| blob | 4b89addf9762d2d9b39de80909e297f4a6a8c572 |
1 /*-------------------------------------------------------------------------
2 *
3 * xlogarchive.c
4 * Functions for archiving WAL files and restoring from the archive.
5 *
6 *
7 * Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
8 * Portions Copyright (c) 1994, Regents of the University of California
9 *
10 * src/backend/access/transam/xlogarchive.c
11 *
12 *-------------------------------------------------------------------------
13 */
17 #include <sys/stat.h>
18 #include <sys/wait.h>
19 #include <signal.h>
20 #include <unistd.h>
34 /*
35 * Attempt to retrieve the specified file from off-line archival storage.
36 * If successful, fill "path" with its complete path (note that this will be
37 * a temp file name that doesn't follow the normal naming convention), and
38 * return true.
39 *
40 * If not successful, fill "path" with the name of the normal on-line file
41 * (which may or may not actually exist, but we'll try to use it), and return
42 * false.
43 *
44 * For fixed-size files, the caller may pass the expected size as an
45 * additional crosscheck on successful recovery. If the file size is not
46 * known, set expectedSize = 0.
47 *
48 * When 'cleanupEnabled' is false, refrain from deleting any old WAL segments
49 * in the archive. This is used when fetching the initial checkpoint record,
50 * when we are not yet sure how far back we need the WAL.
51 */
52 bool
56 {
61 XLogSegNo restartSegNo;
62 XLogRecPtr restartRedoPtr;
63 TimeLineID restartTli;
65 /*
66 * Ignore restore_command when not in archive recovery (meaning we are in
67 * crash recovery).
68 */
72 /* In standby mode, restore_command might not be supplied */
76 /*
77 * When doing archive recovery, we always prefer an archived log file even
78 * if a file of the same name exists in XLOGDIR. The reason is that the
79 * file in XLOGDIR could be an old, un-filled or partly-filled version
80 * that was copied and restored as part of backing up $PGDATA.
81 *
82 * We could try to optimize this slightly by checking the local copy
83 * lastchange timestamp against the archived copy, but we have no API to
84 * do this, nor can we guarantee that the lastchange timestamp was
85 * preserved correctly when we copied to archive. Our aim is robustness,
86 * so we elect not to do this.
87 *
88 * If we cannot obtain the log file from the archive, however, we will try
89 * to use the XLOGDIR file if it exists. This is so that we can make use
90 * of log segments that weren't yet transferred to the archive.
91 *
92 * Notice that we don't actually overwrite any files when we copy back
93 * from archive because the restore_command may inadvertently restore
94 * inappropriate xlogs, or they may be corrupt, so we may wish to fallback
95 * to the segments remaining in current XLOGDIR later. The
96 * copy-from-archive filename is always the same, ensuring that we don't
97 * run out of disk space on long recoveries.
98 */
101 /*
102 * Make sure there is no existing file named recovername.
103 */
105 {
110 xlogpath)));
111 }
112 else
113 {
118 xlogpath)));
119 }
121 /*
122 * Calculate the archive file cutoff point for use during log shipping
123 * replication. All files earlier than this point can be deleted from the
124 * archive, though there is no requirement to do so.
125 *
126 * If cleanup is not enabled, initialise this with the filename of
127 * InvalidXLogRecPtr, which will prevent the deletion of any WAL files
128 * from the archive because of the alphabetic sorting property of WAL
129 * filenames.
130 *
131 * Once we have successfully located the redo pointer of the checkpoint
132 * from which we start recovery we never request a file prior to the redo
133 * pointer of the last restartpoint. When redo begins we know that we have
134 * successfully located it, so there is no need for additional status
135 * flags to signify the point when we can begin deleting WAL files from
136 * the archive.
137 */
139 {
143 wal_segment_size);
144 /* we shouldn't need anything earlier than last restart point */
146 }
147 else
150 /*
151 * Check signals before restore command and reset afterwards.
152 */
155 /*
156 * Copy xlog from archival storage to XLOGDIR
157 */
163 {
164 /*
165 * command apparently succeeded, but let's make sure the file is
166 * really there now and has the correct size.
167 */
169 {
171 {
174 /*
175 * If we find a partial file in standby mode, we assume it's
176 * because it's just being copied to the archive, and keep
177 * trying.
178 *
179 * Otherwise treat a wrong-sized file as FATAL to ensure the
180 * DBA would notice it, but is that too strong? We could try
181 * to plow ahead with a local copy of the file ... but the
182 * problem is that there probably isn't one, and we'd
183 * incorrectly conclude we've reached the end of WAL and we're
184 * done recovering ...
185 */
188 else
192 xlogfname,
196 }
197 else
198 {
201 xlogfname)));
204 }
205 }
206 else
207 {
208 /* stat failed */
215 }
216 }
218 not_available:
220 /*
221 * if an archived file is not available, there might still be a version of
222 * this file in XLOGDIR, so return that as the filename to open.
223 *
224 * In many recovery scenarios we expect this to fail also, but if so that
225 * just means we've reached the end of WAL.
226 */
229 }
231 /*
232 * A file was restored from the archive under a temporary filename (path),
233 * and now we want to keep it. Rename it under the permanent filename in
234 * pg_wal (xlogfname), replacing any existing file with the same name.
235 */
236 void
238 {
246 {
249 #ifdef WIN32
252 /*
253 * On Windows, if another process (e.g a walsender process) holds the
254 * file open in FILE_SHARE_DELETE mode, unlink will succeed, but the
255 * file will still show up in directory listing until the last handle
256 * is closed, and we cannot rename the new file in its place until
257 * that. To avoid that problem, rename the old file to a temporary
258 * name first. Use a counter to create a unique filename, because the
259 * same file might be restored from the archive multiple times, and a
260 * walsender could still be holding onto an old deleted version of it.
