Thread: Document that server will start even if it's unable to open some TCP/IP ports
Document that server will start even if it's unable to open some TCP/IP ports
From
Gurjeet Singh
Date:
The attached patch clarifies that the server will start even if it is unable to open the port on some of the TCP/IP addresses listed (or implied by a value of '*' or localhost) in listen_addresses parameter. I think it is important to call this out, because I was surprised to see that the server started even though the port was occupied by another process. Upon close inspection, I noticed that the other process was using that port on 127.0.0.1, so Postgres complained about that interface (a warning in server log), but it was able to open the port on IPv6 ::1, so it started up as normal. Upon further testing, I saw that server will not start only if it is unable to open the port on _all_ the interfaces/addresses. It it's able to open the port on at least one, the server will start. If listen_addresses is empty, then server won't try to open any TCP/IP ports. The patch does not change any language related to that. Best regards, Gurjeet http://Gurje.et
Attachment
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Nathan Bossart
Date:
On Sat, May 27, 2023 at 03:17:21PM -0700, Gurjeet Singh wrote: > Upon further testing, I saw that server will not start only if it is > unable to open the port on _all_ the interfaces/addresses. It it's > able to open the port on at least one, the server will start. This surprised me. I would've expected the server to fail to start if it failed for anything in listen_addresses. After some digging, I found what I believe is the original justification [0] as well as a follow-up thread [1] that seems to call out kernel support for IPv6 as the main objection. Perhaps it is time to reevaluate this decision. > If listen_addresses is empty, then server won't try to open any TCP/IP > ports. The patch does not change any language related to that. Your proposed change notes that the server only starts if it can listen on at least one TCP/IP address, which I worry might lead folks to think that the server won't start if listen_addresses is empty. [0] https://postgr.es/m/6739.1079384078%40sss.pgh.pa.us [1] https://postgr.es/m/200506281149.51696.peter_e%40gmx.net -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Gurjeet Singh
Date:
On Mon, Jun 12, 2023 at 10:59 PM Nathan Bossart <nathandbossart@gmail.com> wrote: > On Sat, May 27, 2023 at 03:17:21PM -0700, Gurjeet Singh wrote: > > If listen_addresses is empty, then server won't try to open any TCP/IP > > ports. The patch does not change any language related to that. > > Your proposed change notes that the server only starts if it can listen on > at least one TCP/IP address, which I worry might lead folks to think that > the server won't start if listen_addresses is empty. Perhaps we can prefix that statement with "If listen_addresses is not empty", like so: --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -661,3 +661,9 @@ include_dir 'conf.d' which allows only local TCP/IP <quote>loopback</quote> connections to be - made. While client authentication (<xref + made. If <varname>listen_addresses</varname> is not empty, the server + will start only if it can open the <varname>port</varname> + on at least one TCP/IP address. If server is unable to open + <varname>port</varname> on a TCP/IP address, it emits a warning. + <para> + </para> + While client authentication (<xref linkend="client-authentication"/>) allows fine-grained control Best regards, Gurjeet http://Gurje.et
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Nathan Bossart
Date:
On Mon, Jun 12, 2023 at 11:57:45PM -0700, Gurjeet Singh wrote: > Perhaps we can prefix that statement with "If listen_addresses is not > empty", like so: Before we spend too much time trying to document the current behavior, I think we should see if we can change it to something less surprising (i.e., failing to start if the server fails for any address). The original objections around kernel support for IPv6 might no longer stand. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Tom Lane
Date:
Nathan Bossart <nathandbossart@gmail.com> writes: > Before we spend too much time trying to document the current behavior, I > think we should see if we can change it to something less surprising (i.e., > failing to start if the server fails for any address). The original > objections around kernel support for IPv6 might no longer stand. I think that'd be more surprising not less. The systemd guys certainly believe that daemons ought to auto-adapt to changes in the machine's internet connectivity. We aren't there yet, but I can imagine somebody trying to fix that someday soon. If the postmaster is able to dynamically acquire and drop ports then it would certainly not make sense to behave as you suggest. regards, tom lane
