| blob | 1ef1713c91a4978e851335abaa16346d2276a278 |
1 /*-------------------------------------------------------------------------
2 *
3 * xlogarchive.c
4 * Functions for archiving WAL files and restoring from the archive.
5 *
6 *
7 * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
8 * Portions Copyright (c) 1994, Regents of the University of California
9 *
10 * src/backend/access/transam/xlogarchive.c
11 *
12 *-------------------------------------------------------------------------
13 */
17 #include <sys/stat.h>
18 #include <sys/wait.h>
19 #include <signal.h>
20 #include <unistd.h>
35 /*
36 * Attempt to retrieve the specified file from off-line archival storage.
37 * If successful, fill "path" with its complete path (note that this will be
38 * a temp file name that doesn't follow the normal naming convention), and
39 * return true.
40 *
41 * If not successful, fill "path" with the name of the normal on-line file
42 * (which may or may not actually exist, but we'll try to use it), and return
43 * false.
44 *
45 * For fixed-size files, the caller may pass the expected size as an
46 * additional crosscheck on successful recovery. If the file size is not
47 * known, set expectedSize = 0.
48 *
49 * When 'cleanupEnabled' is false, refrain from deleting any old WAL segments
50 * in the archive. This is used when fetching the initial checkpoint record,
51 * when we are not yet sure how far back we need the WAL.
52 */
53 bool
57 {
63 XLogSegNo restartSegNo;
64 XLogRecPtr restartRedoPtr;
65 TimeLineID restartTli;
67 /*
68 * Ignore restore_command when not in archive recovery (meaning we are in
69 * crash recovery).
70 */
74 /* In standby mode, restore_command might not be supplied */
78 /*
79 * When doing archive recovery, we always prefer an archived log file even
80 * if a file of the same name exists in XLOGDIR. The reason is that the
81 * file in XLOGDIR could be an old, un-filled or partly-filled version
82 * that was copied and restored as part of backing up $PGDATA.
83 *
84 * We could try to optimize this slightly by checking the local copy
85 * lastchange timestamp against the archived copy, but we have no API to
86 * do this, nor can we guarantee that the lastchange timestamp was
87 * preserved correctly when we copied to archive. Our aim is robustness,
88 * so we elect not to do this.
89 *
90 * If we cannot obtain the log file from the archive, however, we will try
91 * to use the XLOGDIR file if it exists. This is so that we can make use
92 * of log segments that weren't yet transferred to the archive.
93 *
94 * Notice that we don't actually overwrite any files when we copy back
95 * from archive because the restore_command may inadvertently restore
96 * inappropriate xlogs, or they may be corrupt, so we may wish to fallback
97 * to the segments remaining in current XLOGDIR later. The
98 * copy-from-archive filename is always the same, ensuring that we don't
99 * run out of disk space on long recoveries.
100 */
103 /*
104 * Make sure there is no existing file named recovername.
105 */
107 {
112 xlogpath)));
113 }
114 else
115 {
120 xlogpath)));
121 }
123 /*
124 * Calculate the archive file cutoff point for use during log shipping
125 * replication. All files earlier than this point can be deleted from the
126 * archive, though there is no requirement to do so.
127 *
128 * If cleanup is not enabled, initialise this with the filename of
129 * InvalidXLogRecPtr, which will prevent the deletion of any WAL files
130 * from the archive because of the alphabetic sorting property of WAL
131 * filenames.
132 *
133 * Once we have successfully located the redo pointer of the checkpoint
134 * from which we start recovery we never request a file prior to the redo
135 * pointer of the last restartpoint. When redo begins we know that we have
136 * successfully located it, so there is no need for additional status
137 * flags to signify the point when we can begin deleting WAL files from
138 * the archive.
139 */
141 {
145 wal_segment_size);
146 /* we shouldn't need anything earlier than last restart point */
148 }
149 else
152 /* Build the restore command to execute */
155 lastRestartPointFname);
159 xlogRestoreCmd)));
164 /*
165 * PreRestoreCommand() informs the SIGTERM handler for the startup process
166 * that it should proc_exit() right away. This is done for the duration
167 * of the system() call because there isn't a good way to break out while
168 * it is executing. Since we might call proc_exit() in a signal handler,
169 * it is best to put any additional logic before or after the
170 * PreRestoreCommand()/PostRestoreCommand() section.
171 */
174 /*
175 * Copy xlog from archival storage to XLOGDIR
176 */
185 {
186 /*
187 * command apparently succeeded, but let's make sure the file is
188 * really there now and has the correct size.
189 */
191 {
193 {
196 /*
197 * If we find a partial file in standby mode, we assume it's
198 * because it's just being copied to the archive, and keep
199 * trying.
