use this sort of hack.
regards, tom lane
Re: backup manifests and contemporaneous buildfarm failures
On 4/8/20 3:41 PM, Robert Haas wrote:
> On Wed, Apr 8, 2020 at 1:59 PM Tom Lane wrote:
>> I guess we could commit it and find out. I'm all for the simpler
>> coding if it works.
> I don't understand what the local $ENV{MSYS2_ARG_CONV_EXCL} =
> $source_ts_prefix does,
You don't want to know
See for the
gory details.
It's the tablespace map parameter that is upsetting it.
> but the remove/unlink condition was suggested
> by Amit Kapila on the basis of testing on his Windows development
> environment, so I suspect that's actually needed on at least some
> systems. I just work here, though.
>
Yeah, drongo doesn't like it, so we'll have to tweak the logic.
I'll update after some more testing.
cheers
andrew
--
Andrew Dunstanhttps://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: backup manifests and contemporaneous buildfarm failures
On Wed, Apr 8, 2020 at 1:59 PM Tom Lane wrote:
> I guess we could commit it and find out. I'm all for the simpler
> coding if it works.
I don't understand what the local $ENV{MSYS2_ARG_CONV_EXCL} =
$source_ts_prefix does, but the remove/unlink condition was suggested
by Amit Kapila on the basis of testing on his Windows development
environment, so I suspect that's actually needed on at least some
systems. I just work here, though.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Re: backup manifests and contemporaneous buildfarm failures
Andrew Dunstan writes: > OK, tricky, but here's what I did to get this working on fairywren. > First, on Msys2 there is a problem with name mangling. We've had to fix > this before by telling it to ignore certain argument prefixes. > Second, once that was fixed rmdir was failing on the tablespace. On > Windows this is a junction, so unlink is the correct thing to do, I > believe, just as it is on Unix where it's a symlink. Hmm, no opinion about the name mangling business, but the other part seems like it might break jacana and/or bowerbird, which are currently happy with this test? (AFAICS we only have four Windows animals running the TAP tests, and the fourth (drongo) hasn't reported in for awhile.) I guess we could commit it and find out. I'm all for the simpler coding if it works. regards, tom lane
Re: backup manifests and contemporaneous buildfarm failures
On 4/7/20 9:42 AM, Andrew Dunstan wrote:
> On Tue, Apr 7, 2020 at 12:37 AM Tom Lane wrote:
>> Robert Haas writes:
>>> Taking stock of the situation this morning, most of the buildfarm is
>>> now green. There are three failures, on eelpout (6 hours ago),
>>> fairywren (17 hours ago), and hyrax (3 days, 7 hours ago).
>> fairywren has now done this twice in the pg_validatebackupCheck step:
>>
>> exec failed: Bad address at
>> /home/pgrunner/bf/root/HEAD/pgsql.build/../pgsql/src/test/perl/TestLib.pm
>> line 340.
>> at
>> /home/pgrunner/bf/root/HEAD/pgsql.build/../pgsql/src/test/perl/TestLib.pm
>> line 340.
>>
>> I'm a tad suspicious that it needs another perl2host()
>> somewhere, but the log isn't very clear as to where.
>>
>> More generally, I wonder if we ought to be trying to
>> centralize those perl2host() calls instead of sticking
>> them into individual test cases.
>>
>>
>
> Not sure about that. I'll see if I can run it by hand and get some
> more info. What's quite odd is that jacana (a very similar setup) is
> passing this happily.
>
OK, tricky, but here's what I did to get this working on fairywren.
First, on Msys2 there is a problem with name mangling. We've had to fix
this before by telling it to ignore certain argument prefixes.
Second, once that was fixed rmdir was failing on the tablespace. On
Windows this is a junction, so unlink is the correct thing to do, I
believe, just as it is on Unix where it's a symlink.
cheers
andrew
--
Andrew Dunstanhttps://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
diff --git a/src/bin/pg_validatebackup/t/003_corruption.pl b/src/bin/pg_validatebackup/t/003_corruption.pl
index 7a09d02e6c..fe717dfc73 100644
--- a/src/bin/pg_validatebackup/t/003_corruption.pl
+++ b/src/bin/pg_validatebackup/t/003_corruption.pl
@@ -16,6 +16,8 @@ $master->start;
# Include a user-defined tablespace in the hopes of detecting problems in that
# area.
my $source_ts_path = TestLib::perl2host(TestLib::tempdir_short());
+my $source_ts_prefix = $source_ts_path;
+$source_ts_prefix =~ s!([^A-Z]:/[^/]*)/.*!$1!;
$master->safe_psql('postgres', command_ok(['pg_basebackup', '-D', $backup_path, '--no-sync',
'-T', "${source_ts_path}=${backup_ts_path}"],
"base backup ok");
@@ -177,14 +180,7 @@ sub mutilate_missing_tablespace
my ($tsoid) = grep { $_ ne '.' && $_ ne '..' }
slurp_dir("$backup_path/pg_tblspc");
my $pathname = "$backup_path/pg_tblspc/$tsoid";
- if ($windows_os)
- {
- rmdir($pathname) || die "$pathname: $!";
- }
- else
- {
- unlink($pathname) || die "$pathname: $!";
- }
+ unlink($pathname) || die "$pathname: $!";
return;
}
Re: backup manifests
On Wed, Apr 8, 2020 at 1:15 AM Fujii Masao wrote: > When there is a backup_manifest in the database cluster, it's included in > the backup even when --no-manifest is specified. ISTM that this is problematic > because the backup_manifest is obviously not valid for the backup. > So, isn't it better to always exclude the *existing* backup_manifest in the > cluster from the backup, like backup_label/tablespace_map? Patch attached. > > Also I found the typo in the document. Patch attached. Both patches look good. The second one is definitely a mistake on my part, and the first one seems like a totally reasonable change. Thanks! -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests
On 2020/04/04 4:22, Robert Haas wrote:
On Thu, Apr 2, 2020 at 4:34 PM David Steele wrote:
+1. These would be great tests to have and a win for pg_basebackup
overall but I don't think they should be a prerequisite for this commit.
Not to mention the server. I can't say that I have a lot of confidence
that all of the server behavior in this area is well-understood and
sane.
I've pushed all the patches.
When there is a backup_manifest in the database cluster, it's included in
the backup even when --no-manifest is specified. ISTM that this is problematic
because the backup_manifest is obviously not valid for the backup.
So, isn't it better to always exclude the *existing* backup_manifest in the
cluster from the backup, like backup_label/tablespace_map? Patch attached.
Also I found the typo in the document. Patch attached.
Regards,
--
Fujii Masao
Advanced Computing Technology Center
Research and Development Headquarters
NTT DATA CORPORATION
diff --git a/src/backend/replication/basebackup.c
b/src/backend/replication/basebackup.c
index 5d94b9c229..de77534fec 100644
--- a/src/backend/replication/basebackup.c
+++ b/src/backend/replication/basebackup.c
@@ -266,6 +266,13 @@ static const struct exclude_list_item excludeFiles[] =
{BACKUP_LABEL_FILE, false},
{TABLESPACE_MAP, false},
+ /*
+* If there's a backup_manifest, it belongs to a backup that was used
+* to start this server. It is *not* correct for this backup. Our
+* backup_manifest is injected into the backup separately if users want
it.
+*/
+ {"backup_manifest", false},
+
{"postmaster.pid", false},
{"postmaster.opts", false},
diff --git a/src/bin/pg_rewind/filemap.c b/src/bin/pg_rewind/filemap.c
index 9088f1f80f..daaefa751c 100644
--- a/src/bin/pg_rewind/filemap.c
+++ b/src/bin/pg_rewind/filemap.c
@@ -113,6 +113,13 @@ static const struct exclude_list_item excludeFiles[] =
{"backup_label", false},/* defined as BACKUP_LABEL_FILE */
{"tablespace_map", false}, /* defined as TABLESPACE_MAP */
+ /*
+* If there's a backup_manifest, it belongs to a backup that was used
+* to start this server. It is *not* correct for this backup. Our
+* backup_manifest is injected into the backup separately if users want
it.
+*/
+ {"backup_manifest", false},
+
{"postmaster.pid", false},
{"postmaster.opts", false},
diff --git a/doc/src/sgml/ref/pg_validatebackup.sgml
b/doc/src/sgml/ref/pg_validatebackup.sgml
index 19888dc196..20d445efb8 100644
--- a/doc/src/sgml/ref/pg_validatebackup.sgml
+++ b/doc/src/sgml/ref/pg_validatebackup.sgml
@@ -132,7 +132,7 @@ PostgreSQL documentation
Exit as soon as a problem with the backup is detected. If this option
-is not specified, pg_basebackup will continue
+is not specified, pg_validatebackup will continue
checking the backup even after a problem has been detected, and will
report all problems detected as errors.
Re: pgsql: Generate backup manifests for base backups, and validate them.
On 4/7/20 12:44 PM, Robert Haas wrote: On Tue, Apr 7, 2020 at 5:51 AM Peter Eisentraut wrote: On 2020-04-03 21:07, Robert Haas wrote: A new tool called pg_validatebackup can validate a backup against the manifest. In software engineering, "verify" and "validate" have standardized distinct meanings. I'm not going to try to explain them here, but you can easily find them online. I haven't formed an opinion on which one of them this tool is doing, but I notice that both the man page and the messages produced by the tool use the two terms seemingly interchangeably. We should try to pick the correct term and use it consistently. The tool is trying to make sure that we have the same backup that we're supposed to have, and that the associated WAL is present and sane. Looking at https://en.wikipedia.org/wiki/Verification_and_validation, that sounds more like verification than validation, but I confess that this distinction is new to me. When I searched I found a two different definitions for validation and verification. One for software development (as in the link above and what I think Peter meant) and another for data (see https://en.wikipedia.org/wiki/Data_validation, https://en.wikipedia.org/wiki/Data_verification, https://www.differencebetween.com/difference-between-data-validation-and-vs-data-verification/) It seems that validation vs. verify as defined in PMBOK (the former sense) does not really apply here, though. That leaves only the latter sense which appears less well-documented but points to "verify" as the better option. Regards, -- -David da...@pgmasters.net
Re: pgsql: Generate backup manifests for base backups, and validate them.
On Tue, Apr 7, 2020 at 5:51 AM Peter Eisentraut wrote: > On 2020-04-03 21:07, Robert Haas wrote: > > A new tool called pg_validatebackup can validate a backup against the > > manifest. > > In software engineering, "verify" and "validate" have standardized > distinct meanings. I'm not going to try to explain them here, but you > can easily find them online. I haven't formed an opinion on which one > of them this tool is doing, but I notice that both the man page and the > messages produced by the tool use the two terms seemingly > interchangeably. We should try to pick the correct term and use it > consistently. The tool is trying to make sure that we have the same backup that we're supposed to have, and that the associated WAL is present and sane. Looking at https://en.wikipedia.org/wiki/Verification_and_validation, that sounds more like verification than validation, but I confess that this distinction is new to me. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests and contemporaneous buildfarm failures
On Tue, Apr 7, 2020 at 12:37 AM Tom Lane wrote: > > Robert Haas writes: > > Taking stock of the situation this morning, most of the buildfarm is > > now green. There are three failures, on eelpout (6 hours ago), > > fairywren (17 hours ago), and hyrax (3 days, 7 hours ago). > > fairywren has now done this twice in the pg_validatebackupCheck step: > > exec failed: Bad address at > /home/pgrunner/bf/root/HEAD/pgsql.build/../pgsql/src/test/perl/TestLib.pm > line 340. > at /home/pgrunner/bf/root/HEAD/pgsql.build/../pgsql/src/test/perl/TestLib.pm > line 340. > > I'm a tad suspicious that it needs another perl2host() > somewhere, but the log isn't very clear as to where. > > More generally, I wonder if we ought to be trying to > centralize those perl2host() calls instead of sticking > them into individual test cases. > > Not sure about that. I'll see if I can run it by hand and get some more info. What's quite odd is that jacana (a very similar setup) is passing this happily. cheers andrew -- Andrew Dunstanhttps://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: backup manifests and contemporaneous buildfarm failures
On Mon, Apr 6, 2020 at 1:18 AM Fabien COELHO wrote:
>
>
> Hello,
>
> >> Do I need to precede those with some recursive chmod commands? Perhaps
> >> the client should refuse to run if there is still something left after
> >> these.
> >
> > I think the latter would be a very good idea, just so that this sort of
> > failure is less obscure. Not sure about whether a recursive chmod is
> > really going to be worth the cycles. (On the other hand, the normal
> > case should be that there's nothing there anyway, so maybe it's not
> > going to be costly.)
>
> Could it be a two-stage process to minimize cost but still be resilient?
>
>rmtree
>if (-d $DIR) {
> emit warning
> chmodtree
> rmtree again
> if (-d $DIR)
>emit error
>}
>
I thought about doing that. However, it's not really necessary. In the
normal course of events these directories should have been removed at
the end of the previous run, so we're only dealing with exceptional
cases here.
cheers
andrew
--
Andrew Dunstanhttps://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: pgsql: Generate backup manifests for base backups, and validate them.
On 2020-04-03 21:07, Robert Haas wrote: A new tool called pg_validatebackup can validate a backup against the manifest. In software engineering, "verify" and "validate" have standardized distinct meanings. I'm not going to try to explain them here, but you can easily find them online. I haven't formed an opinion on which one of them this tool is doing, but I notice that both the man page and the messages produced by the tool use the two terms seemingly interchangeably. We should try to pick the correct term and use it consistently. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: backup manifests and contemporaneous buildfarm failures
Robert Haas writes: > Taking stock of the situation this morning, most of the buildfarm is > now green. There are three failures, on eelpout (6 hours ago), > fairywren (17 hours ago), and hyrax (3 days, 7 hours ago). fairywren has now done this twice in the pg_validatebackupCheck step: exec failed: Bad address at /home/pgrunner/bf/root/HEAD/pgsql.build/../pgsql/src/test/perl/TestLib.pm line 340. at /home/pgrunner/bf/root/HEAD/pgsql.build/../pgsql/src/test/perl/TestLib.pm line 340. I'm a tad suspicious that it needs another perl2host() somewhere, but the log isn't very clear as to where. More generally, I wonder if we ought to be trying to centralize those perl2host() calls instead of sticking them into individual test cases. regards, tom lane
Re: backup manifests and contemporaneous buildfarm failures
On 4/6/20 7:53 AM, Robert Haas wrote: > On Sun, Apr 5, 2020 at 4:07 PM Andrew Dunstan > wrote: >> Do I need to precede those with some recursive chmod commands? > +1. > >> Perhaps >> the client should refuse to run if there is still something left after >> these. > +1 to that, too. > See https://github.com/PGBuildFarm/client-code/commit/0ef76bb1e2629713898631b9a3380d02d41c60ad This will be in the next release, probably fairly soon. cheers andrew -- Andrew Dunstanhttps://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: backup manifests and contemporaneous buildfarm failures
On Sun, Apr 5, 2020 at 4:07 PM Andrew Dunstan wrote: > Do I need to precede those with some recursive chmod commands? +1. > Perhaps > the client should refuse to run if there is still something left after > these. +1 to that, too. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests and contemporaneous buildfarm failures
Hello,
Do I need to precede those with some recursive chmod commands? Perhaps
the client should refuse to run if there is still something left after
these.