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Nathan Bossart
Date:
On Tue, Jun 13, 2023 at 04:28:31PM -0400, Tom Lane wrote: > Nathan Bossart <nathandbossart@gmail.com> writes: >> Before we spend too much time trying to document the current behavior, I >> think we should see if we can change it to something less surprising (i.e., >> failing to start if the server fails for any address). The original >> objections around kernel support for IPv6 might no longer stand. > > I think that'd be more surprising not less. The reason it surprises me is because it creates uncertainty about the server configuration. Granted, I could look in the logs for any warnings, but I'm not sure that's the best experience. I would expect this to work more like huge_pages. If I set huge_pages to "on", I know that the server is using huge pages if it starts up. > The systemd guys certainly believe that daemons ought to auto-adapt > to changes in the machine's internet connectivity. We aren't there > yet, but I can imagine somebody trying to fix that someday soon. > If the postmaster is able to dynamically acquire and drop ports then > it would certainly not make sense to behave as you suggest. Agreed, if listen_addresses became a PGC_SIGHUP parameter, it would make sense to avoid shutting down the server if it was dynamically misconfigured, as is done for the configuration files. I think that argument applies for changes in connectivity, too. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Kyotaro Horiguchi
Date:
At Tue, 13 Jun 2023 14:38:14 -0700, Nathan Bossart <nathandbossart@gmail.com> wrote in > On Tue, Jun 13, 2023 at 04:28:31PM -0400, Tom Lane wrote: > > Nathan Bossart <nathandbossart@gmail.com> writes: > >> Before we spend too much time trying to document the current behavior, I > >> think we should see if we can change it to something less surprising (i.e., > >> failing to start if the server fails for any address). The original > >> objections around kernel support for IPv6 might no longer stand. > > > > I think that'd be more surprising not less. > > The reason it surprises me is because it creates uncertainty about the > server configuration. Granted, I could look in the logs for any warnings, > but I'm not sure that's the best experience. I would expect this to work > more like huge_pages. If I set huge_pages to "on", I know that the server > is using huge pages if it starts up. > > > The systemd guys certainly believe that daemons ought to auto-adapt > > to changes in the machine's internet connectivity. We aren't there > > yet, but I can imagine somebody trying to fix that someday soon. > > If the postmaster is able to dynamically acquire and drop ports then > > it would certainly not make sense to behave as you suggest. > > Agreed, if listen_addresses became a PGC_SIGHUP parameter, it would make > sense to avoid shutting down the server if it was dynamically > misconfigured, as is done for the configuration files. I think that > argument applies for changes in connectivity, too. If I had to say, I would feel it rather surprising if server successfully starts even when any explicitly-specified port can't be opened (which is the current case). The current auto-adaption is fine iff I use '*' for listen_addresses. IMHO, for "reliable" auto-adaption, we might want '[+-]?xxx.xxx.xxx.xxx/nn' (and the same for v6), or '[+-]?interface-name' notation to require, allow, or disallow to use specific networks. regards. -- Kyotaro Horiguchi NTT Open Source Software Center
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Tom Lane
Date:
Kyotaro Horiguchi <horikyota.ntt@gmail.com> writes: > If I had to say, I would feel it rather surprising if server > successfully starts even when any explicitly-specified port can't be > opened (which is the current case). There is certainly an argument that such a condition indicates that something's very broken in our configuration and we should complain. But I'm not sure how exciting the case is in practice. The systemd guys would really like us to be willing to come up before any network interfaces are up, and then auto-listen to those interfaces when they do come up. On the other hand, the situation with Unix sockets is much more static: if you can't make a socket in /tmp or /var/run at the instant of postmaster start, it's unlikely you will be able to do so later. Maybe we need different rules for TCP versus Unix-domain sockets? I'm not sure what exactly, but lumping those cases together for a discussion like this feels wrong. regards, tom lane
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Bruce Momjian
Date:
