Merge branch 'master' into fix_admin_user_auth

Makefile

@@ -128,10 +128,6 @@ AM_LANG_RC_LINK = false
 # now load antimake
 #
 
-PYTEST = $(shell command -v pytest || echo 'python3 -m pytest')
-
-CONCURRENCY = auto
-
 USUAL_DIR = lib
 
 abs_top_srcdir ?= $(CURDIR)
@@ -141,6 +137,10 @@ config.mak:
 	@echo "Please run ./configure"
 	@exit 1
 
+PYTEST = $(shell command -v pytest || echo '$(PYTHON) -m pytest')
+
+CONCURRENCY = auto
+
 check: all
 	etc/optscan.sh
 	PYTHONIOENCODING=utf8 $(PYTEST) -n $(CONCURRENCY)
@@ -168,4 +168,4 @@ htmls:
 	done
 
 doc/pgbouncer.1 doc/pgbouncer.5:
-	$(MAKE) -C doc
+	$(MAKE) -C doc $(@F)

NEWS.md

@@ -1,6 +1,58 @@
 PgBouncer changelog
 ===================
 
+PgBouncer 1.19.x
+----------------
+
+**2023-05-04  -  PgBouncer 1.19.0  -  "The old-fashioned, human-generated kind"**
+
+- Features
+  * Add `auth_dbname` option, which specifies against which database
+    to run the `auth_query`. ([#764])
+  * Add the `SHOW STATE` command, which shows if PgBouncer is active,
+    paused or suspended. ([#528])
+  * Add support for peering between PgBouncer processes.  This allows
+    configuring PgBouncer such that cancellation requests continue to
+    work when multiple different PgBouncer processes are behind a
+    single load balancer. ([#666])
+  * Add a dedicated `cancel_wait_timeout` setting, which determines
+    after how long to give up on forwarding a cancel request.  Default
+    is 10 seconds. ([#833])
+  * New testing framework ([#792])
+
+- Fixes
+  * Fix possible memory leak on TLS handshake failure. ([#796])
+  * Give more accurate error messages for unsupported command-line
+    options on Windows. ([#620])
+  * Fix calling `disconnect_server` on a server in `BEING_CANCELED`
+    state. ([#815]) (introduced in 1.18.0)
+  * Don't exit with a non-zero status when a `SIGTERM` is
+    received. ([#834])
+  * Fail hard during startup when a socket could not be created in
+    `unix_socket_dir`. ([#830])
+  * Fail hard during startup when none of the addresses in
+    `listen_addr` could be listened on. ([#838])
+  * Give more warning messages with more information when
+    `sbuf_connect` fails.  This is especially useful when failing to
+    create Unix sockets. ([#837])
+
+- Cleanups
+  * Various CI updates for better performance
+  * Removed AppVeyor
+
+[#528]: https://github.com/pgbouncer/pgbouncer/issues/528
+[#620]: https://github.com/pgbouncer/pgbouncer/pull/620
+[#666]: https://github.com/pgbouncer/pgbouncer/pull/666
+[#764]: https://github.com/pgbouncer/pgbouncer/pull/764
+[#792]: https://github.com/pgbouncer/pgbouncer/pull/792
+[#796]: https://github.com/pgbouncer/pgbouncer/pull/796
+[#815]: https://github.com/pgbouncer/pgbouncer/pull/815
+[#830]: https://github.com/pgbouncer/pgbouncer/pull/830
+[#833]: https://github.com/pgbouncer/pgbouncer/pull/833
+[#834]: https://github.com/pgbouncer/pgbouncer/pull/834
+[#837]: https://github.com/pgbouncer/pgbouncer/pull/837
+[#838]: https://github.com/pgbouncer/pgbouncer/pull/838
+
 PgBouncer 1.18.x
 ----------------
 

configure.ac

@@ -1,7 +1,7 @@
 dnl Process this file with autoconf to produce a configure script.
 
 AC_INIT([PgBouncer],
-        [1.18.0],
+        [1.19.0],
         [https://github.com/pgbouncer/pgbouncer/issues], [],
         [https://www.pgbouncer.org/])
 AC_CONFIG_SRCDIR(src/janitor.c)

doc/config.md

@@ -212,6 +212,15 @@ If you need to specify multiple values, use a comma-separated list (e.g.
 
