| blob | 637c0ce459766a3aaa24a9b0fd9468a60cb7244c |
1 /*-------------------------------------------------------------------------
2 *
3 * basebackup.c
4 * code for taking a base backup and streaming it to a standby
5 *
6 * Portions Copyright (c) 2010-2022, PostgreSQL Global Development Group
7 *
8 * IDENTIFICATION
9 * src/backend/replication/basebackup.c
10 *
11 *-------------------------------------------------------------------------
12 */
15 #include <sys/stat.h>
16 #include <unistd.h>
17 #include <time.h>
48 /*
49 * How much data do we want to send in one CopyData message? Note that
50 * this may also result in reading the underlying files in chunks of this
51 * size.
52 *
53 * NB: The buffer size is required to be a multiple of the system block
54 * size, so use that value instead if it's bigger than our preference.
55 */
56 #define SINK_BUFFER_LENGTH Max(32768, BLCKSZ)
59 {
65 uint32 maxrate;
70 backup_manifest_option manifest;
71 pg_compress_algorithm compression;
72 pg_compress_specification compression_specification;
73 pg_checksum_type manifest_checksum_type;
99 /* Was the backup currently in-progress initiated in recovery mode? */
102 /* Total number of checksum failures during base backup. */
105 /* Do not verify checksums. */
108 /*
109 * Definition of one element part of an exclusion list, used for paths part
110 * of checksum validation or base backups. "name" is the name of the file
111 * or path to check for exclusion. If "match_prefix" is true, any items
112 * matching the name as prefix are excluded.
113 */
114 struct exclude_list_item
115 {
118 };
120 /*
121 * The contents of these directories are removed or recreated during server
122 * start so they are not included in backups. The directories themselves are
123 * kept and included as empty to preserve access permissions.
124 *
125 * Note: this list should be kept in sync with the filter lists in pg_rewind's
126 * filemap.c.
127 */
129 {
130 /*
131 * Skip temporary statistics files. PG_STAT_TMP_DIR must be skipped
132 * because extensions like pg_stat_statements store data there.
133 */
134 PG_STAT_TMP_DIR,
136 /*
137 * It is generally not useful to backup the contents of this directory
138 * even if the intention is to restore to another primary. See backup.sgml
139 * for a more detailed description.
140 */
143 /* Contents removed on startup, see dsm_cleanup_for_mmap(). */
144 PG_DYNSHMEM_DIR,
146 /* Contents removed on startup, see AsyncShmemInit(). */
149 /*
150 * Old contents are loaded for possible debugging but are not required for
151 * normal operation, see SerialInit().
152 */
155 /* Contents removed on startup, see DeleteAllExportedSnapshotFiles(). */
158 /* Contents zeroed on startup, see StartupSUBTRANS(). */
161 /* end of list */
162 NULL
163 };
165 /*
166 * List of files excluded from backups.
167 */
169 {
170 /* Skip auto conf temporary file. */
173 /* Skip current log file temporary file */
176 /*
177 * Skip relation cache because it is rebuilt on startup. This includes
178 * temporary files.
179 */
182 /*
183 * backup_label and tablespace_map should not exist in a running cluster
184 * capable of doing an online backup, but exclude them just in case.
185 */
189 /*
190 * If there's a backup_manifest, it belongs to a backup that was used to
191 * start this server. It is *not* correct for this backup. Our
192 * backup_manifest is injected into the backup separately if users want
193 * it.
194 */
200 /* end of list */
202 };
204 /*
205 * List of files excluded from checksum validation.
206 *
207 * Note: this list should be kept in sync with what pg_checksums.c
208 * includes.
209 */
215 #ifdef EXEC_BACKEND
217 #endif
219 };
221 /*
222 * Actually do a base backup for the specified tablespaces.
223 *
224 * This is split out mainly to avoid complaints about "variable might be
225 * clobbered by longjmp" from stupider versions of gcc.
226 */
227 static void
229 {
230 bbsink_state state;
231 XLogRecPtr endptr;
232 TimeLineID endtli;
233 StringInfo labelfile;
234 StringInfo tblspc_map_file;
235 backup_manifest_info manifest;
237 /* Initial backup state, insofar as we know it now. */
244 /* we're going to use a BufFile, so we need a ResourceOwner */
261 tblspc_map_file);
263 /*
264 * Once do_pg_backup_start has been called, ensure that any failure causes
265 * us to abort the backup so we don't "leak" a backup counter. For this
266 * reason, *all* functionality between do_pg_backup_start() and the end of
267 * do_pg_backup_stop() should be inside the error cleanup block!