On Tue, Jun 13, 2023 at 11:11:04PM -0400, Tom Lane wrote: > Kyotaro Horiguchi <horikyota.ntt@gmail.com> writes: > > If I had to say, I would feel it rather surprising if server > > successfully starts even when any explicitly-specified port can't be > > opened (which is the current case). > > There is certainly an argument that such a condition indicates that > something's very broken in our configuration and we should complain. > But I'm not sure how exciting the case is in practice. The systemd > guys would really like us to be willing to come up before any network > interfaces are up, and then auto-listen to those interfaces when they > do come up. On the other hand, the situation with Unix sockets is > much more static: if you can't make a socket in /tmp or /var/run at > the instant of postmaster start, it's unlikely you will be able to do > so later. > > Maybe we need different rules for TCP versus Unix-domain sockets? > I'm not sure what exactly, but lumping those cases together for > a discussion like this feels wrong. If we are going to retry for network configuration changes, it seems we would also retry Unix domain sockets for cases like when the permissions are wrong, and then fixed. However, it seem hard to figure out exactly what _is_ working if we take the approach of dynamically retrying listen methods. Do we report anything helpful in the server logs when we start and can't listen on anything? -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Only you can decide what is important to you.
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Gurjeet Singh
Date:
On Mon, Jun 19, 2023 at 5:48 PM Bruce Momjian <bruce@momjian.us> wrote: > > On Tue, Jun 13, 2023 at 11:11:04PM -0400, Tom Lane wrote: > > > > There is certainly an argument that such a condition indicates that > > something's very broken in our configuration and we should complain. > > But I'm not sure how exciting the case is in practice. The systemd > > guys would really like us to be willing to come up before any network > > interfaces are up, and then auto-listen to those interfaces when they > > do come up. That sounds like a reasonable expectation, as the network conditions can change without any explicit changes made by someone. > > On the other hand, the situation with Unix sockets is > > much more static: if you can't make a socket in /tmp or /var/run at > > the instant of postmaster start, it's unlikely you will be able to do > > so later. I think you're describing a setup where Postgres startup is automatic, as part of server/OS startup. That is the most common case. In cases where someone is performing a Postgres startup manually, they are very likely to have the permissions to fix the problem preventing the startup. > > Maybe we need different rules for TCP versus Unix-domain sockets? > > I'm not sure what exactly, but lumping those cases together for > > a discussion like this feels wrong. +1. > If we are going to retry for network configuration changes, it seems we > would also retry Unix domain sockets for cases like when the permissions > are wrong, and then fixed. The network managers (systemd, etc.) are expected to respond to dynamic conditions, and hence they may perform network config changes in response to things like network outages, and hardware failures, time of day, etc. On the other hand, the permissions required to create files for Unix domain sockets are only expected to change if someone decides to make that change. I wouldn't expect these permissions to be changed dynamically. On those grounds, keeping the treatment of Unix domain sockets out of this discussion for this patch seems reasonable. > However, it seem hard to figure out exactly what _is_ working if we take > the approach of dynamically retrying listen methods. Do we report > anything helpful in the server logs when we start and can't listen on > anything? Yes. For every host listed in listen_addresses, if Postgres fails to open the port on that address, we get a WARNING message in the server log. After the end of processing of a non-empty listen_addresses, if there are zero open TCP/IP connections, the server exits (with a FATAL message, IIRC). Best regards, Gurjeet http://Gurje.et
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Bruce Momjian
Date:
On Mon, Jun 12, 2023 at 11:57:45PM -0700, Gurjeet Singh wrote: > On Mon, Jun 12, 2023 at 10:59 PM Nathan Bossart > <nathandbossart@gmail.com> wrote: > > On Sat, May 27, 2023 at 03:17:21PM -0700, Gurjeet Singh wrote: > > > If listen_addresses is empty, then server won't try to open any TCP/IP > > > ports. The patch does not change any language related to that. > > > > Your proposed change notes that the server only starts if it can listen on > > at least one TCP/IP address, which I worry might lead folks to think that > > the server won't start if listen_addresses is empty. > > Perhaps we can prefix that statement with "If listen_addresses is not > empty", like so: I came up with a slightly modified doc patch, attached. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Only you can decide what is important to you.