261 */
265 {
270 }
271 #else
272 /* same-size buffers, so this never truncates */
274 #endif
279 xlogfpath)));
281 }
285 /*
286 * Create .done file forcibly to prevent the restored segment from being
287 * archived again later.
288 */
291 else
294 /*
295 * If the existing file was replaced, since walsenders might have it open,
296 * request them to reload a currently-open segment. This is only required
297 * for WAL segments, walsenders don't hold other files open, but there's
298 * no harm in doing this too often, and we don't know what kind of a file
299 * we're dealing with here.
300 */
304 /*
305 * Signal walsender that new WAL has arrived. Again, this isn't necessary
306 * if we restored something other than a WAL segment, but it does no harm
307 * either.
308 */
310 }
312 /*
313 * XLogArchiveNotify
314 *
315 * Create an archive notification file
316 *
317 * The name of the notification file is the message that will be picked up
318 * by the archiver, e.g. we write 0000000100000001000000C6.ready
319 * and the archiver then knows to archive XLOGDIR/0000000100000001000000C6,
320 * then when complete, rename it to 0000000100000001000000C6.done
321 */
322 void
324 {
328 /* insert an otherwise empty file called <XLOG>.ready */
332 {
336 archiveStatusPath)));
338 }
340 {
344 archiveStatusPath)));
346 }
348 /*
349 * Timeline history files are given the highest archival priority to lower
350 * the chance that a promoted standby will choose a timeline that is
351 * already in use. However, the archiver ordinarily tries to gather
352 * multiple files to archive from each scan of the archive_status
353 * directory, which means that newly created timeline history files could
354 * be left unarchived for a while. To ensure that the archiver picks up
355 * timeline history files as soon as possible, we force the archiver to
356 * scan the archive_status directory the next time it looks for a file to
357 * archive.
358 */
362 /* Notify archiver that it's got something to do */
365 }
367 /*
368 * Convenience routine to notify using segment number representation of filename
369 */
370 void
372 {
379 }
381 /*
382 * XLogArchiveForceDone
383 *
384 * Emit notification forcibly that an XLOG segment file has been successfully
385 * archived, by creating <XLOG>.done regardless of whether <XLOG>.ready
386 * exists or not.
387 */
388 void
390 {
396 /* Exit if already known done */
401 /* If .ready exists, rename it to .done */
404 {
407 }
409 /* insert an otherwise empty file called <XLOG>.done */
412 {
416 archiveDone)));
418 }
420 {
424 archiveDone)));
426 }
427 }
429 /*
430 * XLogArchiveCheckDone
431 *
432 * This is called when we are ready to delete or recycle an old XLOG segment
433 * file or backup history file. If it is okay to delete it then return true.
434 * If it is not time to delete it, make sure a .ready file exists, and return
435 * false.
436 *
437 * If <XLOG>.done exists, then return true; else if <XLOG>.ready exists,
438 * then return false; else create <XLOG>.ready and return false.
439 *
440 * The reason we do things this way is so that if the original attempt to
441 * create <XLOG>.ready fails, we'll retry during subsequent checkpoints.
442 */
443 bool
445 {
449 /* The file is always deletable if archive_mode is "off". */
453 /*
454 * During archive recovery, the file is deletable if archive_mode is not
455 * "always".
456 */
461 /*
462 * At this point of the logic, note that we are either a primary with
463 * archive_mode set to "on" or "always", or a standby with archive_mode
464 * set to "always".
465 */
467 /* First check for .done --- this means archiver is done with it */
472 /* check for .ready --- this means archiver is still busy with it */
477 /* Race condition --- maybe archiver just finished, so recheck */
482 /* Retry creation of the .ready file */
485 }
487 /*
488 * XLogArchiveIsBusy
489 *
490 * Check to see if an XLOG segment file is still unarchived.
491 * This is almost but not quite the inverse of XLogArchiveCheckDone: in
492 * the first place we aren't chartered to recreate the .ready file, and
493 * in the second place we should consider that if the file is already gone
494 * then it's not busy. (This check is needed to handle the race condition
495 * that a checkpoint already deleted the no-longer-needed file.)
496 */
497 bool
499 {
503 /* First check for .done --- this means archiver is done with it */
508 /* check for .ready --- this means archiver is still busy with it */
513 /* Race condition --- maybe archiver just finished, so recheck */
518 /*
519 * Check to see if the WAL file has been removed by checkpoint, which
520 * implies it has already been archived, and explains why we can't see a
521 * status file for it.
522 */
529 }
531 /*
532 * XLogArchiveIsReadyOrDone
533 *
534 * Check to see if an XLOG segment file has a .ready or .done file.
535 * This is similar to XLogArchiveIsBusy(), but returns true if the file
536 * is already archived or is about to be archived.
537 *
538 * This is currently only used at recovery. During normal operation this
539 * would be racy: the file might get removed or marked with .ready as we're
540 * checking it, or immediately after we return.
541 */
542 bool
544 {
548 /* First check for .done --- this means archiver is done with it */
553 /* check for .ready --- this means archiver is still busy with it */
558 /* Race condition --- maybe archiver just finished, so recheck */
564 }
566 /*
567 * XLogArchiveIsReady
568 *
569 * Check to see if an XLOG segment file has an archive notification (.ready)
570 * file.
571 */
572 bool
574 {
583 }
585 /*
586 * XLogArchiveCleanup
587 *
588 * Cleanup archive notification file(s) for a particular xlog segment
589 */
590 void
592 {
595 /* Remove the .done file */
598 /* should we complain about failure? */
600 /* Remove the .ready file if present --- normally it shouldn't be */
603 /* should we complain about failure? */
604 }