268 */
271 {
275 /* Add a node for the base directory at the end */
280 /*
281 * Calculate the total backup size by summing up the size of each
282 * tablespace
283 */
285 {
289 {
295 else
297 NULL);
299 }
301 }
303 /* notify basebackup sink about start of backup */
306 /* Send off our tablespaces one by one */
308 {
312 {
318 /* In the main tar, include the backup_label first... */
322 /* Then the tablespace_map file, if required... */
324 {
328 }
330 /* Then the bulk of the files... */
334 /* ... and pg_control after everything else. */
339 XLOG_CONTROL_FILE)));
342 }
343 else
344 {
350 }
352 /*
353 * If we're including WAL, and this is the main data directory we
354 * don't treat this as the end of the tablespace. Instead, we will
355 * include the xlog files below and stop afterwards. This is safe
356 * since the main data directory is always sent *last*.
357 */
359 {
361 }
362 else
363 {
364 /* Properly terminate the tarfile. */
370 /* OK, that's the end of the archive. */
372 }
373 }
377 }
382 {
383 /*
384 * We've left the last tar file "open", so we can now append the
385 * required WAL files to it.
386 */
388 XLogSegNo segno;
389 XLogSegNo startsegno;
390 XLogSegNo endsegno;
399 TimeLineID tli;
403 /*
404 * I'd rather not worry about timelines here, so scan pg_wal and
405 * include all WAL files in the range between 'startptr' and 'endptr',
406 * regardless of the timeline the file is stamped with. If there are
407 * some spurious WAL files belonging to timelines that don't belong in
408 * this server's history, they will be included too. Normally there
409 * shouldn't be such files, but if there are, there's little harm in
410 * including them.
411 */
419 {
420 /* Does it look like a WAL segment, and is it in the range? */
424 {
426 }
427 /* Does it look like a timeline history file? */
429 {
431 }
432 }
435 /*
436 * Before we go any further, check that none of the WAL segments we
437 * need were removed.
438 */
441 /*
442 * Sort the WAL filenames. We want to send the files in order from
443 * oldest to newest, to reduce the chance that a file is recycled
444 * before we get a chance to send it over.
445 */
448 /*
449 * There must be at least one xlog file in the pg_wal directory, since
450 * we are doing backup-including-xlog.
451 */
456 /*
457 * Sanity check: the first and last segment should cover startptr and
458 * endptr, with no gaps in between.
459 */
463 {
467 wal_segment_size);
470 }
472 {
479 {
485 }
486 }
488 {
494 }
496 /* Ok, we have everything we need. Send the WAL files. */
498 {
509 {
512 /*
513 * Most likely reason for this is that the file was already
514 * removed by a checkpoint, so check for that to get a better
515 * error message.
516 */
523 }
529 pathbuf)));
531 {
536 }
538 /* send the WAL file itself */
545 {
553 }
556 {
561 }
563 /*
564 * wal_segment_size is a multiple of TAR_BLOCK_SIZE, so no need
565 * for padding.
566 */
571 /*
572 * Mark file as archived, otherwise files can get archived again
573 * after promotion of a new node. This is in line with
574 * walreceiver.c always doing an XLogArchiveForceDone() after a
575 * complete segment.
576 */
579 }
581 /*
582 * Send timeline history files too. Only the latest timeline history
583 * file is required for recovery, and even that only if there happens
584 * to be a timeline switch in the first WAL segment that contains the
585 * checkpoint record, or if we're taking a base backup from a standby
586 * server and the target timeline changes while the backup is taken.
587 * But they are small and highly useful for debugging purposes, so
588 * better include them all, always.
589 */
591 {
604 /* unconditionally mark file as archived */
607 }
609 /* Properly terminate the tar file. */
615 /* OK, that's the end of the archive. */
617 }
627 {
632 total_checksum_failures,
633 total_checksum_failures)));
638 }
640 /*
641 * Make sure to free the manifest before the resource owners as manifests
642 * use cryptohash contexts that may depend on resource owners (like
643 * OpenSSL).
644 */
647 /* clean up the resource owner we created */
651 }
653 /*
654 * list_sort comparison function, to compare log/seg portion of WAL segment
655 * filenames, ignoring the timeline portion.
