Patroni

This release improves management of Patroni cluster by bring in pause mode, improves maintenance with scheduled and conditional restarts, makes Patroni interaction with Etcd or Zookeeper more resilient and greatly enhances patronictl.

**Upgrade notice**

When upgrading from releases below 1.0 read about changing of credentials and configuration format at 1.0 release notes.

**Pause mode**
- Introduce pause mode to temporary detach Patroni from managing PostgreSQL instance (Murat Kabilov, Alexander Kukushkin, Oleksii Kliukin).

Previously, one had to send SIGKILL signal to Patroni to stop it without terminating PostgreSQL. The new pause mode detaches Patroni from PostgreSQL cluster-wide without terminating Patroni. It is similar to the maintenance mode in Pacemaker. Patroni is still responsible for updating member and leader keys in DCS, but it will not start, stop or restart PostgreSQL server in the process. There are a few exceptions, for instance, manual failovers, reinitializes and restarts are still allowed. You can read a [detailed description of this feature](https://github.com/zalando/patroni/blob/master/docs/pause.rst).

In addition, patronictl supports new `pause` and `resume` commands to toggle the pause mode.

**Scheduled and conditional restarts**
- Add conditions to the restart API command (Oleksii)

This change enhances Patroni restarts by adding a couple of conditions that can be verified in order to do the restart. Among the conditions are restarting when PostgreSQL role is either a master or a replica, checking the PostgreSQL version number or restarting only when restart is necessary in order to apply configuration changes.
- Add scheduled restarts (Oleksii)

It is now possible to schedule a restart in the future. Only one scheduled restart per node is supported. It is possible to clear the scheduled restart if it is not needed anymore. A combination of scheduled and conditional restarts is supported, making it possible, for instance, to scheduled minor PostgreSQL upgrades in the night, restarting only the instances that are running the outdated minor version without adding postgres-specific logic to administration scripts.
- Add support for conditional and scheduled restarts to patronictl (Murat).

patronictl restart supports several new options. There is also patronictl flush command to clean the scheduled actions.

**Robust DCS interaction**
- Set Kazoo timeouts depending on the loop_wait (Alexander)

Originally, ping_timeout and connect_timeout values were calculated from the negotiated session timeout. Patroni loop_wait was not taken into account. As
a result, a single retry could take more time than the session timeout, forcing Patroni to release the lock and demote.

This change set ping and connect timeout to half of the value of loop_wait, speeding up detection of connection issues and leaving enough time to retry the connection attempt before loosing the lock.
- Update Etcd topology only after original request succeed (Alexander)

Postpone updating the Etcd topology known to the client until after the original request. When retrieving the cluster topology, implement the retry timeouts depending on the known number of nodes in the Etcd cluster. This makes our client prefer to get the results of the request to having the up-to-date list of nodes.

Both changes make Patroni connections to DCS more robust in the face of network issues.

**Patronictl, monitoring and configuration**
- Return information about streaming replicas via the API (Feike Steenbergen)

Previously, there was no reliable way to query Patroni about PostgreSQL instances that fail to stream changes (for instance, due to connection issues). This change exposes the contents of pg_stat_replication via the /patroni endpoint.
- Add patronictl scaffold command (Oleksii)

Add a command to create cluster structure in Etcd. The cluster is created with user-specified sysid and leader, and both leader and member keys are made persistent. This command is useful to create so-called master-less configurations, where Patroni cluster consisting of only replicas replicate from the external master node that is unaware of Patroni. Subsequently, one
may remove the leader key, promoting one of the Patroni nodes and replacing
the original master with the Patroni-based HA cluster.
- Add configuration option `bin_dir` to locate PostgreSQL binaries (Ants Aasma)

It is useful to be able to specify the location of PostgreSQL binaries explicitly when Linux distros that support installing multiple PostgreSQL versions at the same time.
- Allow configuration file path to be overridden using `custom_conf` of (Alejandro Martínez)

Allows for custom configuration file paths, which will be unmanaged by Patroni, details:
https://github.com/zalando/patroni/blob/master/docs/SETTINGS.rst#postgresql

**Bug fixes and code improvements**
- Make Patroni compatible with new version schema in PostgreSQL 10 and above (Feike)

Make sure that Patroni understand 2-digits version numbers when doing conditional restarts based on the PostgreSQL version.
- Use pkgutil to find DCS modules (Alexander)

Use the dedicated python module instead of traversing directories manually in order to find DCS modules.
- Always call on_start callback when starting Patroni (Alexander)

Previously, Patroni did not call any callbacks when attaching to the already running node with the correct role. Since callbacks are often used to route
client connections that could result in the failure to register the running
node in the connection routing scheme. With this fix, Patroni calls on_start
callback even when attaching to the already running node.
- Do not drop active replication slots (Murat, Oleksii)

Avoid dropping active physical replication slots on master. PostgreSQL cannot
drop such slots anyway. This change makes possible to run non-Patroni managed
replicas/consumers on the master.
- Close Patroni connections during start of the PostgreSQL instance (Alexander)

Forces Patroni to close all former connections when PostgreSQL node is started. Avoids the trap of reusing former connections if postmaster was killed with SIGKILL.
- Replace invalid characters when constructing slot names from member names (Ants)

Make sure that standby names that do not comply with the slot naming rules don't cause the slot creation and standby startup to fail. Replace the dashes in the slot names with underscores and all other characters not allowed in slot names with their unicode codepoints.