I think the latter would be a very good idea, just so that this sort of
failure is less obscure. Not sure about whether a recursive chmod is
really going to be worth the cycles. (On the other hand, the normal
case should be that there's nothing there anyway, so maybe it's not
going to be costly.)
Could it be a two-stage process to minimize cost but still be resilient?
rmtree
if (-d $DIR) {
emit warning
chmodtree
rmtree again
if (-d $DIR)
emit error
}
--
Fabien.
Re: backup manifests and contemporaneous buildfarm failures
Andrew Dunstan writes:
> Hmm, the buildfarm client does this at the beginning of each run to
> remove anything that might be left over from a previous run:
> rmtree("inst");
> rmtree("$pgsql") unless ($from_source && !$use_vpath);
Right, the point is precisely that some versions of rmtree() fail
to remove a mode-0 subdirectory.
> Do I need to precede those with some recursive chmod commands? Perhaps
> the client should refuse to run if there is still something left after
> these.
I think the latter would be a very good idea, just so that this sort of
failure is less obscure. Not sure about whether a recursive chmod is
really going to be worth the cycles. (On the other hand, the normal
case should be that there's nothing there anyway, so maybe it's not
going to be costly.)
regards, tom lane
Re: backup manifests and contemporaneous buildfarm failures
On 4/5/20 9:10 AM, Mikael Kjellström wrote:
> On 2020-04-04 04:43, Robert Haas wrote:
>
>> I think I've done about as much as I can do for tonight, though. Most
>> things are green now, and the ones that aren't are failing because of
>> stuff that is at least plausibly fixed. By morning it should be
>> clearer how much broken stuff is left, although that will be somewhat
>> complicated by at least sidewinder and seawasp needing manual
>> intervention to get back on track.
>
> I fixed sidewinder I think. Should clear up the next time it runs.
>
> It was the mode on the directory it couldn't handle- A regular rm -rf
> didn't work I had to do a chmod -R 700 on all directories to be able
> to manually remove it.
>
>
Hmm, the buildfarm client does this at the beginning of each run to
remove anything that might be left over from a previous run:
rmtree("inst");
rmtree("$pgsql") unless ($from_source && !$use_vpath);
Do I need to precede those with some recursive chmod commands? Perhaps
the client should refuse to run if there is still something left after
these.
cheers
andrew
--
Andrew Dunstanhttps://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: backup manifests
Hi, On 2020-04-03 15:22:23 -0400, Robert Haas wrote: > I've pushed all the patches. Seeing new warnings in an optimized build /home/andres/src/postgresql-master/src/bin/pg_validatebackup/parse_manifest.c: In function 'json_manifest_object_end': /home/andres/src/postgresql-master/src/bin/pg_validatebackup/parse_manifest.c:591:2: warning: 'end_lsn' may be used uninitialized in this function [-Wmaybe-uninitialized] 591 | context->perwalrange_cb(context, tli, start_lsn, end_lsn); | ^ /home/andres/src/postgresql-master/src/bin/pg_validatebackup/parse_manifest.c:567:5: note: 'end_lsn' was declared here 567 | end_lsn; | ^~~ /home/andres/src/postgresql-master/src/bin/pg_validatebackup/parse_manifest.c:591:2: warning: 'start_lsn' may be used uninitialized in this function [-Wmaybe-uninitialized] 591 | context->perwalrange_cb(context, tli, start_lsn, end_lsn); | ^ /home/andres/src/postgresql-master/src/bin/pg_validatebackup/parse_manifest.c:566:13: note: 'start_lsn' was declared here 566 | XLogRecPtr start_lsn, | ^ The warnings don't seem too unreasonable. The compiler can't see that the error_cb inside json_manifest_parse_failure() is not expected to return. Probably worth adding a wrapper around the calls to context->error_cb and mark that as noreturn. - Andres
Re: backup manifests and contemporaneous buildfarm failures
On 2020-04-04 04:43, Robert Haas wrote: I think I've done about as much as I can do for tonight, though. Most things are green now, and the ones that aren't are failing because of stuff that is at least plausibly fixed. By morning it should be clearer how much broken stuff is left, although that will be somewhat complicated by at least sidewinder and seawasp needing manual intervention to get back on track. I fixed sidewinder I think. Should clear up the next time it runs. It was the mode on the directory it couldn't handle- A regular rm -rf didn't work I had to do a chmod -R 700 on all directories to be able to manually remove it. /Mikael
Re: backup manifests and contemporaneous buildfarm failures
On Sun, Apr 5, 2020 at 2:36 AM Robert Haas wrote: > eelpout is unhappy because: > > +WARNING: could not remove shared memory segment > "/PostgreSQL.248989127": No such file or directory > +WARNING: could not remove shared memory segment > "/PostgreSQL.1450751626": No such file or directory Seems to have fixed itself while I was sleeping. I did happen run apt-get upgrade on that box some time yesterday-ish, but I don't understand what mechanism would trash my /dev/shm in that process. /me eyes systemd with suspicion
Re: backup manifests and contemporaneous buildfarm failures
Robert Haas writes: > On Sat, Apr 4, 2020 at 10:57 AM Tom Lane wrote: >> What is odd is that >> (AFAIR) we've never seen this before. Maybe somebody recently added >> an error cursor callback in a place that didn't have it before, and >> is involved in SQL-function processing? None of the commits leading >> up to the earlier failure look promising for that, though. > The relevant range of commits (e8b1774fc2 to a7b9d24e4e) includes an > ereport change (bda6dedbea) and a couple of "simple expression" > changes (8f59f6b9c0, fbc7a71608) but I don't know exactly why they > would have caused this. When I first noticed hyrax's failure, some days ago, I immediately thought of the "simple expression" patch. But that should not have affected SQL-function processing in any way: the bulk of the changes were in plpgsql, and even the changes in plancache could not be relevant, because functions.c does not use the plancache. As for ereport, you'd think that that would only matter once you were already doing an ereport. The point at which the stack overflow check triggers should be in normal code, not error recovery. > It seems at least possible, though, that > changing the return type of functions involved in error reporting > would slightly change the amount of stack space used; Right, but if it's down to that sort of phase-of-the-moon codegen difference, you'd think this failure would have been coming and going for years. I still suppose that some fairly recent change must be contributing to this, but haven't had time to investigate. > Other than experimenting on > that machine, I'm not sure how we could really determine the relevant > factors here. We don't have a lot of CCA buildfarm machines, so I'm suspecting that it's probably not that hard to repro if you build with CCA. regards, tom lane
Re: backup manifests and contemporaneous buildfarm failures
On Sat, Apr 4, 2020 at 10:57 AM Tom Lane wrote: > It's not so surprising that we could get a different result that way > from a CLOBBER_CACHE_ALWAYS animal like hyrax, since CCA-forced > cache reloads would cause extra stack expenditure at a lot of places. > And it could vary depending on totally random details, like the number > of local variables in seemingly unrelated code. Oh, yeah. That's unfortunate. > What is odd is that > (AFAIR) we've never seen this before. Maybe somebody recently added > an error cursor callback in a place that didn't have it before, and > is involved in SQL-function processing? None of the commits leading > up to the earlier failure look promising for that, though. The relevant range of commits (e8b1774fc2 to a7b9d24e4e) includes an ereport change (bda6dedbea) and a couple of "simple expression" changes (8f59f6b9c0, fbc7a71608) but I don't know exactly why they would have caused this. It seems at least possible, though, that changing the return type of functions involved in error reporting would slightly change the amount of stack space used; and the others are related to SQL-function processing. Other than experimenting on that machine, I'm not sure how we could really determine the relevant factors here. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests and contemporaneous buildfarm failures
Robert Haas writes: > hyrax's last run was before any of this happened, so it seems to have > an unrelated problem. The last two runs, three and six days ago, both > failed like this: > -ERROR: stack depth limit exceeded > +ERROR: stack depth limit exceeded at character 8 > Not sure what that's about. What it looks like is that hyrax is managing to detect stack overflow at a point where an errcontext callback is active that adds an error cursor to the failure. It's not so surprising that we could get a different result that way from a CLOBBER_CACHE_ALWAYS animal like hyrax, since CCA-forced cache reloads would cause extra stack expenditure at a lot of places. And it could vary depending on totally random details, like the number of local variables in seemingly unrelated code. What is odd is that (AFAIR) we've never seen this before. Maybe somebody recently added an error cursor callback in a place that didn't have it before, and is involved in SQL-function processing? None of the commits leading up to the earlier failure look promising for that, though. regards, tom lane
Re: backup manifests
Robert Haas writes: > On Fri, Apr 3, 2020 at 8:18 PM Tom Lane wrote: >> I suppose that judicious s/time_t/pg_time_t/ would fix this. > I think you sent this email just after I pushed > db1531cae00941bfe4f6321fdef1e1ef355b6bed, or maybe after I'd committed > it locally and just before I pushed it. If you prefer a different fix > than what I did there, I can certainly whack it around some more. Yeah, that commit showed up moments after I sent this. Your fix seems fine -- at least prairiedog and gaur are OK with it. (I did verify that gaur was reproducibly crashing at that new pg_strftime call, so we know it was that and not some on-again- off-again issue.) regards, tom lane
Re: backup manifests and contemporaneous buildfarm failures
On Fri, Apr 3, 2020 at 10:43 PM Robert Haas wrote: > I think I've done about as much as I can do for tonight, though. Most > things are green now, and the ones that aren't are failing because of > stuff that is at least plausibly fixed. By morning it should be > clearer how much broken stuff is left, although that will be somewhat > complicated by at least sidewinder and seawasp needing manual > intervention to get back on track. Taking stock of the situation this morning, most of the buildfarm is now green. There are three failures, on eelpout (6 hours ago), fairywren (17 hours ago), and hyrax (3 days, 7 hours ago). eelpout is unhappy because: +WARNING: could not remove shared memory segment "/PostgreSQL.248989127": No such file or directory +WARNING: could not remove shared memory segment "/PostgreSQL.1450751626": No such file or directory multibatch f @@ -861,22 +863,15 @@ select length(max(s.t)) from wide left join (select id, coalesce(t, '') || '' as t from wide) s using (id); - length - - 32 -(1 row) - +ERROR: could not open shared memory segment "/PostgreSQL.605707657": No such file or directory +CONTEXT: parallel worker I'm not sure what caused that exactly, but it sorta looks like operator intervention. Thomas, any ideas? fairywren's last run was on 21dc488, and commit 460314db08e8688e1a54a0a26657941e058e45c5 was an attempt to fix what broken there. I guess we'll find out whether that worked the next time it runs. hyrax's last run was before any of this happened, so it seems to have an unrelated problem. The last two runs, three and six days ago, both failed like this: -ERROR: stack depth limit exceeded +ERROR: stack depth limit exceeded at character 8 Not sure what that's about. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests
On Fri, Apr 3, 2020 at 8:18 PM Tom Lane wrote: > BTW, some of the buildfarm is showing a simpler portability problem: > they think you were too cavalier about the difference between time_t > and pg_time_t. (On a platform with 32-bit time_t, that's an actual > bug, probably.) lapwing is actually failing: > > https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=lapwing=2020-04-03%2021%3A41%3A49 > > ccache gcc -std=gnu99 -Wall -Wmissing-prototypes -Wpointer-arith > -Wdeclaration-after-statement -Werror=vla -Wendif-labels > -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv > -fexcess-precision=standard -g -O2 -Werror -I. -I. -I../../../src/include > -DENFORCE_REGRESSION_TEST_NAME_RESTRICTIONS -D_GNU_SOURCE > -I/usr/include/libxml2 -I/usr/include/et -c -o basebackup.o basebackup.c > basebackup.c: In function 'AddFileToManifest': > basebackup.c:1199:10: error: passing argument 1 of 'pg_gmtime' from > incompatible pointer type [-Werror] > In file included from ../../../src/include/access/xlog_internal.h:26:0, > from basebackup.c:20: > ../../../src/include/pgtime.h:49:22: note: expected 'const pg_time_t *' but > argument is of type 'time_t *' > cc1: all warnings being treated as errors > make[3]: *** [basebackup.o] Error 1 > > but some others are showing it as a warning. > > I suppose that judicious s/time_t/pg_time_t/ would fix this. I think you sent this email just after I pushed db1531cae00941bfe4f6321fdef1e1ef355b6bed, or maybe after I'd committed it locally and just before I pushed it. If you prefer a different fix than what I did there, I can certainly whack it around some more. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests and contemporaneous buildfarm failures
