| blob | 53dedc73c2a3dbe608b56fac911a7eb3dca19ee2 |
1 /*-------------------------------------------------------------------------
2 *
3 * basebackup.c
4 * code for taking a base backup and streaming it to a standby
5 *
6 * Portions Copyright (c) 2010-2022, PostgreSQL Global Development Group
7 *
8 * IDENTIFICATION
9 * src/backend/replication/basebackup.c
10 *
11 *-------------------------------------------------------------------------
12 */
15 #include <sys/stat.h>
16 #include <unistd.h>
17 #include <time.h>
46 /*
47 * How much data do we want to send in one CopyData message? Note that
48 * this may also result in reading the underlying files in chunks of this
49 * size.
50 *
51 * NB: The buffer size is required to be a multiple of the system block
52 * size, so use that value instead if it's bigger than our preference.
53 */
54 #define SINK_BUFFER_LENGTH Max(32768, BLCKSZ)
57 {
63 uint32 maxrate;
65 backup_manifest_option manifest;
66 pg_checksum_type manifest_checksum_type;
92 /* Was the backup currently in-progress initiated in recovery mode? */
95 /* Relative path of temporary statistics directory */
98 /* Total number of checksum failures during base backup. */
101 /* Do not verify checksums. */
104 /*
105 * Definition of one element part of an exclusion list, used for paths part
106 * of checksum validation or base backups. "name" is the name of the file
107 * or path to check for exclusion. If "match_prefix" is true, any items
108 * matching the name as prefix are excluded.
109 */
110 struct exclude_list_item
111 {
114 };
116 /*
117 * The contents of these directories are removed or recreated during server
118 * start so they are not included in backups. The directories themselves are
119 * kept and included as empty to preserve access permissions.
120 *
121 * Note: this list should be kept in sync with the filter lists in pg_rewind's
122 * filemap.c.
123 */
125 {
126 /*
127 * Skip temporary statistics files. PG_STAT_TMP_DIR must be skipped even
128 * when stats_temp_directory is set because PGSS_TEXT_FILE is always
129 * created there.
130 */
131 PG_STAT_TMP_DIR,
133 /*
134 * It is generally not useful to backup the contents of this directory
135 * even if the intention is to restore to another primary. See backup.sgml
136 * for a more detailed description.
137 */
140 /* Contents removed on startup, see dsm_cleanup_for_mmap(). */
141 PG_DYNSHMEM_DIR,
143 /* Contents removed on startup, see AsyncShmemInit(). */
146 /*
147 * Old contents are loaded for possible debugging but are not required for
148 * normal operation, see SerialInit().
149 */
152 /* Contents removed on startup, see DeleteAllExportedSnapshotFiles(). */
155 /* Contents zeroed on startup, see StartupSUBTRANS(). */
158 /* end of list */
159 NULL
160 };
162 /*
163 * List of files excluded from backups.
164 */
166 {
167 /* Skip auto conf temporary file. */
170 /* Skip current log file temporary file */
173 /*
174 * Skip relation cache because it is rebuilt on startup. This includes
175 * temporary files.
176 */
179 /*
180 * If there's a backup_label or tablespace_map file, it belongs to a
181 * backup started by the user with pg_start_backup(). It is *not* correct
182 * for this backup. Our backup_label/tablespace_map is injected into the
183 * tar separately.
184 */
188 /*
189 * If there's a backup_manifest, it belongs to a backup that was used to
190 * start this server. It is *not* correct for this backup. Our
191 * backup_manifest is injected into the backup separately if users want
192 * it.
193 */
199 /* end of list */
201 };
203 /*
204 * List of files excluded from checksum validation.
205 *
206 * Note: this list should be kept in sync with what pg_checksums.c
207 * includes.
208 */
214 #ifdef EXEC_BACKEND
216 #endif
218 };
220 /*
221 * Actually do a base backup for the specified tablespaces.
222 *
223 * This is split out mainly to avoid complaints about "variable might be
224 * clobbered by longjmp" from stupider versions of gcc.