656 */
657 static int
659 {
664 }
666 /*
667 * Parse the base backup options passed down by the parser
668 */
669 static void
671 {
698 {
702 {
709 }
711 {
718 }
720 {
731 else
735 optval)));
737 }
739 {
746 }
748 {
755 }
757 {
758 int64 maxrate;
774 }
776 {
783 }
785 {
792 }
794 {
803 {
806 else
808 }
811 else
815 optval)));
817 }
819 {
831 optval)));
833 }
835 {
842 }
844 {
853 }
855 {
866 optval)));
868 }
870 {
877 }
878 else
883 }
888 {
894 }
897 {
904 }
906 {
911 target_str)));
913 }
914 else
924 {
929 error_detail =
935 error_detail));
936 }
937 }
940 /*
941 * SendBaseBackup() - send a complete base backup.
942 *
943 * The function will put the system into backup mode like pg_backup_start()
944 * does, so that the backup is consistent even though we read directly from
945 * the filesystem, bypassing the buffer cache.
946 */
947 void
949 {
950 basebackup_options opt;
964 {
970 }
972 /*
973 * If the target is specifically 'client' then set up to stream the backup
974 * to the client; otherwise, it's being sent someplace else and should not
975 * be sent to the client. BaseBackupGetSink has the job of setting up a
976 * sink to send the backup data wherever it needs to go.
977 */
982 /* Set up network throttling, if client requested it */
986 /* Set up server-side compression, if client requested it */
994 /* Set up progress reporting. */
997 /*
998 * Perform the base backup, but make sure we clean up the bbsink even if
999 * an error occurs.
1000 */
1002 {
1004 }
1006 {
1008 }
1010 }
1012 /*
1013 * Inject a file with given name and content in the output tar stream.
1014 */
1015 static void
1018 {
1021 len;
1022 pg_checksum_context checksum_ctx;
1026 filename);
1030 /*
1031 * Construct a stat struct for the backup_label file we're injecting in
1032 * the tar.
1033 */
1034 /* Windows doesn't have the concept of uid and gid */
1035 #ifdef WIN32
1038 #else
1041 #endif
1050 filename);
1053 {
1060 }
1066 }
1068 /*
1069 * Include the tablespace directory pointed to by 'path' in the output tar
1070 * stream. If 'sizeonly' is true, we just calculate a total length and return
1071 * it, without actually sending anything.
1072 *
1073 * Only used to send auxiliary tablespaces, not PGDATA.
1074 */
1075 static int64
1078 {
1079 int64 size;
1083 /*
1084 * 'path' points to the tablespace location, but we only want to include
1085 * the version directory in it that belongs to us.
1086 */
1088 TABLESPACE_VERSION_DIRECTORY);
1090 /*
1091 * Store a directory entry in the tar file so we get the permissions
1092 * right.
1093 */
1095 {
1100 pathbuf)));
1102 /* If the tablespace went away while scanning, it's no error. */
1104 }
1107 sizeonly);
1109 /* Send all the files in the tablespace version directory */
1111 spcoid);
1114 }
1116 /*
1117 * Include all files from the given directory in the output tar stream. If
1118 * 'sizeonly' is true, we just calculate a total length and return it, without
1119 * actually sending anything.
1120 *
1121 * Omit any directory in the tablespaces list, to avoid backing up
1122 * tablespaces twice when they were created inside PGDATA.
1123 *
1124 * If sendtblspclinks is true, we need to include symlink
1125 * information in the tar file. If not, we can skip that
1126 * as it will be sent separately in the tablespace_map file.
1127 */
1128 static int64
1132 {
1141 /*
1142 * Determine if the current path is a database directory that can contain
1143 * relations.
1144 *
1145 * Start by finding the location of the delimiter between the parent path
1146 * and the current path.
1147 */
1150 /* Does this path look like a database path (i.e. all digits)? */
1153 {
1154 /* Part of path that contains the parent directory. */
1157 /*
1158 * Mark path as a database directory if the parent path is either
1159 * $PGDATA/base or a tablespace version path.
1160 */
1164 TABLESPACE_VERSION_DIRECTORY,
1167 }
1171 {
1177 /* Skip special stuff */
1181 /* Skip temporary files */
1183 PG_TEMP_FILE_PREFIX,
1187 /*
1188 * Check if the postmaster has signaled us to exit, and abort with an
1189 * error in that case. The error handler further up will call
1190 * do_pg_abort_backup() for us. Also check that if the backup was
1191 * started while still in recovery, the server wasn't promoted.