On Fri, Apr 3, 2020 at 11:06 PM Andres Freund wrote: > On 2020-04-03 20:48:09 -0400, Robert Haas wrote: > > 'serinus' is also failing. This is less obviously related: > > Hm. Tests passed once since then. Yeah, but conchuela also failed once in what I think was a similar way. I suspect the fix I pushed last night (3e0d80fd8d3dd4f999e0d3aa3e591f480d8ad1fd) may have been enough to clear this up. > That already seems suspicious. I checked the following (successful) run > and I did not see that in the stage's logs. Yeah, the behavior of the test case doesn't seem to be entirely deterministic. > I, again, have to say that the amount of stuff that was done as part of > > commit 7c4f52409a8c7d85ed169bbbc1f6092274d03920 > Author: Peter Eisentraut > Date: 2017-03-23 08:36:36 -0400 > > Logical replication support for initial data copy > > is insane. Adding support for running sql over replication connections > and extending CREATE_REPLICATION_SLOT with new options (without even > mentioning that in the commit message!) as part of a commit described as > "Logical replication support for initial data copy" shouldn't happen. I agreed then and still do. > So I'm a bit confused here. The best approach is probably to try to > reproduce this by adding an artifical delay into backend shutdown. I was able to reproduce an assertion failure by starting a transaction, running a replication command that failed, and then exiting the backend. 3e0d80fd8d3dd4f999e0d3aa3e591f480d8ad1fd made that go away. I had wrongly assumed that there was no other way for a walsender to have a ResourceOwner, and in the face of SQL commands also being executed by walsenders, that's clearly not true. I'm not sure *precisely* how that lead to the BF failures, but it was really clear that it was wrong. > > (I still really dislike the fact that we have this evil hack allowing > > one connection to mix and match those sets of commands...) > > FWIW, I think the opposite. We should get rid of the difference as much > as possible. Well, that's another approach. It's OK to have one system and it's OK to have two systems, but one and a half is not ideal. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests and contemporaneous buildfarm failures
On 04/04/2020 05:06, Andres Freund wrote: Hi, Peter, Petr, CCed you because it's probably a bug somewhere around the initial copy code for logical replication. On 2020-04-03 20:48:09 -0400, Robert Haas wrote: 'serinus' is also failing. This is less obviously related: Hm. Tests passed once since then. 2020-04-04 02:08:57.299 CEST [5e87d019.506c1:4] LOG: received replication command: CREATE_REPLICATION_SLOT "tap_sub_16390_sync_16384" TEMPORARY LOGICAL pgoutput USE_SNAPSHOT 2020-04-04 02:08:57.299 CEST [5e87d019.506c1:5] ERROR: replication slot "tap_sub_16390_sync_16384" already exists That already seems suspicious. I checked the following (successful) run and I did not see that in the stage's logs. Looking at the failing log, it fails because for some reason there's rounds (once due to a refresh, once due to an intention replication failure) of copying the relation. Each creates its own temporary slot. first time: 2020-04-04 02:08:57.276 CEST [5e87d019.506bd:1] LOG: connection received: host=[local] 2020-04-04 02:08:57.278 CEST [5e87d019.506bd:4] LOG: received replication command: CREATE_REPLICATION_SLOT "tap_sub_16390_sync_16384" TEMPORARY LOGICAL pgoutput USE_SNAPSHOT 2020-04-04 02:08:57.282 CEST [5e87d019.506bd:9] LOG: statement: COPY public.tab_rep TO STDOUT 2020-04-04 02:08:57.284 CEST [5e87d019.506bd:10] LOG: disconnection: session time: 0:00:00.007 user=bf database=postgres host=[local] second time: 2020-04-04 02:08:57.288 CEST [5e87d019.506bf:1] LOG: connection received: host=[local] 2020-04-04 02:08:57.289 CEST [5e87d019.506bf:4] LOG: received replication command: CREATE_REPLICATION_SLOT "tap_sub_16390_sync_16384" TEMPORARY LOGICAL pgoutput USE_SNAPSHOT 2020-04-04 02:08:57.293 CEST [5e87d019.506bf:9] LOG: statement: COPY public.tab_rep TO STDOUT third time: 2020-04-04 02:08:57.297 CEST [5e87d019.506c1:1] LOG: connection received: host=[local] 2020-04-04 02:08:57.299 CEST [5e87d019.506c1:4] LOG: received replication command: CREATE_REPLICATION_SLOT "tap_sub_16390_sync_16384" TEMPORARY LOGICAL pgoutput USE_SNAPSHOT 2020-04-04 02:08:57.299 CEST [5e87d019.506c1:5] ERROR: replication slot "tap_sub_16390_sync_16384" already exists Note that the connection from the second attempt has not yet disconnected. Hence the error about the replication slot already existing - it's a temporary replication slot that'd otherwise already have been dropped. Seems the logical rep code needs to do something about this race? The downstream: 2020-04-04 02:08:57.275 CEST [5e87d019.506bc:1] LOG: logical replication table synchronization worker for subscription "tap_sub", table "tab_rep" has started 2020-04-04 02:08:57.282 CEST [5e87d019.506bc:2] ERROR: duplicate key value violates unique constraint "tab_rep_pkey" 2020-04-04 02:08:57.282 CEST [5e87d019.506bc:3] DETAIL: Key (a)=(1) already exists. 2020-04-04 02:08:57.282 CEST [5e87d019.506bc:4] CONTEXT: COPY tab_rep, line 1 2020-04-04 02:08:57.283 CEST [5e87d018.50689:5] LOG: background worker "logical replication worker" (PID 329404) exited with exit code 1 2020-04-04 02:08:57.287 CEST [5e87d019.506be:1] LOG: logical replication table synchronization worker for subscription "tap_sub", table "tab_rep" has started 2020-04-04 02:08:57.293 CEST [5e87d019.506be:2] ERROR: duplicate key value violates unique constraint "tab_rep_pkey" 2020-04-04 02:08:57.293 CEST [5e87d019.506be:3] DETAIL: Key (a)=(1) already exists. 2020-04-04 02:08:57.293 CEST [5e87d019.506be:4] CONTEXT: COPY tab_rep, line 1 2020-04-04 02:08:57.295 CEST [5e87d018.50689:6] LOG: background worker "logical replication worker" (PID 329406) exited with exit code 1 2020-04-04 02:08:57.297 CEST [5e87d019.506c0:1] LOG: logical replication table synchronization worker for subscription "tap_sub", table "tab_rep" has started 2020-04-04 02:08:57.299 CEST [5e87d019.506c0:2] ERROR: could not create replication slot "tap_sub_16390_sync_16384": ERROR: replication slot "tap_sub_16390_sync_16384" already exists 2020-04-04 02:08:57.300 CEST [5e87d018.50689:7] LOG: background worker "logical replication worker" (PID 329408) exited with exit code Looks like we are simply retrying so fast that upstream will not have finished cleanup after second try by the time we already run the third one. The last_start_times is supposed to protect against that so I guess there is some issue with how that works. -- Petr Jelinek 2ndQuadrant - PostgreSQL Solutions for the Enterprise https://www.2ndQuadrant.com/
Re: backup manifests and contemporaneous buildfarm failures
Hi,
Peter, Petr, CCed you because it's probably a bug somewhere around the
initial copy code for logical replication.
On 2020-04-03 20:48:09 -0400, Robert Haas wrote:
> 'serinus' is also failing. This is less obviously related:
Hm. Tests passed once since then.
> 2020-04-04 02:08:57.299 CEST [5e87d019.506c1:4] LOG: received
> replication command: CREATE_REPLICATION_SLOT
> "tap_sub_16390_sync_16384" TEMPORARY LOGICAL pgoutput USE_SNAPSHOT
> 2020-04-04 02:08:57.299 CEST [5e87d019.506c1:5] ERROR: replication
> slot "tap_sub_16390_sync_16384" already exists
That already seems suspicious. I checked the following (successful) run
and I did not see that in the stage's logs.
Looking at the failing log, it fails because for some reason there's
rounds (once due to a refresh, once due to an intention replication
failure) of copying the relation. Each creates its own temporary slot.
first time:
2020-04-04 02:08:57.276 CEST [5e87d019.506bd:1] LOG: connection received:
host=[local]
2020-04-04 02:08:57.278 CEST [5e87d019.506bd:4] LOG: received replication
command: CREATE_REPLICATION_SLOT "tap_sub_16390_sync_16384" TEMPORARY LOGICAL
pgoutput USE_SNAPSHOT
2020-04-04 02:08:57.282 CEST [5e87d019.506bd:9] LOG: statement: COPY
public.tab_rep TO STDOUT
2020-04-04 02:08:57.284 CEST [5e87d019.506bd:10] LOG: disconnection: session
time: 0:00:00.007 user=bf database=postgres host=[local]
second time:
2020-04-04 02:08:57.288 CEST [5e87d019.506bf:1] LOG: connection received:
host=[local]
2020-04-04 02:08:57.289 CEST [5e87d019.506bf:4] LOG: received replication
command: CREATE_REPLICATION_SLOT "tap_sub_16390_sync_16384" TEMPORARY LOGICAL
pgoutput USE_SNAPSHOT
2020-04-04 02:08:57.293 CEST [5e87d019.506bf:9] LOG: statement: COPY
public.tab_rep TO STDOUT
third time:
2020-04-04 02:08:57.297 CEST [5e87d019.506c1:1] LOG: connection received:
host=[local]
2020-04-04 02:08:57.299 CEST [5e87d019.506c1:4] LOG: received replication
command: CREATE_REPLICATION_SLOT "tap_sub_16390_sync_16384" TEMPORARY LOGICAL
pgoutput USE_SNAPSHOT
2020-04-04 02:08:57.299 CEST [5e87d019.506c1:5] ERROR: replication slot
"tap_sub_16390_sync_16384" already exists
Note that the connection from the second attempt has not yet
disconnected. Hence the error about the replication slot already
existing - it's a temporary replication slot that'd otherwise already
have been dropped.
Seems the logical rep code needs to do something about this race?
About the assertion failure:
TRAP: FailedAssertion("owner->bufferarr.nitems == 0", File:
"/home/bf/build/buildfarm-serinus/HEAD/pgsql.build/../pgsql/src/backend/utils/resowner/resowner.c",
Line: 718)
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(ExceptionalCondition+0x5c)[0x9a13ac]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(ResourceOwnerDelete+0x295)[0x9db8e5]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)[0x54c61f]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(AbortOutOfAnyTransaction+0x122)[0x550e32]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)[0x9b3bc9]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(shmem_exit+0x35)[0x80db45]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)[0x80dc77]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(proc_exit+0x8)[0x80dd08]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(PostgresMain+0x59f)[0x83bd0f]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)[0x7a0264]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(PostmasterMain+0xbfc)[0x7a2b8c]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(main+0x6fb)[0x49749b]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb)[0x7fc52d83]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(_start+0x2a)[0x49753a]
2020-04-04 02:08:57.302 CEST [5e87d018.5066b:4] LOG: server process (PID
329409) was terminated by signal 6: Aborted
Due to the log_line_prefix used, I was at first not entirely sure the
backend that crashed was the one with the ERROR. But it appears we print
the pid as hex for '%c' (why?), so it indeed is the one.
I, again, have to say that the amount of stuff that was done as part of
commit 7c4f52409a8c7d85ed169bbbc1f6092274d03920
Author: Peter Eisentraut
Date: 2017-03-23 08:36:36 -0400
Logical replication support for initial data copy
is insane. Adding support for running sql over replication connections
and extending CREATE_REPLICATION_SLOT with new options (without even
mentioning that in the commit message!) as part of a commit described as
"Logical replication support for initial data copy" shouldn't happen.
It's not obvious to me what buffer pins could be held at this point. I
wonder if this could be somehow related to
commit
Re: backup manifests and contemporaneous buildfarm failures
On Fri, Apr 3, 2020 at 9:52 PM Tom Lane wrote: > Robert Haas writes: > > 'prairiedog' is also unhappy, and it looks related: > > Yeah, gaur also failed in the same place. Both of those are > alignment-picky 32-bit hardware, so I'm thinking the problem is > pg_gmtime() trying to fetch a 64-bit pg_time_t from an insufficiently > aligned address. I'm trying to confirm that on gaur's host right now, > but it's a slow machine ... You might just want to wait until tomorrow and see whether it clears up in newer runs. I just pushed yet another fix that might be relevant. I think I've done about as much as I can do for tonight, though. Most things are green now, and the ones that aren't are failing because of stuff that is at least plausibly fixed. By morning it should be clearer how much broken stuff is left, although that will be somewhat complicated by at least sidewinder and seawasp needing manual intervention to get back on track. I apologize to everyone who has been or will be inconvenienced by all of this. So far I've pushed 4 test case fixes, 2 bug fixes, and 1 makefile fix, which I'm pretty sure is over quota for one patch. :-( -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests and contemporaneous buildfarm failures
Robert Haas writes: > Interestingly, on my machine, rmtree coped with a mode 0 directory > just fine, but mode 0400 was more than its tiny brain could handle, so > the originally committed fix had code to revert 0400 back to 0700, but > I didn't add similar code to revert from 0 back to 0700 because that > was working fine. It seems really odd that an implementation could cope with mode-0 but not mode-400. Not sure I care enough to dig into the Perl library code, though. regards, tom lane
Re: backup manifests and contemporaneous buildfarm failures
Robert Haas writes: > 'prairiedog' is also unhappy, and it looks related: Yeah, gaur also failed in the same place. Both of those are alignment-picky 32-bit hardware, so I'm thinking the problem is pg_gmtime() trying to fetch a 64-bit pg_time_t from an insufficiently aligned address. I'm trying to confirm that on gaur's host right now, but it's a slow machine ... > 'serinus' is also failing. This is less obviously related: Dunno about this one. regards, tom lane
Re: backup manifests and contemporaneous buildfarm failures
On Fri, Apr 3, 2020 at 8:12 PM Tom Lane wrote: > Yeah, so it would seem. The buildfarm script uses rmtree to clean out > the old build tree. The man page for File::Path suggests (but can't > quite bring itself to say in so many words) that by default, rmtree > will adjust the permissions on target directories to allow the deletion > to succeed. But that's very clearly not happening on some platforms. > (Maybe that represents a local patch on the part of some packagers > who thought it was too unsafe?) Interestingly, on my machine, rmtree coped with a mode 0 directory just fine, but mode 0400 was more than its tiny brain could handle, so the originally committed fix had code to revert 0400 back to 0700, but I didn't add similar code to revert from 0 back to 0700 because that was working fine. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests and contemporaneous buildfarm failures
On Fri, Apr 3, 2020 at 6:13 PM Tom Lane wrote:
> Locally, I observe that "make clean" in src/bin/pg_validatebackup fails
> to clean up the tmp_check directory left behind by "make check".
Fixed.
I also tried to fix 'lapwing', which was complaining about about a
call to pg_gmtime, saying that it "expected 'const pg_time_t *' but
argument is of type 'time_t *'". I was thinking that the problem had
something to do with const, but Thomas pointed out to me that
pg_time_t != time_t, so I pushed a fix which assumes that was the
issue. (It was certainly *an* issue.)