Attachment
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Nathan Bossart
Date:
Thanks for picking this up. On Thu, Sep 07, 2023 at 03:33:57PM -0400, Bruce Momjian wrote: > The default value is <systemitem class="systemname">localhost</systemitem>, > which allows only local TCP/IP <quote>loopback</quote> connections to be > - made. While client authentication (<xref > + made. If <varname>listen_addresses</varname> is not empty, > + the server will start if it can open a <varname>port</varname> > + on at least one TCP/IP address. A warning will be emitted for > + any TCP/IP address which cannot be opened. I think we should move this sentence to before the ѕentence about the default value. That way, "If the list is empty, ..." is immediately followed by "If the list is not empty, ..." IMO the phrase "open a port" is kind of nonstandard. I think we should say something along the lines of If listen_addresses is not empty, the server will start only if it can listen on at least one of the specified addresses. A warning will be emitted for any addresses that the server cannot listen on. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Bruce Momjian
Date:
On Thu, Sep 7, 2023 at 02:54:13PM -0700, Nathan Bossart wrote: > Thanks for picking this up. > > On Thu, Sep 07, 2023 at 03:33:57PM -0400, Bruce Momjian wrote: > > The default value is <systemitem class="systemname">localhost</systemitem>, > > which allows only local TCP/IP <quote>loopback</quote> connections to be > > - made. While client authentication (<xref > > + made. If <varname>listen_addresses</varname> is not empty, > > + the server will start if it can open a <varname>port</varname> > > + on at least one TCP/IP address. A warning will be emitted for > > + any TCP/IP address which cannot be opened. > > I think we should move this sentence to before the ѕentence about the > default value. That way, "If the list is empty, ..." is immediately > followed by "If the list is not empty, ..." > > IMO the phrase "open a port" is kind of nonstandard. I think we should say > something along the lines of > > If listen_addresses is not empty, the server will start only if it can > listen on at least one of the specified addresses. A warning will be > emitted for any addresses that the server cannot listen on. Good idea, updated patch attached. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Only you can decide what is important to you.
Attachment
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Nathan Bossart
Date:
On Thu, Sep 07, 2023 at 07:13:44PM -0400, Bruce Momjian wrote: > On Thu, Sep 7, 2023 at 02:54:13PM -0700, Nathan Bossart wrote: >> IMO the phrase "open a port" is kind of nonstandard. I think we should say >> something along the lines of >> >> If listen_addresses is not empty, the server will start only if it can >> listen on at least one of the specified addresses. A warning will be >> emitted for any addresses that the server cannot listen on. > > Good idea, updated patch attached. I still think we should say "listen on an address" instead of "open a port," but otherwise it LGTM. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Bruce Momjian
Date:
On Thu, Sep 7, 2023 at 09:21:07PM -0700, Nathan Bossart wrote: > On Thu, Sep 07, 2023 at 07:13:44PM -0400, Bruce Momjian wrote: > > On Thu, Sep 7, 2023 at 02:54:13PM -0700, Nathan Bossart wrote: > >> IMO the phrase "open a port" is kind of nonstandard. I think we should say > >> something along the lines of > >> > >> If listen_addresses is not empty, the server will start only if it can > >> listen on at least one of the specified addresses. A warning will be > >> emitted for any addresses that the server cannot listen on. > > > > Good idea, updated patch attached. > > I still think we should say "listen on an address" instead of "open a > port," but otherwise it LGTM. Agreed, I never liked the "port" mention. I couldn't figure how to get "open" out of the warning sentence though. Updated patch attached. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Only you can decide what is important to you.