 Default: empty
 
+### peer_id
+The peer id used to identify this PgBouncer process in a group of PgBouncer
+processes that are peered together. The `peer_id` value should be unique within
+a group of peered PgBouncer processes. When set to 0 pgbouncer peering is
+disabled. See the docs for the `[peers]` section for more information. The
+maximum value that can be used for the `peer_id` is 16383.
+
+Default: 0
+
 ### disable_pqexec
 
 Disable the Simple Query protocol (PQexec).  Unlike the Extended Query protocol, Simple Query
@@ -403,7 +412,6 @@ For example, using "-v -v" on the command line is the same as `verbose=2`.
 
 Default: 0
 
-
 ## Console access control
 
 ### admin_users
@@ -768,7 +776,19 @@ This setting is used to prevent unresponsive servers from grabbing up
 connections.  It also helps when the server is down or rejects
 connections for any reason.
 
-Default: 120
+Default: 120.0
+
+### cancel_wait_timeout
+
+Maximum time cancellation requests are allowed to spend waiting for execution.
+If the cancel request is not assigned to a server during that time, the client is
+disconnected.
+0 disables.  If this is disabled, cancel requests will be queued indefinitely. [seconds]
+
+This setting is used to prevent a client locking up when a cancel cannot be
+forwarded due to the server being down.
+
+Default: 10.0
 
 ### client_idle_timeout
 
@@ -853,6 +873,12 @@ is used.  Also note that if you make use of this option, you can no
 longer connect to a specific PgBouncer instance via TCP/IP, which
 might have implications for monitoring and metrics collection.
 
+To make sure query cancellations keep working, you should set up PgBouncer
+peering between the different PgBouncer processes. For details look at docs
+for the `peer_id` configuration option and the `peers` configuration section.
+There's also an example that uses peering and so_reuseport in the example
+section of these docs.
+
 Default: 0
 
 ### tcp_defer_accept
@@ -1076,6 +1102,79 @@ database or default `pool_mode` is used.
 Configure a maximum for the user (i.e. all pools with the user will
 not have more than this many server connections).
 
+## Section [peers]
+
+The section `[peers]` defines the peers that PgBouncer can forward cancellation
+requests to and where those cancellation requests will be routed.
+
+PgBouncer processes can be peered together in a group by defining a `peer_id`
+value and a `[peers]` section in the configs of all the PgBouncer processes.
+These PgBouncer processes can then forward cancellations requests to the process
+that it originated from.  This is needed to make cancellations work when
+multiple PgBouncer processes (possibly on different servers) are behind the same
+TCP load balancer.  Cancellation requests are sent over different TCP
+connections than the query they are cancelling, so a TCP load balancer might
+send the cancellation request connection to a different process than the one
+that it was meant for.  By peering them these cancellation requests eventually
+end up at the right process. A more in-depth explanation is provided in this
+[recording of a conference talk][cancel-problem-video].
+
+[cancel-problem-video]: https://www.youtube.com/watch?v=M585FfbboNA
+
+The section contains key=value lines like
+
+    peer_id = connection string
+
+Where the key will be taken as a `peer_id` and the value as a connection string,
+consisting of key=value pairs of connection parameters, described below (similar
+to libpq, but the actual libpq is not used and the set of available features is
+different).  Example:
+
+    1 = host=host1.example.com
+    2 = host=/tmp/pgbouncer-2  port=5555
+
+Note: For peering to work, the `peer_id` of each PgBouncer process in the group
+must be unique within the peered group.  And the `[peers]` section should
+contain entries for each of those peer ids.  An example can be found in the
+examples section of these docs.  It **is** allowed, but not necessary, for the
+`[peers]` section to contain the `peer_id` of the PgBouncer that the config is
+for. Such an entry will be ignored, but it is allowed to config management easy.
+Because it allows using the exact same `[peers]` section for multiple
+configs.
+
+### host
+
+Host name or IP address to connect to.  Host names are resolved at connection
+time, the result is cached per `dns_max_ttl` parameter.  If DNS returns several
+results, they are used in a round-robin manner.  But in general it's not
+recommended to use a hostname that resolves to multiple IPs, because then the
+cancel request might still be forwarded to the wrong node and it would need to
+be forwarded again (which is only allowed up to three times).
+
+If the value begins with `/`, then a Unix socket in the file-system namespace is
+used.  If the value begins with `@`, then a Unix socket in the abstract
+namespace is used.
+
+Examples:
+
+	host=localhost
+	host=127.0.0.1
+	host=2001:0db8:85a3:0000:0000:8a2e:0370:7334
+	host=/var/run/pgbouncer-1
+
+### port
+
+Default: 6432
+
+### pool_size
+
+Set the maximum number of cancel requests that can be in flight to the peer at
+the same time.  It's quite normal for cancel requests to arrive in bursts, e.g.
+when the backing Postgres server slow or down.  So it's important for
+`pool_size` to not be so low that it cannot handle these bursts.
+
+If not set, the `default_pool_size` is used.
+
 
