Peter Eisentraut [Tue, 10 Sep 2019 19:26:41 +0000 (21:26 +0200)]
Fix issue with PAM users losing their password
The normal flow when starting a client connection is that set_pool()
is called with an empty password (""). For normal users, the password
was already set earlier from auth_file or auth_query, so this empty
password is ignored. For PAM users, the empty password is stored but
the real password is set later when authentication is complete.
The problem in the PAM case is that for the next client connection,
this would overwrite the stored password with an empty password until
the real password would then be re-added later. If the client
authentication doesn't complete for whatever reason (perhaps server is
down and fast-fail is active), then the correct password is never set.
This would then have clobbered the user's password that might be
useful for server authentication. There are probably other failure
scenarios.
To fix, call set_pool() with a NULL password instead, and teach
add_pam_user() not to overwrite an existing password if the argument
is NULL.

Internally, most statistics are kept as uint64_t. Sending those
with a row descriptor that claims they are bigint can lead to problems
if uint64_t values can overflow the signed 64-bit integer range. Then
a client library that wants to convert the value to its locally
appropriate signed 64-bit integer type would run into errors.

Peter Eisentraut [Tue, 27 Aug 2019 20:22:24 +0000 (22:22 +0200)]
Travis CI: Shell fix
Newer cd versions apparently complain about too many arguments, which
was a problem here, since pgbouncer-* expands to both the directory
name and the tarball name.

Peter Eisentraut [Fri, 16 Aug 2019 10:56:50 +0000 (12:56 +0200)]
Recognize GSSENCRequest packet
This is a new startup packet type introduced in PostgreSQL 12. In
PgBouncer, we'll for now reject GSS encryption attempts.
Without this, PgBouncer would reject such connections with "bad packet
header" errors, requiring the client to reconnect before being able to
do the normal startup.
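
The startup-packet handling this commit describes, as an added example that is not PgBouncer's code: a classifier for the first packet on a connection and the single-byte negotiation reply. The request codes are the PostgreSQL protocol's; the function and enum names are hypothetical, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Request codes from the PostgreSQL protocol: (1234 << 16) | 5678..5680. */
#define CANCEL_REQUEST_CODE 80877102u
#define SSL_REQUEST_CODE    80877103u
#define GSSENC_REQUEST_CODE 80877104u  /* new in PostgreSQL 12 */
#define MAX_STARTUP_LEN     10000u     /* sanity bound, as in the PostgreSQL server */

enum startup_kind { PKT_INCOMPLETE, PKT_BAD, PKT_STARTUP_V3, PKT_CANCEL, PKT_SSLREQ, PKT_GSSENCREQ };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Classify the first packet: int32 length (self-inclusive), int32 code. */
enum startup_kind classify_startup(const unsigned char *buf, size_t len)
{
    if (len < 8) return PKT_INCOMPLETE;
    uint32_t pktlen = be32(buf), code = be32(buf + 4);
    if (pktlen < 8 || pktlen > MAX_STARTUP_LEN) return PKT_BAD;
    switch (code) {
    case SSL_REQUEST_CODE:    return pktlen == 8 ? PKT_SSLREQ : PKT_BAD;
    case GSSENC_REQUEST_CODE: return pktlen == 8 ? PKT_GSSENCREQ : PKT_BAD;
    case CANCEL_REQUEST_CODE: return pktlen == 16 ? PKT_CANCEL : PKT_BAD;
    }
    return (code >> 16) == 3 ? PKT_STARTUP_V3 : PKT_BAD; /* unknown code: "bad packet header" */
}

/* 'N' declines encryption; the client may then continue on the same connection. */
char negotiation_reply(enum startup_kind k, int tls_enabled)
{
    if (k == PKT_GSSENCREQ) return 'N';                   /* GSS encryption always refused */
    if (k == PKT_SSLREQ)    return tls_enabled ? 'S' : 'N';
    return 0;                                             /* no single-byte reply */
}

int main(void)
{
    /* Constructed sample: a GSSENCRequest as a PostgreSQL 12 client would send it. */
    const unsigned char gss[8] = { 0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x30 };
    enum startup_kind k = classify_startup(gss, sizeof gss);
    printf("kind=%d reply=%c\n", (int)k, negotiation_reply(k, 1));
    return 0;
}
```
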

Peter Eisentraut [Thu, 15 Aug 2019 07:33:44 +0000 (09:33 +0200)]
test: Restart pgbouncer for every test
There are too many cases where existing pool states linger between
one test and another, making some test results unreliable. It's safer
to just restart the whole process to get a clean start.
This also lets us mark the pgbouncer log file with where a test began
and ended.

Note: Valgrind on Ubuntu xenial is broken for OpenSSL[0], so don't
configure that right now. Travis CI on bionic still has issues[1], so
we're stuck here for now.

This is the default in recent PostgreSQL versions. This change just
makes the script behavior consistent across versions. We can now also
remove some sleep calls to make the tests start faster.

Peter Eisentraut [Wed, 31 Jul 2019 11:51:44 +0000 (13:51 +0200)]
Fix wait time computation with auth_user
When using auth_user, the transition to the CL_WAITING_LOGIN state
would not initialize the client->wait_start field. This would either
lead to garbage values being recorded, or under assertions enabled it
would crash in activate_client().
(test_auth_user was actually reproducing this problem, but a crash
requires assertions enabled and new memory being all zero, so it was
difficult to catch it.)

Peter Eisentraut [Sat, 29 Jun 2019 13:47:43 +0000 (15:47 +0200)]
Rewrite man page filter to work independent of Pandoc
This allows it to work with really old Pandoc versions that don't have
the --filter option (e.g., on CentOS 6). This just makes it a plain
text-munging filter script.

Marco Nenciarini [Wed, 26 Jun 2019 13:38:48 +0000 (15:38 +0200)]
Do not depend on Pandoc 2.0
Replace the Lua filter with one written in Python, so it can work with
older Pandoc versions. Import pandocfilters.py package from Pandoc to
help with that.

Peter Eisentraut [Mon, 24 Jun 2019 14:46:45 +0000 (16:46 +0200)]
Fix idle_transaction_timeout calculation
idle_transaction_timeout should count from the last request of the
server, because the server sent the idle information. The code
previously used the last request of the client, which could lead to
premature timeouts.

It seems that many contributors already submit patches thinking that
rst is Markdown, which leads to incorrect and inconsistent formatting,
since the two are similar but not compatible. By using the more well
known Markdown, we can perhaps hope to achieve better formatted
documentation contributions.
Also, since the web site uses Markdown as its source format, by using
Markdown here we can avoid the fragile conversion process altogether.

Once upon a time, one could point auth_file to pg_auth in the
PostgreSQL data directory, but this is long obsolete (gone as of
PostgreSQL 9.0), so remove mentions of it.

Prevent too long user name or password from client
In most cases, this wouldn't work anyway, because for example the user
wouldn't be found in pgbouncer, since userlist.txt doesn't permit too
long user names. But in the case of PAM there was no such check, so
too long user names could be added by add_pam_user(), which would
truncate them, and then a subsequent search using the not-truncated
name wouldn't find it, causing duplicates to be added.
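
The truncate-on-store, full-name-on-lookup mismatch described in this commit message, as an added example on a simplified user table that is not PgBouncer's code. All names, the 8-byte limit and the sample user name are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USERNAME 8   /* tiny limit so the effect is visible; constructed value */
#define MAX_USERS    16

struct user { char name[MAX_USERNAME]; };
struct user_table { struct user users[MAX_USERS]; int count; };

static struct user *find_user(struct user_table *t, const char *name)
{
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->users[i].name, name) == 0)
            return &t->users[i];
    return NULL;
}

/* Flawed pattern: looks up by the full name but stores a truncated copy. */
struct user *add_user_truncating(struct user_table *t, const char *name)
{
    struct user *u = find_user(t, name);
    if (u || t->count == MAX_USERS)
        return u;
    u = &t->users[t->count++];
    snprintf(u->name, sizeof(u->name), "%s", name);  /* silently truncates */
    return u;
}

/* Corrected pattern: reject names that do not fit before touching the table. */
struct user *add_user_checked(struct user_table *t, const char *name)
{
    if (strlen(name) >= MAX_USERNAME)
        return NULL;
    return add_user_truncating(t, name);
}

/* Table size after the same over-long name is presented `logins` times. */
int entries_after(int checked, int logins)
{
    struct user_table t = { .count = 0 };
    for (int i = 0; i < logins; i++)
        (checked ? add_user_checked : add_user_truncating)(&t, "averylongusername");
    return t.count;
}

int main(void)
{
    printf("truncating: %d entries, checked: %d entries\n", entries_after(0, 3), entries_after(1, 3));
    return 0;
}
```
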

Marco Nenciarini [Fri, 28 Dec 2018 19:06:58 +0000 (20:06 +0100)]
Avoid 'unexpected response from login query' after a postgres reload
After a PostgreSQL reload, the backend could inform the frontend about
configuration changes by sending some ParameterStatus messages
together with the usual login query response. These messages can be
safely ignored in the login query response handler.

Marco Slot [Tue, 25 Sep 2018 10:10:52 +0000 (10:10 +0000)]
Do not wait server_login_retry for next connect if cancellation succeeds
If postgres restarts while there are N cancellations in the queue,
pgbouncer is currently unavailable for at least N*server_login_retry
because it uses every new connection for one queued cancellation and
then waits server_login_retry before opening a new connection because
the last_connect_failed flag is still set to 1. This can lead to
prolonged downtime.
This change fixes the issue by introducing a last_login_failed flag.
The last_connect_failed is now reset when a cancellation succeeds, such
that launch_new_connection no longer waits if pgbouncer manages to
connect, but has queued cancellations. The last_login_failed flag has
the same semantics as the last_connect_failed flag had previously, such
that check_fast_fail still rejects connections when there are no servers
available and the last login failed.

Peter Eisentraut [Fri, 21 Sep 2018 13:35:00 +0000 (15:35 +0200)]
Add exit status to test scripts
When a test fails, exit with status 1, so automation can catch test
failures. Also add a way to skip tests that cannot be run (mainly for
lack of sudo in this case).

Peter Eisentraut [Tue, 21 Aug 2018 19:55:33 +0000 (21:55 +0200)]
Make sure file descriptor info goes to the log
Delay the call to check_limits() until after daemonization so that the
message goes to the server log and is not printed to some other output
location.

Peter Eisentraut [Fri, 17 Aug 2018 19:50:04 +0000 (21:50 +0200)]
Fix up conntest test programs
Allow asynctest to run without an explicitly specified connection
string. That way it can pick up the connection parameters from the
environment. The run-conntest.sh driver script was already calling it
that way.
Fix the location of the pgbouncer binary in run-conntest.sh.

Peter Eisentraut [Thu, 16 Aug 2018 19:10:47 +0000 (21:10 +0200)]
Improve test script robustness
Consistently exit with an error if the OS is not supported by the
firewall manipulation commands. Previously, it would in some cases
print an error but not exit.

Peter Eisentraut [Wed, 25 Jul 2018 10:57:24 +0000 (12:57 +0200)]
Fast close
Disconnect a server in session pool mode immediately if it is in
"close_needed" (reconnect) mode. This ensures that the RECONNECT
command doesn't have to wait for session end.