200 *
201 * Otherwise treat a wrong-sized file as FATAL to ensure the
202 * DBA would notice it, but is that too strong? We could try
203 * to plow ahead with a local copy of the file ... but the
204 * problem is that there probably isn't one, and we'd
205 * incorrectly conclude we've reached the end of WAL and we're
206 * done recovering ...
207 */
210 else
214 xlogfname,
218 }
219 else
220 {
223 xlogfname)));
226 }
227 }
228 else
229 {
230 /* stat failed */
237 }
238 }
240 /*
241 * Remember, we rollforward UNTIL the restore fails so failure here is
242 * just part of the process... that makes it difficult to determine
243 * whether the restore failed because there isn't an archive to restore,
244 * or because the administrator has specified the restore program
245 * incorrectly. We have to assume the former.
246 *
247 * However, if the failure was due to any sort of signal, it's best to
248 * punt and abort recovery. (If we "return false" here, upper levels will
249 * assume that recovery is complete and start up the database!) It's
250 * essential to abort on child SIGINT and SIGQUIT, because per spec
251 * system() ignores SIGINT and SIGQUIT while waiting; if we see one of
252 * those it's a good bet we should have gotten it too.
253 *
254 * On SIGTERM, assume we have received a fast shutdown request, and exit
255 * cleanly. It's pure chance whether we receive the SIGTERM first, or the
256 * child process. If we receive it first, the signal handler will call
257 * proc_exit, otherwise we do it here. If we or the child process received
258 * SIGTERM for any other reason than a fast shutdown request, postmaster
259 * will perform an immediate shutdown when it sees us exiting
260 * unexpectedly.
261 *
262 * We treat hard shell errors such as "command not found" as fatal, too.
263 */
271 not_available:
273 /*
274 * if an archived file is not available, there might still be a version of
275 * this file in XLOGDIR, so return that as the filename to open.
276 *
277 * In many recovery scenarios we expect this to fail also, but if so that
278 * just means we've reached the end of WAL.
279 */
282 }
284 /*
285 * Attempt to execute an external shell command during recovery.
286 *
287 * 'command' is the shell command to be executed, 'commandName' is a
288 * human-readable name describing the command emitted in the logs. If
289 * 'failOnSignal' is true and the command is killed by a signal, a FATAL
290 * error is thrown. Otherwise a WARNING is emitted.
291 *
292 * This is currently used for recovery_end_command and archive_cleanup_command.
293 */
294 void
297 {
301 XLogSegNo restartSegNo;
302 XLogRecPtr restartRedoPtr;
303 TimeLineID restartTli;
307 /*
308 * Calculate the archive file cutoff point for use during log shipping
309 * replication. All files earlier than this point can be deleted from the
310 * archive, though there is no requirement to do so.
311 */
315 wal_segment_size);
317 /*
318 * construct the command to be executed
319 */
320 xlogRecoveryCmd = replace_percent_placeholders(command, commandName, "r", lastRestartPointFname);
325 /*
326 * execute the constructed command
327 */
336 {
337 /*
338 * If the failure was due to any sort of signal, it's best to punt and
339 * abort recovery. See comments in RestoreArchivedFile().
340 */
342 /*------
343 translator: First %s represents a postgresql.conf parameter name like
344 "recovery_end_command", the 2nd is the value of that parameter, the
345 third an already translated error message. */
348 }
349 }
352 /*
353 * A file was restored from the archive under a temporary filename (path),
354 * and now we want to keep it. Rename it under the permanent filename in
355 * pg_wal (xlogfname), replacing any existing file with the same name.
356 */
357 void
359 {
367 {
370 #ifdef WIN32
373 /*
374 * On Windows, if another process (e.g a walsender process) holds the
375 * file open in FILE_SHARE_DELETE mode, unlink will succeed, but the
376 * file will still show up in directory listing until the last handle
377 * is closed, and we cannot rename the new file in its place until
378 * that. To avoid that problem, rename the old file to a temporary
379 * name first. Use a counter to create a unique filename, because the
380 * same file might be restored from the archive multiple times, and a
381 * walsender could still be holding onto an old deleted version of it.
382 */
386 {
391 }
392 #else
393 /* same-size buffers, so this never truncates */
395 #endif
400 xlogfpath)));
402 }
406 /*
407 * Create .done file forcibly to prevent the restored segment from being
408 * archived again later.
409 */
412 else
415 /*
416 * If the existing file was replaced, since walsenders might have it open,
417 * request them to reload a currently-open segment. This is only required
418 * for WAL segments, walsenders don't hold other files open, but there's
419 * no harm in doing this too often, and we don't know what kind of a file
420 * we're dealing with here.
421 */
425 /*
426 * Signal walsender that new WAL has arrived. Again, this isn't necessary
427 * if we restored something other than a WAL segment, but it does no harm
428 * either.