225 */
226 static void
228 {
229 bbsink_state state;
230 XLogRecPtr endptr;
231 TimeLineID endtli;
232 StringInfo labelfile;
233 StringInfo tblspc_map_file;
234 backup_manifest_info manifest;
237 /* Initial backup state, insofar as we know it now. */
244 /* we're going to use a BufFile, so we need a ResourceOwner */
263 tblspc_map_file);
265 /*
266 * Once do_pg_start_backup has been called, ensure that any failure causes
267 * us to abort the backup so we don't "leak" a backup counter. For this
268 * reason, *all* functionality between do_pg_start_backup() and the end of
269 * do_pg_stop_backup() should be inside the error cleanup block!
270 */
273 {
277 /*
278 * Calculate the relative path of temporary statistics directory in
279 * order to skip the files which are located in that directory later.
280 */
286 else
289 /* Add a node for the base directory at the end */
294 /*
295 * Calculate the total backup size by summing up the size of each
296 * tablespace
297 */
299 {
303 {
309 else
311 NULL);
313 }
315 }
317 /* notify basebackup sink about start of backup */
320 /* Send off our tablespaces one by one */
322 {
326 {
332 /* In the main tar, include the backup_label first... */
336 /* Then the tablespace_map file, if required... */
338 {
342 }
344 /* Then the bulk of the files... */
348 /* ... and pg_control after everything else. */
353 XLOG_CONTROL_FILE)));
356 }
357 else
358 {
364 }
366 /*
367 * If we're including WAL, and this is the main data directory we
368 * don't treat this as the end of the tablespace. Instead, we will
369 * include the xlog files below and stop afterwards. This is safe
370 * since the main data directory is always sent *last*.
371 */
373 {
375 }
376 else
377 {
378 /* Properly terminate the tarfile. */
384 /* OK, that's the end of the archive. */
386 }
387 }
391 }
396 {
397 /*
398 * We've left the last tar file "open", so we can now append the
399 * required WAL files to it.
400 */
402 XLogSegNo segno;
403 XLogSegNo startsegno;
404 XLogSegNo endsegno;
413 TimeLineID tli;
417 /*
418 * I'd rather not worry about timelines here, so scan pg_wal and
419 * include all WAL files in the range between 'startptr' and 'endptr',
420 * regardless of the timeline the file is stamped with. If there are
421 * some spurious WAL files belonging to timelines that don't belong in
422 * this server's history, they will be included too. Normally there
423 * shouldn't be such files, but if there are, there's little harm in
424 * including them.
425 */
433 {
434 /* Does it look like a WAL segment, and is it in the range? */
438 {
440 }
441 /* Does it look like a timeline history file? */
443 {
445 }
446 }
449 /*
450 * Before we go any further, check that none of the WAL segments we
451 * need were removed.
452 */
455 /*
456 * Sort the WAL filenames. We want to send the files in order from
457 * oldest to newest, to reduce the chance that a file is recycled
458 * before we get a chance to send it over.
459 */
462 /*
463 * There must be at least one xlog file in the pg_wal directory, since
464 * we are doing backup-including-xlog.
465 */
470 /*
471 * Sanity check: the first and last segment should cover startptr and
472 * endptr, with no gaps in between.
473 */
477 {
481 wal_segment_size);
484 }
486 {
493 {
499 }
500 }
502 {
508 }
510 /* Ok, we have everything we need. Send the WAL files. */
512 {
523 {
526 /*
527 * Most likely reason for this is that the file was already
528 * removed by a checkpoint, so check for that to get a better
529 * error message.
530 */
537 }
543 pathbuf)));
545 {
550 }
552 /* send the WAL file itself */
559 {
567 }
570 {
575 }
577 /*
578 * wal_segment_size is a multiple of TAR_BLOCK_SIZE, so no need
579 * for padding.
580 */
585 /*
586 * Mark file as archived, otherwise files can get archived again
587 * after promotion of a new node. This is in line with
588 * walreceiver.c always doing an XLogArchiveForceDone() after a
589 * complete segment.
590 */
593 }
595 /*
596 * Send timeline history files too. Only the latest timeline history
597 * file is required for recovery, and even that only if there happens
598 * to be a timeline switch in the first WAL segment that contains the
599 * checkpoint record, or if we're taking a base backup from a standby
600 * server and the target timeline changes while the backup is taken.
601 * But they are small and highly useful for debugging purposes, so
602 * better include them all, always.