Attachment
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Nathan Bossart
Date:
On Fri, Sep 08, 2023 at 10:52:10AM -0400, Bruce Momjian wrote: > On Thu, Sep 7, 2023 at 09:21:07PM -0700, Nathan Bossart wrote: >> On Thu, Sep 07, 2023 at 07:13:44PM -0400, Bruce Momjian wrote: >> > On Thu, Sep 7, 2023 at 02:54:13PM -0700, Nathan Bossart wrote: >> >> IMO the phrase "open a port" is kind of nonstandard. I think we should say >> >> something along the lines of >> >> >> >> If listen_addresses is not empty, the server will start only if it can >> >> listen on at least one of the specified addresses. A warning will be >> >> emitted for any addresses that the server cannot listen on. >> > >> > Good idea, updated patch attached. >> >> I still think we should say "listen on an address" instead of "open a >> port," but otherwise it LGTM. > > Agreed, I never liked the "port" mention. I couldn't figure how to get > "open" out of the warning sentence though. Updated patch attached. WFM -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Gurjeet Singh
Date:
On Fri, Sep 8, 2023 at 7:52 AM Bruce Momjian <bruce@momjian.us> wrote: > > On Thu, Sep 7, 2023 at 09:21:07PM -0700, Nathan Bossart wrote: > > On Thu, Sep 07, 2023 at 07:13:44PM -0400, Bruce Momjian wrote: > > > On Thu, Sep 7, 2023 at 02:54:13PM -0700, Nathan Bossart wrote: > > >> IMO the phrase "open a port" is kind of nonstandard. I think we should say > > >> something along the lines of > > >> > > >> If listen_addresses is not empty, the server will start only if it can > > >> listen on at least one of the specified addresses. A warning will be > > >> emitted for any addresses that the server cannot listen on. > > > > > > Good idea, updated patch attached. > > > > I still think we should say "listen on an address" instead of "open a > > port," but otherwise it LGTM. > > Agreed, I never liked the "port" mention. I couldn't figure how to get > "open" out of the warning sentence though. Updated patch attached. LGTM. Best regards, Gurjeet http://Gurje.et
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Bruce Momjian
Date:
On Tue, Sep 12, 2023 at 05:25:44PM -0700, Gurjeet Singh wrote: > On Fri, Sep 8, 2023 at 7:52 AM Bruce Momjian <bruce@momjian.us> wrote: > > > > On Thu, Sep 7, 2023 at 09:21:07PM -0700, Nathan Bossart wrote: > > > On Thu, Sep 07, 2023 at 07:13:44PM -0400, Bruce Momjian wrote: > > > > On Thu, Sep 7, 2023 at 02:54:13PM -0700, Nathan Bossart wrote: > > > >> IMO the phrase "open a port" is kind of nonstandard. I think we should say > > > >> something along the lines of > > > >> > > > >> If listen_addresses is not empty, the server will start only if it can > > > >> listen on at least one of the specified addresses. A warning will be > > > >> emitted for any addresses that the server cannot listen on. > > > > > > > > Good idea, updated patch attached. > > > > > > I still think we should say "listen on an address" instead of "open a > > > port," but otherwise it LGTM. > > > > Agreed, I never liked the "port" mention. I couldn't figure how to get > > "open" out of the warning sentence though. Updated patch attached. > > LGTM. Patch applied back to PG 11. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Only you can decide what is important to you.
Re: Document that server will start even if it's unable to open some TCP/IP ports
From
Gurjeet Singh
Date:
On Tue, Sep 26, 2023 at 4:02 PM Bruce Momjian <bruce@momjian.us> wrote: > > Patch applied back to PG 11. +Peter E. since I received the following automated note: > Closed in commitfest 2023-09 with status: Moved to next CF (petere) Just a note that this patch has been committed (3fea854691), so I have marked the CF item [1] as 'Committed', and specified Bruce as the committer. [1]: https://commitfest.postgresql.org/45/4333/ Best regards, Gurjeet http://Gurje.et