429 */
431 }
433 /*
434 * XLogArchiveNotify
435 *
436 * Create an archive notification file
437 *
438 * The name of the notification file is the message that will be picked up
439 * by the archiver, e.g. we write 0000000100000001000000C6.ready
440 * and the archiver then knows to archive XLOGDIR/0000000100000001000000C6,
441 * then when complete, rename it to 0000000100000001000000C6.done
442 */
443 void
445 {
449 /* insert an otherwise empty file called <XLOG>.ready */
453 {
457 archiveStatusPath)));
459 }
461 {
465 archiveStatusPath)));
467 }
469 /*
470 * Timeline history files are given the highest archival priority to lower
471 * the chance that a promoted standby will choose a timeline that is
472 * already in use. However, the archiver ordinarily tries to gather
473 * multiple files to archive from each scan of the archive_status
474 * directory, which means that newly created timeline history files could
475 * be left unarchived for a while. To ensure that the archiver picks up
476 * timeline history files as soon as possible, we force the archiver to
477 * scan the archive_status directory the next time it looks for a file to
478 * archive.
479 */
483 /* Notify archiver that it's got something to do */
486 }
488 /*
489 * Convenience routine to notify using segment number representation of filename
490 */
491 void
493 {
500 }
502 /*
503 * XLogArchiveForceDone
504 *
505 * Emit notification forcibly that an XLOG segment file has been successfully
506 * archived, by creating <XLOG>.done regardless of whether <XLOG>.ready
507 * exists or not.
508 */
509 void
511 {
517 /* Exit if already known done */
522 /* If .ready exists, rename it to .done */
525 {
528 }
530 /* insert an otherwise empty file called <XLOG>.done */
533 {
537 archiveDone)));
539 }
541 {
545 archiveDone)));
547 }
548 }
550 /*
551 * XLogArchiveCheckDone
552 *
553 * This is called when we are ready to delete or recycle an old XLOG segment
554 * file or backup history file. If it is okay to delete it then return true.
555 * If it is not time to delete it, make sure a .ready file exists, and return
556 * false.
557 *
558 * If <XLOG>.done exists, then return true; else if <XLOG>.ready exists,
559 * then return false; else create <XLOG>.ready and return false.
560 *
561 * The reason we do things this way is so that if the original attempt to
562 * create <XLOG>.ready fails, we'll retry during subsequent checkpoints.
563 */
564 bool
566 {
570 /* The file is always deletable if archive_mode is "off". */
574 /*
575 * During archive recovery, the file is deletable if archive_mode is not
576 * "always".
577 */
582 /*
583 * At this point of the logic, note that we are either a primary with
584 * archive_mode set to "on" or "always", or a standby with archive_mode
585 * set to "always".
586 */
588 /* First check for .done --- this means archiver is done with it */
593 /* check for .ready --- this means archiver is still busy with it */
598 /* Race condition --- maybe archiver just finished, so recheck */
603 /* Retry creation of the .ready file */
606 }
608 /*
609 * XLogArchiveIsBusy
610 *
611 * Check to see if an XLOG segment file is still unarchived.
612 * This is almost but not quite the inverse of XLogArchiveCheckDone: in
613 * the first place we aren't chartered to recreate the .ready file, and
614 * in the second place we should consider that if the file is already gone
615 * then it's not busy. (This check is needed to handle the race condition
616 * that a checkpoint already deleted the no-longer-needed file.)
617 */
618 bool
620 {
624 /* First check for .done --- this means archiver is done with it */
629 /* check for .ready --- this means archiver is still busy with it */
634 /* Race condition --- maybe archiver just finished, so recheck */
639 /*
640 * Check to see if the WAL file has been removed by checkpoint, which
641 * implies it has already been archived, and explains why we can't see a
642 * status file for it.
643 */
650 }
652 /*
653 * XLogArchiveIsReadyOrDone
654 *
655 * Check to see if an XLOG segment file has a .ready or .done file.
656 * This is similar to XLogArchiveIsBusy(), but returns true if the file
657 * is already archived or is about to be archived.
658 *
659 * This is currently only used at recovery. During normal operation this
660 * would be racy: the file might get removed or marked with .ready as we're
661 * checking it, or immediately after we return.
662 */
663 bool
665 {
669 /* First check for .done --- this means archiver is done with it */
674 /* check for .ready --- this means archiver is still busy with it */
679 /* Race condition --- maybe archiver just finished, so recheck */
685 }
687 /*
688 * XLogArchiveIsReady
689 *
690 * Check to see if an XLOG segment file has an archive notification (.ready)
691 * file.
692 */
693 bool
695 {
704 }
706 /*
707 * XLogArchiveCleanup
708 *
709 * Cleanup archive notification file(s) for a particular xlog segment
710 */
711 void
713 {
716 /* Remove the .done file */
719 /* should we complain about failure? */
721 /* Remove the .ready file if present --- normally it shouldn't be */
724 /* should we complain about failure? */
725 }