1192 * do_pg_backup_stop() will check that too, but it's better to stop
1193 * the backup early than continue to the end and fail there.
1194 */
1201 "and should not be used. "
1204 /* Scan for files that should be excluded */
1207 {
1211 cmplen++;
1213 {
1217 }
1218 }
1223 /* Exclude all forks for unlogged tables except the init fork */
1227 {
1228 /* Never exclude init forks */
1230 {
1234 /*
1235 * If any other type of fork, check if there is an init fork
1236 * with the same OID. If so, the file can be excluded.
1237 */
1244 {
1250 }
1251 }
1252 }
1254 /* Exclude temporary relations */
1256 {
1262 }
1266 /* Skip pg_control here to back up it last */
1271 {
1276 pathbuf)));
1278 /* If the file went away while scanning, it's not an error. */
1280 }
1282 /* Scan for directories whose contents should be excluded */
1285 {
1287 {
1294 }
1295 }
1300 /*
1301 * We can skip pg_wal, the WAL segments need to be fetched from the
1302 * WAL archive anyway. But include it as an empty directory anyway, so
1303 * we get permissions right.
1304 */
1306 {
1307 /* If pg_wal is a symlink, write it as a directory anyway */
1312 /*
1313 * Also send archive_status directory (by hackishly reusing
1314 * statbuf from above ...).
1315 */
1320 }
1322 /* Allow symbolic links in pg_tblspc only */
1324 #ifndef WIN32
1326 #else
1328 #endif
1329 )
1330 {
1331 #if defined(HAVE_READLINK) || defined(WIN32)
1340 pathbuf)));
1345 pathbuf)));
1350 #else
1352 /*
1353 * If the platform does not have symbolic links, it should not be
1354 * possible to have tablespaces - clearly somebody else created
1355 * them. Warn about it and ignore.
1356 */
1362 }
1364 {
1368 /*
1369 * Store a directory entry in the tar file so we can get the
1370 * permissions right.
1371 */
1373 sizeonly);
1375 /*
1376 * Call ourselves recursively for a directory, unless it happens
1377 * to be a separate tablespace located within PGDATA.
1378 */
1380 {
1383 /*
1384 * ti->rpath is the tablespace relative path within PGDATA, or
1385 * NULL if the tablespace has been properly located somewhere
1386 * else.
1387 *
1388 * Skip past the leading "./" in pathbuf when comparing.
1389 */
1391 {
1394 }
1395 }
1397 /*
1398 * skip sending directories inside pg_tblspc, if not required.
1399 */
1406 }
1408 {
1417 {
1418 /* Add size. */
1421 /* Pad to a multiple of the tar block size. */
1424 /* Size of the header for the file. */
1426 }
1427 }
1428 else
1431 }
1434 }
1436 /*
1437 * Check if a file should have its checksum validated.
1438 * We validate checksums on files in regular tablespaces
1439 * (including global and default) only, and in those there
1440 * are some files that are explicitly excluded.
1441 */
1442 static bool
1444 {
1445 /* Check that the file is in a tablespace */
1449 {
1452 /* Compare file against noChecksumFiles skip list */
1454 {
1458 cmplen++;
1462 }
1465 }
1466 else
1468 }
1470 /*****
1471 * Functions for handling tar file format
1472 *
1473 * Copied from pg_dump, but modified to work with libpq for sending
1474 */
1477 /*
1478 * Given the member, write the TAR header & send the file.
1479 *
1480 * If 'missing_ok' is true, will not throw an error if the file is not found.
1481 *
1482 * If dboid is anything other than InvalidOid then any checksum failures
1483 * detected will get reported to the cumulative stats system.
1484 *
1485 * Returns true if the file was successfully sent, false if 'missing_ok',
1486 * and the file did not exist.
1487 */
1488 static bool
1492 {
1496 uint16 checksum;
1498 off_t cnt;
1502 PageHeader phdr;
1506 pg_checksum_context checksum_ctx;
1510 readfilename);
1514 {
1520 }
1525 {
1528 /*
1529 * Get the filename (excluding path). As last_dir_separator()
1530 * includes the last directory separator, we chop that off by
1531 * incrementing the pointer.
