author | Tom Lane <tgl@sss.pgh.pa.us> | 2006-11-21 20:59:53 +0000
---|---|---
committer | Tom Lane <tgl@sss.pgh.pa.us> | 2006-11-21 20:59:53 +0000
commit | 3ad0728c817bf8abd2c76bd11d856967509b307c (patch) |
tree | ffaf56c059f678d2b41390027b8b9b973660cb7c /src/backend/access/transam/xlog.c |
parent | de597154a8acae01be28ba32b5b6e0ec4915ef3f (diff) |
On systems that have setsid(2) (which should be just about everything except
Windows), arrange for each postmaster child process to be its own process
group leader, and deliver signals SIGINT, SIGTERM, SIGQUIT to the whole
process group, not only the direct child process. This provides saner behavior
for archive and recovery scripts; in particular, it's possible to shut down a
warm-standby recovery server using "pg_ctl stop -m immediate", since delivery
of SIGQUIT to the startup subprocess will result in killing the waiting
recovery_command. Also, this makes Query Cancel and statement_timeout apply
to scripts being run from backends via system(). (There is no support in the
core backend for that, but it's widely done using untrusted PLs.) Per gripe
from Stephen Harris and subsequent discussion.
Diffstat (limited to 'src/backend/access/transam/xlog.c')
-rw-r--r-- | src/backend/access/transam/xlog.c | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c index a1a56b391c7..883dbd42f7d 100644 --- a/src/backend/access/transam/xlog.c +++ b/src/backend/access/transam/xlog.c @@ -7,7 +7,7 @@ * Portions Copyright (c) 1996-2006, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/backend/access/transam/xlog.c,v 1.256 2006/11/16 14:28:41 petere Exp $ + * $PostgreSQL: pgsql/src/backend/access/transam/xlog.c,v 1.257 2006/11/21 20:59:52 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -18,9 +18,10 @@ #include <fcntl.h> #include <signal.h> #include <time.h> -#include <unistd.h> #include <sys/stat.h> #include <sys/time.h> +#include <sys/wait.h> +#include <unistd.h> #include "access/clog.h" #include "access/heapam.h" @@ -2373,6 +2374,7 @@ RestoreArchivedFile(char *path, const char *xlogfname, char *endp; const char *sp; int rc; + bool signaled; struct stat stat_buf; /* 
@@ -2516,13 +2518,28 @@ RestoreArchivedFile(char *path, const char *xlogfname, } /* - * remember, we rollforward UNTIL the restore fails so failure here is + * Remember, we rollforward UNTIL the restore fails so failure here is * just part of the process... that makes it difficult to determine * whether the restore failed because there isn't an archive to restore, * or because the administrator has specified the restore program * incorrectly. We have to assume the former. + * + * However, if the failure was due to any sort of signal, it's best to + * punt and abort recovery. (If we "return false" here, upper levels + * will assume that recovery is complete and start up the database!) + * It's essential to abort on child SIGINT and SIGQUIT, because per spec + * system() ignores SIGINT and SIGQUIT while waiting; if we see one of + * those it's a good bet we should have gotten it too. Aborting on other + * signals such as SIGTERM seems a good idea as well. + * + * Per the Single Unix Spec, shells report exit status > 128 when + * a called command died on a signal. Also, 126 and 127 are used to + * report problems such as an unfindable command; treat those as fatal + * errors too. */ - ereport(DEBUG2, + signaled = WIFSIGNALED(rc) || WEXITSTATUS(rc) > 125; + + ereport(signaled ? FATAL : DEBUG2, (errmsg("could not restore file \"%s\" from archive: return code %d", xlogfname, rc))); |
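Review bot: In the RestoreArchivedFile hunk, `signaled = WIFSIGNALED(rc) || WEXITSTATUS(rc) > 125;` decodes `rc` with the wait-status macros unconditionally, but system() returns -1 when it cannot spawn the shell at all, and -1 is not a wait status, so WEXITSTATUS(-1) is an implementation-defined value and the FATAL-versus-DEBUG2 decision in that case is accidental rather than deliberate. Suggest treating the spawn failure explicitly before decoding, since it is a failure of the restore mechanism rather than a missing archive file, e.g. `signaled = (rc == -1) || WIFSIGNALED(rc) || WEXITSTATUS(rc) > 125;`. Also, the comment above the assignment talks about "exit status > 128" plus 126 and 127, while the code tests `> 125`; a short remark that 125 was chosen so both ranges collapse into one comparison would spare the next reader from re-deriving it.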