This release introduces the global dynamic configuration that allows dynamic changes of the PostgreSQL and Patroni configuration parameters for the entire HA cluster. It also delivers numerous bugfixes.

**Upgrade notice**

When upgrading from v0.90 or below, always upgrade all replicas before the master. Since we don't store replication credentials in DCS anymore, an old replica won't be able to connect to the new master.

**Dynamic Configuration**
- Implement the dynamic global configuration (Alexander Kukushkin)

Introduce new REST API endpoint /config to provide PostgreSQL and Patroni configuration parameters that should be set globally for the entire HA cluster (master and all the replicas). Those parameters are set in DCS and in many cases can be applied without disrupting PostgreSQL or Patroni. Patroni sets a special flag called "pending restart" visible via the API when some of the values require the PostgreSQL restart. In that case, restart should be issued manually via the API.

Patroni SIGHUP or POST to /reload will make it re-read the configuration file.

See the [dynamic configuration](https://github.com/zalando/patroni/blob/master/docs/dynamic_configuration.rst) for the details on which parameters can be changed and the order of processing difference configuration sources.

The configuration file format _has changed_ since the v0.90. Patroni is still compatible with the old configuration files, but in order to take advantage of the bootstrap parameters one needs to change it. Users are encourage to update them by referring to the [documentation](https://github.com/zalando/patroni/blob/master/docs/dynamic_configuration.rst).

**More flexible configuration***
- Make postgresql configuration and database name Patroni connects to configurable (Misja Hoebe)

Introduce `database` and `config_base_name` configuration parameters. Among others, it makes possible to run Patroni with PipelineDB and other PostgreSQL forks.
- Implement possibility to configure some Patroni configuration parameters via environment (Alexander)

Those include the scope, the node name and the namespace, as well as the secrets and makes it easier to run Patroni in a dynamic environment, i.e. Kubernetes Please, refer to the [supported environment variables](https://github.com/zalando/patroni/blob/master/docs/ENVIRONMENT.rst) for further details.
- Update the built-in Patroni docker container to take advantage of environment-based configuration (Feike Steenbergen).
- Add Zookeeper support to Patroni docker image (Alexander)
- Split the Zookeeper and Exhibitor configuration options (Alexander)
- Make patronictl reuse the code from Patroni to read configuration (Alexander)

This allows patronictl to take advantage of environment-based configuration.
- Set application name to node name in primary_conninfo (Alexander)

This simplifies identification and configuration of synchronous replication for a given node.

**Stability, security and usability improvements**
- Reset sysid and do not call pg_controldata when restore of backup in progress (Alexander)

This change reduces the amount of noise generated by Patroni API health checks during the lengthy initialization of this node from the backup.
- Fix a bunch of pg_rewind corner-cases (Alexander)

Avoid running pg_rewind if the source cluster is not the master.

In addition, avoid removing the data directory on an unsuccessful rewind, unless the new parameter _remove_data_directory_on_rewind_failure_ is set to true. By default it is false.
- Remove passwords from the replication connection string in DCS (Alexander)

Previously, Patroni always used the replication credentials from the Postgres URL in DCS. That is now changed to take the credentials from the patroni configuration. The secrets (replication username and password) and no longer exposed in DCS.
- Fix the asynchronous machinery around the demote call (Alexander)

Demote now runs totally asynchronously without blocking the DCS interactions.
- Make patronictl always send the authorization header if it is configured (Alexander)

This allows patronictl to issue "protected" requests, i.e. restart or reinitialize, when Patroni is configured to require authorization on those.
- Handle the SystemExit exception correctly (Alexander)

Avoids the issues of Patroni not stopping properly when receiving the SIGTERM
- Sample haproxy templates for confd (Alexander)

Generates and dynamically changes haproxy configuration from the patroni state in the DCS using confide
- Improve and restructure the documentation to make it more friendly to the new users (Lauri Apple)
- API must report role=master during pg_ctl stop (Alexander)

Makes the callback calls more reliable, particularly in the cluster stop case. In addition, introduce the `pg_ctl_timeout` option to set the timeout for the start, stop and restart calls via the `pg_ctl`.
- Fix the retry logic in etcd (Alexander)

Make retries more predictable and robust.
- Make Zookeeper code more resilient against short network hiccups (Alexander)

Reduce the connection timeouts to make Zookeeper connection attempts more frequent.

