Remove files signaling a standby promotion request at postmaster startup

This commit makes postmaster forcibly remove the files signaling
a standby promotion request. Otherwise, the existence of those files
can trigger a promotion too early, whether a user wants that or not.

This removal of files is usually unnecessary because they can exist
only during a few moments during a standby promotion. However
there is a race condition: if pg_ctl promote is executed and creates
the files during a promotion, the files can stay around even after
the server is brought up to new master. Then, if new standby starts
by using the backup taken from that master, the files can exist
at the server startup and should be removed in order to avoid
an unexpected promotion.

Back-patch to 9.1 where promote signal file was introduced.

Problem reported by Feike Steenbergen.
Original patch by Michael Paquier, modified by me.

Discussion: 20150528100705.4686.91426@wrigleys.postgresql.org

diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c
index 967e0c59efd0567174d6a710725c0050c84c44e6..3e619c81e2547c085ea9c1f4fa900834891fdb9c 100644 (file)
--- a/src/backend/access/transam/xlog.c
+++ b/src/backend/access/transam/xlog.c
@@ -10806,6 +10806,15 @@ CheckForStandbyTrigger(void)
        return false;
 }
 
+/*
+ * Remove the files signaling a standby promotion request.
+ */
+void
+RemovePromoteSignalFiles(void)
+{
+       unlink(PROMOTE_SIGNAL_FILE);
+}
+
 /*
  * Check to see if a promote request has arrived. Should be
  * called by postmaster after receiving SIGUSR1.

diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 80e3b6f2599f1fc3c2987a2dd8b5c9afb905da3f..94ba381b0f0d99d5783f24bd0785cfe890e690b2 100644 (file)
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -1087,6 +1087,27 @@ PostmasterMain(int argc, char *argv[])
         */
        RemovePgTempFiles();
 
+       /*
+        * Forcibly remove the files signaling a standby promotion
+        * request. Otherwise, the existence of those files triggers
+        * a promotion too early, whether a user wants that or not.
+        *
+        * This removal of files is usually unnecessary because they
+        * can exist only during a few moments during a standby
+        * promotion. However there is a race condition: if pg_ctl promote
+        * is executed and creates the files during a promotion,
+        * the files can stay around even after the server is brought up
+        * to new master. Then, if new standby starts by using the backup
+        * taken from that master, the files can exist at the server
+        * startup and should be removed in order to avoid an unexpected
+        * promotion.
+        *
+        * Note that promotion signal files need to be removed before
+        * the startup process is invoked. Because, after that, they can
+        * be used by postmaster's SIGUSR1 signal handler.
+        */
+       RemovePromoteSignalFiles();
+
        /*
         * If enabled, start up syslogger collection subprocess
         */

diff --git a/src/include/access/xlog.h b/src/include/access/xlog.h
index 8250254fa300089697c764a39e39a31b80ea0887..49bb5c4aac73aeb5640ede2483361d56252316f0 100644 (file)
--- a/src/include/access/xlog.h
+++ b/src/include/access/xlog.h
@@ -319,6 +319,7 @@ extern XLogRecPtr GetInsertRecPtr(void);
 extern XLogRecPtr GetFlushRecPtr(void);
 extern void GetNextXidAndEpoch(TransactionId *xid, uint32 *epoch);
 extern TimeLineID GetRecoveryTargetTLI(void);
+extern void RemovePromoteSignalFiles(void);
 
 extern void HandleStartupProcInterrupts(void);
 extern void StartupProcessMain(void);