'prairiedog' is also unhappy, and it looks related:
/bin/sh ../../../../config/install-sh -c -d
'/Users/buildfarm/bf-data/HEAD/pgsql.build/src/test/modules/commit_ts'/tmp_check
cd . &&
TESTDIR='/Users/buildfarm/bf-data/HEAD/pgsql.build/src/test/modules/commit_ts'
PATH="/Users/buildfarm/bf-data/HEAD/pgsql.build/tmp_install/Users/buildfarm/bf-data/HEAD/inst/bin:$PATH"
DYLD_LIBRARY_PATH="/Users/buildfarm/bf-data/HEAD/pgsql.build/tmp_install/Users/buildfarm/bf-data/HEAD/inst/lib:$DYLD_LIBRARY_PATH"
PGPORT='65678'
PG_REGRESS='/Users/buildfarm/bf-data/HEAD/pgsql.build/src/test/modules/commit_ts/../../../../src/test/regress/pg_regress'
REGRESS_SHLIB='/Users/buildfarm/bf-data/HEAD/pgsql.build/src/test/regress/regress.so'
/usr/local/perl5.8.3/bin/prove -I ../../../../src/test/perl/ -I .
t/*.pl
t/001_base.ok
t/002_standby..FAILED--Further testing stopped: system pg_basebackup failed
make: *** [check] Error 25
Unfortunately, that error message is not very informative and for some
reason the TAP logs don't seem to be included in the buildfarm output
in this case, so it's hard to tell exactly what went wrong. This
appears to be another 32-bit critter, which may be related somehow,
but I don't know how exactly.
'serinus' is also failing. This is less obviously related:
[02:08:55] t/003_constraints.pl .. ok 2048 ms ( 0.01 usr 0.00 sys
+ 1.28 cusr 0.38 csys = 1.67 CPU)
# poll_query_until timed out executing this query:
# SELECT count(1) = 0 FROM pg_subscription_rel WHERE srsubstate NOT IN
('r', 's');
# expecting this output:
# t
# last actual query output:
# f
# with stderr:
But there's also this:
2020-04-04 02:08:57.297 CEST [5e87d019.506c1:1] LOG: connection
received: host=[local]
2020-04-04 02:08:57.298 CEST [5e87d019.506c1:2] LOG: replication
connection authorized: user=bf
application_name=tap_sub_16390_sync_16384
2020-04-04 02:08:57.299 CEST [5e87d019.506c1:3] LOG: statement: BEGIN
READ ONLY ISOLATION LEVEL REPEATABLE READ
2020-04-04 02:08:57.299 CEST [5e87d019.506c1:4] LOG: received
replication command: CREATE_REPLICATION_SLOT
"tap_sub_16390_sync_16384" TEMPORARY LOGICAL pgoutput USE_SNAPSHOT
2020-04-04 02:08:57.299 CEST [5e87d019.506c1:5] ERROR: replication
slot "tap_sub_16390_sync_16384" already exists
TRAP: FailedAssertion("owner->bufferarr.nitems == 0", File:
"/home/bf/build/buildfarm-serinus/HEAD/pgsql.build/../pgsql/src/backend/utils/resowner/resowner.c",
Line: 718)
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(ExceptionalCondition+0x5c)[0x9a13ac]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(ResourceOwnerDelete+0x295)[0x9db8e5]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)[0x54c61f]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(AbortOutOfAnyTransaction+0x122)[0x550e32]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)[0x9b3bc9]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(shmem_exit+0x35)[0x80db45]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)[0x80dc77]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(proc_exit+0x8)[0x80dd08]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(PostgresMain+0x59f)[0x83bd0f]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)[0x7a0264]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(PostmasterMain+0xbfc)[0x7a2b8c]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(main+0x6fb)[0x49749b]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb)[0x7fc52d83]
postgres: publisher: walsender bf [local] idle in transaction
(aborted)(_start+0x2a)[0x49753a]
2020-04-04 02:08:57.302 CEST [5e87d018.5066b:4] LOG: server process
(PID 329409) was terminated by signal 6: Aborted
2020-04-04 02:08:57.302 CEST [5e87d018.5066b:5] DETAIL: Failed
process was running: BEGIN READ ONLY ISOLATION LEVEL REPEATABLE READ
That might well be related. I note in passing that the DETAIL emitted
by the postmaster shows the previous SQL command rather than the
more-recent replication command, which seems like something to fix. (I
still really dislike the fact that we have this evil hack allowing one
connection to mix and match those sets of commands...)
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL
Re: backup manifests
BTW, some of the buildfarm is showing a simpler portability problem: they think you were too cavalier about the difference between time_t and pg_time_t. (On a platform with 32-bit time_t, that's an actual bug, probably.) lapwing is actually failing: https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=lapwing=2020-04-03%2021%3A41%3A49 ccache gcc -std=gnu99 -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Werror=vla -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fexcess-precision=standard -g -O2 -Werror -I. -I. -I../../../src/include -DENFORCE_REGRESSION_TEST_NAME_RESTRICTIONS -D_GNU_SOURCE -I/usr/include/libxml2 -I/usr/include/et -c -o basebackup.o basebackup.c basebackup.c: In function 'AddFileToManifest': basebackup.c:1199:10: error: passing argument 1 of 'pg_gmtime' from incompatible pointer type [-Werror] In file included from ../../../src/include/access/xlog_internal.h:26:0, from basebackup.c:20: ../../../src/include/pgtime.h:49:22: note: expected 'const pg_time_t *' but argument is of type 'time_t *' cc1: all warnings being treated as errors make[3]: *** [basebackup.o] Error 1 but some others are showing it as a warning. I suppose that judicious s/time_t/pg_time_t/ would fix this. regards, tom lane
Re: backup manifests and contemporaneous buildfarm failures
Robert Haas writes:
> On Fri, Apr 3, 2020 at 6:48 PM Tom Lane wrote:
>> I'm guessing that we're looking at a platform-specific difference in
>> whether "rm -rf" fails outright on an unreadable subdirectory, or
>> just tries to carry on by unlinking it anyway.
> My intention was that it would be cleaned by the TAP framework itself,
> since the temporary directories it creates are marked for cleanup. But
> it may be that there's a platform dependency in the behavior of Perl's
> File::Path::rmtree, too.
Yeah, so it would seem. The buildfarm script uses rmtree to clean out
the old build tree. The man page for File::Path suggests (but can't
quite bring itself to say in so many words) that by default, rmtree
will adjust the permissions on target directories to allow the deletion
to succeed. But that's very clearly not happening on some platforms.
(Maybe that represents a local patch on the part of some packagers
who thought it was too unsafe?)
Anyway, the end state presumably is that the pgsql.build directory
is still there at the end of the buildfarm run, and the next run's
attempt to also rmtree it fares no better. Then look what it does
to set up the new build:
system("cp -R -p $target $build_path 2>&1");
Of course, if $build_path already exists, then cp copies to a subdirectory
of the target not the target itself. So that explains the symptom
"./configure does not exist" --- it exists all right, but in a
subdirectory below the one where the buildfarm expects it to be.
It looks to me like the same problem would occur with VPATH or no.
The lack of failures among the VPATH-using critters probably has
more to do with whether their rmtree is willing to deal with this
case than with VPATH.
Anyway, it's evident that the buildfarm critters that are busted
will need manual cleanup, because the script is not going to be
able to get out of this by itself. I remain of the opinion that
the hazard of that happening again in the future (eg, if a buildfarm
animal loses power during the test) is sufficient reason to remove
this test case.
regards, tom lane
Re: backup manifests and contemporaneous buildfarm failures
On Fri, Apr 3, 2020 at 5:58 PM Fabien COELHO wrote: > seawasp just failed the same way. Good news, I can see "configure" under > "HEAD/pgsql". Ah, good. > The only strange thing under buildroot I found is: > > HEAD/pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup/open_directory_fails/pg_subtrans/ Huh. I wonder how that got left behind ... it should've been cleaned up by the TAP test framework. But I pushed a commit to change the permissions back explicitly before exiting. As Tom says, I probably need to remove that entire test, but I'm going to try this first. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests and contemporaneous buildfarm failures
On Fri, Apr 3, 2020 at 6:48 PM Tom Lane wrote: > I'm guessing that we're looking at a platform-specific difference in > whether "rm -rf" fails outright on an unreadable subdirectory, or > just tries to carry on by unlinking it anyway. My intention was that it would be cleaned by the TAP framework itself, since the temporary directories it creates are marked for cleanup. But it may be that there's a platform dependency in the behavior of Perl's File::Path::rmtree, too. > A partial fix would be to have the test script put back normal > permissions on that directory before it exits ... but any failure > partway through the script would leave a time bomb requiring manual > cleanup. Yeah. I've pushed that fix for now, but as you say, it may not survive contact with the enemy. That's kind of disappointing, because I put a lot of work into trying to make the tests cover every line of code that they possibly could, and there's no reason to suppose that pg_validatebackup is the only tool that could benefit from having code coverage of those kinds of scenarios. It's probably not even the tool that is most in need of such testing; it must be far worse if, say, pg_rewind can't cope with it. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests and contemporaneous buildfarm failures
I wrote: > I'm guessing that we're looking at a platform-specific difference in > whether "rm -rf" fails outright on an unreadable subdirectory, or > just tries to carry on by unlinking it anyway. Yeah... on my RHEL6 box, "make check" cleans up the working directories under tmp_check, but on a FreeBSD 12.1 box, not so much: I'm left with $ ls tmp_check/ log/t_003_corruption_master_data/ tgl@oldmini$ ls -R tmp_check/t_003_corruption_master_data/ backup/ tmp_check/t_003_corruption_master_data/backup: open_directory_fails/ tmp_check/t_003_corruption_master_data/backup/open_directory_fails: pg_subtrans/ tmp_check/t_003_corruption_master_data/backup/open_directory_fails/pg_subtrans: ls: tmp_check/t_003_corruption_master_data/backup/open_directory_fails/pg_subtrans: Permission denied I did not see any complaints printed to the terminal, but in regress_log_003_corruption there's ... ok 40 - corrupt backup fails validation: open_directory_fails: matches cannot chdir to child for /usr/home/tgl/pgsql/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup/open_directory_fails/pg_subtrans: Permission denied at t/003_corruption.pl line 126. cannot remove directory for /usr/home/tgl/pgsql/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup/open_directory_fails: Directory not empty at t/003_corruption.pl line 126. # Running: pg_basebackup -D /usr/home/tgl/pgsql/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup/search_directory_fails --no-sync -T /tmp/lxaL_sLcnr=/tmp/_fegwVjoDR ok 41 - base backup ok ... This may be more of a Perl version issue than a platform issue, but either way it's a problem. Also, on the FreeBSD box, "rm -rf" isn't happy either: $ rm -rf tmp_check rm: tmp_check/t_003_corruption_master_data/backup/open_directory_fails/pg_subtrans: Permission denied rm: tmp_check/t_003_corruption_master_data/backup/open_directory_fails: Directory not empty rm: tmp_check/t_003_corruption_master_data/backup: Directory not empty rm: tmp_check/t_003_corruption_master_data: Directory not empty rm: tmp_check: Directory not empty regards, tom lane
Re: backup manifests and contemporaneous buildfarm failures
Thomas Munro writes: > Same here, on elver. I see pg_subtrans has been chmod(0)'d, > presumably by the perl subroutine mutilate_open_directory_fails. I > see this in my inbox (the build farm wrote it to stderr or stdout > rather than the log file): > cannot chdir to child for > pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup/open_directory_fails/pg_subtrans: > Permission denied at ./run_build.pl line 1013. > cannot remove directory for > pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup/open_directory_fails: > Directory not empty at ./run_build.pl line 1013. I'm guessing that we're looking at a platform-specific difference in whether "rm -rf" fails outright on an unreadable subdirectory, or just tries to carry on by unlinking it anyway. A partial fix would be to have the test script put back normal permissions on that directory before it exits ... but any failure partway through the script would leave a time bomb requiring manual cleanup. On the whole, I'd argue that testing that behavior is not valuable enough to take risks of periodically breaking buildfarm members in a way that will require manual recovery --- to say nothing of annoying developers who trip over it. So my vote is to remove that part of the test and be satisfied with checking the behavior for an unreadable file. This doesn't directly explain the failure-at-next-configure behavior that we're seeing in the buildfarm, but it wouldn't be too surprising if it ends up being that the buildfarm client script doesn't manage to fully recover from the situation. regards, tom lane
Re: backup manifests and contemporaneous buildfarm failures
Greetings, * Thomas Munro (thomas.mu...@gmail.com) wrote: > On Sat, Apr 4, 2020 at 11:13 AM Tom Lane wrote: > > Fabien COELHO writes: > > > The only strange thing under buildroot I found is: > > > > > HEAD/pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup/open_directory_fails/pg_subtrans/ > > > > > this last directory perms are d- which seems to break cleanup. > > Same here, on elver. I see pg_subtrans has been chmod(0)'d, > presumably by the perl subroutine mutilate_open_directory_fails. I > see this in my inbox (the build farm wrote it to stderr or stdout > rather than the log file): Yup, saw the same here. chmod'ing it to 755 seemed to result it the next run cleaning it up, at least. Not sure how things will go on the next actual build tho. Thanks, Stephen signature.asc Description: PGP signature
Re: backup manifests and contemporaneous buildfarm failures
On Sat, Apr 4, 2020 at 11:13 AM Tom Lane wrote: > Fabien COELHO writes: > > The only strange thing under buildroot I found is: > > > HEAD/pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup/open_directory_fails/pg_subtrans/ > > > this last directory perms are d- which seems to break cleanup. Same here, on elver. I see pg_subtrans has been chmod(0)'d, presumably by the perl subroutine mutilate_open_directory_fails. I see this in my inbox (the build farm wrote it to stderr or stdout rather than the log file): cannot chdir to child for pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup/open_directory_fails/pg_subtrans: Permission denied at ./run_build.pl line 1013. cannot remove directory for pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup/open_directory_fails: Directory not empty at ./run_build.pl line 1013. cannot remove directory for pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup: Directory not empty at ./run_build.pl line 1013. cannot remove directory for pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data: Directory not empty at ./run_build.pl line 1013. cannot remove directory for pgsql.build/src/bin/pg_validatebackup/tmp_check: Directory not empty at ./run_build.pl line 1013. cannot remove directory for pgsql.build/src/bin/pg_validatebackup: Directory not empty at ./run_build.pl line 1013. cannot remove directory for pgsql.build/src/bin: Directory not empty at ./run_build.pl line 1013. cannot remove directory for pgsql.build/src: Directory not empty at ./run_build.pl line 1013. cannot remove directory for pgsql.build: Directory not empty at ./run_build.pl line 1013. cannot chdir to child for pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup/open_directory_fails/pg_subtrans: Permission denied at ./run_build.pl line 589. cannot remove directory for pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup/open_directory_fails: Directory not empty at ./run_build.pl line 589. cannot remove directory for pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup: Directory not empty at ./run_build.pl line 589. cannot remove directory for pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data: Directory not empty at ./run_build.pl line 589. cannot remove directory for pgsql.build/src/bin/pg_validatebackup/tmp_check: Directory not empty at ./run_build.pl line 589. cannot remove directory for pgsql.build/src/bin/pg_validatebackup: Directory not empty at ./run_build.pl line 589. cannot remove directory for pgsql.build/src/bin: Directory not empty at ./run_build.pl line 589. cannot remove directory for pgsql.build/src: Directory not empty at ./run_build.pl line 589. cannot remove directory for pgsql.build: Directory not empty at ./run_build.pl line 589.