This releases adds support for Consul, includes a new _noloadbalance_ tag, changes the behavior of the _clonefrom_ tag, improves _pg_rewind_ handling and improves _patronictl_ control program.

**Consul support**
- Implement Consul support (Alexander Kukushkin)

Patroni runs against Consul, in addition to Etcd and Zookeeper. the connection parameters can be configured in the YAML file.

**New and improved tags**
- Implement _noloadbalance_ tag (Alexander)

This tag makes Patroni always return that the replica is not available to the load balancer.
- Change the implementation of the _clonefrom_ tag (Alexander)

Previously, a node name had to be supplied to the _clonefrom_, forcing a tagged replica to clone from the specific node. The new implementation makes _clonefrom_ a boolean tag: if it is set to true, the replica becomes a candidate for other replicas to clone from it. When multiple candidates are present, the replicas picks one randomly.

**Stability and security improvements**
- Numerous reliability improvements (Alexander)

Removes some spurious error messages, improves the stability of the failover, addresses some corner cases with reading data from DCS, shutdown, demote and reattaching of the former leader.
- Improve systems script to avoid killing Patroni children on stop (Jan Keirse, Alexander Kukushkin)

Previously, when stopping Patroni, _systemd_ also sent a signal to PostgreSQL. Since Patroni also tried to stop PostgreSQL by itself, it resulted in sending to different shutdown requests (the smart shutdown, followed by the fast shutdown). That resulted in replicas disconnecting too early and a former master not being able to rejoin after demote. Fix by Jan with prior research by Alexander.
- Eliminate some cases where the former master was unable to call pg_rewind before rejoining as a replica (Oleksii Kliukin)

Previously, we only called _pg_rewind_ if the former master had crashed. Change this to always run pg_rewind for the former master as long as pg_rewind is present in the system. This fixes the case when the master is shut down before the replicas managed to get the latest changes (i.e. during the "smart" shutdown).
- Numerous improvements to unit- and acceptance- tests, in particular, enable support for Zookeeper and Consul (Alexander).
- Make Travis CI faster and implement support for running tests against Zookeeper (Exhibitor) and Consul (Alexander)

Both unit and acceptance tests run automatically against Etcd, Zookeeper and Consul on each commit or pull-request.
- Clear environment variables before calling PostgreSQL commands from Patroni (Feike Steenbergen)

This prevents a possibility of reading system environment variables by connecting to the PostgreSQL cluster managed by Patroni.

**Configuration and control changes**
- Unify patronictl and Patroni configuration (Feike)

patronictl can use the same configuration file as Patroni itself.
- Enable Patroni to read the configuration from the environment variables (Oleksii)

This simplifies generating configuration for Patroni automatically, or merging a single configuration from different sources.
- Include database system identifier in the information returned by the API (Feike)
- Implement _delete_cluster_ for all available DCSs (Alexander)

Enables support for DCSs other than Etcd in patronictl.

This release adds support for _cascading replication_ and simplifies Patroni management by providing _scheduled failovers_. One may use older versions of Patroni (in particular, 0.78) combined with this one in order to migrate to the new release. Note that the scheduled failover and cascading replication related features will only work with Patroni 0.80 and above.

**Cascading replication**
- Add support for the _replicatefrom_ and _clonefrom_ tags for the patroni node (Oleksii Kliukin).

The tag _replicatefrom_ allows a replica to use an arbitrary node a source, not necessary the master. The _clonefrom_ does the same for the initial backup. Together, they enable Patroni to fully support cascading replication.
- Add support for running replication methods to initialize the replica even without a running replication connection (Oleksii).

This is useful in order to create replicas from the snapshots stored on S3 or FTP. A replication method that does not require a running replication connection should supply _no_master: true_ in the yaml configuration. Those scripts will still be called in order if the replication connection is present.

**Patronictl, API and DCS improvements**
- Implement scheduled failovers (Feike Steenbergen).

Failovers can be scheduled to happen at a certain time in the future, using either patronictl, or API calls.
- Add support for _dbuser_ and _password_ parameters in patronictl (Feike).
- Add PostgreSQL version to the health check output (Feike).
- Improve Zookeeper support in patronictl (Oleksandr Shulgin)
- Migrate to python-etcd 0.43 (Alexander Kukushkin)

**Configuration**
- Add a sample systems configuration script for Patroni (Jan Keirse).
- Fix the problem of Patroni ignoring the superuser name specified in the configuration file for DB connections (Alexander).
- Fix the handling of CTRL-C by creating a separate session ID and process group for the postmaster launched by Patroni (Alexander).

**Tests**
- Add acceptance tests with _behave_ in order to check real-world scenarios of running Patroni (Alexander, Oleksii).

The tests can be launched manually using the _behave_ command. They are also launched automatically for pull requests and after commits.

Fix a problem with pg_rewind sometimes being unable to rewind a perfectly normal former master.

And some bug fixes.