1532 */
1536 {
1539 /*
1540 * Cut off at the segment boundary (".") to get the segment number
1541 * in order to mix it into the checksum.
1542 */
1545 {
1551 }
1552 }
1553 }
1555 /*
1556 * Loop until we read the amount of data the caller told us to expect. The
1557 * file could be longer, if it was extended while we were sending it, but
1558 * for a base backup we can ignore such extended data. It will be restored
1559 * from WAL.
1560 */
1562 {
1565 /* Try to read some more data. */
1570 /*
1571 * If we hit end-of-file, a concurrent truncation must have occurred.
1572 * That's not an error condition, because WAL replay will fix things
1573 * up.
1574 */
1578 /*
1579 * The checksums are verified at block level, so we iterate over the
1580 * buffer in chunks of BLCKSZ, after making sure that
1581 * TAR_SEND_SIZE/buf is divisible by BLCKSZ and we read a multiple of
1582 * BLCKSZ bytes.
1583 */
1587 {
1590 "%u: read buffer size %d and page size %d "
1594 }
1597 {
1599 {
1602 /*
1603 * Only check pages which have not been modified since the
1604 * start of the base backup. Otherwise, they might have been
1605 * written only halfway and the checksum would not be valid.
1606 * However, replaying WAL would reinstate the correct page in
1607 * this case. We also skip completely new pages, since they
1608 * don't have a checksum yet.
1609 */
1611 {
1615 {
1616 /*
1617 * Retry the block on the first failure. It's
1618 * possible that we read the first 4K page of the
1619 * block just before postgres updated the entire block
1620 * so it ends up looking torn to us. We only need to
1621 * retry once because the LSN should be updated to
1622 * something we can ignore on the next pass. If the
1623 * error happens again then it is a true validation
1624 * failure.
1625 */
1627 {
1630 /* Reread the failed block */
1631 reread_cnt =
1635 readfilename,
1638 {
1639 /*
1640 * If we hit end-of-file, a concurrent
1641 * truncation must have occurred, so break out
1642 * of this loop just as if the initial fread()
1643 * returned 0. We'll drop through to the same
1644 * code that handles that case. (We must fix
1645 * up cnt first, though.)
1646 */
1649 }
1651 /* Set flag so we know a retry was attempted */
1654 /* Reset loop to validate the block again */
1655 i--;
1657 }
1659 checksum_failures++;
1673 }
1674 }
1676 blkno++;
1677 }
1678 }
1682 /* Also feed it to the checksum machinery. */
1688 }
1690 /* If the file was truncated while we were sending it, pad it with zeros */
1692 {
1703 }
1705 /*
1706 * Pad to a block boundary, per tar format requirements. (This small piece
1707 * of data is probably not worth throttling, and is not checksummed
1708 * because it's not actually part of the file.)
1709 */
1715 {
1719 checksum_failures,
1723 }
1731 }
1733 static int64
1736 {
1740 {
1741 /*
1742 * As of this writing, the smallest supported block size is 1kB, which
1743 * is twice TAR_BLOCK_SIZE. Since the buffer size is required to be a
1744 * multiple of BLCKSZ, it should be safe to assume that the buffer is
1745 * large enough to fit an entire tar block. We double-check by means
1746 * of these assertions.
1747 */
1758 {
1764 filename)));
1774 }
1777 }
1780 }
1782 /*
1783 * Pad with zero bytes out to a multiple of TAR_BLOCK_SIZE.
1784 */
1785 static void
1787 {
1790 /*
1791 * As in _tarWriteHeader, it should be safe to assume that the buffer is
1792 * large enough that we don't need to do this in multiple chunks.
1793 */
1798 {
1801 }
1802 }
1804 /*
1805 * If the entry in statbuf is a link, then adjust statbuf to make it look like a
1806 * directory, so that it will be written that way.
1807 */
1808 static void
1810 {
1811 /* If symlink, write it as a directory anyway */
1812 #ifndef WIN32
1814 #else
1816 #endif
1818 }
1820 /*
1821 * Read some data from a file, setting a wait event and reporting any error
1822 * encountered.
1823 *
1824 * If partial_read_ok is false, also report an error if the number of bytes
1825 * read is not equal to the number of bytes requested.
1826 *
1827 * Returns the number of bytes read.
1828 */
1829 static int
1832 {
1850 }