Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vWbSV-005bKi-0M for pgsql-hackers@arkaria.postgresql.org; Fri, 19 Dec 2025 14:27:56 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vWbSU-007uw0-0A for pgsql-hackers@arkaria.postgresql.org; Fri, 19 Dec 2025 14:27:54 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <9erthalion6@gmail.com>) id 1vWbST-007uvr-0c for pgsql-hackers@lists.postgresql.org; Fri, 19 Dec 2025 14:27:54 +0000 Received: from mail-ed1-x52c.google.com ([2a00:1450:4864:20::52c]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from <9erthalion6@gmail.com>) id 1vWbSR-001W7P-1N for pgsql-hackers@postgresql.org; Fri, 19 Dec 2025 14:27:52 +0000 Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-64b791b5584so2340203a12.0 for ; Fri, 19 Dec 2025 06:27:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1766154464; x=1766759264; darn=postgresql.org; h=content-disposition:mime-version:message-id:subject:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=irOOTBnMfR0geSRqLO18xEMBEjO1a9VKOeYSeSF5vQ4=; b=FhJn6Of2cHlSC3PixR9BileRkcltkDZX1QKunoswmuFlcGTok7JHXxt936PaTwT7wS ll/lqpYCUV2+hMfdrbYUIiCN2P3kw3zRnINNI+wWOk8c/G3F343Sz3NmZ2S8zdlNAyCD ejLqqPeRHVVGVuqadwSbObtcRuYmN+/zma/0aK3T/MtE/CjClHQDsUbosDrTswMokBD3 pQlWtifd0B8pZ9JWvhbMzPtRP1Ls2vp/GRYa6BP4cfxAOPIocoA9R5opvvZHFue/DLH/ 0aAp48F7J/v9tBqLJt9bA+heaAJa542+EX5rN/P3Wf1stAclkTeUpKk44bTN+qCCpALq dVQQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1766154464; x=1766759264; h=content-disposition:mime-version:message-id:subject:to:from:date :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=irOOTBnMfR0geSRqLO18xEMBEjO1a9VKOeYSeSF5vQ4=; b=SQAOjtj7/6GmauTu3JQXAAZC8Gqb3zMznlfdHJ4/eTdBatD/cm+W2HE6K58nXSBqmP jxo4qaDzh2eLVhcqDXlmNMk25N3zjn2U0aCJhE0xZQ/fsCqpXEBexCgiVH7VPjRXUcf+ /F3Ap7Qxd7cS+Rl60DU2YyH6dMuhi/W4uTw3BB7m9os14aXlhFEJhkEVv+3eNPA8NRcF 5EzfKtdrR3kjqWJCHvZNjszhQg7mymBYxDEBYy1SoeW8J6NnAYr/fQbocZyGiKom4LN5 VVkR96ZVzbVYUf95w4wT8cJfDv/I0QcTL6LAlcGW3A7AoTX/5ggF4oXBD0lEDJdfO6HG JNzQ== X-Gm-Message-State: AOJu0Yw0T4ackmVa4CVLPSDlyvOzGeyGQhW2hI+H07S2vWv0ngcLKqA0 obSdClNebc7t4cc7EkH6H8DNzcvxSCYeCoGDDpPSPZfJ5xIGpecEw4lsUw6V9w== X-Gm-Gg: AY/fxX4VUOFd7/SqXPk20c4sLmqLUP2Is8GWVPPLKWy5pT58qCNhsgMtj6qbSRKwd8+ QfJTgz1QCm2lXT3RZ34rsDDN1o+iTmIPuSRWSPGyH8pUcHAslDR9bwlaiTIceZxGJLp/if5fwo7 fFLGstkbV2VSLQn0QX5sy6D0cVUd1dAo1gtbcWTjDCNa3+mDYsCMwm4GpQW3O5k2GoEO1gfbfax xJ6LKvwqe0BCOEML6TJa65yjVzebhK/D2hbFbmhuKbAIQ1kcOtZfNtyNQT/42anBHBh1EwzZBPn 4IBXhxXG8UKf4g2eU4ZiN6+pZlK9HdcUaucgtkPX6JLdGkgDUnViwCDSPR2b1QcH9ZxtNhtC6+S 47vs2dcBT+MbKs4h1gIJG7ZD3ZoJOPVSMKvxNxA2pC59vl7zfTz4/8ZsCASGLKM3NXoMgiDhMeh q5tSgaE35SOibOeRtb9YW4iIdIoWRP8+G2I9ibD8YI1TA+USDLjUp2vagU9fk/1uQ2pL6PMJb1g g+msZIq6oVrD2wzAE1al4GA X-Google-Smtp-Source: AGHT+IF6echtxtXTGtX76kabrJMo1ygIc+3MMY57kCx6TLIgwpUR5SPqPIO12NKJtFyQ5q5gEF1VBw== X-Received: by 2002:a17:907:ca05:b0:b80:3fb3:bea0 with SMTP id a640c23a62f3a-b803fb3cademr129703966b.56.1766154464157; Fri, 19 Dec 2025 06:27:44 -0800 (PST) Received: from ddolgov-thinkpadt14sgen1.rmtde.csb (dslb-088-078-017-026.088.078.pools.vodafone-ip.de. [88.78.17.26]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-64b916adc61sm2369404a12.31.2025.12.19.06.27.41 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 19 Dec 2025 06:27:43 -0800 (PST) Date: Fri, 19 Dec 2025 15:27:40 +0100 From: Dmitry Dolgov <9erthalion6@gmail.com> To: pgsql-hackers@postgresql.org Subject: File locks for data directory lockfile in the context of Linux namespaces Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="n6t6hie3zne7u6vd" Content-Disposition: inline List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --n6t6hie3zne7u6vd Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi, TL;DR This is a proposal to use file locking with a data directory lockfile at startup, which helps to avoid potential Linux PID namespace visibility issues. Recently I've stumbled upon a quite annoying problem, which will require a bit of explanation. Currently at startup if the data directory lock exists, postgres inspects it and assumes that if it contains the same PID as the current process, it must be a state file after a system reboot and assigning of the same PID again. But it seems there is another possible scenario: two