603 */
605 {
618 /* unconditionally mark file as archived */
621 }
623 /* Properly terminate the tar file. */
629 /* OK, that's the end of the archive. */
631 }
641 {
646 total_checksum_failures,
647 total_checksum_failures)));
652 }
654 /*
655 * Make sure to free the manifest before the resource owners as manifests
656 * use cryptohash contexts that may depend on resource owners (like
657 * OpenSSL).
658 */
661 /* clean up the resource owner we created */
665 }
667 /*
668 * list_sort comparison function, to compare log/seg portion of WAL segment
669 * filenames, ignoring the timeline portion.
670 */
671 static int
673 {
678 }
680 /*
681 * Parse the base backup options passed down by the parser
682 */
683 static void
685 {
703 {
707 {
714 }
716 {
723 }
725 {
736 else
740 optval)));
742 }
744 {
751 }
753 {
760 }
762 {
763 int64 maxrate;
779 }
781 {
788 }
790 {
797 }
799 {
808 {
811 else
813 }
816 else
820 optval)));
822 }
824 {
836 optval)));
838 }
839 else
844 }
848 {
854 }
855 }
858 /*
859 * SendBaseBackup() - send a complete base backup.
860 *
861 * The function will put the system into backup mode like pg_start_backup()
862 * does, so that the backup is consistent even though we read directly from
863 * the filesystem, bypassing the buffer cache.
864 */
865 void
867 {
868 basebackup_options opt;
876 {
882 }
884 /* Create a basic basebackup sink. */
887 /* Set up network throttling, if client requested it */
891 /* Set up progress reporting. */
894 /*
895 * Perform the base backup, but make sure we clean up the bbsink even if
896 * an error occurs.
897 */
899 {
901 }
903 {
905 }
907 }
909 /*
910 * Inject a file with given name and content in the output tar stream.
911 */
912 static void
915 {
918 len;
919 pg_checksum_context checksum_ctx;
923 filename);
927 /*
928 * Construct a stat struct for the backup_label file we're injecting in
929 * the tar.
930 */
931 /* Windows doesn't have the concept of uid and gid */
932 #ifdef WIN32
935 #else
938 #endif
947 filename);
950 {
957 }
963 }
965 /*
966 * Include the tablespace directory pointed to by 'path' in the output tar
967 * stream. If 'sizeonly' is true, we just calculate a total length and return
968 * it, without actually sending anything.
969 *
970 * Only used to send auxiliary tablespaces, not PGDATA.
971 */
972 static int64
975 {
976 int64 size;
980 /*
981 * 'path' points to the tablespace location, but we only want to include
982 * the version directory in it that belongs to us.
983 */
985 TABLESPACE_VERSION_DIRECTORY);
987 /*
988 * Store a directory entry in the tar file so we get the permissions
989 * right.
990 */
992 {
997 pathbuf)));
999 /* If the tablespace went away while scanning, it's no error. */
1001 }
1004 sizeonly);
1006 /* Send all the files in the tablespace version directory */
1008 spcoid);
1011 }
1013 /*
1014 * Include all files from the given directory in the output tar stream. If
1015 * 'sizeonly' is true, we just calculate a total length and return it, without
1016 * actually sending anything.
1017 *
1018 * Omit any directory in the tablespaces list, to avoid backing up
1019 * tablespaces twice when they were created inside PGDATA.
1020 *
1021 * If sendtblspclinks is true, we need to include symlink
1022 * information in the tar file. If not, we can skip that
1023 * as it will be sent separately in the tablespace_map file.
1024 */
1025 static int64
1029 {
1038 /*
1039 * Determine if the current path is a database directory that can contain
1040 * relations.
1041 *
1042 * Start by finding the location of the delimiter between the parent path
1043 * and the current path.
1044 */
1047 /* Does this path look like a database path (i.e. all digits)? */
1050 {
1051 /* Part of path that contains the parent directory. */
1054 /*
1055 * Mark path as a database directory if the parent path is either
1056 * $PGDATA/base or a tablespace version path.
1057 */
1061 TABLESPACE_VERSION_DIRECTORY,
1064 }
1068 {
1074 /* Skip special stuff */
1078 /* Skip temporary files */
1080 PG_TEMP_FILE_PREFIX,
1084 /*
1085 * Check if the postmaster has signaled us to exit, and abort with an
1086 * error in that case. The error handler further up will call
1087 * do_pg_abort_backup() for us. Also check that if the backup was
1088 * started while still in recovery, the server wasn't promoted.