Re: backup manifests and contemporaneous buildfarm failures
On 2020-Apr-03, Tom Lane wrote: > I wonder if VPATH versus not-VPATH might be a relevant factor ... Oh, absolutely. The ones that failed show, in the last successful run, the configure line invoked as "./configure", while the animals that are still running are invoking configure from some other directory. -- Álvaro Herrerahttps://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: backup manifests and contemporaneous buildfarm failures
Fabien COELHO writes: > The only strange thing under buildroot I found is: > HEAD/pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup/open_directory_fails/pg_subtrans/ > this last directory perms are d- which seems to break cleanup. Locally, I observe that "make clean" in src/bin/pg_validatebackup fails to clean up the tmp_check directory left behind by "make check". So the new makefile is not fully plugged into its standard responsibilities. I don't see any unreadable subdirectories though. I wonder if VPATH versus not-VPATH might be a relevant factor ... regards, tom lane
Re: backup manifests and contemporaneous buildfarm failures
Hello Robert, Done now. Meanwhile, two more machines have reported the mysterious message: sh: ./configure: not found ...that first appeared on spurfowl a few hours ago. The other two machines are eelpout and elver, both of which list Thomas Munro as a maintainer. spurfowl lists Stephen Frost. Thomas, Stephen, can one of you check and see what's going on? spurfowl has failed this way four times now, and eelpout and elver have each failed the last two runs, but since there's no helpful information in the logs, it's hard to guess what went wrong. I'm sort of afraid that something in the new TAP tests accidentally removed way too many files during the cleanup phase - e.g. it decided the temporary directory was / and removed every file it could access, or something like that. It doesn't do that here, or I, uh, would've noticed by now. But sometimes strange things happen on other people's machines. Hopefully one of those strange things is not that my test code is single-handedly destroying the entire buildfarm, but it's possible. seawasp just failed the same way. Good news, I can see "configure" under "HEAD/pgsql". The only strange thing under buildroot I found is: HEAD/pgsql.build/src/bin/pg_validatebackup/tmp_check/t_003_corruption_master_data/backup/open_directory_fails/pg_subtrans/ this last directory perms are d- which seems to break cleanup. It may be a left over from a previous run which failed (possibly 21dc488 ?). I cannot see how this would be related to configure, though. Maybe something else fails silently and the message is about a consequence of the prior silent failure. I commented out the cron job and will try to look into it on tomorrow if the status has not changed by then. -- Fabien.
backup manifests and contemporaneous buildfarm failures
[ splitting this off into a separate thread ] On Fri, Apr 3, 2020 at 5:07 PM Robert Haas wrote: > I'lll go see about adding that. Done now. Meanwhile, two more machines have reported the mysterious message: sh: ./configure: not found ...that first appeared on spurfowl a few hours ago. The other two machines are eelpout and elver, both of which list Thomas Munro as a maintainer. spurfowl lists Stephen Frost. Thomas, Stephen, can one of you check and see what's going on? spurfowl has failed this way four times now, and eelpout and elver have each failed the last two runs, but since there's no helpful information in the logs, it's hard to guess what went wrong. I'm sort of afraid that something in the new TAP tests accidentally removed way too many files during the cleanup phase - e.g. it decided the temporary directory was / and removed every file it could access, or something like that. It doesn't do that here, or I, uh, would've noticed by now. But sometimes strange things happen on other people's machines. Hopefully one of those strange things is not that my test code is single-handedly destroying the entire buildfarm, but it's possible. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests
oes not -- Justin >From 0bc8211dd325e8fec55eab4a3089ed1768563502 Mon Sep 17 00:00:00 2001 From: Justin Pryzby Date: Fri, 3 Apr 2020 16:17:28 -0500 Subject: [PATCH] docs: backup manifests commit 0d8c9c1210c44b36ec2efcb223a1dfbe897a3661 Author: Robert Haas --- doc/src/sgml/protocol.sgml | 4 ++-- doc/src/sgml/ref/pg_basebackup.sgml | 4 ++-- doc/src/sgml/ref/pg_validatebackup.sgml | 12 ++-- src/backend/replication/basebackup.c| 2 +- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml index 536de9a698..d84afb7b18 100644 --- a/doc/src/sgml/protocol.sgml +++ b/doc/src/sgml/protocol.sgml @@ -2586,7 +2586,7 @@ The commands accepted in replication mode are: and sent along with the backup. The manifest is a list of every file present in the backup with the exception of any WAL files that may be included. It also stores the size, last modification time, and - an optional checksum for each file. + optionally a checksum for each file. A value of force-escape forces all filenames to be hex-encoded; otherwise, this type of encoding is performed only for files whose names are non-UTF8 octet sequences. @@ -2602,7 +2602,7 @@ The commands accepted in replication mode are: MANIFEST_CHECKSUMS - Specifies the algorithm that should be applied to each file included + Specifies the checksum algorithm that should be applied to each file included in the backup manifest. Currently, the available algorithms are NONE, CRC32C, SHA224, SHA256, diff --git a/doc/src/sgml/ref/pg_basebackup.sgml b/doc/src/sgml/ref/pg_basebackup.sgml index c778e061f3..922688e227 100644 --- a/doc/src/sgml/ref/pg_basebackup.sgml +++ b/doc/src/sgml/ref/pg_basebackup.sgml @@ -604,7 +604,7 @@ PostgreSQL documentation not contain any checksums. Otherwise, it will contain a checksum of each file in the backup using the specified algorithm. In addition, the manifest will always contain a SHA256 -checksum of its own contents. The SHA algorithms +checksum of its own content. The SHA algorithms are significantly more CPU-intensive than CRC32C, so selecting one of them may increase the time required to complete the backup. @@ -614,7 +614,7 @@ PostgreSQL documentation of each file for users who wish to verify that the backup has not been tampered with, while the CRC32C algorithm provides a checksum which is much faster to calculate and good at catching errors due to accidental -changes but is not resistant to targeted modifications. Note that, to +changes but is not resistant to malicious modifications. Note that, to be useful against an adversary who has access to the backup, the backup manifest would need to be stored securely elsewhere or otherwise verified not to have been modified since the backup was taken. diff --git a/doc/src/sgml/ref/pg_validatebackup.sgml b/doc/src/sgml/ref/pg_validatebackup.sgml index 19888dc196..748ac439a6 100644 --- a/doc/src/sgml/ref/pg_validatebackup.sgml +++ b/doc/src/sgml/ref/pg_validatebackup.sgml @@ -41,12 +41,12 @@ PostgreSQL documentation - It is important to note that that the validation which is performed by - pg_validatebackup does not and can not include + It is important to note that the validation which is performed by + pg_validatebackup does not and cannot include every check which will be performed by a running server when attempting to make use of the backup. Even if you use this tool, you should still perform test restores and verify that the resulting databases work as - expected and that they appear to contain the correct data. However, + expected and that they contain the correct data. However, pg_validatebackup can detect many problems that commonly occur due to storage problems or user error. @@ -73,7 +73,7 @@ PostgreSQL documentation a backup_manifest file in the target directory or about anything inside pg_wal, even though these files won't be listed in the backup manifest. Only files are checked; - the presence or absence or directories is not verified, except + the presence or absence of directories is not verified, except indirectly: if a directory is missing, any files it should have contained will necessarily also be missing. @@ -84,7 +84,7 @@ PostgreSQL documentation for any files for which the computed checksum does not match the checksum stored in the manifest. This step is not performed for any files which produced errors in the previous step, since they are already known - to have problems. Also, files which were ignored in the previous step are + to have problems. Files which were ignored in the previous step are
Re: backup manifests
On Fri, Apr 3, 2020 at 4:54 PM Alvaro Herrera wrote: > Maybe it needs perl2host? *jaw drops* Wow, OK, yeah, that looks like the thing. Thanks for the suggestion; I didn't know that existed (and I kinda wish I still didn't). I'lll go see about adding that. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests
On 2020-Apr-03, Robert Haas wrote:
> sub tempdir_short
> {
>
> return File::Temp::tempdir(CLEANUP => 1);
> }
>
> And File::Temp's documentation says that the temporary directory is
> picked using File::Spec's tmpdir(), which says that it knows about
> different operating systems and will DTRT on Unix, Mac, OS2, Win32,
> and VMS. Yet on fairywren it is apparently DTWT. I'm not sure why.
Maybe it needs perl2host?
--
Álvaro Herrerahttps://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: backup manifests
On Fri, Apr 3, 2020 at 3:53 PM Robert Haas wrote:
> 2. Also, a bunch of machines were super-unhappy with
> 003_corruption.pl, failing with this sort of thing:
>
> pg_basebackup: error: could not get COPY data stream: ERROR: symbolic
> link target too long for tar format: file name "pg_tblspc/16387",
> target
> "/home/fabien/pg/build-farm-11/buildroot/HEAD/pgsql.build/src/bin/pg_validatebackup/tmp_check/tmp_test_7w0w"
>
> Apparently, this is a known problem and the solution is to use
> TestLib::tempdir_short instead of TestLib::tempdir, so I pushed a fix
> to make it do that.
By and large, the buildfarm is a lot happier now, but fairywren
(Windows / Msys Server 2019 / 2 gcc 7.3.0 x86_64) failed like this:
# Postmaster PID for node "master" is 198420
error running SQL: 'psql::3: ERROR: directory
"/tmp/9peoZHrEia" does not exist'
while running 'psql -XAtq -d port=51493 host=127.0.0.1
dbname='postgres' -f - -v ON_ERROR_STOP=1' with sql 'CREATE TABLE x1
(a int);
INSERT INTO x1 VALUES (111);
CREATE TABLESPACE ts1 LOCATION '/tmp/9peoZHrEia';
CREATE TABLE x2 (a int) TABLESPACE ts1;
INSERT INTO x1 VALUES (222);
' at
/home/pgrunner/bf/root/HEAD/pgsql.build/../pgsql/src/test/perl/PostgresNode.pm
line 1531.
### Stopping node "master" using mode immediate
I wondered why this should be failing on this machine when none of the
other places where tempdir_short is used are similarly failing. The
answer appears to be that most of the TAP tests that use tempdir_short
just do this:
my $tempdir_short = TestLib::tempdir_short;
...and then ignore that variable completely for the rest of the
script. That's not ideal, and we should probably remove those calls
to avoid giving that it's actually used for something. The two TAP
tests that actually do something with it - apart from the one I just
added - are pg_basebackup's 010_pg_basebackup.pl and pg_ctl's
001_start_stop.pl. However, both of those are skipped on Windows.
Also, PostgresNode.pm itself uses it, but only when UNIX sockets are
used, so again not on Windows. So it sorta looks to me like we no
preexisting tests that meaningfully exercise TestLib::tempdir_short on
Windows.
Given that, I suppose I should consider myself lucky if this ends up
working on *any* of the Windows critters, but given the implementation
I'm kinda surprised we have a problem. That function is just:
sub tempdir_short
{
return File::Temp::tempdir(CLEANUP => 1);
}
And File::Temp's documentation says that the temporary directory is
picked using File::Spec's tmpdir(), which says that it knows about
different operating systems and will DTRT on Unix, Mac, OS2, Win32,
and VMS. Yet on fairywren it is apparently DTWT. I'm not sure why.
Any ideas?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Re: backup manifests
On Fri, Apr 3, 2020 at 3:22 PM Robert Haas wrote: > It looks like the buildfarm is unhappy though, so I guess I'd better > go look at that. I fixed two things so far, and there seems to be at least one more possible issue that I don't understand. 1. Apparently, we have an automated perlcritic run built in to the build farm, and apparently, it really hates Perl subroutines that don't end with an explicit return statement. We have that overridden to severity 5 in our Perl critic configuration. I guess I should've known this, but didn't. I've pushed a fix adding return statements. I believe I'm on record as thinking that perlcritic is a tool for complaining about a lot of things that don't really matter and very few that actually do -- but it's project style, so I'll suck it up! 2. Also, a bunch of machines were super-unhappy with 003_corruption.pl, failing with this sort of thing: pg_basebackup: error: could not get COPY data stream: ERROR: symbolic link target too long for tar format: file name "pg_tblspc/16387", target "/home/fabien/pg/build-farm-11/buildroot/HEAD/pgsql.build/src/bin/pg_validatebackup/tmp_check/tmp_test_7w0w" Apparently, this is a known problem and the solution is to use TestLib::tempdir_short instead of TestLib::tempdir, so I pushed a fix to make it do that. 3. spurfowl has failed its last two runs like this: sh: 1: ./configure: not found I am not sure how this patch could've caused that to happen, but the timing of the failures is certainly suspicious. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests
On Thu, Apr 2, 2020 at 4:34 PM David Steele wrote: > +1. These would be great tests to have and a win for pg_basebackup > overall but I don't think they should be a prerequisite for this commit. Not to mention the server. I can't say that I have a lot of confidence that all of the server behavior in this area is well-understood and sane. I've pushed all the patches. Hopefully everyone is happy now, or at least not so unhappy that they're going to break quarantine to beat me up. I hope I acknowledged all of the relevant people in the commit message, but it's possible that I missed somebody; if so, my apologies. As is my usual custom, I added entries in roughly the order that people chimed in on the thread, so the ordering should not be taken as a reflection of magnitude of contribution or, well, anything other than the approximate order in which they chimed in. It looks like the buildfarm is unhappy though, so I guess I'd better go look at that. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests
On 4/2/20 3:47 PM, Andres Freund wrote: On 2020-04-02 15:42:48 -0400, Robert Haas wrote: I suspect I'm not doing quite what you had in mind here... thoughts? I have some ideas, but I think it's complicated enough that I'd not put it in the "pre commit path" for now. +1. These would be great tests to have and a win for pg_basebackup overall but I don't think they should be a prerequisite for this commit. Regards, -- -David da...@pgmasters.net
Re: backup manifests
On 2020-04-02 15:42:48 -0400, Robert Haas wrote: > I suspect I'm not doing quite what you had in mind here... thoughts? I have some ideas, but I think it's complicated enough that I'd not put it in the "pre commit path" for now.
