Thread: Dumping an Extension's Script
Hi, Please find attached to this email an RFC patch implementing the basics of the pg_dump --extension-script option. After much discussion around the concept of an inline extension, we decided last year that a good first step would be pg_dump support for an extension's script. The approach I've been using here is to dump the script from the current catalog dependencies, which means that a sequence of CREATE EXTENSION followed by a number of ALTER EXTENSION … UPDATE … commands will be consolidated into a single CREATE EXTENSION command in the dump, much the same as with CREATE TABLE followed by ALTER TABLE … ADD COLUMN and the like. Currently the option's behavior is the following, which looks sane to me and is open for discussion: the dump's schema always includes the CREATE EXTENSION commands you need. The extensions listed in the -X option (which you can use more than once) will get dumped with their current member objects in a script, inline. To try the attached patch, you can do the following:

  createdb foo
  psql -c "create extension hstore" -d foo
  pg_dump -X hstore -f /tmp/foo.sql foo
  createdb bar
  psql -1 -f /tmp/foo.sql -d bar

To be able to restore the dump, I've added some basic support to the CREATE EXTENSION command so that it finds the data it needs in the SQL command rather than in the control file. Note that the extension control file only contains information about how to install an extension from a script file on disk. That's something we don't need at all when installing the extension from a dump, using either pg_restore or psql. We have some exceptions to that principle, namely: requires (sets the search_path) and relocatable (found in the catalogs, needs to survive dump/restore).
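For illustration, the dump produced by the commands above might contain something like the following. This is a hedged sketch only: the exact WITH options emitted and the member objects shown are assumptions, not the patch's verbatim output.

```sql
-- Hypothetical shape of the inline script in /tmp/foo.sql:
CREATE EXTENSION hstore
    WITH SCHEMA public RELOCATABLE
    AS $hstore$
        CREATE TYPE hstore;
        CREATE FUNCTION hstore_in(cstring) RETURNS hstore
            AS '$libdir/hstore' LANGUAGE C STRICT;
        -- ... remaining member objects, in dependency order ...
    $hstore$;
```

The point being that restoring this into the bar database needs no control file and no file-system access at all.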
Given positive feedback on that way to attack the problem, the TODO list includes:

- document the new pg_dump --extension-script switch
- add support for ALTER EXTENSION … WITH $$ <script here> $$;

The ALTER EXTENSION support is optional as far as pg_dump goes, but it would be good to have it to make the user interface complete. Regards, -- Dimitri Fontaine http://2ndQuadrant.fr PostgreSQL : Expertise, Formation et Support
Attachment
On Mon, Nov 12, 2012 at 11:00 AM, Dimitri Fontaine <dimitri@2ndquadrant.fr> wrote: > Please find attached to this email an RFC patch implementing the basics > of the pg_dump --extension-script option. After much discussion around > the concept of an inline extension, we decided last year that a good > first step would be pg_dump support for an extension's script. Do you have a link to the original thread? I have to confess I don't remember what the purpose of this was and, heh heh, there are no documentation changes in the patch itself either. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Robert Haas <robertmhaas@gmail.com> writes:
>> Please find attached to this email an RFC patch implementing the basics
>> of the pg_dump --extension-script option. After much discussion around
>> the concept of an inline extension, we decided last year that a good
>> first step would be pg_dump support for an extension's script.
>
> Do you have a link to the original thread? I have to confess I don't
> remember what the purpose of this was and, heh heh, there are no
> documentation changes in the patch itself either.

My notes include these links to the original thread:

http://archives.postgresql.org/message-id/3157.1327298440@sss.pgh.pa.us
http://archives.postgresql.org/pgsql-hackers/2012-01/msg01311.php
https://commitfest.postgresql.org/action/patch_view?id=746

I could of course work on documenting the changes prior to the review; the thing is that I've taken a different implementation route towards the pg_dump --extension-script idea we talked about, one that I think is much simpler than anything else. So I'd like to know whether that approach is deemed acceptable by the Guardians Of The Code before expending any more hours on this…

It basically boils down to this hunk in dumpExtension():

  output CREATE EXTENSION x WITH … AS $x$

    /*
     * Have another archive for this extension: this allows us to simply
     * walk the extension's dependencies and use the existing pg_dump code
     * to get the object create statement to be added in the script.
     */
    eout = CreateArchive(NULL, archNull, 0, archModeAppend);

    EH = (ArchiveHandle *) eout;

    /* grab existing connection and remote version information */
    EH->connection = ((ArchiveHandle *) fout)->connection;
    eout->remoteVersion = fout->remoteVersion;

    /*
     * Dump all objects for this extension, which have been sorted into
     * the right order following dependencies etc.
     */
    ...
    /* restore the eout Archive into the local buffer */
    for (te = EH->toc->next; te != EH->toc; te = te->next)
    {
        if (strlen(te->defn) > 0)
            appendPQExpBuffer(q, "%s", te->defn);
    }
    CloseArchive(eout);

  output $x$;

What do you think? -- Dimitri Fontaine http://2ndQuadrant.fr PostgreSQL : Expertise, Formation et Support
On Thu, Nov 15, 2012 at 3:09 PM, Dimitri Fontaine <dimitri@2ndquadrant.fr> wrote: > Robert Haas <robertmhaas@gmail.com> writes: >>> Please find attached to this email an RFC patch implementing the basics >>> of the pg_dump --extension-script option. After much discussion around >>> the concept of an inline extension, we decided last year that a good >>> first step would be pg_dump support for an extension's script. >> >> Do you have a link to the original thread? I have to confess I don't >> remember what the purpose of this was and, heh heh, there are no >> documentation changes in the patch itself either. > > My notes include those links to the original thread: > > http://archives.postgresql.org/message-id/3157.1327298440@sss.pgh.pa.us > http://archives.postgresql.org/pgsql-hackers/2012-01/msg01311.php > https://commitfest.postgresql.org/action/patch_view?id=746 > > I could of course work on documenting the changes prior to the > reviewing, the thing is that I've been taking a different implementation > route towards the pg_dump --extension-script idea we talked about, that > I think is much simpler than anything else. > > So I'd like to know if that approach is deemed acceptable by the > Guardians Of The Code before expanding any more hour on this… > > It basically boils down to this hunk in dumpExtension(): > > output CREATE EXTENSION x WITH … AS $x$ > > /* > * Have another archive for this extension: this allows us to simply > * walk the extension's dependencies and use the existing pg_dump code > * to get the object create statement to be added in the script. > * > */ > eout = CreateArchive(NULL, archNull, 0, archModeAppend); > > EH = (ArchiveHandle *) eout; > > /* grab existing connection and remote version information */ > EH->connection = ((ArchiveHandle *)fout)->connection; > eout->remoteVersion = fout->remoteVersion; > > /* dump all objects for this extension, that have been sorted out in > * the right order following dependencies etc */ > ... 
> > /* restore the eout Archive into the local buffer */ > for (te = EH->toc->next; te != EH->toc; te = te->next) > { > if (strlen(te->defn) > 0) > appendPQExpBuffer(q, "%s", te->defn); > } > CloseArchive(eout); > > output $x$; > > What do you think? That approach seems likely to break things for the hoped-for parallel pg_dump feature, though I'm not sure exactly in what way. Beyond that, I think much of the appeal of the extension feature is that it dumps as "CREATE EXTENSION hstore;" and nothing more. That allows you to migrate a dump between systems with different but compatible versions of the hstore and have things work as intended. I'm not opposed to the idea of being able to make extensions without files on disk work ... but I consider it a niche use case; the behavior we have right now works well for me and hopefully for others most of the time. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Robert Haas <robertmhaas@gmail.com> writes:
> That approach seems likely to break things for the hoped-for parallel
> pg_dump feature, though I'm not sure exactly in what way.

Will the parallel dump resolve the dependencies and extension membership properties in parallel too?

> Beyond that, I think much of the appeal of the extension feature is
> that it dumps as "CREATE EXTENSION hstore;" and nothing more. That
> allows you to migrate a dump between systems with different but
> compatible versions of the hstore and have things work as intended.

Yes. That's the only use case supported so far: the contrib/ use case.

> I'm not opposed to the idea of being able to make extensions without
> files on disk work ... but I consider it a niche use case; the
> behavior we have right now works well for me and hopefully for others
> most of the time.

I hear you. I'm not doing this in my free time; it's not a hobby. I have customers who want it badly enough to be willing to sponsor my work here. I hope that helps you figure out whether the use case is a niche or not. The current extension support has been targeted at a single use case, because that's how you bootstrap that kind of feature. We have requests for extensions that will not include any part written in C. We went around this topic last year: we spent much energy trying to come up with something easy enough to accept as a first step in that direction, and the conclusion at the time was that we want to be able to dump an extension's script. That's what my current patch is all about.

More about use cases: consider PL/Proxy. By the way, that should really really get in core and be called a FOREIGN FUNCTION, but let's get back on topic. So I have customers with between 8 and 256 plproxy partitions, which means each database upgrade has to reach that many databases.
Now, I've built an automatic system that will fetch the PL function code from the staging database area, put it into files depending on the schema it lives in, package those files into a single one that can be used by the CREATE EXTENSION command, automatically create an upgrade file to be able to ALTER EXTENSION … TO VERSION …, and create a bunch of Debian packages out of that (a single Debian source package that builds as many binary packages as we have extensions). Then the system pushes those packages to an internal repository, runs apt-get update on all the database hosts, then connects to each partition and runs the upgrade command. All of that could be simplified to getting the PL code into a single SQL command and then running it on all the members of the cluster with a plproxy RUN ON ALL command, now that it's a self-contained single SQL command. Of course that's only one use case, but this email is already too long for what it does: rehashing a story we already went through last year. Regards, -- Dimitri Fontaine http://2ndQuadrant.fr PostgreSQL : Expertise, Formation et Support
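The "run it on all members" step Dimitri describes could be sketched, under PL/Proxy, roughly as follows. The cluster name and the helper function on each partition are assumptions for illustration, not part of any existing setup.

```sql
-- Hypothetical PL/Proxy wrapper: fan a self-contained upgrade command
-- out to every partition (cluster name 'userdb' and helper 'exec_sql'
-- are assumed names).
CREATE OR REPLACE FUNCTION run_everywhere(sql text)
RETURNS SETOF text AS $$
    CLUSTER 'userdb';
    RUN ON ALL;
    TARGET exec_sql;  -- a function on each partition that executes the text
$$ LANGUAGE plproxy;
```

With an inline-dumpable extension, the argument to such a call could be the single CREATE or ALTER EXTENSION statement itself, replacing the whole package-and-deploy pipeline above.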
Robert Haas <robertmhaas@gmail.com> writes: > I'm not opposed to the idea of being able to make extensions without > files on disk work ... but I consider it a niche use case; the > behavior we have right now works well for me and hopefully for others > most of the time. Apparently I'm not the only one doing extensions without anything to compile, all SQL: http://keithf4.com/extension_tips_3 Regards, -- Dimitri Fontaine http://2ndQuadrant.fr PostgreSQL : Expertise, Formation et Support
On 19 November 2012 16:25, Robert Haas <robertmhaas@gmail.com> wrote: > Beyond that, I think much of the appeal of the extension feature is > that it dumps as "CREATE EXTENSION hstore;" and nothing more. That > allows you to migrate a dump between systems with different but > compatible versions of the hstore and have things work as intended. > I'm not opposed to the idea of being able to make extensions without > files on disk work ... but I consider it a niche use case; the > behavior we have right now works well for me and hopefully for others > most of the time. Distributing software should only happen by files? So why does Stackbuilder exist on the Windows binary? Why does yum exist? What's wrong with ftp huh? Why does CPAN? I've a feeling this case might be a sensible way forwards, not a niche at all. -- Simon Riggs http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services
On 20.11.2012 21:25, Simon Riggs wrote:
> On 19 November 2012 16:25, Robert Haas<robertmhaas@gmail.com> wrote:
>
>> Beyond that, I think much of the appeal of the extension feature is
>> that it dumps as "CREATE EXTENSION hstore;" and nothing more. That
>> allows you to migrate a dump between systems with different but
>> compatible versions of the hstore and have things work as intended.
>> I'm not opposed to the idea of being able to make extensions without
>> files on disk work ... but I consider it a niche use case; the
>> behavior we have right now works well for me and hopefully for others
>> most of the time.
>
> Distributing software should only happen by files?
>
> So why does Stackbuilder exist on the Windows binary?
>
> Why does yum exist? What's wrong with ftp huh?
>
> Why does CPAN?
>
> I've a feeling this case might be a sensible way forwards, not a niche at all.

I have to join Robert in scratching my head over this. I don't understand what the use case is. Can you explain? I don't understand the comparison with Stackbuilder, yum, ftp and CPAN. CPAN seems close to PGXN, but what does that have to do with this patch?

On 20.11.2012 11:08, Dimitri Fontaine wrote:
> Apparently I'm not the only one doing extensions without anything to
> compile, all SQL:
>
> http://keithf4.com/extension_tips_3

No doubt about that. I'm sure extensions written in pure SQL or PL/pgSQL are very common. But what does that have to do with this patch?

- Heikki
Heikki Linnakangas <hlinnakangas@vmware.com> writes:
> No doubt about that. I'm sure extensions written in pure SQL or PL/pgSQL are
> very common. But what does that have to do with this patch?

This patch is all about enabling users to create an extension without having to ship it, as root, onto the file system of the database server(s) first. When you have to code your extension in C, you know you're in for shipping an executable binary (.so, .dylib or .dll), and for security reasons it's well understood that you will have to get root privileges on the server's file system to ship your binary before you can ask PostgreSQL to please load it and execute the code in there. When you can code your extension using dynamic code such as SQL, PL/pgSQL, PL/pythonu or PL/perl, there's absolutely no good reason that I can see to have to "ship it on the server's file system first".

Technically, creating an extension "inline" (sending its definition in the CREATE EXTENSION query itself) solves the problem of having to access the server's file system as root. But then the next pg_dump will include "CREATE EXTENSION foo;" as usual, and at pg_restore time that accesses files on the file system. Maybe you still aren't granted root access to the server's file system on the pg_restore target, right? So now you need to be able to include the extension's script in the dump.

Now, we don't want to have more than one kind of extension. That's what we learnt together when reviewing my proposal from last year: having more than one way to ship an extension is good; having two different animals with two different incompatible behaviors named the same thing is bad. The solution we found is to be able to include an extension's script in pg_dump's output, and that's what my current patch implements, per last year's review. Regards, -- Dimitri Fontaine http://2ndQuadrant.fr PostgreSQL : Expertise, Formation et Support
On 05.12.2012 12:22, Dimitri Fontaine wrote:
> Heikki Linnakangas<hlinnakangas@vmware.com> writes:
>> No doubt about that. I'm sure extensions written in pure SQL or PL/pgSQL are
>> very common. But what does that have to do with this patch?
>
> This patch is all about enabling users to create extension without
> having to ship them as root on the file system of the database(s)
> server(s) first.
> ...
> When you can code your extension using dynamic code such as SQL or
> PL/pgSQL, PL/pythonu or PL/perl, there's absolutely no good reason to
> have to do the "ship on the server's file system first" that I can see.
>
> Technically creating an extension "inline" (sending its definition in
> the CREATE EXTENSION query itself) solves the problem of having to
> access the server's file system as root.

Ok, I'm with you this far.

> Then, next pg_dump will include "CREATE EXTENSION foo;" as usual and at
> pg_restore time that access files on the file systems. But maybe you
> still are not granted access to the server's file system as root on the
> pg_restore target, right? So now you need to be able to include the
> extension's script into the dump.

Now you lost me. I can see the need to install an extension without access to the filesystem - but it does not follow that you need to be able to dump an extension script. In general, I think you're confusing three things:

1. The way an extension is deployed. It could be by copying the files to the file system, by sending them over libpq, or shipped in .rpms by the OS, or something else.

2. The way an extension's files are laid out before it's deployed. Typically, you want to keep an extension's source code (whether it's C or SQL or plpython) in a version control system.

3. Being able to deploy extensions to the server without superuser or root access.

I think it would make this discussion a lot clearer if we keep those concerns separate. It's useful to have a mechanism to deploy an extension over libpq.
It's not clear to me whether you're envisioning changing 2. I don't think we should; having a .sql file and a .control file seems perfectly fine to me. I'd suggest that we just need a way to upload an extension to the server via libpq. Something like "UPLOAD EXTENSION foo", which goes into COPY mode and lets you stream over a zip file containing the .sql and .control files that make up the extension. The server would unzip the file into the right directory.

Now, point 3 is yet another issue. If you need to copy the extension files to /usr/share/, you need root (or similar) access on the filesystem. We could allow extensions to be located somewhere in the data directory instead, like $PGDATA/extensions. But again, that would be an independent change from 1 and 2.

And I still don't understand why pg_dump needs to know about any of this...

- Heikki
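A hedged sketch of the session flow for the hypothetical UPLOAD EXTENSION command proposed above; only the command name and zip payload come from this mail, and none of it is implemented:

```sql
-- Hypothetical: client issues the command, the server switches to a
-- COPY-like mode, and the client streams foo.zip containing
-- foo.control and foo--1.0.sql.
UPLOAD EXTENSION foo;
-- ... binary transfer of the zip over the COPY protocol ...
-- afterwards the existing command works unchanged:
CREATE EXTENSION foo;
```

Note how, under this design, CREATE EXTENSION itself would remain untouched; the upload step only replaces the file-system copy.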
On 2012-12-05 19:13:10 +0200, Heikki Linnakangas wrote: > On 05.12.2012 12:22, Dimitri Fontaine wrote: > >Heikki Linnakangas<hlinnakangas@vmware.com> writes: > >>No doubt about that. I'm sure extensions written in pure SQL or PL/pgSQL are > >>very common. But what does that have to do with this patch? > > > >This patch is all about enabling users to create extension without > >having to ship them as root on the file system of the database(s) > >server(s) first. > >... > >When you can code your extension using dynamic code such as SQL or > >PL/pgSQL, PL/pythonu or PL/perl, there's absolutely no good reason to > >have to do the "ship on the server's file system first" that I can see. > > > >Technically creating an extension "inline" (sending its definition in > >the CREATE EXTENSION query itself) solves the problem of having to > >access the server's file system as root. > > Ok, I'm with you this far. > > >Then, next pg_dump will include "CREATE EXTENSION foo;" as usual and at > >pg_restore time that access files on the file systems. But maybe you > >still are not granted access to the server's file system as root on the > >pg_restore target, right? So now you need to be able to include the > >extension's script into the dump. > > Now you lost me. I can see the need to install an extension without access > to the filesystem - but it does not follow that you need to be able to dump > an extension script. In general, I think you're confusing three things: > > 1. The way an extension is deployed. It could be by copying the files to the > file system, by sending them over libpq, or shipped in .rpms by the OS, or > something else. > > 2. The way an extension's files are laid out before it's deployed. > Typically, you want to keep an extension's source code (whether it's C or > SQL or plpython) in a version control system. > > 3. 
Being able to deploy extensions to the server without superuser or root
> access
>
> I think it would make this discussion a lot clearer if we keep those
> concerns separate. It's useful to have a mechanism to deploy an extension
> over libpq. It's not clear to me if you're envisioning to change 2. I don't
> think we should; having a .sql file and a .control file seems perfectly fine
> to me.
>
> I'd suggest that we just need a way to upload an extension to the server via
> libpq. Something like "UPLOAD EXTENSION foo", which goes into COPY mode and
> you can stream over a zip file containing the .sql and .control file that
> make up the extension. The server would unzip the file into the right
> directory.

Not sure what is better here. Dimitri's way seems easier to manage for people who maintain their database in update scripts and such, and yours seems a bit simpler from the backend's perspective.

> Now, point 3 is yet another issue. If you need to copy the extension files
> to /usr/share/, you need root (or similar) access on the filesystem. We
> could allow extensions to be located somewhere in the data directory
> instead. Like $PGDATA/extensions. But again, that would be an independent
> change from 1 and 2.

I think installing them into some global space is not a sensible interim step. Having an UPLOAD EXTENSION in one database affect all other databases or even clusters (because you e.g. updated the version) would be really confusing. Which leads to:

> And I still don't understand why pg_dump needs to know about any of this...

Extensions should be fully per-database, and we want pg_dump backups to be restorable into another database/cluster/server. So having a mode for pg_dump that actually makes dumps usable for recovering after a disaster seems sensible to me. Otherwise you need to redeploy from the VCS or whatever, which isn't really what you want when restoring a database backup.
Comparing the situation to the one where you have extensions provided by the packaging system or by /contrib or whatever doesn't seem to be all that valid to me. Greetings, Andres Freund --Andres Freund http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services
On 05.12.2012 19:27, Andres Freund wrote:
>> And I still don't understand why pg_dump needs to know about any of this...
>
> Extensions should be fully per-database and we want pg_dump backups to
> be restorable into another database/clusters/servers. So having a mode
> for pg_dump that actually makes dumps that are usable for recovering
> after a disaster seems sensible to me. Otherwise you need to redeploy
> from the VCS or whatever, which isn't really what you want when
> restoring a database backup.

Ok - but that is yet another issue, not to be confused with how you deploy extensions. If we are to have such a mode in pg_dump, it should be able to dump *all* extensions, regardless of how they were deployed. (OK, that might be difficult for extensions that include .so files or similar, but certainly for an extension that only contains a .sql file and a .control file, it shouldn't matter how it was deployed.)

And whether extension control files (or the same information stored in a table or wherever) should be per-database or per-cluster - that's *yet* another separate issue. You could argue for either behavior.

- Heikki
On 2012-12-05 19:40:58 +0200, Heikki Linnakangas wrote:
> On 05.12.2012 19:27, Andres Freund wrote:
> >> And I still don't understand why pg_dump needs to know about any of this...
> >
> > Extensions should be fully per-database and we want pg_dump backups to
> > be restorable into another database/clusters/servers. So having a mode
> > for pg_dump that actually makes dumps that are usable for recovering
> > after a disaster seems sensible to me. Otherwise you need to redeploy
> > from the VCS or whatever, which isn't really what you want when
> > restoring a database backup.
>
> Ok - but that is yet another issue, not to be confused with how you deploy
> extensions. If we are to have such a mode in pg_dump, it should be able to
> dump *all* extensions, regardless of how they were deployed. (ok, might be
> difficult for extensions that include .so files or similar, but certainly
> for an extension that only contains a .sql file and a .control file, it
> shouldn't matter how it was deployed.)

For me it seems pretty natural to support dumping extensions the way they got created: a plain CREATE EXTENSION ...; if the extension was preinstalled, and some form that includes the extension source if you installed it via the connection. Extensions that were installed in some global manner *should* not be dumped with ones installed over the connection; e.g. dumping /contrib or packaged modules seems like a bad idea to me. That would possibly be useful as a debugging tool, but I don't see much point beyond that.

> And whether extension control files (or the same information stored in a
> table or wherever) should be per-database or per cluster - that's *yet*
> another separate issue. You could argue for either behavior.

What would be the case for per-cluster in the case of uploaded extensions?

Greetings, Andres Freund -- Andres Freund http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services
Heikki Linnakangas <hlinnakangas@vmware.com> writes:
> Ok - but that it yet another issue, not to be confused with how you deploy
> extensions. If we are to have such a mode in pg_dump, it should be able to
> dump *all* extensions, regardless of how they were deployed. (ok, might be
> difficult for extensions that include .so files or similar, but certainly
> for an extension that only contains a .sql file and a .control file, it
> shouldn't matter how it was deployed).

That's what you have in the current patch. Try:

  => create extension hstore;
  $ pg_dump --extension-script hstore

It works as far as the script is concerned, and the control file is no longer needed because the script as dumped does not need it, except for the two parameters 'requires' and 'relocatable', which are added to the SQL command. The binary file is not taken care of by this mechanism; remember that in most cases pg_restore will not be allowed to deploy it to the right place anyway, for security reasons.

> And whether extension control files (or the same information stored in a
> table or wherever) should be per-database or per cluster - that's *yet*
> another separate issue. You could argue for either behavior.

At the SQL level, extensions live in a database. The only reason we currently have them on the file system is binary executables (.so, .dylib, .dll). And those are not per database, not even per cluster, not even per major version: they are *per server*. It's something that makes me very sad and that I want a chance to fix later, but that won't happen in 9.3, and certainly not in this very patch…

Regards, -- Dimitri Fontaine http://2ndQuadrant.fr PostgreSQL : Expertise, Formation et Support
Andres Freund <andres@2ndquadrant.com> writes: > On 2012-12-05 19:13:10 +0200, Heikki Linnakangas wrote: >> And I still don't understand why pg_dump needs to know about any of this... > Extensions should be fully per-database and we want pg_dump backups to > be restorable into another database/clusters/servers. Wait a minute. I haven't bought into either of those statements, and most particularly not the first one. Upthread, Dimitri claimed that he wasn't creating two different kinds of extensions with this patch, but the more I read about it the more it seems that he *is* making a fundamentally different kind of animal. And I don't think it's necessarily a good idea, especially not if we still call it an extension. I kind of like Heikki's idea of leaving CREATE EXTENSION alone and inventing a separate "UPLOAD EXTENSION" operation, but there's a problem with that: in many, probably most, installations, the server does not and should not have permission to scribble on the directories where the extension scripts are stored. Possibly we could circumvent that by creating an auxiliary extensions directory under $PGDATA. (But then it starts to seem like pg_dumpall --- not pg_dump --- ought to include those files in its output...) regards, tom lane
Heikki Linnakangas <hlinnakangas@vmware.com> writes: > And whether extension control files (or the same information stored in a > table or wherever) should be per-database or per cluster - that's *yet* > another separate issue. You could argue for either behavior. I think anyone arguing for the former is confusing an installed extension with a not-installed one. Maybe it would help if we adopted different terminologies. Perhaps call the control+sql files a "template", while using "extension" for the installed entity? regards, tom lane
On 2012-12-05 12:55:42 -0500, Tom Lane wrote:
> Andres Freund <andres@2ndquadrant.com> writes:
> > On 2012-12-05 19:13:10 +0200, Heikki Linnakangas wrote:
> >> And I still don't understand why pg_dump needs to know about any of this...
>
> > Extensions should be fully per-database and we want pg_dump backups to
> > be restorable into another database/clusters/servers.
>
> Wait a minute. I haven't bought into either of those statements, and
> most particularly not the first one.

Ok.

> Upthread, Dimitri claimed that he wasn't creating two different kinds of
> extensions with this patch, but the more I read about it the more it
> seems that he *is* making a fundamentally different kind of animal.
> And I don't think it's necessarily a good idea, especially not if we
> still call it an extension.

I have to admit I haven't read the whole discussion about this. And I also have to say that I have no idea yet whether I like the current implementation, because I haven't looked at it yet. I just wanted to give input on the separate problems Heikki listed, because I've wished for something roughly like this for years... To me it seems sensible that extensions which are preinstalled on the system are global, and extensions which a single user inside a single database created are per-database. Imo that doesn't make them all that fundamentally different.

> I kind of like Heikki's idea of leaving CREATE EXTENSION alone and
> inventing a separate "UPLOAD EXTENSION" operation, but there's a problem
> with that: in many, probably most, installations, the server does not
> and should not have permission to scribble on the directories where the
> extension scripts are stored. Possibly we could circumvent that by
> creating an auxiliary extensions directory under $PGDATA. (But then
> it starts to seem like pg_dumpall --- not pg_dump --- ought to include
> those files in its output...)

UPLOAD EXTENSION seems to be a good idea.
But I really really would like them to go to a per-database directory not a per-cluster one. Otherwise the coordination between different database "owners" inside a cluster will get really hairy. I want to be able to install different versions of an application into different databases. Greetings, Andres Freund --Andres Freund http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services
On 05.12.2012 20:07, Tom Lane wrote: > Heikki Linnakangas<hlinnakangas@vmware.com> writes: >> And whether extension control files (or the same information stored in a >> table or wherever) should be per-database or per cluster - that's *yet* >> another separate issue. You could argue for either behavior. > > I think anyone arguing for the former is confusing an installed > extension with a not-installed one. Maybe it would help if we adopted > different terminologies. Perhaps call the control+sql files a "template", > while using "extension" for the installed entity? +1 on the naming. You could still argue that templates should be per-database. It would make life easier for someone who is database owner but not superuser, for example, allowing you to install an extension that only affects your own database (assuming we set up the permissions so that that's possible, of course). - Heikki
Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes:
> At the SQL level, extensions do live in a database. The only reason why
> we currently have them on the file system is binary executables (.so,
> .dylib, .dll). And those are not per database, not even per cluster, not
> even per major version, they are *per server*. It's something that makes
> me very sad, and that I want to have the chance to fix later, but that
> won't happen in 9.3, and certainly not in that very patch…

I think you're wasting your time to imagine that that case will ever be
"fixed".  Allowing the server to scribble on executable files would set
off all kinds of security alarm bells, and rightly so.  If Postgres ever
did ship with such a thing, I rather imagine that I'd be required to
patch it out of Red Hat releases (not that SELinux wouldn't prevent it
from happening anyway).

I do see an argument for allowing SQL-only extensions to be installed
this way, since that doesn't allow the execution of anything the user
couldn't execute anyway.  There's no need to worry about anything except
control and script files though.

			regards, tom lane
On 05.12.2012 20:13, Andres Freund wrote:
> But I really really would like them to go to a per-database directory
> not a per-cluster one. Otherwise the coordination between different
> database "owners" inside a cluster will get really hairy. I want to be
> able to install different versions of an application into different
> databases.

Extension authors should be careful to maintain
backwards-compatibility, so that it would be enough to have the latest
version installed. If you break compatibility, you probably should
rename the extension.

That said, I can understand that in practice you'd want to have
different versions installed at the same time, so that you don't need
to re-test everything when upgrading an extension, and don't need to
trust that the extension author didn't accidentally break
backwards-compatibility anyway.

If you really meant "different versions of an application", and not
"different versions of an extension", then it seems to me that you're
abusing the extension infrastructure for something else. If you have
some functions that you consider part of the application, even if those
functions might be useful in other applications too, you probably don't
want to treat them as an extension.

- Heikki
On 2012-12-05 20:15:42 +0200, Heikki Linnakangas wrote:
> On 05.12.2012 20:07, Tom Lane wrote:
> > Heikki Linnakangas <hlinnakangas@vmware.com> writes:
> >> And whether extension control files (or the same information stored in a
> >> table or wherever) should be per-database or per cluster - that's *yet*
> >> another separate issue. You could argue for either behavior.
> >
> > I think anyone arguing for the former is confusing an installed
> > extension with a not-installed one.

Not sure whether it would be the best design, but having something like
UPLOAD EXTENSION which can only exist in the installed form would be
enough for nearly all the use-cases I experienced.

> > Maybe it would help if we adopted different terminologies. Perhaps
> > call the control+sql files a "template", while using "extension" for
> > the installed entity?
>
> +1 on the naming.

+1 on the idea of naming them separately. I am not happy with
"template", but then I don't have a better suggestion.

> You could still argue that templates should be per-database. It would
> make life easier for someone who is database owner but not superuser,
> for example, allowing you to install an extension that only affects
> your own database (assuming we set up the permissions so that that's
> possible, of course).

+1. We could even have two variants, UPLOAD [GLOBAL] EXTENSION/TEMPLATE.
ISTM that we would need some kind of search path anyway, so adding that
separation seems to be a minimal amount of additional effort.

Greetings,

Andres Freund

--
 Andres Freund                     http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
On 2012-12-05 20:23:29 +0200, Heikki Linnakangas wrote:
> On 05.12.2012 20:13, Andres Freund wrote:
> > But I really really would like them to go to a per-database directory
> > not a per-cluster one. Otherwise the coordination between different
> > database "owners" inside a cluster will get really hairy. I want to be
> > able to install different versions of an application into different
> > databases.
>
> Extension authors should be careful to maintain
> backwards-compatibility, so that it would be enough to have the latest
> version installed. If you break compatibility, you probably should
> rename the extension.

In theory yes. In practice:

> That said, I can understand that in practice you'd want to have
> different versions installed at the same time, so that you don't need
> to re-test everything when upgrading an extension, and don't need to
> trust that the extension author didn't accidentally break
> backwards-compatibility anyway.

;)

> If you really meant "different versions of an application", and not
> "different versions of an extension", then it seems to me that you're
> abusing the extension infrastructure for something else. If you have
> some functions that you consider part of the application, even if
> those functions might be useful in other applications too, you
> probably don't want to treat them as an extension.

I was thinking of reusable parts of applications that might be used in
more than one application. *But* I think this also is a good basis to
encapsulate individual non-shared parts of an application. Why not?

Greetings,

Andres Freund

--
 Andres Freund                     http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
On 2012-12-05 13:18:16 -0500, Tom Lane wrote:
> Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes:
> > At the SQL level, extensions do live in a database. The only reason why
> > we currently have them on the file system is binary executables (.so,
> > .dylib, .dll). And those are not per database, not even per cluster, not
> > even per major version, they are *per server*. It's something that makes
> > me very sad, and that I want to have the chance to fix later, but that
> > won't happen in 9.3, and certainly not in that very patch…

Maybe I am missing something, but you already can separate them per
major version. You co-wrote the debian infrastructure to do so for some
debian packages, so I am not sure what you mean here.

Adding some *NON WRITABLE* per-cluster library directory doesn't seem
to be as controversial as other suggestions.

> I think you're wasting your time to imagine that that case will ever be
> "fixed".  Allowing the server to scribble on executable files would set
> off all kinds of security alarm bells, and rightly so.  If Postgres ever
> did ship with such a thing, I rather imagine that I'd be required to
> patch it out of Red Hat releases (not that SELinux wouldn't prevent
> it from happening anyway).

+1

Greetings,

Andres Freund

--
 Andres Freund                     http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
On Wed, Dec 5, 2012 at 5:22 AM, Dimitri Fontaine <dimitri@2ndquadrant.fr> wrote:
> This patch is all about enabling users to create extension without
> having to ship them as root on the file system of the database(s)
> server(s) first.

Right, but it changes the way that existing extensions *dump*, which
seems to me to undo the use case that works now. I mean, the advantage
of dumping an extension as CREATE EXTENSION hstore is that you can
reload that dump on a different server with a newer version of hstore
installed, and it'll still work. If we go back to dumping all of the
SQL commands that compose that extension, then it'll break again, in
exactly the way things were broken before we had extensions in the
first place.

Back in the bad old days, you'd dump your old database (which had all
of the SQL commands for say hstore) and then reload it on your new
database - and it would fail, because the old SQL commands didn't match
the new binaries. Oops. With the extension mechanism, it all works just
fine: the old database emits CREATE EXTENSION hstore and the new
database can execute that just fine. You still have a problem if the
extension has meanwhile been changed in a backwards-incompatible way
that doesn't work for your application (i.e. you're using the =>
operator which has since been removed) but hopefully that doesn't
happen too often, and in any event it seems relatively unavoidable. And
it takes nothing away from the problem that extensions DO solve, which
is incompatibilities between the SQL file and the shared library.

> When you can code your extension using dynamic code such as SQL or
> PL/pgSQL, PL/pythonu or PL/perl, there's absolutely no good reason to
> have to do the "ship on the server's file system first" that I can see.
>
> Technically creating an extension "inline" (sending its definition in
> the CREATE EXTENSION query itself) solves the problem of having to
> access the server's file system as root.
True, but so does not putting the code into an extension at all. You
can just create loose functions and operators. It's unclear to me what
advantage the extension mechanism provides if there's no shared library
and no on-disk files involved.

> Then, next pg_dump will include "CREATE EXTENSION foo;" as usual and at
> pg_restore time that access files on the file systems. But maybe you
> still are not granted access to the server's file system as root on the
> pg_restore target, right? So now you need to be able to include the
> extension's script into the dump.

Granting for the moment that there's a reason to call this an extension
at all, rather than a schema or just a bunch of random CREATE commands,
which is not obvious to me, yes, you need to include it in the dump.
But then the extension needs to be marked as being, somehow, a
different flavor of extension that can only use SQL (not shlibs) and
needs to be dumped in-line, because otherwise, as noted above, we break
things for the flavor of extensions we've already got.

Also, even there, it seems to me that it ought to work something like
this:

CREATE EXTENSION inline_extension NULL; -- create an extension with no members
CREATE FUNCTION blahblahblah ...
ALTER EXTENSION inline_extension ADD FUNCTION blahblah ...

...and so on for all the other members. That is, the extension members
should just become dumpable objects. This seems quite bizarre, since
the whole point of extensions AIUI is to avoid dumping the members, but
it's better than what the patch implements. In the patch, IIRC, you
emit all the members as a "separate" dump that gets enclosed by dollar
quotes. This strikes me as ugly, and I think you can construct circular
dependency situations in which it will fail outright.

> Now, we don't want to have more than one kind of extensions. That's what
> we learnt all together when reviewing my proposal from last year.
> Having more than one way to ship an extension is good; having two
> different animals with two different incompatible behaviors named the
> same thing is bad. The solution we found is then to be able to include
> an extension's script into pg_dump's output, and that's what my
> current patch implements, per last year's review.

I don't think I agree. I don't see a problem having more than one kind
of extension, but I'm worried that you're trying to shoehorn something
that isn't really an extension into an extension-sized box. And I sure
don't want that to mean "let's break stuff that works right now".

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
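[For concreteness, a dump under the member-level approach sketched above
might look roughly like this. The NULL form of CREATE EXTENSION is the
hypothetical syntax from the message above, and the extension and
function names are invented; only the ALTER EXTENSION ... ADD form is
existing PostgreSQL grammar.]

```sql
-- Hypothetical dump fragment for an inline, SQL-only extension.
CREATE EXTENSION myext NULL;   -- faked syntax: an extension with no members

CREATE FUNCTION myext_count(tbl regclass) RETURNS bigint
    LANGUAGE sql AS 'SELECT 0::bigint';

-- Existing syntax: attach the object so pg_depend records membership.
ALTER EXTENSION myext ADD FUNCTION myext_count(regclass);
```

Each member would then flow through pg_dump's normal dependency sorting
instead of being buried in one opaque dollar-quoted script.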
On Wed, Dec 5, 2012 at 12:47 PM, Andres Freund <andres@2ndquadrant.com> wrote:
> For me it seems pretty natural to support dumping extension the way they
> got created. I.e. a plain CREATE EXTENSION ...; if the extension was
> preinstalled and some form that includes the extension source if you
> installed it via the connection.
>
> Extensions that were installed in some global manner *should* not be
> dumped with ones installed over the connection. E.g. dumping /contrib or
> packaged modules seems to be a bad idea to me.
>
> That would possibly be useful as a debugging tool, but I don't see much
> point besides that.

I agree with all of that.

What I can't quite figure out is - AIUI, extensions are a way of
bundling shared libraries with SQL scripts, and a way of managing the
dump and restore process. If you just have SQL, there's no bundling to
do, and if you reverse out the pg_dump changes (which is more or less
what's being proposed here), then what do you have left other than the
good feeling of being "part of an extension"? At that point, it seems
to me that you've gone to a lot of work to add a layer of packaging
that serves no real purpose.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
On 2012-12-05 13:50:27 -0500, Robert Haas wrote:
> On Wed, Dec 5, 2012 at 12:47 PM, Andres Freund <andres@2ndquadrant.com> wrote:
> > For me it seems pretty natural to support dumping extension the way they
> > got created. I.e. a plain CREATE EXTENSION ...; if the extension was
> > preinstalled and some form that includes the extension source if you
> > installed it via the connection.
> >
> > Extensions that were installed in some global manner *should* not be
> > dumped with ones installed over the connection. E.g. dumping /contrib or
> > packaged modules seems to be a bad idea to me.
> >
> > That would possibly be useful as a debugging tool, but I don't see much
> > point besides that.
>
> I agree with all of that.
>
> What I can't quite figure out is - AIUI, extensions are a way of
> bundling shared libraries with SQL scripts, and a way of managing the
> dump and restore process.  If you just have SQL, there's no bundling
> to do, and if you reverse out the pg_dump changes (which is more or
> less what's being proposed here), then what do you have left other
> than the good feeling of being "part of an extension"?  At that point,
> it seems to me that you've gone to a lot of work to add a layer of
> packaging that serves no real purpose.

Manageability.

E.g. for years I had a set of (trigger) functions to count the number
of rows in a table in a lockless manner. That's used in 10+
applications of former clients of mine. All (plpg)sql.

Imagine I want to ship an updated version that 1. removes some
*internal* functions, 2. adds some internal function, 3. adds a new
*external* function.

Now most of the clients use completely different development models and
completely different ways of managing upgrades. I needed to integrate
my teensy module into all of them.

If we had a way to package it nicely they could just upload the
extension inside their own workflows, and I (or they) would be freed
from integrating foreign update scripts into their workflow.
Imagine embedding a PGXN module into your application which is used on
many servers and doesn't need superuser privileges or anything. Same
thing.

That's not all that uncommon, is it?

Greetings,

Andres Freund

--
 Andres Freund                     http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
On Wed, Dec 5, 2012 at 2:01 PM, Andres Freund <andres@2ndquadrant.com> wrote:
> E.g. for years I had a set of (trigger) functions to count the number
> of rows in a table in a lockless manner. That's used in 10+
> applications of former clients of mine. All (plpg)sql.
> Imagine I want to ship an updated version that 1. removes some
> *internal* functions, 2. adds some internal function, 3. adds a new
> *external* function.
>
> Now most of the clients use completely different development models and
> completely different ways of managing upgrades. I needed to integrate
> my teensy module into all of them.
>
> If we had a way to package it nicely they could just upload the
> extension inside their own workflows and I (or they) would be freed
> from integrating foreign update scripts into their workflow.

OK, but let me play devil's advocate here. Under the status quo, if
they used loose database objects, they would need to execute some
database code that does this:

DROP FUNCTION internalfunc1(int);
CREATE FUNCTION internalfunc2(int);
CREATE FUNCTION externalfunc3(int);

IIUC, under this proposal, the client would instead need to execute
some SQL code that looks something like this (I'm faking the syntax
here, forgive me, but the patch doesn't seem to contemplate ALTER):

ALTER EXTENSION myextension UPDATE TO 1.1 USING SCRIPT $$
ALTER EXTENSION myextension DROP FUNCTION internalfunc1(int);
DROP FUNCTION internalfunc1(int);
CREATE FUNCTION internalfunc2(int);
ALTER EXTENSION myextension ADD FUNCTION internalfunc2(int);
CREATE FUNCTION externalfunc3(int);
ALTER EXTENSION myextension ADD FUNCTION externalfunc3(int);
$$;

That doesn't really look like an improvement to me. What am I missing?

> Imagine embedding a PGXN module into your application which is used on
> many servers and doesn't need superuser privileges or anything. Same
> thing.
>
> That's not all that uncommon, is it?

Not at all.
I'm not questioning the use case at all; I'm questioning whether
extensions are the right tool for addressing it.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
On 2012-12-05 14:10:34 -0500, Robert Haas wrote:
> On Wed, Dec 5, 2012 at 2:01 PM, Andres Freund <andres@2ndquadrant.com> wrote:
> > E.g. for years I had a set of (trigger) functions to count the number
> > of rows in a table in a lockless manner. That's used in 10+
> > applications of former clients of mine. All (plpg)sql.
> > Imagine I want to ship an updated version that 1. removes some
> > *internal* functions, 2. adds some internal function, 3. adds a new
> > *external* function.
> >
> > Now most of the clients use completely different development models and
> > completely different ways of managing upgrades. I needed to integrate
> > my teensy module into all of them.
> >
> > If we had a way to package it nicely they could just upload the
> > extension inside their own workflows and I (or they) would be freed
> > from integrating foreign update scripts into their workflow.
>
> OK, but let me play devil's advocate here. Under the status quo, if
> they used loose database objects, they would need to execute some
> database code that does this:
>
> DROP FUNCTION internalfunc1(int);
> CREATE FUNCTION internalfunc2(int);
> CREATE FUNCTION externalfunc3(int);

They would need to do exactly that if their database had version 1.1
and they upgrade to 1.3, but not if they already had 1.2...

> IIUC, under this proposal, the client would instead need to execute
> some SQL code that looks something like this (I'm faking the syntax
> here, forgive me, but the patch doesn't seem to contemplate ALTER):
>
> ALTER EXTENSION myextension UPDATE TO 1.1 USING SCRIPT $$
> ALTER EXTENSION myextension DROP FUNCTION internalfunc1(int);
> DROP FUNCTION internalfunc1(int);
> CREATE FUNCTION internalfunc2(int);
> ALTER EXTENSION myextension ADD FUNCTION internalfunc2(int);
> CREATE FUNCTION externalfunc3(int);
> ALTER EXTENSION myextension ADD FUNCTION externalfunc3(int);
> $$;
>
> That doesn't really look like an improvement to me. What am I missing?
They should be able to simply slurp the extension from a file, possibly
even install it outside their own update mechanism. Given that you
don't know which version was installed beforehand, that's not really
possible without some infrastructure.

And they should be able to drop the extension again afterwards without
it leaving a trace. Nearly everything I have seen out there fails at
that, and the extension mechanism provides tracking of that.

> > Imagine embedding a PGXN module into your application which is used
> > on many servers and doesn't need superuser privileges or anything.
> > Same thing.
> >
> > That's not all that uncommon, is it?
>
> Not at all. I'm not questioning the use case at all; I'm questioning
> whether extensions are the right tool for addressing it.

Do you have some alternative suggestion?

Greetings,

Andres Freund

--
 Andres Freund                     http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
On Wed, Dec 5, 2012 at 2:19 PM, Andres Freund <andres@2ndquadrant.com> wrote:
>> IIUC, under this proposal, the client would instead need to execute
>> some SQL code that looks something like this (I'm faking the syntax
>> here, forgive me, but the patch doesn't seem to contemplate ALTER):
>>
>> ALTER EXTENSION myextension UPDATE TO 1.1 USING SCRIPT $$
>> ALTER EXTENSION myextension DROP FUNCTION internalfunc1(int);
>> DROP FUNCTION internalfunc1(int);
>> CREATE FUNCTION internalfunc2(int);
>> ALTER EXTENSION myextension ADD FUNCTION internalfunc2(int);
>> CREATE FUNCTION externalfunc3(int);
>> ALTER EXTENSION myextension ADD FUNCTION externalfunc3(int);
>> $$;
>>
>> That doesn't really look like an improvement to me. What am I missing?
>
> They should be able to simply slurp the extension from a file, possibly
> even install it outside their own update mechanism. Given that you
> don't know which version was installed beforehand, that's not really
> possible without some infrastructure.
>
> And they should be able to drop the extension again afterwards without
> it leaving a trace. Nearly everything I have seen out there fails at
> that, and the extension mechanism provides tracking of that.

Ah, OK. Well, it sounds like this might be a decent fit for the
TEMPLATE concept proposed upthread, then. I have no objection
whatsoever to the concept of storing the SQL and control files
somewhere that doesn't need access to the server filesystem - in fact,
I think I previously proposed allowing those to be stored in a database
table. You could do that with something like:

CREATE TEMPLATE yadda;
ALTER TEMPLATE yadda ADD FILE 'yadda--1.0.sql' CONTENT $$...$$;

...or whatever. And that'd be 100% fine with me, and it could dump and
restore just that way, and life would be good. Or at least, it sounds
to me like that would meet the requirements you are articulating
without breaking anything that works today. In fact, it sounds pretty
cool.
The root of my objections upthread, I think, is that the design this
patch puts on the table seems to me to conflate the extension (which is
always a database object) with the template (which is *currently*
always a filesystem object). I think that's bound to create some
problems. In the patch as it exists today, I think those problems are
going to leak out in the form of breaking some of the things for which
extensions can currently be used, but even if we address those points I
have a sneaking suspicion that there will be others.

For example, your point (in the portion of your email I'm not quoting
here) about an upgrade across multiple versions is well-taken - you
need a different script depending on the version that's currently
installed. Fixing that, though, seems to require a catalog of upgrade
scripts, so that the server can look at the installed version and the
available scripts and decide how to proceed. That catalog currently
takes the form of separate files in the filesystem, but I don't see any
reason why we can't store it somewhere else. What I'm not sold on is
the idea of shuttling it across as part of CREATE/ALTER EXTENSION
statements. I'm willing to be persuaded, but right now I can't see how
that's ever going to be either robust or convenient. Making it part of
a separate SQL object type gets around that problem rather nicely,
IMHO.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
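[Under that separate-object-type idea, the server-side catalog of
upgrade scripts could be populated and consumed roughly as follows.
All of this syntax is hypothetical, extrapolated from the CREATE
TEMPLATE sketch in the message above; none of it exists in PostgreSQL.]

```sql
-- Hypothetical: store the install and upgrade scripts server-side...
CREATE TEMPLATE myext;
ALTER TEMPLATE myext ADD FILE 'myext--1.0.sql'      CONTENT $$ ... $$;
ALTER TEMPLATE myext ADD FILE 'myext--1.0--1.1.sql' CONTENT $$ ... $$;

-- ...then let the existing commands resolve versions against the catalog:
CREATE EXTENSION myext VERSION '1.0';
ALTER EXTENSION myext UPDATE TO '1.1';  -- server picks the right script
```

The point of the sketch is that the update path is computed by the
server from the stored scripts, rather than shipped inline in each
CREATE/ALTER EXTENSION statement.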
Robert Haas escribió:
> I have no objection whatsoever to the concept of storing the SQL and
> control files somewhere that doesn't need access to the server
> filesystem - in fact, I think I previously proposed allowing those to
> be stored in a database table. You could do that with something like:
>
> CREATE TEMPLATE yadda;
> ALTER TEMPLATE yadda ADD FILE 'yadda--1.0.sql' CONTENT $$...$$;
>
> ...or whatever.

This seems unnecessary to me. What the patch at hand does is take the
file (actually, the contents of the file) and execute it directly,
without installing anything on disk. The precise contents of the
extension are still tracked through pg_depend, so you can drop it
without having previously saved either the control file or the SQL
script. (In fact, that's how DROP EXTENSION works currently.)

There's also the pg_dump side of things; with your proposal we would be
forced to move the yadda--1.0.sql file over from the old server to the
new one; or, equivalently, put the whole ALTER TEMPLATE .. CONTENT
command in the dump, which is equivalent to what Dimitri's patch does;
so there doesn't seem to be a point.

--
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
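[The pg_depend tracking mentioned above can be inspected directly. This
query, which uses only stock catalogs, lists the member objects of an
installed extension - shown here for hstore, assuming it is installed:]

```sql
-- Member objects carry an 'e' (extension) dependency on the pg_extension row.
SELECT pg_describe_object(d.classid, d.objid, d.objsubid) AS member
FROM pg_depend d
JOIN pg_extension e ON d.refobjid = e.oid
WHERE d.refclassid = 'pg_extension'::regclass
  AND e.extname = 'hstore'
  AND d.deptype = 'e';
```

DROP EXTENSION effectively walks these entries, which is why no saved
control file or script is needed to remove the extension.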
Andres Freund <andres@2ndquadrant.com> writes:
> Maybe I am missing something, but you already can separate them per
> major version. You co-wrote the debian infrastructure to do so for some
> debian packages, so I am not sure what you mean here.

The debian infrastructure I've helped build is all about compiling an
extension source package once and having as many binary artefacts as
you have major versions of PostgreSQL lying around. So yes, in debian
you can actually install such extensions at different on-disk locations
per major version. Sorry for the confusion.

> Adding some *NON WRITABLE* per-cluster library directory doesn't seem
> to be as controversial as other suggestions.

Well, it means a per-initdb (user driven) location where to store
binary files; ask Tom what he thinks about that with his Red Hat
Packager… Hat.

> On 2012-12-05 13:18:16 -0500, Tom Lane wrote:
>> I think you're wasting your time to imagine that that case will ever be
>> "fixed".  Allowing the server to scribble on executable files would set
>> off all kinds of security alarm bells, and rightly so.  If Postgres ever
>> did ship with such a thing, I rather imagine that I'd be required to
>> patch it out of Red Hat releases (not that SELinux wouldn't prevent
>> it from happening anyway).

That part I did understand. I still can't be happy about it, but I
won't come back with any proposal where that's put into question. That
said, while you're talking about it, what if it's an opt-in GUC?

>> I do see an argument for allowing SQL-only extensions to be installed
>> this way, since that doesn't allow the execution of anything the user
>> couldn't execute anyway.  There's no need to worry about anything
>> except control and script files though.

[…please make sure you're not drinking (coffee) before reading further…]

Now, if we can't fix the executable files situation, what about making
the C-coded extensions not require an executable anymore?
I'm thinking about studying what it would take exactly to write a PL/C
where the PostgreSQL backend would basically compile the embedded C
code at CREATE FUNCTION time and store bytecode or binary in the probin
column. I've stumbled across more than one "dynamic code" or
"retargetable compiler" thing already, and several of those even have
compatible licences. Maybe the most promising ones are PL/LLVM or
embedding the QEMU code transformation code (a fork of the tcc
compiler).

So, we're talking about a PL/C language, in-core or extension, where
you could define say hstore without shipping any executable binary.
Yeah, I'm crazy that way. Now I'll get back to the main thread…

Regards,

--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
On 2012-12-05 21:16:52 +0100, Dimitri Fontaine wrote:
> Andres Freund <andres@2ndquadrant.com> writes:
> > Adding some *NON WRITABLE* per-cluster library directory doesn't seem
> > to be as controversial as other suggestions.
>
> Well, it means a per-initdb (user driven) location where to store binary
> files, ask Tom what he thinks about that with his Red Hat Packager… Hat.

I think it might be different if the directory is non-writable and
cannot be made writable by the user running postgres.

> >> I do see an argument for allowing SQL-only extensions to be installed
> >> this way, since that doesn't allow the execution of anything the user
> >> couldn't execute anyway.  There's no need to worry about anything
> >> except control and script files though.
>
> […please make sure you're not drinking (coffee) before reading further…]
>
> Now if we can't fix the executable files situation, what about making
> the C coded extensions not require an executable anymore? I'm thinking
> about studying what it would take exactly to write a PL/C where the
> PostgreSQL backend would basically compile the embedded C code at CREATE
> FUNCTION time and store bytecode or binary in the probin column.
>
> So, we're talking about a PL/C language, in-core or extension, where you
> could define say hstore without shipping any executable binary. Yeah,
> I'm crazy that way. Now I'll get back to the main thread…

Imo that's not a sensible thing to pursue. It would seriously lower the
bar for running user-provided native code. Yes, you can execute
unrestricted perl, python or whatever already, but with selinux and
similar things in place that won't allow you to run your own binaries.
And currently write-xor-execute protection will prevent you from
executing compiled code, so you would have to disable that as well...

Greetings,

Andres Freund

--
 Andres Freund                     http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
So,

Lots of things are being said, most of them really interesting, and
some of them just re-hashing what we said about a year ago in the
"Inline Extensions" thread, whose conclusion was that the key to not
having two different beasts (inline, file based) was for pg_dump to
process them all the same way.

Meanwhile, I think I need to address that reaction first:

Robert Haas <robertmhaas@gmail.com> writes:
> What I can't quite figure out is - AIUI, extensions are a way of
> bundling shared libraries with SQL scripts, and a way of managing the
> dump and restore process.

Not quite. Extensions are user-defined CASCADE support. It's all about
pg_depend extensibility. Extensions are a way to manage dependencies of
SQL objects in a way that allows you to manage them as a single entity.
Now you can

  CREATE EXTENSION
  ALTER EXTENSION
  DROP EXTENSION

and all you're doing is managing a bunch of SQL objects at once. The
fact that it allows us to implement a working dump & restore of the
native extensions called contribs has been the first step, not the
whole goal.

You will notice that there's nothing in the whole extension patch and
framework that refers to a "module", those little executable binary
files whose name depends on the OS PostgreSQL is running on, and that
you manage at the file system level, in postgresql.conf with some GUCs,
and with the LOAD command.

You will also notice that we have been *very* careful not to taint any
extension-related SQL command with the notion of files. That part is
well separated away and only meant to be known by extension authors and
packagers, not by mere mortals such as DBAs or users. The current patch
is willing to push that a little further away, making it optional even
to extension authors.

Those two facts didn't just happen, and I was not alone in designing
the system that way. Let's continue the design and its implementation!
:)

Regards,

--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
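[A minimal sketch of that dependency-management view, using only stock
PostgreSQL syntax; the extension name "myext" and function "my_count"
are invented, and "myext" is assumed to be already installed:]

```sql
-- An extension is a named bundle of SQL objects, tracked via pg_depend.
CREATE FUNCTION my_count() RETURNS bigint
    LANGUAGE sql AS 'SELECT 0::bigint';

ALTER EXTENSION myext ADD FUNCTION my_count();   -- record the dependency
ALTER EXTENSION myext DROP FUNCTION my_count();  -- detach without dropping

-- One command removes the whole bundle of member objects:
DROP EXTENSION myext CASCADE;
```

Nothing in those commands mentions a file; the filesystem only enters
the picture when a script has to be found at CREATE EXTENSION time.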
Andres Freund escribió:
> On 2012-12-05 21:16:52 +0100, Dimitri Fontaine wrote:
> > Now if we can't fix the executable files situation, what about making
> > the C coded extensions not require an executable anymore? I'm thinking
> > about studying what it would take exactly to write a PL/C where the
> > PostgreSQL backend would basically compile the embedded C code at
> > CREATE FUNCTION time and store bytecode or binary in the probin column.
>
> Imo thats not a sensible thing to pursue.

+1. Certainly a pg_dump patch's thread is not the place to propose it.

--
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
Alvaro Herrera <alvherre@2ndquadrant.com> writes: > +1. Certainly a pg_dump patch's thread is not the place to propose it. Sure. Sorry about that; the goal of that previous message was to help people better understand my whole vision of what an Extension is, what a contrib is, where we are, and what I wanted us to build. I refined those ideas in another email though, so you can safely ignore this sub-thread. I'll get back to the question of storing .so files in a per-database location with an opt-in GUC later, when appropriate. Regards, -- Dimitri Fontaine http://2ndQuadrant.fr PostgreSQL : Expertise, Formation et Support
Andres Freund <andres@2ndquadrant.com> writes: > On 2012-12-05 21:16:52 +0100, Dimitri Fontaine wrote: >> Now if we can't fix the executable files situation, what about making >> the C coded extensions not require an executable anymore? I'm thinking >> about studying what it would take exactly to write a PL/C where the >> PostgreSQL backend would basically compile the embedded C code at CREATE >> FUNCTION time and store bytecode or binary in the probin column. >> >> So, we're talking about a PL/C language, in-core or extension, where you >> could define say hstore without shipping any executable binary. Yeah, >> I'm crazy that way. Now I'll get back to the main thread… > Imo thats not a sensible thing to pursue. That would be another thing that Red Hat would refuse to ship, as would any other distro with an ounce of concern about security. But in any case there's no way that we could implement it portably. regards, tom lane
Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes: >> On 2012-12-05 13:18:16 -0500, Tom Lane wrote: >>> I think you're wasting your time to imagine that that case will ever be >>> "fixed". Allowing the server to scribble on executable files would set >>> off all kinds of security alarm bells, and rightly so. If Postgres ever >>> did ship with such a thing, I rather imagine that I'd be required to >>> patch it out of Red Hat releases (not that SELinux wouldn't prevent >>> it from happening anyway). > That part I did understand. I still can't be happy about it, but I won't > get back with any proposal where that's put into questions. That said, > while you're talking about it, what if it's an opt-in GUC? GUC or no GUC, it'd still be letting an unprivileged network-exposed application (PG) do something that's against any sane system-level security policy. Lipstick is not gonna help this pig. regards, tom lane
On 2012-12-05 16:20:41 -0500, Tom Lane wrote: > Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes: > >> On 2012-12-05 13:18:16 -0500, Tom Lane wrote: > >>> I think you're wasting your time to imagine that that case will ever be > >>> "fixed". Allowing the server to scribble on executable files would set > >>> off all kinds of security alarm bells, and rightly so. If Postgres ever > >>> did ship with such a thing, I rather imagine that I'd be required to > >>> patch it out of Red Hat releases (not that SELinux wouldn't prevent > >>> it from happening anyway). > > > That part I did understand. I still can't be happy about it, but I won't > > get back with any proposal where that's put into questions. That said, > > while you're talking about it, what if it's an opt-in GUC? > > GUC or no GUC, it'd still be letting an unprivileged network-exposed > application (PG) do something that's against any sane system-level > security policy. Lipstick is not gonna help this pig. What about the non-writable per-cluster directory? That's something I've actively wished for in the past when developing a C module that's also used in other clusters. Greetings, Andres Freund
Andres Freund <andres@anarazel.de> writes: > On 2012-12-05 16:20:41 -0500, Tom Lane wrote: >> GUC or no GUC, it'd still be letting an unprivileged network-exposed >> application (PG) do something that's against any sane system-level >> security policy. Lipstick is not gonna help this pig. > What about the non-writable per cluster directory? Thats something I've > actively wished for in the past when developing a C module thats also > used in other clusters. I see no security objection to either per-cluster or per-database script+control-file directories, as long as they can only contain SQL scripts and not executable files. If we allow such things to be installed by less-than-superusers, we'll have to think carefully about what privileges are given when running the script. I forget at the moment how much of that we already worked out back in the 9.1 era; I remember it was discussed but not whether we had a bulletproof solution. regards, tom lane
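[Editor's note] For reference, the control file under discussion is a small key/value file read at CREATE EXTENSION time; a minimal one for a pure-SQL extension might look like this (the extension name and values are made up for illustration, not taken from the thread):

```
# myext.control -- hypothetical control file for a pure-SQL extension
comment = 'illustrative pure-SQL extension'
default_version = '1.0'
relocatable = true
requires = 'hstore'
```

A per-cluster or per-database script+control-file directory of the kind discussed above would hold files of exactly this shape, next to the matching myext--1.0.sql script.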
On 2012-12-05 16:42:38 -0500, Tom Lane wrote: > Andres Freund <andres@anarazel.de> writes: > > On 2012-12-05 16:20:41 -0500, Tom Lane wrote: > >> GUC or no GUC, it'd still be letting an unprivileged network-exposed > >> application (PG) do something that's against any sane system-level > >> security policy. Lipstick is not gonna help this pig. > > > What about the non-writable per cluster directory? Thats something I've > > actively wished for in the past when developing a C module thats also > > used in other clusters. > > I see no security objection to either per-cluster or per-database > script+control-file directories, as long as they can only contain > SQL scripts and not executable files. Well, I was explicitly talking about C code above. The question doesn't really have much to do with this thread, sorry. Given that I am proposing the directory to be explicitly read-only, under permissions that don't allow postgres to change it, it's not really suitable for this topic... Greetings, Andres Freund
On Wed, Dec 5, 2012 at 2:54 PM, Alvaro Herrera <alvherre@2ndquadrant.com> wrote: > Robert Haas escribió: >> I have no objection whatsoever to the concept of storing the SQL and >> control files somewhere that doesn't need access to the server >> filesystem - in fact, I think I previously proposed allowing those to >> be stored in a database table. You could do that with something like: >> >> CREATE TEMPLATE yadda; >> ALTER TEMPLATE yadda ADD FILE 'yadda--1.0.sql' CONTENT $$...$$; >> >> ...or whatever. > > This seems unnecessary to me. What the patch at hand does is take the > file (actually, the contents of the file) and execute it directly, > without installing anything on disk. The precise contents of the > extension is still tracked through pg_depend, so you can drop it without > having previously saved neither the control file or the SQL script. (In > fact, that's how DROP EXTENSION works currently.) Yeah, DROP will work. But what about ALTER .. UPDATE? > There's also the pg_dump side of things; with your proposal we would be > forced to move over the yadda--1.0.sql file from the old server to the > new one; or, equivalently, put the whole ALTER TEMPLATE .. CONTENT > command in the dump, which is equivalent to what Dimitri's patch does; > so there doesn't seem to be a point. Well, there's certainly a point, because IIUC Dimitri's patch dumps the file into the pg_dump output no matter whether the file originally came from an SQL command or the filesystem. IMHO, anyone who thinks that isn't going to break things rather badly isn't thinking hard enough. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Robert Haas <robertmhaas@gmail.com> writes: > Yeah, DROP will work. But what about ALTER .. UPDATE? What about it? > Well, there's certainly a point, because IIUC Dimitri's patch dumps > the file into the pg_dump output no matter whether the file originally > came from an SQL command or the filesystem. IMHO, anyone who thinks > that isn't going to break things rather badly isn't thinking hard > enough. Only if you ask for it using --extension-script. The default behaviour didn't change, whether you decide to install your extension from the file system or the PostgreSQL port. Regards, -- Dimitri Fontaine http://2ndQuadrant.fr PostgreSQL : Expertise, Formation et Support
Dimitri Fontaine wrote: > Robert Haas <robertmhaas@gmail.com> writes: > > Well, there's certainly a point, because IIUC Dimitri's patch dumps > > the file into the pg_dump output no matter whether the file originally > > came from an SQL command or the filesystem. IMHO, anyone who thinks > > that isn't going to break things rather badly isn't thinking hard > > enough. > > Only if you ask for it using --extension-script. The default behaviour > didn't change, whether you decide to install your extension from the > file system or the PostgreSQL port. What happens on a normal pg_dump of the complete database? For extensions that were installed using strings instead of files, do I get a string back? Because if not, the restore is clearly going to fail anyway. I mean, clearly the user doesn't want to list the extensions, figure which ones were installed by strings, and then do pg_dump --extension-script on them. -- Álvaro Herrera http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services
Alvaro Herrera <alvherre@2ndquadrant.com> writes: > What happens on a normal pg_dump of the complete database? For > extensions that were installed using strings instead of files, do I get > a string back? Because if not, the restore is clearly going to fail > anyway. The argument here is that the user would then have packaged their extension as files in the meantime. If not, that's an operational error. A backup you didn't restore successfully isn't a backup anyway. > I mean, clearly the user doesn't want to list the extensions, figure > which ones were installed by strings, and then do pg_dump > --extension-script on them. The idea is that the user did install the extensions that came by strings. Last year the consensus was clearly for pg_dump not to distinguish between file based and string based extensions, which are exactly the same thing once installed in a database. That's the current design. Regards, -- Dimitri Fontaine http://2ndQuadrant.fr PostgreSQL : Expertise, Formation et Support
On 2012-12-05 23:28:45 +0100, Dimitri Fontaine wrote: > Alvaro Herrera <alvherre@2ndquadrant.com> writes: > > What happens on a normal pg_dump of the complete database? For > > extensions that were installed using strings instead of files, do I get > > a string back? Because if not, the restore is clearly going to fail > > anyway. > > The argument here is that the user would then have packaged its > extension as files in the meantime. If not, that's operational error. A > backup you didn't restore successfully isn't a backup anyway. Uh. Wait. What? If that argument is valid, we don't need anything but file based extensions. > > I mean, clearly the user doesn't want to list the extensions, figure > > which ones were installed by strings, and then do pg_dump > > --extension-script on them. > > The idea is that the user did install the extensions that came by > strings. Last year the consensus was clearly for pg_dump not to > distinguish in between file based and string based extensions that are > exactly the same thing once installed in a database. That's the current > design. I don't find that argument convincing in the slightest. Could I perhaps convince you to dig up a reference? I would be interested in the arguments for that design back then. Greetings, Andres Freund -- Andres Freund http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services
Andres Freund <andres@2ndquadrant.com> writes: >> The argument here is that the user would then have packaged its >> extension as files in the meantime. If not, that's operational error. A >> backup you didn't restore successfully isn't a backup anyway. > > Uh. Wait. What? If that argument is valid, we don't need anything but > file based extensions. Well, I've been trying to understand the consensus, and to implement it in the simplest possible way. Maybe the default should be to automatically activate --extension-script for extensions without control files? >> The idea is that the user did install the extensions that came by >> strings. Last year the consensus was clearly for pg_dump not to >> distinguish in between file based and string based extensions that are >> exactly the same thing once installed in a database. That's the current >> design. > > I don't find that argument convincing in the slightest. Could I perhaps > convince you to dig up a reference? I would be interested in the > arguments for that design back then. I think here it is: http://archives.postgresql.org/pgsql-hackers/2012-01/msg01307.php -- Dimitri Fontaine http://2ndQuadrant.fr PostgreSQL : Expertise, Formation et Support
On Wed, Dec 5, 2012 at 5:08 PM, Dimitri Fontaine <dimitri@2ndquadrant.fr> wrote: > Robert Haas <robertmhaas@gmail.com> writes: >> Yeah, DROP will work. But what about ALTER .. UPDATE? > > What about it? Well, with the design you have proposed, unless you have access to the filesystem, it ain't gonna work. And if you have access to the filesystem, then this whole discussion is moot. >> Well, there's certainly a point, because IIUC Dimitri's patch dumps >> the file into the pg_dump output no matter whether the file originally >> came from an SQL command or the filesystem. IMHO, anyone who thinks >> that isn't going to break things rather badly isn't thinking hard >> enough. > > Only if you ask for it using --extension-script. The default behaviour > didn't change, whether you decide to install your extension from the > file system or the PostgreSQL port. That doesn't impress me in the slightest. Suppose you have two identically configured machines A and B on which you install hstore (from the filesystem) and a hypothetical extension istore (via the inline extension mechanism). Now, you take regular backups of machine A, and one day it dies, so you want to restore onto machine B. Well, if you didn't dump with --extension-script, then you've got an incomplete backup, so you are hosed. And if you did dump with --extension-script, then you're OK in that scenario, but the wheels come off if you try to dump and restore onto machine C, which is running a newer version of PostgreSQL with an updated hstore. To do it right, you have to remember which extensions you installed which way and dump exactly the right thing for each one. That can't be good. Like Andres, I'd like to see a reference to the thread where we supposedly had consensus on this behavior. I don't really recall us achieving consensus on anything, but if we did I have a hard time believing it was this. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
On Wed, Dec 5, 2012 at 5:43 PM, Dimitri Fontaine <dimitri@2ndquadrant.fr> wrote: >> I don't find that argument convincing in the slightest. Could I perhaps >> convince you to dig up a reference? I would be interested in the >> arguments for that design back then. > > I think here it is: > > http://archives.postgresql.org/pgsql-hackers/2012-01/msg01307.php Ah ha! I had to read that twice to remember what I meant by it, so that may be a sign that the original email wasn't any too clear. That having been said, I think that the confusion is this: the second paragraph of that email was intended to be interpreted *in the context* of the proposal made in the first paragraph of the email, NOT as a separate proposal. In other words, the first paragraph is arguing for something like the notion of an extension template - the ability to store the extension files inside the server, in cases where you don't want them to appear in the file system. But perhaps implemented using functions rather than dedicated SQL syntax. But regardless of the concrete syntax, the first paragraph is proposing that we have something conceptually similar to: CREATE TEMPLATE yadda; ALTER TEMPLATE yadda ADD FILE 'yadda--1.0.sql' CONTENT $$...$$; Given that context, the second paragraph is intended as a suggestion that we should have something like pg_dump --no-templates -- which would still emit any CREATE EXTENSION commands, but not any CREATE/ALTER TEMPLATE commands - so if you relied on any templates in setting up the old cluster, the new cluster would need to have the files installed in the usual place. It was not a suggestion that we shoehorn the file management into CREATE / ALTER EXTENSION as you are proposing here; the first paragraph expresses my opinion, which hasn't changed between then and now, that that's a bad design. Ugh. Is that any more clear than what I said before? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Robert Haas <robertmhaas@gmail.com> writes: > Well, with the design you have proposed, unless you have access to the > filesystem, it ain't gonna work. And if you have access to the > filesystem, then this whole discussion is moot. I did mention that this version of the patch is only meant to support the design discussion we're having now. I intend to amend it with some inline ALTER EXTENSION facility. In the worked-out example you gave in another mail of this thread, you would of course have to remove any explicit ALTER EXTENSION … ADD …, as in a classic script. You would also have to fill in both the current and next version of the extension, I guess, as a defensive check. > That doesn't impress me in the slightest. Suppose you have two > identically configured machines A and B on which you install hstore > (from the filesystem) and a hypothetical extension istore (via the > inline extension mechanism). Now, you take regular backups of machine > A, and one day it dies, so you want to restore onto machine B. Well, > if you didn't dump with --extension-script, then you've got an > incomplete backup, so you are hosed. And if you did dump with You didn't ever restore your backup? So you didn't know for sure you had one. More seriously… > --extension-script, then you're OK in that scenario, but the wheels > come off if you try to dump and restore onto machine C, which is > running a newer version of PostgreSQL with an updated hstore. To do > it right, you have to remember which extensions you installed which > way and dump exactly the right thing for each one. That can't be > good. In the patch we're talking about, --extension-script is a cumulative option that takes an argument, so you do

    pg_dump --extension-script istore --extension-script foo

or, if you're into short options,

    pg_dump -X istore -X foo -X bar

I'm not saying that design is perfect or definitive; it's just what happens to be in the patch, and it allows you to solve your problem. 
We could default the --extension-script to any installed extension for which we don't have a control file? > Like Andres, I'd like to see a reference to the thread where we > supposedly had consensus on this behavior. I don't really recall us > achieving consensus on anything, but if we did I have a hard time > believing it was this. What I remember about the "consensus" from last year is:

- http://archives.postgresql.org/pgsql-hackers/2012-01/msg01307.php
- inline and file based extensions must be the same beast once in the database
- pg_dump options should work the same against either kind
- it all boils down to designing a consistent dump behavior

Which is the angle I've been working on this round. The other thing we said is more about how to get the dump's content, and I realised that it could be so much simpler than relying on any file anywhere: pg_extension and pg_depend have all the information we need. Regards, -- Dimitri Fontaine http://2ndQuadrant.fr PostgreSQL : Expertise, Formation et Support
Robert Haas <robertmhaas@gmail.com> writes: > In other words, the first paragraph is arguing for something like the > notion of an extension template - the ability to store the extension > files inside the server, in cases where you don't want them to appear > in the file system. But perhaps implemented using functions rather > than dedicated SQL syntax. But regardless of the concrete syntax, the > first paragraph is proposing that we have something conceptually > similar to: > CREATE TEMPLATE yadda; > ALTER TEMPLATE yadda ADD FILE 'yadda--1.0.sql' CONTENT $$...$$; > Given that context, the second paragraph is intended as a suggestion > that we should have something like pg_dump --no-templates -- which > would still emit any CREATE EXTENSION commands, but not any > CREATE/ALTER TEMPLATE commands - so if you relied on any templates in > setting up the old cluster, the new cluster would need to have the > files installed in the usual place. It was not a suggestion that we > shoehorn the file management into CREATE / ALTER EXTENSION as you are > proposing here; the first paragraph expresses my opinion, which hasn't > changed between then and now, that that's a bad design. FWIW, the more I think about it the more I like the notion of treating "extension templates" as a separate kind of object. I do see value in storing them inside the database system: transactional safety, the ability to identify an owner, etc etc. But conflating this functionality with installed extensions is just going to create headaches. regards, tom lane
Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes: > Robert Haas <robertmhaas@gmail.com> writes: >> Well, there's certainly a point, because IIUC Dimitri's patch dumps >> the file into the pg_dump output no matter whether the file originally >> came from an SQL command or the filesystem. IMHO, anyone who thinks >> that isn't going to break things rather badly isn't thinking hard >> enough. > Only if you ask for it using --extension-script. The default behaviour > didn't change, whether you decide to install your extension from the > file system or the PostgreSQL port. A dump-level option for that seems completely wrong in any case: it breaks one of the fundamental design objectives for extensions, or at least for extensions as originally conceived. It might be necessary to do it this way for these new critters, but that just reinforces the point that you're designing a new kind of object. I think a separate kind of "extension template" object would make a lot more sense. regards, tom lane
Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes: > In the patch we're talking about, the --extension-script is an > accumulative option that needs an argument, so you do > pg_dump --extension-script istore --extension-script foo > or if you're into short options > pg_dump -X istore -X foo -X bar My reaction to this is "you've *got* to be kidding". You're going to put it on the user to remember which extensions are which, or else he gets an unusable dump? I don't think we should have a switch like this at all. pg_dump should do the right thing for each extension without being told. And, once more, I think keeping the dump behavior for extensions as-is and inventing a different concept for the script-file-substitutes would be better than conflating the cases. regards, tom lane
Tom Lane <tgl@sss.pgh.pa.us> writes: >> CREATE TEMPLATE yadda; >> ALTER TEMPLATE yadda ADD FILE 'yadda--1.0.sql' CONTENT $$...$$; > > FWIW, the more I think about it the more I like the notion of treating > "extension templates" as a separate kind of object. I do see value in > storing them inside the database system: transactional safety, the > ability to identify an owner, etc etc. But conflating this > functionality with installed extensions is just going to create > headaches. I totally agree that the current proposal is somewhat of a mess, and making a distinction between an extension and its packaging seems like a good approach to the problem. Tom Lane <tgl@sss.pgh.pa.us> writes: > A dump-level option for that seems completely wrong in any case: it > breaks one of the fundamental design objectives for extensions, or > at least for extensions as originally conceived. It might be necessary > to do it this way for these new critters, but that just reinforces the > point that you're designing a new kind of object. Well, what this template idea is saying to me is that once installed, we're still talking about an extension, the exact same thing. > I think a separate kind of "extension template" object would make a lot > more sense. I'm on board now. We still have some questions to answer, and here's a worked-out design proposal implementing my understanding of your "extension template" idea:

- Extension scripts are now stored in the catalogs, right? The problem with

    pg_extension_script(extension, version, fromversion, script)

  is: what's the unique key when fromversion is nullable? 
so I would propose to have instead:

    pg_extension_install_script(extension, version, script)
      unique(extension, version)

    pg_extension_update_script(extension, oldversion, newversion, script)
      unique(extension, oldversion, newversion)

- The control file should get into the catalogs too, and as it can carry some per-version changes, it needs to be stored separately:

    pg_extension_control(extension, version, default_version,
                         default_full_version, module_pathname,
                         relocatable, superuser, schema, requires)
      unique(extension, version)

  We would do the secondary control file overriding at creation time.

- The name "TEMPLATE" appears to me to be too generic for our usage here, so I'm not sure about it yet. On the other hand, the following proposal would certainly require reserving new keywords, which we want to avoid:

    CREATE EXTENSION PARAMETERS FOR 'version' [ WITH ] key = val…
    CREATE EXTENSION SCRIPT FOR 'version' AS $$ … $$;
    CREATE EXTENSION SCRIPT FROM 'version' TO 'version' AS …

  So maybe what we could do instead is something like the following:

    ALTER EXTENSION … CONFIGURATION FOR 'version' SET param = value, …;
    ALTER EXTENSION … SET SCRIPT FOR 'version' AS $$ … $$;
    ALTER EXTENSION … SET SCRIPT FROM 'version' TO 'version' AS …

  Oh, actually TEMPLATE is already a keyword thanks to text search, so another alternative would be the following, if we really really want to avoid any new keyword in our grammar:

    ALTER EXTENSION … CONFIGURATION FOR 'version' SET param = value, …;
    ALTER EXTENSION … SET TEMPLATE FOR 'version' AS $$ … $$;
    ALTER EXTENSION … SET TEMPLATE FROM 'version' TO 'version' AS …

  That would mean that ALTER EXTENSION could create objects in other catalogs for an extension that does not exist itself yet, but is now known to be available (select * from pg_available_extensions()). 
We already have commands that create subsidiary objects in other places in the catalogs (serial, composite types, array types), but all of those use the new object in the command itself. So that would be new, but it allows for not having any new keyword here.

The $2.56 question is: what would be the pg_dump policy for the "extension templates" objects? I suppose the whole game here is to dump them all by default, which would just work at pg_restore time too. It's possible to filter templates out at dump or restore time if you need to install a new set of templates for a given extension before running CREATE EXTENSION, so that's ok.

Now, my understanding is that CREATE EXTENSION would check for templates being already available in the catalogs and, failing to find them, would have to do the extra steps of creating them from disk files as a preparatory step, right? (backward compatibility requirement)

Finally, while we're talking about reflecting on-disk objects into the catalogs, do we want a pg_module catalog where we list all the shared object binaries we know about, with a boolean column to indicate which of those we loaded in the current session, and by which extension if any? I don't think we could easily match a .so with an extension's template, so I won't be proposing that, but we could quite easily match them with extensions, because we're going to have to LOAD the module while creating_extension = true.

Regards, -- Dimitri Fontaine http://2ndQuadrant.fr PostgreSQL : Expertise, Formation et Support
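[Editor's note] The catalog layout proposed in the message above could be sketched as ordinary table definitions; these are hypothetical names and column types, purely to make the unique keys visible, not anything from the patch:

```sql
-- Hypothetical catalogs for in-catalog extension templates, following
-- the proposal above (names and column types are illustrative only).
CREATE TABLE pg_extension_install_script (
    extension  name NOT NULL,
    version    text NOT NULL,
    script     text NOT NULL,
    UNIQUE (extension, version)
);

CREATE TABLE pg_extension_update_script (
    extension   name NOT NULL,
    oldversion  text NOT NULL,
    newversion  text NOT NULL,
    script      text NOT NULL,
    UNIQUE (extension, oldversion, newversion)
);

CREATE TABLE pg_extension_control (
    extension        name NOT NULL,
    version          text NOT NULL,
    default_version  text,
    relocatable      boolean,
    superuser        boolean,
    schema           name,
    requires         name[],
    UNIQUE (extension, version)
);
```

Splitting install and update scripts into two catalogs sidesteps the nullable-fromversion problem raised earlier, since each table then has a plain unique key.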
Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes: > Tom Lane <tgl@sss.pgh.pa.us> writes: >> I think a separate kind of "extension template" object would make a lot >> more sense. > I'm on board now. We still have some questions to answer, and here's a > worked out design proposal for implementing my understanding of your > "extension's template" idea: > - Extension Scripts are now stored in the catalogs, right? Only for these new-style thingies. I am not suggesting breaking the existing file-based implementation, only offering a parallel catalog-based implementation too. We'd have to think about what to do for name collisions --- probably having the catalog entry take precedence is okay, but is there an argument for something else? > [ need separate catalogs for install scripts and update scripts ] Check. > pg_extension_control(extension, version, default_version, > default_full_version, module_pathname, > relocatable, superuser, schema, requires) Given that the feature is going to be restricted to pure-SQL extensions, I'm pretty sure we can do without module_pathname, and maybe some other things. > - The naming "TEMPLATE" appears to me to be too much of a generic > naming for our usage here, so I'm not sure about it yet. Yeah, possibly, but I don't have a better idea yet. I don't like either PARAMETERS or SCRIPT --- for one thing, those don't convey the idea that this is an object in its own right rather than an attribute of an extension. > Oh actually TEMPLATE is already a keyword thanks to text search, Actually, given the text search precedent, I'm not sure why you're so against TEMPLATE. > That would mean that ALTER EXTENSION could create objects in other > catalogs for an extension that does not exists itself yet, but is now > known available (select * from pg_available_extensions()). Man, that is just horrid. It brings back exactly the confusion we're trying to eliminate by using the "template" terminology. 
We don't want it to look like manipulating a template has anything to do with altering an extension of the same name (which might or might not even be installed). > The $2.56 question being what would be the pg_dump policy of the > "extension templates" objects? The ones that are catalog objects, not file objects, should be dumped I think. > Now, my understanding is that CREATE EXTENSION would check for templates > being already available in the catalogs and failing to find them would > have to do the extra steps of creating them from disk files as a > preparatory step, right? (backward compatibility requirement) Wrong. There is no reason whatsoever to load file-based stuff into catalogs. That just adds complication and overhead to cases that work already, and will break update cases (what happens when a package update changes the files?). > I don't think we could easily match a .so with an extension's template > so I won't be proposing that, but we could quite easily match them now > with extensions, because we're going to have to LOAD the module while > creating_extension = true. One more time: this mode has nothing to do with extensions that involve a .so. It's for extensions that can be represented purely as scripts, and thus are self-contained in the proposed catalog entries. regards, tom lane
Tom Lane <tgl@sss.pgh.pa.us> writes: > Only for these new-style thingies. I am not suggesting breaking the > existing file-based implementation, only offering a parallel > catalog-based implementation too. We'd have to think about what to do > for name collisions --- probably having the catalog entry take > precedence is okay, but is there an argument for something else? Yeah, well, I would have preferred to have two ways to fill in the templates and then only work from the templates. That would solve the name collision problem, and I guess would allow sharing more code. The other thing is that I want to support extensions that use both models: say the prototype has been written in pl/pythonu but the next version is now switching to C/.so… >> [ need separate catalogs for install scripts and update scripts ] > Check. Ok. >> pg_extension_control(extension, version, default_version, >> default_full_version, module_pathname, >> relocatable, superuser, schema, requires) > > Given that the feature is going to be restricted to pure-SQL extensions, > I'm pretty sure we can do without module_pathname, and maybe some other > things. I already removed "directory" from that list because once in the catalogs you don't care where the files might have been found. MODULE_PATHNAME is about how to read the script that we would store in the catalogs, so I'm not sure we can bypass that. > Yeah, possibly, but I don't have a better idea yet. I don't like > either PARAMETERS or SCRIPT --- for one thing, those don't convey the > idea that this is an object in its own right rather than an attribute of > an extension. A template is something that needs to be instantiated with specific parameters, and can be used any number of times with different sets of parameters to build a new object each time. It's nothing like what we're talking about, or I don't understand it at all. My understanding is that we store the extension "sources" in our catalogs so as to be able to execute them later. 
The only option we have that looks like a template parameter would be the SCHEMA, the others are about picking the right sources/script.

> Actually, given the text search precedent, I'm not sure why you're so
> against TEMPLATE.

See above, my understanding of your proposal is not matching the definition I know of that term.

>> That would mean that ALTER EXTENSION could create objects in other
>> catalogs for an extension that does not exist itself yet, but is now
>> known available (select * from pg_available_extensions()).
>
> Man, that is just horrid.  It brings back exactly the confusion we're
> trying to eliminate by using the "template" terminology.  We don't want
> it to look like manipulating a template has anything to do with altering
> an extension of the same name (which might or might not even be
> installed).

I still can't help but think in terms of populating the "templates" one way or the other and then using the "templates" to create or update the extension itself.

We could maybe have a command akin to "yum update" or "apt-get update" that would refresh the TEMPLATEs from disk (handling name conflicts, file name parsing and control file parsing), and some options to the EXTENSION commands to force a refresh before working?  So either

  REFRESH EXTENSION TEMPLATES;
  ALTER EXTENSION hstore UPDATE TO '1.2';

or

  ALTER EXTENSION hstore UPDATE TO '1.2' WITH TEMPLATE REFRESH;

So my horrid proposal above would mean that the REFRESH option defaults to true, and is also available to CREATE EXTENSION.  I'm not sure how much less horrid that makes it, but I sure hope it helps me better explain / convey my vision about the thing.

>> The $2.56 question being what would be the pg_dump policy of the
>> "extension templates" objects?
>
> The ones that are catalog objects, not file objects, should be dumped
> I think.

Agreed.

> Wrong.  There is no reason whatsoever to load file-based stuff into
> catalogs.
> That just adds complication and overhead to cases that work
> already, and will break update cases (what happens when a package update
> changes the files?).

What happens if the extension that was created from a template is now maintained on-disk (switch from pl/perlu to C)?  What if the extension that was on-disk because you couldn't use a template in 9.1 and 9.2 now wants to be managed by the template system?

What if the PGXN guys think templates are a perfect solution to integrate into their client tool but the debian and yum packagers prefer to ship disk-based extensions?  And you want to switch from one packaging system to the other?

Regards,
-- 
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
Hi,

Please find attached a preliminary patch following the TEMPLATE ideas, and thanks in particular to Tom and Heikki for a practical design about how to solve that problem!

Tom Lane <tgl@sss.pgh.pa.us> writes:
>> - Extension Scripts are now stored in the catalogs, right?
>
> Only for these new-style thingies.  I am not suggesting breaking the
> existing file-based implementation, only offering a parallel
> catalog-based implementation too.  We'd have to think about what to do
> for name collisions --- probably having the catalog entry take
> precedence is okay, but is there an argument for something else?

The attached patch is implementing TEMPLATEs only for these new-style thingies.  Conflicts are checked at template creation time, and at create extension time we do the file system lookup first, so that's the winner.

>> [ need separate catalogs for install scripts and update scripts ]
>
> Check.

You'll find all three of them in the attached unfinished patch (install, update, control).

> Actually, given the text search precedent, I'm not sure why you're so
> against TEMPLATE.

So I called them TEMPLATE and I tried hard to leave that term open to other uses.  As a result the main syntax is

  CREATE TEMPLATE FOR EXTENSION …
  ALTER TEMPLATE FOR EXTENSION …
  DROP TEMPLATE FOR EXTENSION …

No new keyword has been added to the parser in the making of this patch.

You'll find some usage examples in the regression tests part of the patch, and the new commands have received the very minimum documentation coverage.  I intend to fill in the docs some more before calling it ready for commit, of course.  I'm at a point where I need feedback before continuing though, and I think Tom is in the best position to provide it given the previous exchanges.

>> The $2.56 question being what would be the pg_dump policy of the
>> "extension templates" objects?
>
> The ones that are catalog objects, not file objects, should be dumped
> I think.
So, the current version of the patch has no support for pg_dump and psql yet, and most ALTER commands in the grammar are not yet implemented.  Also missing are ALTER … OWNER TO / RENAME and COMMENT, both for the new catalog objects and the extension to be created from them.

I think we could transfer the COMMENT on the template from the pg_extension_control (so that you can change the comment at upgrade) to the extension, but wanted to talk about that first.  The alternative is to simply add a comment column to the pg_extension_control catalog, along with a grammar rule to get the information from the commands.

Regards,
-- 
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
Attachment
Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes:
> Please find attached a preliminary patch following the TEMPLATE ideas,

FYI, I've added it to the commitfest:

  https://commitfest.postgresql.org/action/patch_view?id=1032

Regards,
-- 
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
* Dimitri Fontaine (dimitri@2ndQuadrant.fr) wrote:
> Please find attached a preliminary patch following the TEMPLATE ideas,
> and thanks in particular to Tom and Heikki for a practical design about
> how to solve that problem!

Given that it's preliminary and v0 and big and whatnot, it seems like it should be bounced to post-9.3.  Even so, I did take a look through it, probably mostly because I'd really like to see this feature. :)

What's with removing the OBJECT_TABLESPACE case?

Given that get_object_address_tmpl() seems to mainly just fall into a couple of case statements to split out the different options, I'm not sure that having that function is useful, or perhaps it should be 2 distinct functions?

ExtensionControlFile seemed like a good name, just changing that to "ExtensionControl" doesn't seem as nice, tho that's a bit of bike shedding, I suppose.

I'm not sure we have a 'dile system'... :)

For my 2c, I wish we could do something better than having to support both on-disk conf files and in-database configs.  Don't have any particular solution to that tho.

Also pretty sure we only have one catalog ('get_ext_ver_list_from_catalogs')

'Template' seems like a really broad term which might end up being associated with things beyond extensions, yet there are a number of places where you just use 'TEMPLATE', eg, ACL_KIND_TEMPLATE.  Seems like it might become an issue later.

Just a side-note, there's also some whitespace issues.

Also, no pg_dump/restore support..?  Seems like that'd be useful..

That's just a real quick run-through with my notes.  If this patch is really gonna go into 9.3, I'll try to take a deeper look.

	Thanks,

		Stephen
On 2013-01-18 12:45:02 -0500, Stephen Frost wrote:
> * Dimitri Fontaine (dimitri@2ndQuadrant.fr) wrote:
> > Please find attached a preliminary patch following the TEMPLATE ideas,
> > and thanks in particular to Tom and Heikki for a practical design about
> > how to solve that problem!
>
> Given that it's preliminary and v0 and big and whatnot, it seems like
> it should be bounced to post-9.3.  Even so, I did take a look through
> it, probably mostly because I'd really like to see this feature. :)

To be fair, the patch started its life pretty early on in the cycle and only got really reviewed (and I think updated) later.  It just got rewritten into this form based on review.

> 'Template' seems like a really broad term which might end up being
> associated with things beyond extensions, yet there are a number of
> places where you just use 'TEMPLATE', eg, ACL_KIND_TEMPLATE.  Seems like
> it might become an issue later.

I think Tom came up with that name and while several people (including me and I think also Dim) didn't really like it nobody has come up with a better name so far.

Greetings,

Andres Freund
-- 
Andres Freund                      http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
* Andres Freund (andres@2ndquadrant.com) wrote:
> On 2013-01-18 12:45:02 -0500, Stephen Frost wrote:
> > 'Template' seems like a really broad term which might end up being
> > associated with things beyond extensions, yet there are a number of
> > places where you just use 'TEMPLATE', eg, ACL_KIND_TEMPLATE.  Seems like
> > it might become an issue later.
>
> I think Tom came up with that name and while several people (including
> me and I think also Dim) didn't really like it nobody has come up with a
> better name so far.

'Extension Template' is fine, I was just objecting to places in the code where it just says 'TEMPLATE'.  I imagine we might have some 'XXX Template' at some point in the future and then we'd have confusion between "is this an *extension* template or an XXX template?".

	Thanks,

		Stephen
Stephen Frost <sfrost@snowman.net> writes:
> 'Extension Template' is fine, I was just objecting to places in the code
> where it just says 'TEMPLATE'.  I imagine we might have some 'XXX
> Template' at some point in the future and then we'd have confusion
> between "is this an *extension* template or an XXX template?".

We already do: see text search templates.  The code tends to call those TSTEMPLATEs, so I'd suggest ACL_KIND_EXTTEMPLATE or some such.  I agree with Stephen's objection to use of the bare word "template".

			regards, tom lane
Tom Lane <tgl@sss.pgh.pa.us> writes:
> We already do: see text search templates.  The code tends to call those
> TSTEMPLATEs, so I'd suggest ACL_KIND_EXTTEMPLATE or some such.  I agree
> with Stephen's objection to use of the bare word "template".

Yes, me too, but I had a hard time convincing myself to use such a wordy notation.  I will adjust the patch.  Is that all I have to adjust before finishing the command set support? :)

Regards,
-- 
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
* Dimitri Fontaine (dimitri@2ndQuadrant.fr) wrote:
> Tom Lane <tgl@sss.pgh.pa.us> writes:
> > We already do: see text search templates.  The code tends to call those
> > TSTEMPLATEs, so I'd suggest ACL_KIND_EXTTEMPLATE or some such.  I agree
> > with Stephen's objection to use of the bare word "template".
>
> Yes, me too, but I had a hard time to convince myself of using such a
> wordy notation.  I will adjust the patch.  Is that all I have to adjust
> before finishing the command set support? :)

I'm keeping a healthy distance away from *that*.. ;)

	Thanks,

		Stephen
Hi,

Please find attached a new version of the patch, answering most of your reviewing points.  I'll post another version shortly with support for pg_dump and alter owner/rename.

The main priority was to confirm that the implementation conforms to the rough spec and design we agreed on with Tom and Heikki, in order to be able to adjust anything I would have misunderstood there.

Stephen Frost <sfrost@snowman.net> writes:
> What's with removing the OBJECT_TABLESPACE case?  Given that

Merge artifact or fat fingers, something like that.

> ExtensionControlFile seemed like a good name, just changing that to
> "ExtensionControl" doesn't seem as nice, tho that's a bit of bike
> shedding, I suppose.

Yeah, well, the values in there now can be fetched from a catalog, so I thought I should reflect that change somehow.  Will revert to the previous name if that's the consensus.

> I'm not sure we have a 'dile system'... :)

> Also pretty sure we only have one catalog
> ('get_ext_ver_list_from_catalogs')

Fixed.

> 'Template' seems like a really broad term which might end up being
> associated with things beyond extensions, yet there are a number of
> places where you just use 'TEMPLATE', eg, ACL_KIND_TEMPLATE.  Seems like
> it might become an issue later.

Fixed.  Any other straight TEMPLATE reference would be another error when cleaning up the patch, though my reading tonight didn't catch 'em.

> Also, no pg_dump/restore support..?  Seems like that'd be useful..

Yeah, that's the obvious next step.  The design is that we absolutely want to dump and restore those templates, that's the key here :)

> That's just a real quick run-through with my notes.  If this patch is
> really gonna go into 9.3, I'll try to take a deeper look.

Thanks for that!

Regards,
-- 
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
Attachment
Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes:
> Please find attached a new version of the patch, answering to most of
> your reviewing points.  I'll post another version shortly with support
> for pg_dump and alter owner/rename.

So, as far as pg_dump is concerned, I have a trick question here.

We now have those new catalogs:

 - pg_extension_control
 - pg_extension_template
 - pg_extension_uptmpl

When doing CREATE EXTENSION, if we did use a template to find the control information about it, we record a dependency.  The template and update_template (named uptmpl to make the name shorter) catalog entries also have a pg_depend dependency towards the pg_extension_control entry.

Now, at pg_dump time, I want to be dumping the templates for the extension and for updating the extension *before* the extension itself.  It seems to me that the dependencies as set up will guarantee that.

The trick is that I don't have anything to dump for a given control entry itself.  So I could either add some more commands so that pg_dump can set up the control then the template for creating or updating an extension, or just have a dumpExtensionControl() that does nothing.  I'm not sure which one to pick.

Did I explain the problem properly enough for someone to chime in?  Now that I've written this in that email, I think I'm going to go for the new command.  But maybe we have some precedent for objects that we list in pg_dump only for solving several-step dependency lookups?

Regards,
-- 
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
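[Editor's illustration: the dependency-driven ordering described in the message above amounts to a topological sort — an object is dumped only after everything it depends on, so even a control entry that emits no SQL of its own still anchors the ordering.  The following toy model in Python uses made-up object names and simplified edges, not pg_dump's actual data structures.]

```python
from graphlib import TopologicalSorter

# "X depends on Y" edges, mirroring the pg_depend links sketched above:
# the extension depends on its install template, and both template kinds
# depend on the control entry.  The control entry has nothing to dump,
# but keeping it as a node still forces the right order.
deps = {
    "extension pair":           {"template pair 1.0"},
    "template pair 1.0":        {"control entry for pair"},
    "update template 1.0--1.1": {"control entry for pair"},
}

# static_order() lists each object only after all of its dependencies.
order = list(TopologicalSorter(deps).static_order())
```

With these edges, the control entry always sorts first and the extension last, so at restore time the templates are in place before CREATE EXTENSION runs.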
Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes:
> Now that I've written this in that email, I think I'm going to go for
> the new command.  But maybe we have some precedent for objects that we
> list in pg_dump only for solving several steps dependency lookups?

Yes, pg_dump has lots of objects that might not appear in a dump.  The most recent examples are the section fence objects ...

			regards, tom lane
Hi,

Please find attached v2 of the Extension Templates patch, with pg_dump support and assorted fixes.  It's still missing ALTER RENAME and OWNER facilities, and owner in the dump.  There's a design point I want to address with some input before getting there, though.  Hence this email.

Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes:
> We now have those new catalogs:
>
>  - pg_extension_control
>  - pg_extension_template
>  - pg_extension_uptmpl

What I did here in pg_dump is add a new dumpable object type DO_EXTENSION_TEMPLATE where in fact we're fetching entries from pg_extension_control and pg_extension_template and uptmpl.  The thing is that we now have a control entry for any script to play, so that we can ALTER the control properties of any known target version.  Also, an extension installed from a template keeps a dependency towards the control entry of that template, so that the dump is done with the right ordering.

Now, the tricky part that's left over.  Say that you have an extension pair with 3 versions available, and those upgrade paths (edited for brevity):

  ~# select * from pg_extension_update_paths('pair');
   source | target |     path
  --------+--------+---------------
   1.0    | 1.1    | 1.0--1.1
   1.0    | 1.2    | 1.0--1.1--1.2
   1.1    | 1.2    | 1.1--1.2

  CREATE EXTENSION pair VERSION '1.2';

PostgreSQL didn't know how to do that before, and still does not.  That feature is implemented in another patch of mine for 9.3, quietly waiting for attention to get back to it, and answering a gripe initially expressed by Robert:

  https://commitfest.postgresql.org/action/patch_view?id=968

Given the ability to install an extension from a default_version then apply the update path to what the user asked, we would have been able to ship hstore 1.0 and the 1.0--1.1 script in 9.2, without having to consider dropping the 1.0 version yet.
Now, back to Extension Templates: the pg_dump output from the attached patch is not smart enough to cope with an extension that has been upgraded, it will only install the *default* version of it.

There are two ways I see of addressing that point:

 - implement default_full_version support for CREATE EXTENSION and have
   it working both in the case of file based installation and template
   based installation, then the pg_dump work is really straightforward;

     CREATE EXTENSION pair VERSION '1.2'; -- will install 1.0 then update

 - add smarts into pg_dump to understand the shortest path of
   installation and upgrade going from the current default_version to
   the currently installed version of a template based extension so as
   to be able to produce the right order of commands, as e.g.:

     CREATE EXTENSION pair;                -- default is 1.0
     ALTER EXTENSION pair UPDATE TO '1.2'; -- updates to 1.1 then 1.2

As you might have guessed already, if I'm going to implement some smarts in the system to cope with installation-time update paths, I'd rather do it once in the backend rather than hack it together in pg_dump only for the template based case.

Should I merge the default_full_version patch into the Extension Template one, or would we rather first see about committing the default one then the template one, or the other way around, or something else I didn't think about?

Regards,
-- 
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
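[Editor's illustration: the "shortest path of installation and upgrade" idea above can be made concrete with a small toy model — this is my own Python sketch of finding a chain of update scripts from a starting version to a target, given script names of the form "source--target"; it is not the backend or pg_dump code.]

```python
from collections import deque

# Available update scripts, named as in the "pair" example above.
scripts = ["1.0--1.1", "1.1--1.2"]

def shortest_update_path(start, goal, scripts):
    """Breadth-first search over the version graph built from the
    update-script names; returns the version chain, or None."""
    edges = {}
    for name in scripts:
        src, dst = name.split("--")
        edges.setdefault(src, []).append(dst)
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None  # no chain of update scripts reaches the goal

# Installing VERSION '1.2' when the default is 1.0 would run the 1.0
# install script, then each update script along this path:
assert shortest_update_path("1.0", "1.2", scripts) == ["1.0", "1.1", "1.2"]
```

Whether this logic lives in the backend (the first option) or in pg_dump (the second) is exactly the design question posed in the message above.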
Attachment
Hi,

Please find attached v3 of the Extension Templates patch, with full pg_dump support thanks to having merged default_full_version, appended with some regression tests now that it's possible.  The patch also implements ALTER RENAME and OWNER facilities for those new template objects.

Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes:
> Now, back to Extension Templates: the pg_dump output from the attached
> patch is not smart enough to cope with an extension that has been
> upgraded, it will only install the *default* version of it.

That's been fixed by merging in the default_full_version patch.

> There are two ways that I see about addressing that point:
>
>  - implement default_full_version support for CREATE EXTENSION and have
>    it working both in the case of file based installation and template
>    based installation, then pg_dump work is really straightforward;
>
>      CREATE EXTENSION pair VERSION '1.2'; -- will install 1.0 then update

And that just works at pg_restore time, automatically, without pg_dump having to know anything about how.

Regards,
-- 
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
Attachment
On 02/23/2013 12:03 AM, Dimitri Fontaine wrote:
> Hi,
>
> Please find attached v3 of the Extension Templates patch, with full
> pg_dump support thanks to having merged default_full_version, appended
> with some regression tests now that it's possible.

There hasn't been visible movement on this work since the 22nd when you posted v3 and it was flagged for further review.  Nobody's stepped up; can we get any interest in this?

What's your opinion on the state of this patch?  Are you satisfied with the proposed patch as it stands?  Any particular areas you think need attention in review or during final committer examination?  Any security concerns?

-- 
Craig Ringer                   http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
Craig Ringer <craig@2ndquadrant.com> writes:
> There hasn't been visible movement on this work since the 22nd when you
> posted v3 and it was flagged for further review.  Nobody's stepped up,
> can we get any interest in this?

I hope we can, it's a pretty important development as far as I'm concerned, a building block for other improvements that won't need further assistance from core code.

> What's your opinion on the state of this patch?  Are you satisfied with
> the proposed patch as it stands?  Any particular areas you think need
> attention in review or during final committer examination?  Any security
> concerns?

I think the patch is ready for a committer.  What I think the committer will want to change is here:

 - hstore changes

   The patch reverts the hstore--1.1.sql changes to show that with the
   default_full_version included before, we could have chosen to ship
   with hstore--1.0.sql and hstore--1.0--1.1.sql and install 1.1 by
   default in more recent releases.

 - docs

   We might need to add some more high-level docs about the feature,
   like a worked out example in the main Extension section (35.15), but
   I felt time pressed and that's typically something that can be done
   while in beta.

 - catalog names

   This patch needs 3 new catalogs, named pg_extension_control,
   pg_extension_template and pg_extension_uptmpl for the Templates you
   use to Update an extension (not the same natural PK as the ones you
   use to install).

   The decision to use 3 catalogs has been validated earlier by Tom.
   The focus point is on the naming: uptmpl is meant to be as short as
   possible while still being easy to understand.  Is that the case?

 - psql support

   When compared to current EXTENSION facilities, psql support here
   would mean the ability to see an extension's scripts and control
   file from psql directly, and we didn't feel like we should add that
   after all.  So there's no psql support in that patch, other than
   including the TEMPLATEs in pg_available_extensions().
 - pg_available_extension_versions() support

   Oooops, I didn't add that yet.  Follow-up patch needed.  Do we want a
   new full patch or just a patch on top of that for later applying?
   This patch certainly is big enough as it is…

 - Assert() HeapTuple's catalog

   In the function extract_ctlversion() I would like to be able to
   Assert() that the given tuple is from the right catalog, and didn't
   see how to do that.

Other than that, the patch implements 3 new catalogs and associated commands, and routes those commands in a way that the new grammar additions are not tied to EXTENSION TEMPLATEs but rather generic as far as TEMPLATEs are concerned.

Regards,
-- 
Dimitri Fontaine                                06 63 07 10 78
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
On 2013-03-04 11:51:36 +0100, Dimitri Fontaine wrote:
> - Assert() HeapTuple's catalog
>
>   In the function extract_ctlversion() I would like to be able to
>   Assert() that the given tuple is from the right catalog and didn't
>   see how to do that

->t_tableOid.  Haven't read the patch, so I am not sure whether that's a good check to make.  It's not 100% useful, because several places neglect to set tableOid, but I have a patch to remedy that (as part of the logical decoding work).  I can send that patch separated from other stuff if there's interest.

Greetings,

Andres Freund
-- 
Andres Freund                      http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
Dimitri Fontaine wrote:
> Please find attached v3 of the Extension Templates patch, with full
> pg_dump support thanks to having merged default_full_version, appended
> with some regression tests now that it's possible.

Here's a rebased version; there were some merge conflicts with master.  I also fixed some compiler warnings.

I haven't reviewed the patch in any detail yet.  One thing that jumps out at me from the code style perspective is the strange way it deals with "isnull" from heap_getattr.  (I think most of these should just elog(ERROR) if a null attr is found).  Another thing is that I don't find the name "uptmpl" very clear.

We might wish to see about AtlerExtensionTemplateRename -- not only the typo in the name but also the fact that it opens/closes the catalog for each tuple to rename -- seems suboptimal.

Keeping the "template.c" file name seems wrong -- exttemplate.c maybe?  (I renamed the parse nodes to ExtTemplate)

There was a strange bug in pg_dump; it used "qto" where I thought qversion was appropriate.  I changed it (I looked at this hunk more closely than most others because there was a compiler warning here, but I didn't verify that it works.)

You seem to love using Capitalized Letters for some things in error messages; I don't find these very pretty, and anyway they violate our style guidelines.  (I think these are in elog() not ereport() calls, but still)

-- 
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
Attachment
Alvaro Herrera <alvherre@2ndquadrant.com> writes:
> Here's a rebased version; there were some merge conflicts with master.

Um ... what's with those hstore changes?

			regards, tom lane
Tom Lane <tgl@sss.pgh.pa.us> writes:
> Um ... what's with those hstore changes?

Just showing how we could deal with shipping 1.1 in the future, it's not meant to be applied as-is.

Part of the feature set in there comes from when Robert complained that we can't have CREATE EXTENSION hstore; install version 1.1 from 1.0 plus the 1.0--1.1 upgrade path.  It so happens that with extension templates, that feature is needed for pg_dump purposes, so it's included in this patch.  I've left the hstore changes in to show it off only.

Regards,
-- 
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
Alvaro Herrera <alvherre@2ndquadrant.com> writes:
> Here's a rebased version; there were some merge conflicts with master.

Thanks!

> I also fixed some compiler warnings.  I haven't reviewed the patch in
> any detail yet.  One thing that jump at me from the code style
> perspective is the strange way it deals with "isnull" from heap_getattr.
> (I think most of these should just elog(ERROR) if a null attr is found).

I think you're right here, yes.

> Another thing is that I don't find the name "uptmpl" very clear.

Any suggestion is welcome, I don't like it very much either.

> Keeping the "template.c" file name seems wrong -- exttemplate.c maybe?
> (I renamed the parse nodes to ExtTemplate)

I've been wondering about that.  My thinking is that we're providing a new set of TEMPLATE objects and commands, and the commands are designed so that it's easy to add more objects in there.  The implementation too is quite open to that, with "routing" functions in template.c.

Now, I've chosen to implement the Extension templates in the same file because currently those are the only kind of "Templates" that we manage, and this project seems to prefer big files rather than too many files.  That said, I'm not wedded to this choice.

> There was a strange bug in pg_dump; it used "qto" where I thought
> qversion was appropriate.  I changed it (I looked at this hunk more
> closely than most others because there was a compiler warning here, but
> I didn't verify that it works.)

It's quite hard for me to spot the hunk you're talking about without setting up a whole new branch to extract the work you did in the new diff, but maybe I'm just missing a diff-between-diffs tool?

> You seem to love using Capitalized Letters for some things in error
> messages; I don't find these very pretty, and anyway they violate our
> style guidelines.  (I think these are in elog() not ereport() calls, but
> still)

I'll make sure to remember about that, thanks.
Regards,
-- 
Dimitri Fontaine                                06 63 07 10 78
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
On 15.03.2013 23:00, Alvaro Herrera wrote:
> Dimitri Fontaine wrote:
>
>> Please find attached v3 of the Extension Templates patch, with full
>> pg_dump support thanks to having merged default_full_version, appended
>> with some regression tests now that it's possible.
>
> Here's a rebased version; there were some merge conflicts with master.
> I also fixed some compiler warnings.

I'm quite worried about the security ramifications of this patch.  Today, if you're not sure if a system has e.g sslinfo installed, you can safely just run "CREATE EXTENSION sslinfo".  With this patch, that's no longer true, because "foo" might not be the extension you're looking for.  Mallory might've done this:

  create template for extension sslinfo version '1.0'
    with (schema public) as $$ DO EVIL STUFF $$;

Now if you run "CREATE EXTENSION sslinfo" as superuser, you've been compromised.  This is not only a problem when sitting at a psql console, it also just became really dangerous to run pg_dump backups without ensuring that all the extensions are installed beforehand.  That's exactly the situation we wanted to avoid when extensions were introduced in the first place.

Things get even more complicated if there's version 1.0 of sslinfo already installed, and you create an extension template for sslinfo version 1.1.  Is that possible?  How does it behave?

Below are some random bugs that I bumped into while testing.  These could be fixed, but frankly I think this should be rejected for security reasons.

Documentation doesn't build, multiple errors.  In addition to the reference pages, there should be a section in the main docs about these templates.

> postgres=# create template for extension myextension version '1.0' with () as 'foobar';
> CREATE TEMPLATE FOR EXTENSION
> postgres=# create extension myextension;
> ERROR:  syntax error at or near "foobar"
> LINE 1: create extension myextension;
>         ^

Confusing error message.
> postgres=# create template for extension myextension version '1.0' with () as $$create table foobar(i int4) $$;
> CREATE TEMPLATE FOR EXTENSION
> postgres=# create extension myextension;
> CREATE EXTENSION
> postgres=# select * from foobar;
> ERROR:  relation "foobar" does not exist
> LINE 1: select * from foobar;
>                       ^

Where did that table go?

> postgres=# create template for extension myextension version '1.0' with () as $$ create function myfunc() returns int4 AS $f$ select 123; $f$ language sql; $$;
> CREATE TEMPLATE FOR EXTENSION
> postgres=# create extension myextension version '1.0';
> CREATE EXTENSION
> postgres=# select * from pg_namespace;
>       nspname       | nspowner |            nspacl
> --------------------+----------+-------------------------------
>  pg_toast           |       10 |
>  pg_temp_1          |       10 |
>  pg_toast_temp_1    |       10 |
>  pg_catalog         |       10 | {heikki=UC/heikki,=U/heikki}
>  public             |       10 | {heikki=UC/heikki,=UC/heikki}
>  information_schema |       10 | {heikki=UC/heikki,=U/heikki}
>  1.0                |       10 |
> (7 rows)

Ah, here...  Where did that " 1.0" schema come from?

> postgres=> create template for extension myextension version '1.0' with (schema public) as $$ create function evilfunc() returns int4 AS 'evilfunc' language internal; $$;
> CREATE TEMPLATE FOR EXTENSION
> postgres=> create extension myextension version '1.0';
> ERROR:  permission denied for language internal
> postgres=> drop template for extension myextension version '1.0';
> ERROR:  extension with OID 16440 does not exist

Something wrong with catalog caching.

> $ make -s install
> /usr/bin/install: cannot stat `./hstore--1.0.sql': No such file or directory
> make: *** [install] Error 1

Installing hstore fails.
> postgres=> create template for extension sslinfo version '1.0' with (schema public) as $$ create function evilfunc() returns int4 AS 'evilfunc' language internal; $$;
> ERROR:  extension "sslinfo" is already available
> postgres=> create template for extension sslinfo2 version '1.0' with (schema public) as $$ create function evilfunc() returns int4 AS 'evilfunc' language internal; $$;
> CREATE TEMPLATE FOR EXTENSION
> postgres=> alter template for extension sslinfo2 rename to sslinfo;
> ALTER TEMPLATE FOR EXTENSION

If we check for an existing extension at CREATE, we should also check for that in ALTER ... RENAME TO.

- Heikki
On Wed, Mar 27, 2013 at 10:16 AM, Heikki Linnakangas <hlinnakangas@vmware.com> wrote:
> I'm quite worried about the security ramifications of this patch.  Today, if
> you're not sure if a system has e.g sslinfo installed, you can safely just
> run "CREATE EXTENSION sslinfo".  With this patch, that's no longer true,
> because "foo" might not be the extension you're looking for.  Mallory
> might've done this:
>
> create template for extension sslinfo version '1.0' with (schema public) as
> $$ DO EVIL STUFF $$;

Surely creating an extension template must be a superuser-only operation, in which case this is an issue because Mallory could also have just blown up the world directly if he's already a superuser anyway.  If the current patch isn't enforcing that, it's 100% broken.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
On 27.03.2013 16:16, Heikki Linnakangas wrote:
> Below are some random bugs that I bumped into while testing. These could
> be fixed, but frankly I think this should be rejected for security reasons.

Also: pg_dump does not dump the owner of an extension template correctly.

- Heikki
Robert Haas escribió:
> On Wed, Mar 27, 2013 at 10:16 AM, Heikki Linnakangas
> <hlinnakangas@vmware.com> wrote:
> > I'm quite worried about the security ramifications of this patch. Today, if
> > you're not sure if a system has e.g sslinfo installed, you can safely just
> > run "CREATE EXTENSION sslinfo". With this patch, that's no longer true,
> > because "foo" might not be the extension you're looking for. Mallory
> > might've done this:
> >
> > create template for extension sslinfo version '1.0' with (schema public) as
> > $$ DO EVIL STUFF $$;
>
> Surely creating an extension template must be a superuser-only
> operation, in which case this is an issue because Mallory could also
> have just blown up the world directly if he's already a superuser
> anyway.

Yeah .. (except "this is NOT an issue")

> If the current patch isn't enforcing that, it's 100% broken.

Even if it's not enforcing that, it's not 100% broken, it only contains one more bug we need to fix.

--
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
On Wed, Mar 27, 2013 at 10:32 AM, Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
>> Surely creating an extension template must be a superuser-only
>> operation, in which case this is an issue because Mallory could also
>> have just blown up the world directly if he's already a superuser
>> anyway.
>
> Yeah .. (except "this is NOT an issue")
>
>> If the current patch isn't enforcing that, it's 100% broken.
>
> Even if it's not enforcing that, it's not 100% broken, it only contains
> one more bug we need to fix.

Sure. I didn't mean that such a mistake would make the patch unsalvageable, only that it would be disastrous from a security point of view. But as you say, pretty easy to fix.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Hi,

Thank you for testing and reporting those strange bugs; I should be able to fix them by Tuesday at the earliest.

Heikki Linnakangas <hlinnakangas@vmware.com> writes:
> create template for extension sslinfo version '1.0' with (schema public) as
> $$ DO EVIL STUFF $$;

What you're saying is that we should restrict the capability to superusers only. I didn't think about those security implications before, and thought it wouldn't be a necessary limitation. I will add the usual superuser() checks in the next version of the patch.

> Documentation doesn't build, multiple errors. In addition to the reference
> pages, there should be a section in the main docs about these templates.

I really would like a simpler setup for building the documentation on my OS of choice, and realize that's no excuse. Will clean that up in the next version of the patch.

>> postgres=# create template for extension myextension version '1.0' with () as 'foobar';
>> CREATE TEMPLATE FOR EXTENSION
>> postgres=# create extension myextension;
>> ERROR: syntax error at or near "foobar"
>> LINE 1: create extension myextension;
>>         ^
>
> Confusing error message.

Do we need to compute a different error message when applying the script from a template rather than from a file on disk? Also please keep in mind that those error messages are typically seen by the extension's author.

>> postgres=# create template for extension myextension version '1.0' with () as $$create table foobar(i int4) $$;
>> CREATE TEMPLATE FOR EXTENSION
>> postgres=# create extension myextension;
>> CREATE EXTENSION
>> postgres=# select * from foobar;
>> ERROR: relation "foobar" does not exist
>> LINE 1: select * from foobar;
>>         ^
>
> Where did that table go?

Well, that's not the answer I wanted to give, but:

  select c.oid, relname, nspname
    from pg_class c
         join pg_namespace n on n.oid = c.relnamespace
   where relname ~ 'foobar';

    oid  | relname | nspname
  -------+---------+---------
   41412 | foobar  | 1.0
  (1 row)

> Ah, here...
> Where did that "1.0" schema come from?

I need to sort that out. I didn't have that problem in my tests (included in the regression tests); I will add your test case and see about fixing that bug in the next version of the patch.

>> postgres=> create template for extension myextension version '1.0' with
>> (schema public) as $$ create function evilfunc() returns int4 AS
>> 'evilfunc' language internal; $$;
>> CREATE TEMPLATE FOR EXTENSION
>> postgres=> create extension myextension version '1.0';
>> ERROR: permission denied for language internal
>> postgres=> drop template for extension myextension version '1.0';
>> ERROR: extension with OID 16440 does not exist
>
> Something wrong with catalog caching.

Or something wrong with dependencies, maybe… will have a look at that too, and add some regression tests.

>> $ make -s install
>> /usr/bin/install: cannot stat `./hstore--1.0.sql': No such file or directory
>> make: *** [install] Error 1
>
> Installing hstore fails.

Works for me. Anyway, that part was to show how we could have been managing the hstore 1.1 update in the past; I don't intend for it to get committed unless specifically asked to do so. I guess I should remove the hstore changes from the patch now, and will do so in the next version.

> If we check for an existing extension at CREATE, should also check for that
> in ALTER ... RENAME TO.

Indeed. Will fix that too.

> Also:
> pg_dump does not dump the owner of an extension template correctly.

Will look into that too.

Thanks for your reviewing and testing, sorry to have missed those bugs. The new version of the patch, early next week, will include fixes for all of those and some more testing.

Regards,
--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
Heikki Linnakangas <hlinnakangas@vmware.com> writes:
> I'm quite worried about the security ramifications of this patch. Today, if
> you're not sure if a system has e.g sslinfo installed, you can safely just
> run "CREATE EXTENSION sslinfo". With this patch, that's no longer true,
> because "foo" might not be the extension you're looking for. Mallory

With the attached patch, you can't create a template for an extension that is already available, so to protect against your scenario you only have to make "sslinfo" available. Please also note that when actually installing the "sslinfo" extension, the one from the system will be preferred over the one from the templates, should you have both available.

Now, I can see why you would still think it's not enough. Barring better ideas, the current patch restricts the feature to superusers.

> Documentation doesn't build, multiple errors. In addition to the reference
> pages, there should be a section in the main docs about these templates.

I'm now working on that, setting up the documentation tool set.

>> postgres=# create template for extension myextension version '1.0' with () as 'foobar';
>> CREATE TEMPLATE FOR EXTENSION
>> postgres=# create extension myextension;
>> ERROR: syntax error at or near "foobar"
>> LINE 1: create extension myextension;
>>         ^
>
> Confusing error message.

Introducing a syntax error in hstore--1.1.sql leads to the same message. Even if we agree that it must be changed, I think that's for another patch.
  ~# create extension hstore;
  ERROR:  syntax error at or near "foobar" at character 115
  STATEMENT:  create extension hstore;
  ERROR:  syntax error at or near "foobar"

>> postgres=# create template for extension myextension version '1.0' with () as $$create table foobar(i int4) $$;
>> CREATE TEMPLATE FOR EXTENSION
>> postgres=# create extension myextension;
>> CREATE EXTENSION
>> postgres=# select * from foobar;
>> ERROR: relation "foobar" does not exist
>> LINE 1: select * from foobar;
>>         ^
>
> Where did that table go?

The control->schema was not properly initialized when not given by the user. That's fixed, and I added a regression test.

> Ah, here... Where did that "1.0" schema come from?

Fixed too, it was the same bug.

>> postgres=> create template for extension myextension version '1.0' with
>> (schema public) as $$ create function evilfunc() returns int4 AS
>> 'evilfunc' language internal; $$;
>> CREATE TEMPLATE FOR EXTENSION
>> postgres=> create extension myextension version '1.0';
>> ERROR: permission denied for language internal
>> postgres=> drop template for extension myextension version '1.0';
>> ERROR: extension with OID 16440 does not exist
>
> Something wrong with catalog caching.

Works for me, I couldn't reproduce the bug here, working from Álvaro's version 4 of the patch. Maybe he already fixed it, and you tested my version 3?

>> $ make -s install
>> /usr/bin/install: cannot stat `./hstore--1.0.sql': No such file or directory
>> make: *** [install] Error 1
>
> Installing hstore fails.

Fixed in the attached. Seeing that makes me think that you actually used Álvaro's version 4, though.

>> postgres=> create template for extension sslinfo version '1.0' with
>> (schema public) as $$ create function evilfunc() returns int4 AS
>> 'evilfunc' language internal; $$;
>> ERROR: extension "sslinfo" is already available

Expected.
>> postgres=> create template for extension sslinfo2 version '1.0' with
>> (schema public) as $$ create function evilfunc() returns int4 AS
>> 'evilfunc' language internal; $$;
>> CREATE TEMPLATE FOR EXTENSION
>> postgres=> alter template for extension sslinfo2 rename to sslinfo;
>> ALTER TEMPLATE FOR EXTENSION
>
> If we check for an existing extension at CREATE, should also check for that
> in ALTER ... RENAME TO.

Indeed, good catch. Fixed in the attached version 5 of the patch.

I didn't add a regression test for that case, because we would need to know which extensions are available on the build machine to trigger this error, and I don't know how to do that. We could create a template for the extension foobar, then foobar2, then rename foobar2 to foobar, but that wouldn't exercise the same code path.

Thanks again for your review,
--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
Attachment
Hi,

Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes:
>> Documentation doesn't build, multiple errors. In addition to the reference
>> pages, there should be a section in the main docs about these templates.
>
> I'm now working on that, setting up the documentation tool set.

Fixed in the attached version 6 of the patch. I couldn't manage to fix the documentation build tool chain on my main workstation, so I had to revive a VM where I was lucky enough to find my old setup still working, all with shared directories, a VPATH build setup, etc. Anyway, I also expanded a little on the docs we did have, adding a section in the main extension chapter and some examples in the CREATE TEMPLATE FOR EXTENSION reference page.

That version has no flaw that I'm aware of and implements the design we reached after almost 2 years on the topic, which is more complex than it would appear at first sight. I hope that you will like the patch if not the feature itself, as I have big plans for it in the near future.

Many thanks to all involved for helping with the design and the reviewing,

Regards,
--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
Attachment
On Wed, Apr 3, 2013 at 8:29 AM, Dimitri Fontaine <dimitri@2ndquadrant.fr> wrote:
> Hi,
>
> Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes:
>>> Documentation doesn't build, multiple errors. In addition to the reference
>>> pages, there should be a section in the main docs about these templates.
>>
>> I'm now working on that, setting up the documentation tool set.
>
> Fixed in the attached version 6 of the patch.

just tried to build this one, but it doesn't apply cleanly anymore... especially the ColId_or_Sconst construct in gram.y

--
Jaime Casanova         www.2ndQuadrant.com
Professional PostgreSQL: Soporte 24x7 y capacitación
Phone: +593 4 5107566         Cell: +593 987171157
Jaime Casanova <jaime@2ndquadrant.com> writes:
> just tried to build this one, but it doesn't apply cleanly anymore...
> especially the ColId_or_Sconst construct in gram.y

Will rebase tomorrow, thanks for the notice!

--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
Jaime Casanova <jaime@2ndquadrant.com> writes:
> just tried to build this one, but it doesn't apply cleanly anymore...
> especially the ColId_or_Sconst construct in gram.y

Please find attached a new version of the patch, v7, rebased to the current master tree and with some more cleanup. I've been using the new grammar entry NonReservedWord_or_Sconst; I'm not sure about that.

In particular, it seems I had forgotten to fix the owner support in pg_dump as noted by Heikki; it's now properly addressed in the attached version.

Regards,
--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
Attachment
On Mon, Jun 24, 2013 at 4:20 AM, Dimitri Fontaine <dimitri@2ndquadrant.fr> wrote:
> Jaime Casanova <jaime@2ndquadrant.com> writes:
>> just tried to build this one, but it doesn't apply cleanly anymore...
>> especially the ColId_or_Sconst construct in gram.y
>
> Please find attached a new version of the patch, v7, rebased to current
> master tree and with some more cleanup. I've been using the new grammar
> entry NonReservedWord_or_Sconst, I'm not sure about that.
I played a bit with this patch.
- If I have a control file that has the same name as a template, create extension picks up the control file? Is this by design?
- Though a control file is global information shared among databases, pg_extension_template is not. Sounds a little weird to me.
- Why do we need the with() clause even if I don't need it?
- I copied and pasted from my plv8.control file into the template script, and MODULE_PATHNAME didn't work. By design?
-
foo=# create template for extension ex2 version '1.0' with (requires ex1) as $$ $$;
ERROR: template option "requires" takes an argument
- create template ex2, create extension ex2, alter template ex2 rename to ex3, create extension ex3, drop template ex3;
foo=# drop template for extension ex3 version '1.0';
ERROR: cannot drop unrecognized object 3179 16429 0 because other objects depend on it
- a template that is created in another template script does not appear to depend on the parent template.
- Without control file/template, attempt to create a new extension gives:
foo=# create extension plv8;
ERROR: extension "plv8" has no default control template
but can it be better, like "extension plv8 has no default control file or template"?
- Do we really need separate tables, pg_extension_template and pg_extension_control?
- Looks like both tables don't have toast tables. Some experiment gives: ERROR: row is too big: size 8472, maximum size 8160
Thanks,
--
Hitoshi Harada
Hi,

Thanks a lot for your review! Some answers here; a new version of the patch with fixes by Tuesday.

Hitoshi Harada <umi.tanuki@gmail.com> writes:
> - If I have a control file that has the same name as a template, create
> extension picks up the control file? Is this by design?

Yes. That should address most of Heikki's security complaint, but isn't enough to allow us to open the feature to non-superusers, if I understand correctly.

> - Though a control file is global information shared among databases,
> pg_extension_template is not. Sounds a little weird to me.

I think that's a limitation of the old model, and we don't want to turn templates for extensions into shared catalogs. At least that's my understanding of the design consensus.

> - Why do we need the with() clause even if I don't need it?

Will have a fresh look, thanks.

> - I copied and pasted from my plv8.control file into the template script,
> and MODULE_PATHNAME didn't work. By design?

Yes. MODULE_PATHNAME is superseded by the control-file parameter of the same name, and there's no reason to use it in extension templates even if we got to support C-coded extensions in them, which is not the case now.

> foo=# create template for extension ex2 version '1.0' with (requires ex1)
> as $$ $$;
> ERROR: template option "requires" takes an argument

Will see about that.

> - create template ex2, create extension ex2, alter template ex2 rename to
> ex3, create extension ex3, drop template ex3;
> foo=# drop template for extension ex3 version '1.0';
> ERROR: cannot drop unrecognized object 3179 16429 0 because other objects
> depend on it

Well, if I'm following, you're trying to remove a non-existing object. I guess you would prefer a better error message, right?

> - a template that is created in another template script does not appear to
> depend on the parent template.

I don't think that should be automatically the case, even if I admit I didn't think about that case.
> - Without control file/template, attempt to create a new extension gives:
> foo=# create extension plv8;
> ERROR: extension "plv8" has no default control template
> but can it be better, like "extension plv8 has no default control file or
> template"?

Will rework.

> - Do we really need separate tables, pg_extension_template and
> pg_extension_control?

Yes, to keep the same feature we have today with auxiliary control files, that is, changing properties of the extension from one version to the next.

> - Looks like both tables don't have toast tables. Some experiment gives:
> ERROR: row is too big: size 8472, maximum size 8160

Will fix in the next version of the patch.

Thanks,
--
Dimitri Fontaine                                        06 63 07 10 78
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
On Thu, Jun 27, 2013 at 2:49 AM, Dimitri Fontaine <dimitri@2ndquadrant.fr> wrote:
> Hi,
>
> Thanks a lot for your review!
>
> Some answers here, new version of the patch with fixes by Tuesday.
>
> Hitoshi Harada <umi.tanuki@gmail.com> writes:
>> - create template ex2, create extension ex2, alter template ex2 rename to
>> ex3, create extension ex3, drop template ex3;
>> foo=# drop template for extension ex3 version '1.0';
>> ERROR: cannot drop unrecognized object 3179 16429 0 because other objects
>> depend on it
>
> Well, if I'm following, you're trying to remove a non-existing object. I
> guess you would prefer a better error message, right?

Right. "unrecognized object x y z" doesn't look good.

>> - a template that is created in another template script does not appear to
>> depend on the parent template.
>
> I don't think that should be automatically the case, even if I admit I
> didn't think about that case.

Really? My understanding is that everything created under an extension depends on the extension, which depends on the template. Why should only the template be an exception?

--
Hitoshi Harada
Hitoshi Harada <umi.tanuki@gmail.com> writes:
>>> - a template that is created in another template script does not appear to
>>> depend on the parent template.
>>
>> I don't think that should be automatically the case, even if I admit I
>> didn't think about that case.
>
> Really? My understanding is everything that is created under extension
> depends on the extension, which depends on the template. Why only template
> is exception?

Oh, sorry, I understood you meant at CREATE TEMPLATE FOR EXTENSION time rather than at CREATE EXTENSION time, and that you were referring to dependency as in the "requires" control parameter. The pg_depend entry against the extension should be there; will fix.

Regards,
--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
On Thu, Jun 27, 2013 at 5:49 AM, Dimitri Fontaine <dimitri@2ndquadrant.fr> wrote:
> I think that's a limitation of the old model and we don't want to turn
> templates for extensions into being shared catalogs. At least that's my
> understanding of the design consensus.

I agree.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Very minor comment here: these SGML "id" tags:

+ <refentry id="SQL-ALTEREXTENSIONTEMPLATE">

are pretty important, because they become the URL for the specific page in the reference docs. So I think you should fix them to use the correct spelling of the command "alter template for extension", and also perhaps add a hyphen or two. Maybe "SQL-ALTER-EXTENSION-FOR-TEMPLATE". (We're inconsistent about adding hyphens; most URLs don't have hyphens after the "sql-" bit, so "sql-altertablespace", but we have some examples of the opposite such as "sql-commit-prepared" and "sql-drop-owned".)

--
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
I think this is unlikely to work reliably:

+	PG_TRY();
+	{
+		ExtensionControl *control = read_extension_control_file(extname);
+
+		if (control)
+		{
+			ereport(ERROR,
+					(errcode(ERRCODE_DUPLICATE_OBJECT),
+					 errmsg("extension \"%s\" is already available", extname)));
+		}
+	}
+	PG_CATCH();
+	{
+		/* no control file found is good news for us */
+	}
+	PG_END_TRY();

What if read_extension_control_file() fails because of an out-of-memory error? I think you need to extend that function to have a more useful API, not rely on it raising a specific error. There is at least one more case where you're calling that function in the same way. It'd probably work to have a boolean return (found/not found), and return the ExtensionControl structure through a pointer.

--
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
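The API shape Álvaro suggests, a boolean found/not-found return with the parsed control data handed back through a pointer, could look roughly like this (a standalone sketch: the struct layout and the hard-coded lookup table are made up for illustration; the real function would parse the on-disk control file and let genuine errors, such as out-of-memory, propagate normally instead of being swallowed by PG_CATCH):

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Made-up stand-in for the patch's ExtensionControl structure. */
typedef struct ExtensionControl
{
    char name[64];
} ExtensionControl;

/* Toy stand-in for the set of control files present on disk. */
static const char *known_control_files[] = { "hstore", "sslinfo" };

/*
 * Returns true and fills *control if a control file exists for extname;
 * returns false otherwise.  "Not found" is reported through the return
 * value, never via a raised error, so callers don't need PG_TRY/PG_CATCH
 * just to distinguish "missing" from "broken".
 */
bool
read_extension_control_file(const char *extname, ExtensionControl *control)
{
    for (size_t i = 0;
         i < sizeof(known_control_files) / sizeof(*known_control_files);
         i++)
    {
        if (strcmp(known_control_files[i], extname) == 0)
        {
            snprintf(control->name, sizeof(control->name), "%s", extname);
            return true;
        }
    }
    return false;
}
```

The caller then becomes a plain `if (read_extension_control_file(extname, &control)) ereport(ERROR, ...)` with no exception-catching at all.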
On Mon, Jun 24, 2013 at 6:20 AM, Dimitri Fontaine <dimitri@2ndquadrant.fr> wrote:
> Jaime Casanova <jaime@2ndquadrant.com> writes:
>> just tried to build this one, but it doesn't apply cleanly anymore...
>> especially the ColId_or_Sconst construct in gram.y
>
> Please find attached a new version of the patch, v7, rebased to current
> master tree and with some more cleanup. I've been using the new grammar
> entry NonReservedWord_or_Sconst, I'm not sure about that.

Hi,

code review (haven't read all the code)
============================

- The error message in aclchk.c:5175 isn't very clear, I mean the user
  should see something better than "uptmpl"

"""
		if (!HeapTupleIsValid(tuple))
			ereport(ERROR,
					(errcode(ERRCODE_UNDEFINED_OBJECT),
					 errmsg("extension uptmpl with OID %u does not exist",
							ext_uptmpl_oid)));
"""

- In alter.c you made AlterObjectRename_internal non-static and replaced
  a SearchSysCache1 call with a get_catalog_object_by_oid one. Now, its
  comment says that function is for simple cases, and because of the
  things you're doing it seems to me this isn't a simple case. Maybe
  instead of modifying it you should create another function,
  RenameExtensionTemplateInternal, just like tablecmds.c does?
  btw, get_catalog_object_by_oid will execute a SearchSysCacheCopy1, so
  you should be calling heap_freetuple(oldtuple)

- This is a typo I guess: AtlerExtensionTemplateRename

- In event_trigger.c, it seems the intention was to keep the
  event_trigger_support array in order; any reason for not doing it?
- extension.c: In function ‘get_ext_ver_list_from_catalog’:
  extension.c:1150:25: warning: variable ‘evi’ set but not used
  [-Wunused-but-set-variable]

Functionality
===========

i tried this:

create template for extension test version 'abc' with (nosuperuser)
as $$ create function f1(i int) returns int as $_$ select 1; $_$ language sql; $$;
CREATE TEMPLATE FOR EXTENSION

create template for extension test from 'abc' to 'xyz' with (nosuperuser)
as $$ create function f2(i int) returns int as $_$ select 1; $_$ language sql; $$;
CREATE TEMPLATE FOR EXTENSION

create template for extension test from 'xyz' to '123' with (nosuperuser)
as $$ create function f3(i int) returns int as $_$ select 1; $_$ language sql; $$;
CREATE TEMPLATE FOR EXTENSION

create extension test version '123';
CREATE EXTENSION

postgres=# \df
                       List of functions
 Schema | Name | Result data type | Argument data types | Type
--------+------+------------------+---------------------+------
(0 rows)

Actually, what this did was to create a "123" schema and put the functions there.
But that schema is inaccessible and undroppable:

select * from "123".f1(1);
ERROR: schema "123" does not exist

drop schema "123";
ERROR: schema "123" does not exist

----------------------------------------------------------

postgres=# create template for extension test2 version '1.0' with (nosuperuser)
as $$ create function f1(i int) returns int as $_$ select 1; $_$ language sql; $$;
CREATE TEMPLATE FOR EXTENSION

postgres=# create template for extension test2 from '1.0' to '1.1' with (nosuperuser)
as $$ create function f2(i int) returns int as $_$ select 1; $_$ language sql; $$;
CREATE TEMPLATE FOR EXTENSION

postgres=# create template for extension test2 from '1.0' to '2.1' with (nosuperuser)
as $$ create function f3(i int) returns int as $_$ select 1; $_$ language sql; $$;
CREATE TEMPLATE FOR EXTENSION

postgres=# create extension test2 version '2.1';
CREATE EXTENSION

In this case only f1() and f3() exist, because the extension is going from 1.0 to 2.1. Is this expected?

And, yes... the functions are in the schema "2.1".

--
Jaime Casanova         www.2ndQuadrant.com
Professional PostgreSQL: Soporte 24x7 y capacitación
Phone: +593 4 5107566         Cell: +593 987171157
On Thu, Jul 4, 2013 at 2:42 AM, Jaime Casanova <jaime@2ndquadrant.com> wrote:
>
> create extension test version '123';
> CREATE EXTENSION
>
> postgres=# \df
>                        List of functions
>  Schema | Name | Result data type | Argument data types | Type
> --------+------+------------------+---------------------+------
> (0 rows)
>
> Actually, what this did was to create a "123" schema and put the
> functions there.
>
> But that schema is inaccessible and undroppable:

and dropping the extension leaves the schema around

--
Jaime Casanova         www.2ndQuadrant.com
Professional PostgreSQL: Soporte 24x7 y capacitación
Phone: +593 4 5107566         Cell: +593 987171157
On Thu, Jul 4, 2013 at 12:46 AM, Jaime Casanova <jaime@2ndquadrant.com> wrote:
> On Thu, Jul 4, 2013 at 2:42 AM, Jaime Casanova <jaime@2ndquadrant.com> wrote:
>>
>> create extension test version '123';
>> CREATE EXTENSION
>>
>> postgres=# \df
>>                        List of functions
>>  Schema | Name | Result data type | Argument data types | Type
>> --------+------+------------------+---------------------+------
>> (0 rows)
>>
>> Actually, what this did was to create a "123" schema and put the
>> functions there.
>>
>> But that schema is inaccessible and undroppable:
>
> and dropping the extension leaves the schema around

Hm? I guess '123' is not a schema, it's a version.

--
Hitoshi Harada
Hi,

Please find attached version 8 of the patch, with fixes for almost all reported problems. Thanks a lot to you reviewers for finding them!

I need some help with:

 - toast tables for the new catalog tables
 - extension.c:1150:25: warning: variable ‘evi’ set but not used

See details below.

Hitoshi Harada <umi.tanuki@gmail.com> writes:
> - Why do we need with() clause even if I don't need it?

Not needed anymore; a regression test was added to cover the new grammar form.

> foo=# create template for extension ex2 version '1.0' with (requires ex1)
> as $$ $$;
> ERROR: template option "requires" takes an argument

Not sure how to handle the grammar for that case, given that I'm using the same tricks as in the CREATE ROLE options in order to avoid adding new keywords in the patch.

> - create template ex2, create extension ex2, alter template ex2 rename to
> ex3, create extension ex3, drop template ex3;
> foo=# drop template for extension ex3 version '1.0';
> ERROR: cannot drop unrecognized object 3179 16429 0 because other objects
> depend on it

Fixed in the attached.

> - a template that is created in another template script does not appear to
> depend on the parent template.

What I understand you meant is doing CREATE TEMPLATE FOR EXTENSION from within a CREATE EXTENSION script. That is now covered in the attached.

> - Without control file/template, attempt to create a new extension gives:
> foo=# create extension plv8;
> ERROR: extension "plv8" has no default control template
> but can it be better, like "extension plv8 has no default control file or
> template"?

Updated the error message; it now looks like this:

  create extension plv8;
  ERROR:  42704: Extension "plv8" is not available from "/Users/dim/pgsql/ddl/share/extension" nor as a template
  LOCATION:  read_extension_control, extension.c:676
  STATEMENT:  create extension plv8;

> - Looks like both tables don't have toast tables. Some experiment gives:
> ERROR: row is too big: size 8472, maximum size 8160

Not sure why.
That's not fixed in the attached.

Alvaro Herrera <alvherre@2ndquadrant.com> writes:
> Very minor comment here: these SGML "id" tags:
>
> + <refentry id="SQL-ALTEREXTENSIONTEMPLATE">

Changed to SQL-ALTER-TEMPLATE-FOR-EXTENSION, same with the CREATE and DROP commands, and updated the cross-references.

Alvaro Herrera <alvherre@2ndquadrant.com> writes:
> What if read_extension_control_file() fails because of an out-of-memory
> error? I think you need to extend that function to have a more useful
> API, not rely on it raising a specific error. There is at least one
> more case when you're calling that function in the same way.

Good point. I'm now using something really simple:

	if (access(get_extension_control_filename(extname), F_OK) == 0)
	{
		ereport(ERROR,
				(errcode(ERRCODE_DUPLICATE_OBJECT),
				 errmsg("extension \"%s\" is already available", extname)));
	}

After pondering it for a while, that doesn't strike me as a modularity violation severe enough to warrant more complex changes.

Jaime Casanova <jaime@2ndquadrant.com> writes:
> - The error message in aclchk.c:5175 isn't very clear, i mean the user
> should see something better than "uptmpl"

Fixed in the attached.

> - In alter.c you made AlterObjectRename_internal non static and
> replaced a SearchSysCache1 call with a get_catalog_object_by_oid one.
> Now, in its comment that function says that is for simple cases. And
> because of the things you're doing it seems to me this isn't a simple
> case. Maybe instead of modifying it you should create other function
> RenameExtensionTemplateInternal, just like tablecmd.c does?

get_catalog_object_by_oid() is doing a SearchSysCache1 when that's relevant and possible, so I don't think I changed enough things around to warrant a different API. I'm open to hearing about why I'm wrong if that's the case, though.

> - This is a typo i guess: AtlerExtensionTemplateRename

Fixed in the attached.
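The access(2) existence test chosen above can be exercised standalone; a minimal sketch (the control-file name below is made up for the demo):

```c
#include <stdio.h>
#include <unistd.h>

/*
 * Minimal demonstration of the access(2) F_OK probe: it only answers
 * "does this path exist?" without opening or parsing the file, which is
 * all the duplicate-name check needs.  Returns 1 if the path exists.
 */
int
control_file_exists(const char *path)
{
    return access(path, F_OK) == 0;
}
```

Unlike calling the full control-file reader, a failed probe here cannot be confused with a parse or out-of-memory error, which is the modularity point being discussed.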
> - In event_triggers.c, it seems the intention was to keep the
> event_trigger_support array in order, any reason to for not doing it?

Fixed in the attached.

> - extension.c: In function ‘get_ext_ver_list_from_catalog’:
> extension.c:1150:25: warning: variable ‘evi’ set but not used
> [-Wunused-but-set-variable]

I don't have the warning here, and that code is unchanged from the master branch; only the name of the function changed. Do you have the same warning with master? Which version of gcc are you using?

> Actually, what this did was to create an 123 schema and it puts the
> functions there.

There was a fault in the way default values are assigned to auxiliary control entries in pg_extension_control when creating a template for updating an extension. That's been fixed in the attached, and a new regression test has been added.

> In this case only f1() and f3() exists, because the extension is going
> from 1.0 to 2.1. is this expected?

You can use the following SQL statement to debug your upgrade paths, as you already could with file-based control information. This tells me that yes, it's expected:

  select * from pg_extension_update_paths('test2');
   source | target |   path
  --------+--------+----------
   1.0    | 1.1    | 1.0--1.1
   1.0    | 2.1    | 1.0--2.1
   1.1    | 1.0    |
   1.1    | 2.1    |
   2.1    | 1.0    |
   2.1    | 1.1    |
  (6 rows)

You have to remember that only the shortest path will get used to upgrade your extension.

> and, yes... the functions are in the schema "2.1"

Fixed in the attached.

Regards,
--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
Attachment
On Thu, Jul 4, 2013 at 7:32 AM, Dimitri Fontaine <dimitri@2ndquadrant.fr> wrote:
>
>> - In alter.c you made AlterObjectRename_internal non static and
>>   replaced a SearchSysCache1 call with a get_catalog_object_by_oid one.
>>   Now, in its comment that function says that is for simple cases. And
>>   because of the things you're doing it seems to me this isn't a simple
>>   case. Maybe instead of modifying it you should create another function
>>   RenameExtensionTemplateInternal, just like tablecmds.c does?
>
> The get_catalog_object_by_oid() is doing a SearchSysCache1 when that's
> relevant and possible, so I don't think I changed enough things around
> to warrant a different API. I'm open to hearing about why I'm wrong if
> that's the case, though.

not sure if you're wrong. but at the very least, you miss a
heap_freetuple(oldtup) there, because get_catalog_object_by_oid()

>> - extension.c: In function ‘get_ext_ver_list_from_catalog’:
>> extension.c:1150:25: warning: variable ‘evi’ set but not used
>> [-Wunused-but-set-variable]
>
> I don't have the warning here, and that code is unchanged from master's
> branch, only the name of the function did change. Do you have the same
> warning with master? which version of gcc are you using?

no, that code is not unchanged, because the function
get_ext_ver_list_from_catalog() comes from your patch. It seems the
thing is that get_ext_ver_info() appends a new ExtensionVersionInfo,
which is then returned and assigned to an *evi pointer that is never
used. I'm sure that evi in line 1150 is only there because you need to
receive the returned value. Maybe you could use
"(void) get_ext_ver_info()" (or should it be (void *)?) to avoid that
assignment and keep the compiler quiet.

PS: i'm on gcc (Debian 4.7.2-5) 4.7.2

--
Jaime Casanova         www.2ndQuadrant.com
Professional PostgreSQL: Soporte 24x7 y capacitación
Phone: +593 4 5107566         Cell: +593 987171157
Jaime Casanova <jaime@2ndquadrant.com> writes:
> not sure if you're wrong. but at the very least, you miss a
> heap_freetuple(oldtup) there, because get_catalog_object_by_oid()

Well, oldtup can be either a syscache copy or a heap tuple. I've been
looking at other call sites and they don't free their tuple either, so
I'm leaving it at that for now.

> no, that code is not unchanged because function
> get_ext_ver_list_from_catalog() comes from your patch.

Yes. Here's the relevant hunk:

    ***************
    *** 997,1003 **** get_nearest_unprocessed_vertex(List *evi_list)
       * the versions that can be reached in one step from that version.
       */
      static List *
    ! get_ext_ver_list(ExtensionControlFile *control)
      {
          List       *evi_list = NIL;
          int         extnamelen = strlen(control->name);
    --- 1093,1099 ----
       * the versions that can be reached in one step from that version.
       */
      static List *
    ! get_ext_ver_list_from_files(ExtensionControl *control)
      {
          List       *evi_list = NIL;
          int         extnamelen = strlen(control->name);
    ***************

So the content of the function has not changed. I'm not opposed to
trying to fix it; I just don't think it would be wise to do so as part
of the extension templates patch, as I believe the problem should
manifest itself in head too: it's the same code under a new function
name.

Regards,
--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
On Sat, Jul 6, 2013 at 2:25 PM, Dimitri Fontaine <dimitri@2ndquadrant.fr> wrote:
> Jaime Casanova <jaime@2ndquadrant.com> writes:
>> not sure if you're wrong. but at the very least, you miss a
>> heap_freetuple(oldtup) there, because get_catalog_object_by_oid()
>
> Well, oldtup can be either a syscache copy or a heap tuple. I've been
> looking at other call sites and they don't free their tuple either. So
> I'm leaving it at that for now.
>
>> no, that code is not unchanged because function
>> get_ext_ver_list_from_catalog() comes from your patch.
>
> Yes. Here's the relevant hunk:

No. That's get_ext_ver_list_from_files(), and that function is
unchanged (except for the name). I'm talking about
get_ext_ver_list_from_catalog(), which is a different function.

--
Jaime Casanova         www.2ndQuadrant.com
Professional PostgreSQL: Soporte 24x7 y capacitación
Phone: +593 4 5107566         Cell: +593 987171157
Jaime Casanova <jaime@2ndquadrant.com> writes:
> the name). I'm talking about get_ext_ver_list_from_catalog() which is
> a different function.

Oh. I see it now, sorry about that. It's blindly fixed in my git repo,
and I'm going to send an updated patch soon now™ which will include the
fix.

Thanks for insisting here…

Regards,
--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support