1089 * do_pg_stop_backup() will check that too, but it's better to stop
1090 * the backup early than continue to the end and fail there.
1091 */
1098 "and should not be used. "
1101 /* Scan for files that should be excluded */
1104 {
1108 cmplen++;
1110 {
1114 }
1115 }
1120 /* Exclude all forks for unlogged tables except the init fork */
1124 {
1125 /* Never exclude init forks */
1127 {
1131 /*
1132 * If any other type of fork, check if there is an init fork
1133 * with the same OID. If so, the file can be excluded.
1134 */
1141 {
1147 }
1148 }
1149 }
1151 /* Exclude temporary relations */
1153 {
1159 }
1163 /* Skip pg_control here to back up it last */
1168 {
1173 pathbuf)));
1175 /* If the file went away while scanning, it's not an error. */
1177 }
1179 /* Scan for directories whose contents should be excluded */
1182 {
1184 {
1191 }
1192 }
1197 /*
1198 * Exclude contents of directory specified by statrelpath if not set
1199 * to the default (pg_stat_tmp) which is caught in the loop above.
1200 */
1202 {
1208 }
1210 /*
1211 * We can skip pg_wal, the WAL segments need to be fetched from the
1212 * WAL archive anyway. But include it as an empty directory anyway, so
1213 * we get permissions right.
1214 */
1216 {
1217 /* If pg_wal is a symlink, write it as a directory anyway */
1222 /*
1223 * Also send archive_status directory (by hackishly reusing
1224 * statbuf from above ...).
1225 */
1230 }
1232 /* Allow symbolic links in pg_tblspc only */
1234 #ifndef WIN32
1236 #else
1238 #endif
1239 )
1240 {
1241 #if defined(HAVE_READLINK) || defined(WIN32)
1250 pathbuf)));
1255 pathbuf)));
1260 #else
1262 /*
1263 * If the platform does not have symbolic links, it should not be
1264 * possible to have tablespaces - clearly somebody else created
1265 * them. Warn about it and ignore.
1266 */
1272 }
1274 {
1278 /*
1279 * Store a directory entry in the tar file so we can get the
1280 * permissions right.
1281 */
1283 sizeonly);
1285 /*
1286 * Call ourselves recursively for a directory, unless it happens
1287 * to be a separate tablespace located within PGDATA.
1288 */
1290 {
1293 /*
1294 * ti->rpath is the tablespace relative path within PGDATA, or
1295 * NULL if the tablespace has been properly located somewhere
1296 * else.
1297 *
1298 * Skip past the leading "./" in pathbuf when comparing.
1299 */
1301 {
1304 }
1305 }
1307 /*
1308 * skip sending directories inside pg_tblspc, if not required.
1309 */
1316 }
1318 {
1327 {
1328 /* Add size. */
1331 /* Pad to a multiple of the tar block size. */
1334 /* Size of the header for the file. */
1336 }
1337 }
1338 else
1341 }
1344 }
1346 /*
1347 * Check if a file should have its checksum validated.
1348 * We validate checksums on files in regular tablespaces
1349 * (including global and default) only, and in those there
1350 * are some files that are explicitly excluded.
1351 */
1352 static bool
1354 {
1355 /* Check that the file is in a tablespace */
1359 {
1362 /* Compare file against noChecksumFiles skip list */
1364 {
1368 cmplen++;
1372 }
1375 }
1376 else
1378 }
1380 /*****
1381 * Functions for handling tar file format
1382 *
1383 * Copied from pg_dump, but modified to work with libpq for sending
1384 */
1387 /*
1388 * Given the member, write the TAR header & send the file.
1389 *
1390 * If 'missing_ok' is true, will not throw an error if the file is not found.
1391 *
1392 * If dboid is anything other than InvalidOid then any checksum failures detected
1393 * will get reported to the stats collector.
1394 *
1395 * Returns true if the file was successfully sent, false if 'missing_ok',
1396 * and the file did not exist.
1397 */
1398 static bool
1402 {
1406 uint16 checksum;
1408 off_t cnt;
1412 PageHeader phdr;
1416 pg_checksum_context checksum_ctx;
1420 readfilename);
1424 {
1430 }
1435 {
1438 /*
1439 * Get the filename (excluding path). As last_dir_separator()
1440 * includes the last directory separator, we chop that off by
1441 * incrementing the pointer.