Re: backup manifests
On Thu, Apr 2, 2020 at 2:55 PM Robert Haas wrote: > On Thu, Apr 2, 2020 at 2:23 PM Andres Freund wrote: > > > That might make the window fairly wide on normal systems, but I'm not > > > sure about Raspberry Pi BF members or things running > > > CLOBBER_CACHE_ALWAYS/RECURSIVELY. I guess I could try it. > > > > You can set checkpoint_timeout to be a day. If that's not enough, well, > > then I think we have other problems. > > I'm not sure that's the only issue here, but I'll try it. I ran into a few problems here. In trying to set this up manually, I always began with the following steps: # (1) create cluster initdb # (2) add to configuration file log_checkpoints=on checkpoint_timeout=1d checkpoint_completion_target=0.99 # (3) fire it up postgres createdb If at this point I do "pg_basebackup -D pgslave -R -c spread", it completes within a few seconds anyway, because there's basically nothing dirty, and no matter how slowly you write out no data, it's still pretty quick. If I run "pgbench -i" first, and then "pg_basebackup -D pgslave -R -c spread", it hangs, apparently essentially forever, because now the checkpoint has something to do, and it does it super-slowly, and "psql -c checkpoint" makes it finish immediately. However, this experiment isn't testing quite the right thing, because what I actually need is a slow backup off of a cascading standby, so that I have time to promote the parent standby before the backup completes. I tried continuing like this: # (4) set up standby pg_basebackup -D pgslave -R postgres -D pgslave -c port=5433 # (5) set up cascading standby pg_basebackup -D pgslave2 -d port=5433 -R postgres -c port=5434 -D pgslave2 # (6) dirty some pages on the master pgbench -i # (7) start a backup of the cascading standby pg_basebackup -D pgslave3 -d port=5434 -R -c spread However, the pg_basebackup in the last step completes after only a few seconds. If it were hanging, then I could continue with "pg_ctl promote -D pgslave" and that might give me what I need, but that's not what happens. I suspect I'm not doing quite what you had in mind here... thoughts? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests
On Thu, Apr 2, 2020 at 3:26 PM David Steele wrote: > So, with the addition of the 0004 patch down-thread this looks > committable to me. Glad to hear it. Thank you. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests
On 4/2/20 1:04 PM, Robert Haas wrote: > There are still some things that not everybody is happy about. In particular, Stephen and David are unhappy about using CRC-32C as the default algorithm, but Andres and Noah both think it's a reasonable choice, even if not as robust as everybody will want. As I agree, I'm going to stick with that choice. Yeah, I seem to be on the losing side of this argument, at least for now, so I don't think it should block the commit of this patch. It's an easy enough tweak if we change our minds. For my part, I think this is a general issue that is not really this patch's problem to solve. We have had multiple discussions over the years about reducing the number of binaries that we ship. We could have a general binary called "pg" or similar and use subcommands: pg createdb, pg basebackup, pg validatebackup, etc. I think such an approach is worth considering, though it would certainly be an adjustment for everyone. Or we might do something else. But I don't want to deal with that in this patch. I'm fine with the current name, especially now that WAL is validated. A couple of other minor suggestions have been made: (1) rejigger things to avoid message duplication related to launching external binaries, That'd be nice to have, but I think we can live without it for now. (2) maybe use appendShellString Seems like this would be good to have but I'm not going to make a fuss about it. and (3) change some details of error-reporting related to manifest parsing. I don't believe anyone views these as blockers I'd view this as later refinement once we see how the tool is being used and/or get gripes from the field. So, with the addition of the 0004 patch down-thread this looks committable to me. Regards, -- -David da...@pgmasters.net
Re: backup manifests
On 2020-04-02 14:55:19 -0400, Robert Haas wrote: > > Yes, I am asking for something to be changed: I'd like the code that > > read()s the file when computing the checksum to add up how many bytes > > were read, and compare that to the size in the manifest. And if there's > > a difference report an error about that, instead of a checksum failure. > > > > I've repeatedly seen filesystem issues lead to to earlier EOFs when > > read()ing than what stat() returns. It'll be pretty annoying to have to > > debug a general "checksum failure", rather than just knowing that > > reading stopped after 100MB of 1GB. > > Is 0004 attached like what you have in mind? Yes. Thanks! - Andres
Re: backup manifests
Hi, On 2020-04-02 14:16:27 -0400, Robert Haas wrote: > On Thu, Apr 2, 2020 at 1:23 PM Andres Freund wrote: > > I suspect its possible to control the timing by preventing the > > checkpoint at the end of recovery from completing within a relevant > > timeframe. I think configuring a large checkpoint_timeout and using a > > non-fast base backup ought to do the trick. The state can be advanced by > > separately triggering an immediate checkpoint? Or by changing the > > checkpoint_timeout? > > That might make the window fairly wide on normal systems, but I'm not > sure about Raspberry Pi BF members or things running > CLOBBER_CACHE_ALWAYS/RECURSIVELY. I guess I could try it. You can set checkpoint_timeout to be a day. If that's not enough, well, then I think we have other problems. > > FWIW, the only check I'd really like to see in this release is the > > crosscheck with the files length and the actually read data (to be able > > to disagnose FS issues). > > Not sure I understand this comment. Isn't that a subset of what the > patch already does? Are you asking for something to be changed? Yes, I am asking for something to be changed: I'd like the code that read()s the file when computing the checksum to add up how many bytes were read, and compare that to the size in the manifest. And if there's a difference report an error about that, instead of a checksum failure. I've repeatedly seen filesystem issues lead to to earlier EOFs when read()ing than what stat() returns. It'll be pretty annoying to have to debug a general "checksum failure", rather than just knowing that reading stopped after 100MB of 1GB. Greetings, Andres Freund
Re: backup manifests
On Thu, Apr 2, 2020 at 1:23 PM Andres Freund wrote: > I suspect its possible to control the timing by preventing the > checkpoint at the end of recovery from completing within a relevant > timeframe. I think configuring a large checkpoint_timeout and using a > non-fast base backup ought to do the trick. The state can be advanced by > separately triggering an immediate checkpoint? Or by changing the > checkpoint_timeout? That might make the window fairly wide on normal systems, but I'm not sure about Raspberry Pi BF members or things running CLOBBER_CACHE_ALWAYS/RECURSIVELY. I guess I could try it. > I think it might be worth looking, in a later release, at something like > blake3 for a fast cryptographic checksum. By allowing for instruction > parallelism (by independently checksuming different blocks in data, and > only advancing the "shared" checksum separately) it achieves > considerably higher throughput rates. > > I suspect we should also look at a better non-crypto hash. xxhash or > whatever. Not just for these checksums, but also for in-memory. I have no problem with that. I don't feel that I am well-placed to recommend for or against specific algorithms. Speed is easy to measure, but there's also code stability, the license under which something is released, the quality of the hashes it produces, and the extent to which it is cryptographically secure. I'm not an expert in any of that stuff, but if we get consensus on something it should be easy enough to plug it into this framework. Even changing the default would be no big deal. > FWIW, the only check I'd really like to see in this release is the > crosscheck with the files length and the actually read data (to be able > to disagnose FS issues). Not sure I understand this comment. Isn't that a subset of what the patch already does? Are you asking for something to be changed? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests
Hi, On 2020-04-02 13:04:45 -0400, Robert Haas wrote: > And here's another new patch set. After some experimentation, I was > able to manually test the timeline-switch-during-a-base-backup case > and found that it had bugs in both pg_validatebackup and the code I > added to the backend's basebackup.c. So I fixed those. Cool. > It would be > nice to have automated tests, but you need a large database (so that > backing it up takes non-trivial time) and a load on the primary (so > that WAL is being replayed during the backup) and there's a race > condition (because the backup has to not finish before the cascading > standby learns that the upstream has been promoted), so I don't at > present see a practical way to automate that. I did verify, in manual > testing, that a problem with WAL files on either timeline caused a > validation failure. I also verified that the LSNs at which the standby > began replay and reached consistency matched what was stored in the > manifest. I suspect its possible to control the timing by preventing the checkpoint at the end of recovery from completing within a relevant timeframe. I think configuring a large checkpoint_timeout and using a non-fast base backup ought to do the trick. The state can be advanced by separately triggering an immediate checkpoint? Or by changing the checkpoint_timeout? > I also implemented Noah's suggestion that we should write the backup > manifest under a temporary name and then rename it afterward. > Stephen's original complaint that you could end up with a backup that > validates successfully even though we died before we got the WAL is, > at this point, moot, because pg_validatebackup is now capable of > noticing that the WAL is missing. Nevertheless, this seems like a nice > belt-and-suspenders check. Yea, it's imo generally a good idea. > I think this responds to pretty much all of the complaints that I know > about and upon which we have a reasonable degree of consensus. There > are still some things that not everybody is happy about. In > particular, Stephen and David are unhappy about using CRC-32C as the > default algorithm, but Andres and Noah both think it's a reasonable > choice, even if not as robust as everybody will want. As I agree, I'm > going to stick with that choice. I think it might be worth looking, in a later release, at something like blake3 for a fast cryptographic checksum. By allowing for instruction parallelism (by independently checksuming different blocks in data, and only advancing the "shared" checksum separately) it achieves considerably higher throughput rates. I suspect we should also look at a better non-crypto hash. xxhash or whatever. Not just for these checksums, but also for in-memory. > Also, there is still some debate about what the tool ought to be > called. My previous suggestion to rename this from pg_validatebackup > to pg_validatemanifest seems wrong now that WAL validation has been > added; in fact, given that we now have two independent sanity checks > on a backup, I'm going to argue that it would be reasonable to extend > that by adding more kinds of backup validation, perhaps even including > the permissions check that Andres suggested before. FWIW, the only check I'd really like to see in this release is the crosscheck with the files length and the actually read data (to be able to disagnose FS issues). Greetings, Andres Freund
Re: backup manifests
On 3/31/20 7:57 AM, Robert Haas wrote:
On Mon, Mar 30, 2020 at 7:24 PM David Steele wrote:
I'm confused as to why you're not seeing that. What's the exact
sequence of steps?
$ pg_basebackup -D test/backup5 --manifest-checksums=SHA256
$ vi test/backup5/backup_manifest
* Add 'X' to the checksum of backup_label
$ pg_validatebackup test/backup5
pg_validatebackup: fatal: invalid checksum for file "backup_label":
"a98e9164fd59d498d14cfdf19c67d1c2208a30e7b939d1b4a09f524c7adfc11fX"
No mention of the manifest checksum being invalid. But if I remove the
backup label file from the manifest:
pg_validatebackup: fatal: manifest checksum mismatch
Oh, I see what's happening now. If the checksum is not an even-length
string of hexademical characters, it's treated as a syntax error, so
it bails out at that point. Generally, a syntax error in the manifest
file is treated as a fatal error, and you just die right there. You'd
get the same behavior if you had malformed JSON, like a stray { or }
or [ or ] someplace that it doesn't belong according to the rules of
JSON. On the other hand, if you corrupt the checksum by adding AA or
EE or 54 or some other even-length string of hex characters, then you
have (in this code's view) a semantic error rather than a syntax
error, so it will finish loading all the manifest data and then bail
because the checksum doesn't match.
We really can't avoid bailing out early sometimes, because if the file
is totally malformed at the JSON level, there's just no way to
continue. We could cause this particular error to get treated as a
semantic error rather than a syntax error, but I don't really see much
advantage in so doing. This way was easier to code, and I don't think
it really matters which error we find first.
I think it would be good to know that the manifest checksum is bad in
all cases because that may well inform other errors.
That said, I know you have a lot on your plate with this patch so I'm
not going to make a fuss about such a minor gripe. Perhaps this can be
considered for future improvement.
Regards,
--
-David
da...@pgmasters.net
Re: backup manifests
Hi, On 2020-03-31 14:56:07 +0530, Amit Kapila wrote: > On Tue, Mar 31, 2020 at 11:10 AM Noah Misch wrote: > > On Mon, Mar 30, 2020 at 12:16:31PM -0700, Andres Freund wrote: > > > On 2020-03-30 15:04:55 -0400, Robert Haas wrote: > > > I'm mildly inclined to name it pg_validate, pg_validate_dbdir or > > > such. And eventually (definitely not this release) subsume pg_checksums > > > in it. That way we can add other checkers too. > > > > Works for me; of those two, I prefer pg_validate. > > > > pg_validate sounds like a tool with a much bigger purpose. I think > even things like amcheck could also fall under it. Intentionally so. We don't serve our users by collecting a lot of differently named commands to work with data directories. A I wrote above, the point would be to eventually have that tool also perform checksum validation etc. Potentially even in a single pass over the data directory. > This patch has two parts (a) Generate backup manifests for base > backups, and (b) Validate backup (manifest). It seems to me that > there are not many things pending for (a), can't we commit that first > or is it the case that (a) depends on (b)? This is *not* a suggestion > to leave pg_validatebackup from this release rather just to commit if > something is ready and meaningful on its own. IDK, it seems easier to be able to modify both at the same time. Greetings, Andres Freund
Re: backup manifests
Hi,
On 2020-03-31 22:15:04 -0700, Noah Misch wrote:
> On Tue, Mar 31, 2020 at 03:50:34PM -0700, Andres Freund wrote:
> > On 2020-03-31 14:10:34 -0400, Robert Haas wrote:
> > > +/*
> > > + * Attempt to parse the WAL files required to restore from backup using
> > > + * pg_waldump.
> > > + */
> > > +static void
> > > +parse_required_wal(validator_context *context, char *pg_waldump_path,
> > > +char *wal_directory, manifest_wal_range
> > > *first_wal_range)
> > > +{
> > > + manifest_wal_range *this_wal_range = first_wal_range;
> > > +
> > > + while (this_wal_range != NULL)
> > > + {
> > > + char *pg_waldump_cmd;
> > > +
> > > + pg_waldump_cmd = psprintf("\"%s\" --quiet --path=\"%s\"
> > > --timeline=%u --start=%X/%X --end=%X/%X\n",
> > > +pg_waldump_path, wal_directory, this_wal_range->tli,
> > > +(uint32) (this_wal_range->start_lsn >> 32),
> > > +(uint32) this_wal_range->start_lsn,
> > > +(uint32) (this_wal_range->end_lsn >> 32),
> > > +(uint32) this_wal_range->end_lsn);
> > > + if (system(pg_waldump_cmd) != 0)
> > > + report_backup_error(context,
> > > + "WAL parsing
> > > failed for timeline %u",
> > > +
> > > this_wal_range->tli);
> > > +
> > > + this_wal_range = this_wal_range->next;
> > > + }
> > > +}
> >
> > Should we have a function to properly escape paths in cases like this?
