The problem is that server_login_retry is only applied when the
backend server is down, but not when it returns an error upon
connection (e.g., authentication error). In that case, the client
sees the error immediately. Be that as it may, it breaks this test
sometimes, if a retry attempt hits the window where the server reports
"database is starting up". (This window should be tiny since no
notable recovery should be happening here, but it happens.) To fix,
adjust the settings so that the retries happen well away from the
backend server startup phase.
Add support to the SCRAM exchange for clients that support channel
binding, such as PostgreSQL version 11 and beyond. If such a client
encounters a PgBouncer server that does not support channel binding,
it will send a channel binding flag 'y', meaning the client supports
channel binding but thinks the server does not. But PgBouncer
erroneously did not accept that flag. This would cause connections to
fail if a PostgreSQL version 11 client connects to a PgBouncer with
SCRAM authentication over SSL.
Peter Eisentraut [Mon, 23 Sep 2019 18:44:49 +0000 (20:44 +0200)]
Add so_reuseport option
Adds an option to specify whether to set the socket option
`SO_REUSEPORT` on TCP listening sockets. On some operating systems,
this allows running multiple PgBouncer instances on the same host
listening on the same port and having the kernel distribute the
connections automatically. This option is a way to get PgBouncer to
use more CPU cores.
Peter Eisentraut [Thu, 19 Sep 2019 09:34:12 +0000 (11:34 +0200)]
Tweak version string
Use Autoconf's PACKAGE_STRING for the --version and SHOW VERSION
output instead of our own macro. This changes the output format
slightly, but we might as well change to the standard format while
we're changing around SHOW VERSION.
Peter Eisentraut [Wed, 18 Sep 2019 07:56:37 +0000 (09:56 +0200)]
Fix reporting of adns implementation in configure
This was slightly broken by 748c83e5d8b05448725ce8a69213ed620a53d431
in the sense that configure would report both, say, c-ares and evdns
as "yes" without indication which one would actually be used. Clean
that logic up a bit and report the actually used implementation at the
end of configure in a clearer way. Also improve the documentation in
README.md around this.
Also clean up the build matrix in .travis.yml and remove a redundant
configuration.
Peter Eisentraut [Thu, 12 Sep 2019 18:47:21 +0000 (20:47 +0200)]
Fix some compiler warnings on Windows 64-bit
For event_set() callbacks, use evutil_socket_t instead of int as the
first argument. This is required for 64-bit Windows; on all other
platforms, the two types are the same.
This requires libevent version 2.
Note that the rest of the socket code still uses int everywhere, so
Windows 64-bit is still probably not going to work correctly.
Peter Eisentraut [Tue, 10 Sep 2019 19:26:41 +0000 (21:26 +0200)]
Fix issue with PAM users losing their password
The normal flow when starting a client connection is that set_pool()
is called with an empty password (""). For normal users, the password
was already set earlier from auth_file or auth_query, so this empty
password is ignored. For PAM users, the empty password is stored but
the real password is set later when authentication is complete.
The problem in the PAM case is that for the next client connection,
this would overwrite the stored password with an empty password until
the real password would then be re-added later. If the client
authentication doesn't complete for whatever reason (perhaps server is
down and fast-fail is active), then the correct password is never set.
This would then have clobbered the user's password that might be
useful for server authentication. There are probably other failure
scenarios.
To fix, call set_pool() with a NULL password instead, and teach
add_pam_user() not to overwrite an existing password if the argument
is NULL.
Internally, most statistiscs are kept as uint64_t. Sending those
with a row descriptor that claims they are bigint can lead to problems
if uint64_t values can overflow the signed 64-bit integer range. Then
a client library that wants to convert the value to its locally
appropriate signed 64-bit integer type would run into errors.
Peter Eisentraut [Tue, 27 Aug 2019 20:22:24 +0000 (22:22 +0200)]
Travis CI: Shell fix
Newer cd versions apparently complain about too many arguments, which
was a problem here, since pgbouncer-* expands to both the directory
name and the tarball name.
Peter Eisentraut [Fri, 16 Aug 2019 10:56:50 +0000 (12:56 +0200)]
Recognize GSSENCRequest packet
This is a new startup packet type introduced in PostgreSQL 12. In
PgBouncer, we'll for now reject GSS encryption attempts.
Without this, PgBouncer would reject such connections with "bad packet
header" errors, requiring the client to reconnect before being able to
do the normal startup.
Peter Eisentraut [Thu, 15 Aug 2019 07:33:44 +0000 (09:33 +0200)]
test: Restart pgbouncer for every test
There are too many cases where existing pool states lingers between
one test and another, making some test results unreliable. It's safer
to just restart the whole process to get a clean start.
This also lets us mark the pgbouncer log file with where a test began
and ended.
Note: Valgrind on Ubuntu xenial is broken for OpenSSL[0], so don't
configure that right now. Travis CI on bionic still has issues[1], so
we're stuck here for now.
This is the default in recent PostgreSQL versions. This change just
makes the script behavior consistent across versions. We can now also
remove some sleep calls to make the tests start faster.
Peter Eisentraut [Wed, 31 Jul 2019 11:51:44 +0000 (13:51 +0200)]
Fix wait time computation with auth_user
When using auth_user, the transition to the CL_WAITING_LOGIN state
would not initialize the client->wait_start field. This would either
lead to garbage values being recorded, or under assertions enabled it
would crash in activate_client().
(test_auth_user was actually reproducing this problem, but a crash
requires assertions enabled and new memory being all zero, so it was
difficult to catch it.)
Peter Eisentraut [Sat, 29 Jun 2019 13:47:43 +0000 (15:47 +0200)]
Rewrite man page filter to work independent of Pandoc
This allows it to work with really old Pandoc versions that don't have
the --filter option (e.g., on CentOS 6). This just makes it a plain
text-munging filter script.
Marco Nenciarini [Wed, 26 Jun 2019 13:38:48 +0000 (15:38 +0200)]
Do not depend on Pandoc 2.0
Replace the Lua filter with one written in Python, so it can work with
older Pandoc versions. Import pandocfilters.py package from Pandoc to
help with that.
Peter Eisentraut [Mon, 24 Jun 2019 14:46:45 +0000 (16:46 +0200)]
Fix idle_transaction_timeout calculation
idle_transaction_timeout should count from the last request of the
server, because the server sent the idle information. The code
previously used the last request of the client, which could lead to
premature timeouts.
It seems that many contributors already submit patches thinking that
rst is Markdown, which leads to incorrect and inconsistent formatting,
since the two are similar but not compatible. By using the more well
known Markdown, we can perhaps hope to achieve better formatted
documentation contributions.
Also, since the web site uses Markdown as its source format, by using
Markdown here we can avoid the fragile conversion process altogether.
Once upon a time, one could point auth_file to pg_auth in the
PostgreSQL data directory, but this is long obsolete (gone as of
PostgreSQL 9.0), so remove mentions of it.
Prevent too long user name or password from client
In most cases, this wouldn't work anyway, because for example the user
wouldn't be found in pgbouncer, since userlist.txt doesn't permit too
long user names. But in the case of PAM there was no such check, so
too long user names could be added by add_pam_user(), which would
truncate them, and then a subsequent search using the not-truncated
name wouldn't find it, causing duplicates to be added.
Marco Nenciarini [Fri, 28 Dec 2018 19:06:58 +0000 (20:06 +0100)]
Avoid 'unexpected response from login query' after a postgres reload
After a PostgreSQL reload, the backend could inform the frontend about
configuration changes by sending some ParameterStatus messages
together with the usual login query response. These messages can be
safely ignored in the login query response handler.