1442 */
1446 {
1449 /*
1450 * Cut off at the segment boundary (".") to get the segment number
1451 * in order to mix it into the checksum.
1452 */
1455 {
1461 }
1462 }
1463 }
1465 /*
1466 * Loop until we read the amount of data the caller told us to expect. The
1467 * file could be longer, if it was extended while we were sending it, but
1468 * for a base backup we can ignore such extended data. It will be restored
1469 * from WAL.
1470 */
1472 {
1475 /* Try to read some more data. */
1480 /*
1481 * If we hit end-of-file, a concurrent truncation must have occurred.
1482 * That's not an error condition, because WAL replay will fix things
1483 * up.
1484 */
1488 /*
1489 * The checksums are verified at block level, so we iterate over the
1490 * buffer in chunks of BLCKSZ, after making sure that
1491 * TAR_SEND_SIZE/buf is divisible by BLCKSZ and we read a multiple of
1492 * BLCKSZ bytes.
1493 */
1497 {
1500 "%u: read buffer size %d and page size %d "
1504 }
1507 {
1509 {
1512 /*
1513 * Only check pages which have not been modified since the
1514 * start of the base backup. Otherwise, they might have been
1515 * written only halfway and the checksum would not be valid.
1516 * However, replaying WAL would reinstate the correct page in
1517 * this case. We also skip completely new pages, since they
1518 * don't have a checksum yet.
1519 */
1521 {
1525 {
1526 /*
1527 * Retry the block on the first failure. It's
1528 * possible that we read the first 4K page of the
1529 * block just before postgres updated the entire block
1530 * so it ends up looking torn to us. We only need to
1531 * retry once because the LSN should be updated to
1532 * something we can ignore on the next pass. If the
1533 * error happens again then it is a true validation
1534 * failure.
1535 */
1537 {
1540 /* Reread the failed block */
1541 reread_cnt =
1545 readfilename,
1548 {
1549 /*
1550 * If we hit end-of-file, a concurrent
1551 * truncation must have occurred, so break out
1552 * of this loop just as if the initial fread()
1553 * returned 0. We'll drop through to the same
1554 * code that handles that case. (We must fix
1555 * up cnt first, though.)
1556 */
1559 }
1561 /* Set flag so we know a retry was attempted */
1564 /* Reset loop to validate the block again */
1565 i--;
1567 }
1569 checksum_failures++;
1583 }
1584 }
1586 blkno++;
1587 }
1588 }
1592 /* Also feed it to the checksum machinery. */
1598 }
1600 /* If the file was truncated while we were sending it, pad it with zeros */
1602 {
1613 }
1615 /*
1616 * Pad to a block boundary, per tar format requirements. (This small piece
1617 * of data is probably not worth throttling, and is not checksummed
1618 * because it's not actually part of the file.)
1619 */
1625 {
1629 checksum_failures,
1633 }
1641 }
1643 static int64
1646 {
1650 {
1651 /*
1652 * As of this writing, the smallest supported block size is 1kB, which
1653 * is twice TAR_BLOCK_SIZE. Since the buffer size is required to be a
1654 * multiple of BLCKSZ, it should be safe to assume that the buffer is
1655 * large enough to fit an entire tar block. We double-check by means
1656 * of these assertions.
1657 */
1668 {
1674 filename)));
1684 }
1687 }
1690 }
1692 /*
1693 * Pad with zero bytes out to a multiple of TAR_BLOCK_SIZE.
1694 */
1695 static void
1697 {
1700 /*
1701 * As in _tarWriteHeader, it should be safe to assume that the buffer is
1702 * large enough that we don't need to do this in multiple chunks.
1703 */
1708 {
1711 }
1712 }
1714 /*
1715 * If the entry in statbuf is a link, then adjust statbuf to make it look like a
1716 * directory, so that it will be written that way.
1717 */
1718 static void
1720 {
1721 /* If symlink, write it as a directory anyway */
1722 #ifndef WIN32
1724 #else
1726 #endif
1728 }
1730 /*
1731 * Read some data from a file, setting a wait event and reporting any error
1732 * encountered.
1733 *
1734 * If partial_read_ok is false, also report an error if the number of bytes
1735 * read is not equal to the number of bytes requested.
1736 *
1737 * Returns the number of bytes read.
1738 */
1739 static int
1742 {
1760 }