 ## Include directive
 
@@ -1202,6 +1301,40 @@ Example of a secure function for `auth_query`:
     REVOKE ALL ON FUNCTION pgbouncer.user_lookup(text) FROM public, pgbouncer;
     GRANT EXECUTE ON FUNCTION pgbouncer.user_lookup(text) TO pgbouncer;
 
+Example configs for 2 peered PgBouncer processes to create a multi-core
+PgBouncer setup using `so_reuseport`. The config for the first process:
+
+    [databases]
+    postgres = host=localhost dbname=postgres
+
+    [peers]
+    1 = host=/tmp/pgbouncer1
+    2 = host=/tmp/pgbouncer2
+
+    [pgbouncer]
+    listen_addr=127.0.0.1
+    auth_file=auth_file.conf
+    so_reuseport=1
+    unix_socket_dir=/tmp/pgbouncer1
+    peer_id=1
+
+
+The config for the second process:
+
+    [databases]
+    postgres = host=localhost dbname=postgres
+
+    [peers]
+    1 = host=/tmp/pgbouncer1
+    2 = host=/tmp/pgbouncer2
+
+    [pgbouncer]
+    listen_addr=127.0.0.1
+    auth_file=auth_file.conf
+    so_reuseport=1
+    ; only unix_socket_dir and peer_id are different
+    unix_socket_dir=/tmp/pgbouncer2
+    peer_id=2
 
 ## See also
 

doc/usage.md

@@ -425,6 +425,26 @@ maxwait_us
 pool_mode
 :   The pooling mode in use.
 
+#### SHOW PEER_POOLS
+
+A new peer_pool entry is made for each configured peer.
+
+database
+:   ID of the configured peer entry.
+
+cl_active_cancel_req
+:   Client connections that have forwarded query cancellations to the server and
+    are waiting for the server response.
+
+cl_waiting_cancel_req
+:   Client connections that have not forwarded query cancellations to the server yet.
+
+sv_active_cancel
+:   Server connections that are currently forwarding a cancel request.
+
+sv_login
+:   Server connections currently in the process of logging in.
+
 #### SHOW LISTS
 
 Show following internal information, in columns (not rows):
@@ -517,6 +537,20 @@ paused
 disabled
 :   1 if this database is currently disabled, else 0.
 
+#### SHOW PEERS
+
+peer_id
+:   ID of the configured peer entry.
+
+host
+:   Host pgbouncer connects to.
+
+port
+:   Port pgbouncer connects to.
+
+pool_size
+:   Maximum number of server connections that can be made to this peer
+
 #### SHOW FDS
 
 Internal command - shows list of file descriptors in use with internal state attached to them.

etc/pgbouncer.ini

@@ -62,6 +62,10 @@ listen_port = 6432
 ;unix_socket_mode = 0777
 ;unix_socket_group =
 
+;; The peer id used to identify this pgbouncer process in a group of pgbouncer
+;; processes that are peered together. When set to 0 pgbouncer peering is disabled
+;peer_id = 0
+
 ;;;
 ;;; TLS settings for accepting clients
 ;;;
@@ -262,6 +266,12 @@ auth_file = /etc/pgbouncer/userlist.txt
 ;; failure. (default: 120)
 ;query_wait_timeout = 120
 
+;; Dangerous.  Client connection is closed if the cancellation request
+;; is not assigned to a server in this time.  Should be used to limit
+;; the time a client application blocks on a queued cancel request in
+;; case of a database or network failure. (default: 120)
+;cancel_wait_timeout = 10
+
 ;; Dangerous.  Client connection is closed if no activity in this
 ;; time.  Should be used to survive network problems. (default: 0)
 ;client_idle_timeout = 0