> > Not that it's likely or really problematic, but the quoting for path
> > could be "circumvented".
>
> Are you looking for appendShellString(), or something different?
Looks like that'd be it. Thanks.
Greetings,
Andres Freund
Re: backup manifests
On Tue, Mar 31, 2020 at 03:50:34PM -0700, Andres Freund wrote:
> On 2020-03-31 14:10:34 -0400, Robert Haas wrote:
> > +/*
> > + * Attempt to parse the WAL files required to restore from backup using
> > + * pg_waldump.
> > + */
> > +static void
> > +parse_required_wal(validator_context *context, char *pg_waldump_path,
> > + char *wal_directory, manifest_wal_range
> > *first_wal_range)
> > +{
> > + manifest_wal_range *this_wal_range = first_wal_range;
> > +
> > + while (this_wal_range != NULL)
> > + {
> > + char *pg_waldump_cmd;
> > +
> > + pg_waldump_cmd = psprintf("\"%s\" --quiet --path=\"%s\"
> > --timeline=%u --start=%X/%X --end=%X/%X\n",
> > + pg_waldump_path, wal_directory, this_wal_range->tli,
> > + (uint32) (this_wal_range->start_lsn >> 32),
> > + (uint32) this_wal_range->start_lsn,
> > + (uint32) (this_wal_range->end_lsn >> 32),
> > + (uint32) this_wal_range->end_lsn);
> > + if (system(pg_waldump_cmd) != 0)
> > + report_backup_error(context,
> > + "WAL parsing
> > failed for timeline %u",
> > +
> > this_wal_range->tli);
> > +
> > + this_wal_range = this_wal_range->next;
> > + }
> > +}
>
> Should we have a function to properly escape paths in cases like this?
> Not that it's likely or really problematic, but the quoting for path
> could be "circumvented".
Are you looking for appendShellString(), or something different?
Re: backup manifests
Hi,
On 2020-03-31 14:10:34 -0400, Robert Haas wrote:
> I made an attempt to implement this.
Awesome!
> In the attached patch set, 0001 I'm going to work on those things. I
> would appreciate *very timely* feedback on anything people do or do
> not like about this, because I want to commit this patch set by the
> end of the work week and that isn't very far away. I would also
> appreciate if people would bear in mind the principle that half a loaf
> is better than none, and further improvements can be made in future
> releases.
>
> As part of my light testing, I tried promoting a standby that was
> running pg_basebackup, and found that pg_basebackup failed like this:
>
> pg_basebackup: error: could not get COPY data stream: ERROR: the
> standby was promoted during online backup
> HINT: This means that the backup being taken is corrupt and should
> not be used. Try taking another online backup.
> pg_basebackup: removing data directory "/Users/rhaas/pgslave2"
>
> My first thought was that this error message is hard to reconcile with
> this comment:
>
> /*
> * Send timeline history files too. Only the latest timeline history
> * file is required for recovery, and even that only if there happens
> * to be a timeline switch in the first WAL segment that contains the
> * checkpoint record, or if we're taking a base backup from a standby
> * server and the target timeline changes while the backup is taken.
> * But they are small and highly useful for debugging purposes, so
> * better include them all, always.
> */
>
> But then it occurred to me that this might be a cascading standby.
Yea. The check just prevents the walsender's database from being
promoted:
/*
* Check if the postmaster has signaled us to exit, and abort
with an
* error in that case. The error handler further up will call
* do_pg_abort_backup() for us. Also check that if the backup
was
* started while still in recovery, the server wasn't promoted.
* do_pg_stop_backup() will check that too, but it's better to
stop
* the backup early than continue to the end and fail there.
*/
CHECK_FOR_INTERRUPTS();
if (RecoveryInProgress() != backup_started_in_recovery)
ereport(ERROR,
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
errmsg("the standby was promoted
during online backup"),
errhint("This means that the backup
being taken is corrupt "
"and should not be
used. "
"Try taking another
online backup.")));
and
if (strcmp(backupfrom, "standby") == 0 && !backup_started_in_recovery)
ereport(ERROR,
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
errmsg("the standby was promoted during online
backup"),
errhint("This means that the backup being
taken is corrupt "
"and should not be used. "
"Try taking another online
backup.")));
So that just prevents promotions of the current node, afaict.
> Regardless, it seems like a really good idea to store a list of WAL
> ranges rather than a single start/end/timeline, because even if it's
> impossible today it might become possible in the future.
Indeed.
> Still, unless there's an easy way to set up a test scenario where
> multiple WAL ranges need to be verified, it may be hard to test that
> this code actually behaves properly.
I think it'd be possible to test without a fully cascading setup, by
creating an initial base backup, then do some work to create a bunch of
new timelines, and then start the initial base backup. That'd have to
follow all those timelines. Not sure that's better than a cascading
setup though.
> +/*
> + * Add information about the WAL that will need to be replayed when restoring
> + * this backup to the manifest.
> + */
> +static void
> +AddWALInfoToManifest(manifest_info *manifest, XLogRecPtr startptr,
> + TimeLineID starttli, XLogRecPtr
> endptr, TimeLineID endtli)
> +{
> + List *timelines = readTimeLineHistory(endtli);
should probably happen after the manifest->buffile check.
> + ListCell *lc;
> + boolfirst_wal_range = true;
> + boolfound_ending_tli = false;
> +
> + /* If there is no buffile, then the user doesn't want a manifest. */
> + if (manifest->buffile == NULL)
> + return;
Not really about this patch/function specifically: I wonder if this'd
look
Re: backup manifests
Greetings, * Amit Kapila (amit.kapil...@gmail.com) wrote: > On Tue, Mar 31, 2020 at 11:10 AM Noah Misch wrote: > > On Mon, Mar 30, 2020 at 12:16:31PM -0700, Andres Freund wrote: > > > On 2020-03-30 15:04:55 -0400, Robert Haas wrote: > > > > I guess I'd like to be clear here that I have no fundamental > > > > disagreement with taking this tool in any direction that people would > > > > like it to go. For me it's just a question of timing. Feature freeze > > > > is now a week or so away, and nothing complicated is going to get done > > > > in that time. If we can all agree on something simple based on > > > > Andres's recent proposal, cool, but I'm not yet sure that will be the > > > > case, so what's plan B? We could decide that what I have here is just > > > > too little to be a viable facility on its own, but I think Stephen is > > > > the only one taking that position. We could release it as > > > > pg_validatemanifest with a plan to rename it if other backup-related > > > > checks are added later. We could release it as pg_validatebackup with > > > > the idea to avoid having to rename it when more backup-related checks > > > > are added later, but with a greater possibility of confusion in the > > > > meantime and no hard guarantee that anyone will actually develop such > > > > checks. We could put it in to pg_checksums, but I think that's really > > > > backing ourselves into a corner: if backup validation develops other > > > > checks that are not checksum-related, what then? I'd much rather > > > > gamble on keeping things together by topic (backup) than technology > > > > used internally (checksum). Putting it into pg_basebackup is another > > > > option, and would avoid that problem, but it's not my preferred > > > > option, because as I noted before, I think the command-line options > > > > will get confusing. > > > > > > I'm mildly inclined to name it pg_validate, pg_validate_dbdir or > > > such. And eventually (definitely not this release) subsume pg_checksums > > > in it. That way we can add other checkers too. > > > > Works for me; of those two, I prefer pg_validate. > > pg_validate sounds like a tool with a much bigger purpose. I think > even things like amcheck could also fall under it. Yeah, I tend to agree with this. > This patch has two parts (a) Generate backup manifests for base > backups, and (b) Validate backup (manifest). It seems to me that > there are not many things pending for (a), can't we commit that first > or is it the case that (a) depends on (b)? This is *not* a suggestion > to leave pg_validatebackup from this release rather just to commit if > something is ready and meaningful on its own. I suspect the idea here is that we don't really want to commit something that nothing is actually using, and that's understandable and justified here- consider that even in this recent discussion there was talk that maybe we should have included permissions and ownership in the manifest, or starting and ending WAL positions, so that they'd be able to be checked by this tool more easily (and because it's just useful to have all that info in one place... I don't really agree with the concerns that it's an issue for static information like that to be duplicated). In other words, while the manifest creation code might be something we could commit, without a tool to use it (which does all the things that we think it needs to, to perform some high-level task, such as "validate a backup") we don't know that the manifest that's actually generated is really up to snuff and has what it needs to have to perform that task. I had been hoping that the discussion Andres was leading regarding leveraging pg_waldump (or maybe just code from it..) would get us to a point where pg_validatebackup would check that we have all of the WAL needed for the backup to be consistent and that it would then verify the internal checksums of the WAL. That would certainly be a good solution for this time around, in my view, and is already all existing client-side code. I do think we'd want to have a note about how we verify pg_wal differently from the other files which are in the manifest. Thanks, Stephen signature.asc Description: PGP signature
Re: backup manifests
On Mon, Mar 30, 2020 at 7:24 PM David Steele wrote:
> > I'm confused as to why you're not seeing that. What's the exact
> > sequence of steps?
>
> $ pg_basebackup -D test/backup5 --manifest-checksums=SHA256
>
> $ vi test/backup5/backup_manifest
> * Add 'X' to the checksum of backup_label
>
> $ pg_validatebackup test/backup5
> pg_validatebackup: fatal: invalid checksum for file "backup_label":
> "a98e9164fd59d498d14cfdf19c67d1c2208a30e7b939d1b4a09f524c7adfc11fX"
>
> No mention of the manifest checksum being invalid. But if I remove the
> backup label file from the manifest:
>
> pg_validatebackup: fatal: manifest checksum mismatch
Oh, I see what's happening now. If the checksum is not an even-length
string of hexademical characters, it's treated as a syntax error, so
it bails out at that point. Generally, a syntax error in the manifest
file is treated as a fatal error, and you just die right there. You'd
get the same behavior if you had malformed JSON, like a stray { or }
or [ or ] someplace that it doesn't belong according to the rules of
JSON. On the other hand, if you corrupt the checksum by adding AA or
EE or 54 or some other even-length string of hex characters, then you
have (in this code's view) a semantic error rather than a syntax
error, so it will finish loading all the manifest data and then bail
because the checksum doesn't match.
We really can't avoid bailing out early sometimes, because if the file
is totally malformed at the JSON level, there's just no way to
continue. We could cause this particular error to get treated as a
semantic error rather than a syntax error, but I don't really see much
advantage in so doing. This way was easier to code, and I don't think
it really matters which error we find first.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Re: backup manifests
On Tue, Mar 31, 2020 at 11:10 AM Noah Misch wrote: > > On Mon, Mar 30, 2020 at 12:16:31PM -0700, Andres Freund wrote: > > On 2020-03-30 15:04:55 -0400, Robert Haas wrote: > > > I guess I'd like to be clear here that I have no fundamental > > > disagreement with taking this tool in any direction that people would > > > like it to go. For me it's just a question of timing. Feature freeze > > > is now a week or so away, and nothing complicated is going to get done > > > in that time. If we can all agree on something simple based on > > > Andres's recent proposal, cool, but I'm not yet sure that will be the > > > case, so what's plan B? We could decide that what I have here is just > > > too little to be a viable facility on its own, but I think Stephen is > > > the only one taking that position. We could release it as > > > pg_validatemanifest with a plan to rename it if other backup-related > > > checks are added later. We could release it as pg_validatebackup with > > > the idea to avoid having to rename it when more backup-related checks > > > are added later, but with a greater possibility of confusion in the > > > meantime and no hard guarantee that anyone will actually develop such > > > checks. We could put it in to pg_checksums, but I think that's really > > > backing ourselves into a corner: if backup validation develops other > > > checks that are not checksum-related, what then? I'd much rather > > > gamble on keeping things together by topic (backup) than technology > > > used internally (checksum). Putting it into pg_basebackup is another > > > option, and would avoid that problem, but it's not my preferred > > > option, because as I noted before, I think the command-line options > > > will get confusing. > > > > I'm mildly inclined to name it pg_validate, pg_validate_dbdir or > > such. And eventually (definitely not this release) subsume pg_checksums > > in it. That way we can add other checkers too. > > Works for me; of those two, I prefer pg_validate. > pg_validate sounds like a tool with a much bigger purpose. I think even things like amcheck could also fall under it. This patch has two parts (a) Generate backup manifests for base backups, and (b) Validate backup (manifest). It seems to me that there are not many things pending for (a), can't we commit that first or is it the case that (a) depends on (b)? This is *not* a suggestion to leave pg_validatebackup from this release rather just to commit if something is ready and meaningful on its own. -- With Regards, Amit Kapila. EnterpriseDB: http://www.enterprisedb.com
Re: backup manifests
On Mon, Mar 30, 2020 at 12:16:31PM -0700, Andres Freund wrote: > On 2020-03-30 15:04:55 -0400, Robert Haas wrote: > > I guess I'd like to be clear here that I have no fundamental > > disagreement with taking this tool in any direction that people would > > like it to go. For me it's just a question of timing. Feature freeze > > is now a week or so away, and nothing complicated is going to get done > > in that time. If we can all agree on something simple based on > > Andres's recent proposal, cool, but I'm not yet sure that will be the > > case, so what's plan B? We could decide that what I have here is just > > too little to be a viable facility on its own, but I think Stephen is > > the only one taking that position. We could release it as > > pg_validatemanifest with a plan to rename it if other backup-related > > checks are added later. We could release it as pg_validatebackup with > > the idea to avoid having to rename it when more backup-related checks > > are added later, but with a greater possibility of confusion in the > > meantime and no hard guarantee that anyone will actually develop such > > checks. We could put it in to pg_checksums, but I think that's really > > backing ourselves into a corner: if backup validation develops other > > checks that are not checksum-related, what then? I'd much rather > > gamble on keeping things together by topic (backup) than technology > > used internally (checksum). Putting it into pg_basebackup is another > > option, and would avoid that problem, but it's not my preferred > > option, because as I noted before, I think the command-line options > > will get confusing. > > I'm mildly inclined to name it pg_validate, pg_validate_dbdir or > such. And eventually (definitely not this release) subsume pg_checksums > in it. That way we can add other checkers too. Works for me; of those two, I prefer pg_validate.