postgres instances are running concurrently inside different PID namespaces, they don't see each other and have the same PID assigned withing the respective namespace. It's relatively easy to use pid/ipc/net namespaces to construct a situation, when two postgres instances run in parallel on the same data directory and do not notice a thing, something like this: sudo unshare --ipc --net --pid --fork --mount-proc \ bash -c 'sudo -u postgres postgres -D data' This of course can lead to all sorts of nasty issues, but looks very artificial at first -- obviously whoever is responsible for namespace management must also take care about data access isolation. But it turns out situations like this indeed could happen in practice, when it comes to container orchestration, mostly due to lack of knowledge or misunderstanding of documentation. Kubernetes has one particular access mode for volumes, ReadWriteOnce [1], which often assumed to be good enough -- but it guarantees only a single mount per node, not per pod. Kubernetes also allows a forced pod termination [2], which removes the pod from the API, but still gives some grace period for the pod to finish. All of this can lead to an unfortunate sequence of events: * A postgres pod got forcefully terminated and removed from the API right away. * A new postgres pod is started instead (there is nothing in the API, so why not), while the old one is still terminating. * If they were utilizing RWO mode, the new pod will immediately get the data volume and can access it while the old pod is still terminating. In the end we get a situation similar to what I've described above, and strangely enough it looks like this indeed happens in the field. It's fair to say that it's a Kubernetes issue (there are warnings about that in the documentation), and PostgreSQL doesn't have anything to do with that. But taking into account general possibility of confusing PostgreSQL with Linux namespaces it looks to me like one of those "shoot yourself in the foot" situation, and I became curious if there are any easy way to improve things. The root of the problem is lack of any time related information that PostgreSQL could use to distinguish between two scenarios: when a single container was killed and started again later; and when two containers run at the same time. After some experimenting it looks like the only plausible answer could be file locking for data directory lockfile. This approach was discussed many times in hackers, and from what I see there are few arguments against using file locking as the main mechanism for protecting the data directory content: * Portability. There are two types of file locks, advisory record locks (POSIX) and open file description locks (was non-POSIX). The former has set of flaws, but most importantly for this discussion is that advisory record locks are associated with a process and thus affected by PID namespace isolation. The later are associated with open file descriptors and are suitable solution to fix the problem. Originally open file description locks were non-POSIX, but looks like they have become a part of POSIX.1 2024, (see F_OFD_SETLK) [3]. * Issues with NFS. It turns out NFSv3 does not support open file description locks and convert them into advisory locks. For our purposes it means that the aproach will not change anything for NFSv3. Regarding NFSv4, it uses some sort of lease system for locking, and I haven't found anything claiming that locks will be converted to advisory. With this in mind, it seems to me that adding file locking to data directory lockfile as a "best efforts" approach (i.e. if it doesn't work, we continue as before) on top of already existing mechanism will improve most of things, while keeping status quo for some others. I've attached a quick sketch of how the patch might look like. Any thoughts / commentaries on that? [1]: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes [2]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination-forced [3]: https://pubs.opengroup.org/onlinepubs/9799919799/functions/fcntl.html --n6t6hie3zne7u6vd Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="v1-0001-Use-open-file-description-locks-for-data-director.patch"