Re: backup manifests
On 3/30/20 4:16 PM, Robert Haas wrote:
On Fri, Mar 27, 2020 at 3:51 PM David Steele wrote:
> { "Path": "backup_label", "Size": 224, "Last-Modified": "2020-03-27
18:33:18 GMT", "Checksum-Algorithm": "CRC32C", "Checksum": "b914bec9" },
Storing the checksum type with each file seems pretty redundant.
Perhaps that could go in the header? You could always override if a
specific file had a different checksum type, though that seems unlikely.
In general it might be good to go with shorter keys: "mod", "chk", etc.
Manifests can get pretty big and that's a lot of extra bytes.
I'm also partial to using epoch time in the manifest because it is
generally easier for programs to work with. But, human-readable doesn't
suck, either.
It doesn't seem impossible for it to come up; for example, consider a
file-level incremental backup facility. You might retain whatever
checksums you have for the unchanged files (to avoid rereading them)
and add checksums for modified or added files.
OK.
I am not convinced that minimizing the size of the file here is a
particularly important goal, because I don't think it's going to get
that big in normal cases. I also think having the keys and values be
easily understandable by human being is a plus. If we really want a
minimal format without redundancy, we should've gone with what I
proposed before (though admittedly that could've been tamped down even
further if we'd cared to squeeze, which I didn't think was important
then either).
Well, normal cases is the key. But fine, in general we have found that
the in memory representation is more important in terms of supporting
clusters with very large numbers of files.
When I ran pg_validatebackup I expected to use -D to specify the backup
dir since pg_basebackup does. On the other hand -D is weird because I
*really* expect that to be the pg data dir.
But, do we want this to be different from pg_basebackup?
I think it's pretty distinguishable, because pg_basebackup needs an
input (server) and an output (directory), whereas pg_validatebackup
only needs one. I don't really care if we want to change it, but I was
thinking of this as being more analogous to, say, pg_resetwal.
Granted, that's a danger-don't-use-this tool and this isn't, but I
don't think we want the -D-is-optional behavior that tools like pg_ctl
have, because having a tool that isn't supposed to be used on a
running cluster default to $PGDATA seems inadvisable. And if the
argument is mandatory then it's not clear to me why we should make
people type -D in front of it.
Honestly I think pg_basebackup is the confusing one, because in most
cases -D points at the running cluster dir. So, OK.
> +checksum_length = checksum_string_length / 2;
This check is defeated if a single character is added the to checksum.
Not too big a deal since you still get an error, but still.
I don't see what the problem is here. We speculatively divide by two
and allocate memory assuming the value that it was even, but then
before doing anything critical we bail out if it was actually odd.
That's harmless. We could get around it by saying:
if (checksum_string_length % 2 != 0)
context->error_cb(...);
checksum_length = checksum_string_length / 2;
checksum_payload = palloc(checksum_length);
if (!hexdecode_string(...))
context->error_cb(...);
...but that would be adding additional code, and error messages, for
what's basically a can't-happen-unless-the-user-is-messing-with-us
case.
Sorry, pasted the wrong code and even then still didn't get it quite
right.
The problem:
If I remove an even characters from a checksum it appears the checksum
passes but the manifest checksum fails:
$ pg_basebackup -D test/backup5 --manifest-checksums=SHA256
$ vi test/backup5/backup_manifest
* Remove two characters from the checksum of backup_label
$ pg_validatebackup test/backup5
pg_validatebackup: fatal: manifest checksum mismatch
But if I add any number of characters or remove an odd number of
characters I get:
pg_validatebackup: fatal: invalid checksum for file "backup_label":
"a98e9164fd59d498d14cfdf19c67d1c2208a30e7b939d1b4a09f524c7adfc11fXX"
and no manifest checksum failure.
> + * Verify that the manifest checksum is correct.
This is not working the way I would expect -- I could freely modify the
manifest without getting a checksum error on the manifest. For example:
$ /home/vagrant/test/pg/bin/pg_validatebackup test/backup3
pg_validatebackup: fatal: invalid checksum for file "backup_label":
"408901e0814f40f8ceb7796309a59c7248458325a21941e7c55568e381f53831?"
So, if I deleted the entry above, I got a manifest checksum error. But
if I just modified the checksum I get a file checksum error with no
manifest checksum error.
I would prefer a manifest checksum error in all cases where it is wrong,
unless --exit-on-error is specified.
I think I would too, but I'm confused as to what you're doing, because
if I just modified the manifest --
Re: backup manifests
On 3/30/20 5:08 PM, Andres Freund wrote: The data in the backup label isn't sufficient though. Without having parsed the timeline file there's no way to verify that the correct WAL is present. I guess we can also add client side tools to parse timelines, add command the fetch all of the required files, and then interpret that somehow. But that seems much more complicated. Imo it makes sense to want to be able verify that WAL looks correct even transporting WAL using another method (say archiving) and thus using pg_basebackup's -Xnone. For the manifest to actually list what's required for the base backup doesn't seem redundant to me. Imo it makes the manifest file make a good bit more sense, since afterwards it actually describes the whole base backup. FWIW, pgBackRest stores the backup WAL stop/start in the manifest. To get this information after the backup is complete requires parsing the .backup file which doesn't get stored in the backup directory by pg_basebackup. As far as I know, this is only accessibly to solutions that implement archive_command. So, pgBackRest could do that but it seems far more trouble than it is worth. Regards, -- -David da...@pgmasters.net
Re: backup manifests
Hi, On 2020-03-30 15:23:08 -0400, Robert Haas wrote: > On Mon, Mar 30, 2020 at 2:59 PM Andres Freund wrote: > > I wonder if it'd not be best, independent of whether we build in this > > verification, to include that metadata in the manifest file. That's for > > sure better than having to build a separate tool to parse timeline > > history files. > > I don't think that's better, or at least not "for sure better". The > backup_label going to include the START TIMELINE, and if -Xfetch is > used, we're also going to have all the timeline history files. If the > backup manifest includes those same pieces of information, then we've > got two sources of truth: one copy in the files the server's actually > going to read, and another copy in the backup_manifest which we're > going to potentially use for validation but ignore at runtime. That > seems not great. The data in the backup label isn't sufficient though. Without having parsed the timeline file there's no way to verify that the correct WAL is present. I guess we can also add client side tools to parse timelines, add command the fetch all of the required files, and then interpret that somehow. But that seems much more complicated. Imo it makes sense to want to be able verify that WAL looks correct even transporting WAL using another method (say archiving) and thus using pg_basebackup's -Xnone. For the manifest to actually list what's required for the base backup doesn't seem redundant to me. Imo it makes the manifest file make a good bit more sense, since afterwards it actually describes the whole base backup. Taking the redundancy agreement a bit further you can argue that we don't need a list of relation files at all, since they're in the catalog :P. Obviously going to that extreme doesn't make all that much sense... But I do think it's a second source of truth that's independent of what the backends actually are going to read. Greetings, Andres Freund
Re: backup manifests
On Sun, Mar 29, 2020 at 9:05 PM David Steele wrote: > Yeah, that seems reasonable. > > In our case backups are nearly always compressed and/or encrypted so > even checking the original size is a bit of work. Getting the checksum > at the same time seems like an obvious win. Makes sense. If this even got extended so it could read from tar-files instead of the filesystem directly, we'd surely want to take the opposite approach and just make a single pass. I'm not sure whether it's worth doing that at some point in the future, but it might be. If we're going to add the capability to compress or encrypt backups to pg_basebackup, we might want to do that first, and then make this tool handle all of those formats in one go. (As always, I don't have the ability to control how arbitrary developers spend their development time... so this is just a thought.) -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests
On Mon, Mar 30, 2020 at 2:59 PM Andres Freund wrote: > I wonder if it'd not be best, independent of whether we build in this > verification, to include that metadata in the manifest file. That's for > sure better than having to build a separate tool to parse timeline > history files. I don't think that's better, or at least not "for sure better". The backup_label going to include the START TIMELINE, and if -Xfetch is used, we're also going to have all the timeline history files. If the backup manifest includes those same pieces of information, then we've got two sources of truth: one copy in the files the server's actually going to read, and another copy in the backup_manifest which we're going to potentially use for validation but ignore at runtime. That seems not great. > Btw, just in case somebody suggests it: I don't think it's possible to > compute the WAL checksums at this point. In stream mode WAL very well > might already have been removed. Right. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests
Hi, On 2020-03-30 15:04:55 -0400, Robert Haas wrote: > I guess I'd like to be clear here that I have no fundamental > disagreement with taking this tool in any direction that people would > like it to go. For me it's just a question of timing. Feature freeze > is now a week or so away, and nothing complicated is going to get done > in that time. If we can all agree on something simple based on > Andres's recent proposal, cool, but I'm not yet sure that will be the > case, so what's plan B? We could decide that what I have here is just > too little to be a viable facility on its own, but I think Stephen is > the only one taking that position. We could release it as > pg_validatemanifest with a plan to rename it if other backup-related > checks are added later. We could release it as pg_validatebackup with > the idea to avoid having to rename it when more backup-related checks > are added later, but with a greater possibility of confusion in the > meantime and no hard guarantee that anyone will actually develop such > checks. We could put it in to pg_checksums, but I think that's really > backing ourselves into a corner: if backup validation develops other > checks that are not checksum-related, what then? I'd much rather > gamble on keeping things together by topic (backup) than technology > used internally (checksum). Putting it into pg_basebackup is another > option, and would avoid that problem, but it's not my preferred > option, because as I noted before, I think the command-line options > will get confusing. I'm mildly inclined to name it pg_validate, pg_validate_dbdir or such. And eventually (definitely not this release) subsume pg_checksums in it. That way we can add other checkers too. I don't really see a point in ending up with lots of different commands over time. Partially because there's probably plenty checks where the overall cost can be drastically reduced by combining IO. Partially because there's probably plenty shareable infrastructure. And partially because I think it makes discovery for users a lot easier. Greetings, Andres Freund
Re: backup manifests
On Mon, Mar 30, 2020 at 2:24 AM Amit Kapila wrote: > > Between those two, I would use "pg_validatebackup" if there's a fair chance > > it > > will end up doing the pg_waldump check. Otherwise, I would use > > "pg_validatemanifest". > > +1. I guess I'd like to be clear here that I have no fundamental disagreement with taking this tool in any direction that people would like it to go. For me it's just a question of timing. Feature freeze is now a week or so away, and nothing complicated is going to get done in that time. If we can all agree on something simple based on Andres's recent proposal, cool, but I'm not yet sure that will be the case, so what's plan B? We could decide that what I have here is just too little to be a viable facility on its own, but I think Stephen is the only one taking that position. We could release it as pg_validatemanifest with a plan to rename it if other backup-related checks are added later. We could release it as pg_validatebackup with the idea to avoid having to rename it when more backup-related checks are added later, but with a greater possibility of confusion in the meantime and no hard guarantee that anyone will actually develop such checks. We could put it in to pg_checksums, but I think that's really backing ourselves into a corner: if backup validation develops other checks that are not checksum-related, what then? I'd much rather gamble on keeping things together by topic (backup) than technology used internally (checksum). Putting it into pg_basebackup is another option, and would avoid that problem, but it's not my preferred option, because as I noted before, I think the command-line options will get confusing. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: backup manifests
Hi,
On 2020-03-30 14:35:40 -0400, Robert Haas wrote:
> On Sun, Mar 29, 2020 at 10:08 PM Andres Freund wrote:
> > See the attached minimal prototype for what I am thinking of.
> >
> > This would not correctly handle the case where the timeline changes
> > while taking a base backup. But I'm not sure that'd be all that serious
> > a limitation for now?
> >
> > I'd personally not want to use a base backup that included a timeline
> > switch...
>
> Interesting concept. I've never (or almost never) used the -s and -e
> options to pg_waldump, so I didn't think about using those.
Oh - it's how I use it most of the time when investigating a specific
problem. I just about always use -s, and often -e. Besides just reducing
the logging output, and avoiding spurious errors, it makes it a lot
easier to iteratively expand the logging for records that are
problematic for the case at hand.
> I think
> having a --just-parse option to pg_waldump is a good idea, though
> maybe not with that name e.g. we could call it --quiet.
Yea, I didn't like the option's name. It's just the first thing that
came to mind.
> It is less obvious to me what to do about all that as it pertains to
> the current patch.
FWIW, I personally think we can live with this not validating WAL in the
first release. But I also think it'd be within reach to do better and
allow for WAL verification.
> If we want pg_validatebackup to run pg_waldump in that mode or print
> out a hint about how to run pg_waldump in that mode, it would need to
> obtain the relevant LSNs.
We could just include those in the manifest. Seems like good information
to have in there to me, as it allows to build the complete list of files
needed for a restore.
> It's not clear to me what we would do if the backup crosses a timeline
> switch, assuming that's even a case pg_basebackup allows.
I've not tested it, but it sure looks like it's possible. Both by having
a standby replaying from a node that promotes (multiple timeline
switches possible too, I think, if the WAL source follows timelines),
and by backing up from a standby that's being promoted.
> If we don't want to do anything in pg_validatebackup automatically but
> just want to document this as a a possible technique, we could finesse
> that problem with some weasel-wording.
It'd probably not be too hard to simply emit multiple commands, one for
each timeline "segment".
I wonder if it'd not be best, independent of whether we build in this
verification, to include that metadata in the manifest file. That's for
sure better than having to build a separate tool to parse timeline
history files.
I think it wouldn't be too hard to compute that information while taking
the base backup. We know the end timeline (ThisTimeLineID), so we can
just call readTimeLineHistory(ThisTimeLineID). Which should then allow
for something pretty trivial along the lines of
timelines = readTimeLineHistory(ThisTimeLineID);
last_start = InvalidXLogRecPtr;
foreach(lc, timelines)
{
TimeLineHistoryEntry *he = lfirst(lc);
if (he->end < startptr)
continue;
//
manifest_emit_wal_range(Min(he->begin, startptr), he->end);
last_start = he->end;
}
if (last_start == InvalidXlogRecPtr)
start = startptr;
else
start = last_start;
manifest_emit_wal_range(start, entptr);
Btw, just in case somebody suggests it: I don't think it's possible to
compute the WAL checksums at this point. In stream mode WAL very well
might already have been removed.
Greetings,
Andres Freund
