Patroni

-------------

Released 2023-01-30

This version adds integration with `Citus <https://www.citusdata.com>`__ and makes it possible to survive temporary DCS outages without demoting primary.

.. warning::
- Version 3.0.0 is the last release supporting Python 2.7. Upcoming release will drop support of Python versions older than 3.7.

- The RAFT support is deprecated. We will do our best to maintain it, but take neither guarantee nor responsibility for possible issues.

- This version is the first step in getting rid of the "master", in favor of "primary". Upgrading to the next major release will work reliably only if you run at least 3.0.0.


**New features**

- DCS failsafe mode (Alexander Kukushkin, Polina Bungina)

If the feature is enabled it will allow Patroni cluster to survive temporary DCS outages. You can find more details in the :ref:`documentation <dcs_failsafe_mode>`.

- Citus support (Alexander Kukushkin, Polina Bungina, Jelte Fennema)

Patroni enables easy deployment and management of `Citus <https://www.citusdata.com>`__ clusters with HA. Please check :ref:`here <citus>` page for more information.


**Improvements**

- Suppress recurring errors when dropping unknown but active replication slots (Michael Banck)

Patroni will still write these logs, but only in DEBUG.

- Run only one monitoring query per HA loop (Alexander Kukushkin)

It wasn't the case if synchronous replication is enabled.

- Keep only latest failed data directory (William Albertus Dembo)

If bootstrap failed Patroni used to rename $PGDATA folder with timestamp suffix. From now on the suffix will be ``.failed`` and if such folder exists it is removed before renaming.

- Improved check of synchronous replication connections (Alexander Kukushkin)

When the new host is added to the ``synchronous_standby_names`` it will be set as synchronous in DCS only when it managed to catch up with the primary in addition to ``pg_stat_replication.sync_state = 'sync'``.


**Removed functionality**

- Remove ``patronictl scaffold`` (Alexander Kukushkin)

The only reason for having it was a hacky way of running standby clusters.

-------------

Released 2023-01-04

**Bugfixes**

- Fixed little incompatibilities with legacy python modules (Alexander Kukushkin)

They prevented from building/running Patroni on Debian buster/Ubuntu bionic.

-------------

Released 2022-12-30

**Improvements**

- Fix annoying exceptions on ssl socket shutdown (Alexander Kukushkin)

The HAProxy is closing connections as soon as it got the HTTP Status code leaving no time for Patroni to properly shutdown SSL connection.

- Adjust example Dockerfile for arm64 (Polina Bungina)

Remove explicit ``amd64`` and ``x86_64``, don't remove ``libnss_files.so.*``.


**Security improvements**

- Enforce ``search_path=pg_catalog`` for non-replication connections (Alexander Kukushkin)

Since Patroni is heavily relying on superuser connections, we want to protect it from the possible attacks carried out using user-defined functions and/or operators in ``public`` schema with the same name and signature as the corresponding objects in ``pg_catalog``. For that, ``search_path=pg_catalog`` is enforced for all connections created by Patroni (except replication connections).

- Prevent passwords from being recorded in ``pg_stat_statements`` (Feike Steenbergen)

It is achieved by setting ``pg_stat_statements.track_utility=off`` when creating users.


**Bugfixes**

- Declare ``proxy_address`` as optional (Denis Laxalde)

As it is effectively a non-required option.

- Improve behaviour of the insecure option (Alexander Kukushkin)

Ctl's ``insecure`` option didn't work properly when client certificates were used for REST API requests.

- Take watchdog configuration from ``bootstrap.dcs`` when the new cluster is bootstrapped (Matt Baker)

Patroni used to initially configure watchdog with defaults when bootstrapping a new cluster rather than taking configuration used to bootstrap the DCS.

- Fix the way file extensions are treated while finding executables in WIN32 (Martín Marqués)

Only add ``.exe`` to a file name if it has no extension yet.

- Fix Consul TTL setup (Alexander Kukushkin)

We used ``ttl/2.0`` when setting the value on the HTTPClient, but forgot to multiply the current value by 2 in the class' property. It was resulting in Consul TTL off by twice.


**Removed functionality**

- Remove ``patronictl configure`` (Polina Bungina)

There is no more need for a separate ``patronictl`` config creation.

-------------

Released 2022-11-28

This version enhances compatibility with PostgreSQL 15 and declares Etcd v3 support as production ready. The Patroni on Raft remains in Beta.

**New features**

- Improve ``patroni --validate-config`` (Denis Laxalde)

Exit with code 1 if config is invalid and print errors to stderr.

- Don't drop replication slots in pause (Alexander Kukushkin)

Patroni is automatically creating/removing physical replication slots when members are joining/leaving the cluster. In pause slots will no longer be removed.

- Support the ``HEAD`` request method for monitoring endpoints (Robert Cutajar)

If used instead of ``GET`` Patroni will return only the HTTP Status Code.

- Support behave tests on Windows (Alexander Kukushkin)

Emulate graceful Patroni shutdown (``SIGTERM``) on Windows by introduce the new REST API endpoint ``POST /sigterm``.

- Introduce ``postgresql.proxy_address`` (Alexander Kukushkin)

It will be written to the member key in DCS as the ``proxy_url`` and could be used/useful for service discovery.


**Stability improvements**

- Call ``pg_replication_slot_advance()`` from a thread (Alexander Kukushkin)

On busy clusters with many logical replication slots the ``pg_replication_slot_advance()`` call was affecting the main HA loop and could result in the member key expiration.

- Archive possibly missing WALs before calling ``pg_rewind`` on the old primary (Polina Bungina)

If the primary crashed and was down during considerable time, some WAL files could be missing from archive and from the new primary. There is a chance that ``pg_rewind`` could remove these WAL files from the old primary making it impossible to start it as a standby. By archiving ``ready`` WAL files we not only mitigate this problem but in general improving continues archiving experience.

- Ignore ``403`` errors when trying to create Kubernetes Service (Nick Hudson, Polina Bungina)

Patroni was spamming logs by unsuccessful attempts to create the service, which in fact could already exist.

- Improve liveness probe (Alexander Kukushkin)

The liveness problem will start failing if the heartbeat loop is running longer than `ttl` on the primary or `2*ttl` on the replica. That will allow us to use it as an alternative for :ref:`watchdog <watchdog>` on Kubernetes.

- Make sure only sync node tries to grab the lock when switchover (Alexander Kukushkin, Polina Bungina)

Previously there was a slim chance that up-to-date async member could become the leader if the manual switchover was performed without specifying the target.

- Avoid cloning while bootstrap is running (Ants Aasma)

Do not allow a create replica method that does not require a leader to be triggered while the cluster bootstrap is running.

- Compatibility with kazoo-2.9.0 (Alexander Kukushkin)

Depending on python version the ``SequentialThreadingHandler.select()`` method may raise ``TypeError`` and ``IOError`` exceptions if ``select()`` is called on the closed socket.

- Explicitly shut down SSL connection before socket shutdown (Alexander Kukushkin)

Not doing it resulted in ``unexpected eof while reading`` errors with OpenSSL 3.0.

- Compatibility with `prettytable>=2.2.0` (Alexander Kukushkin)

Due to the internal API changes the cluster name header was shown on the incorrect line.


**Bugfixes**

- Handle expired token for Etcd lease_grant (monsterxx03)

In case of error get the new token and retry request.

- Fix bug in the ``GET /read-only-sync`` endpoint (Alexander Kukushkin)

It was introduced in previous release and effectively never worked.

- Handle the case when data dir storage disappeared (Alexander Kukushkin)

Patroni is periodically checking that the PGDATA is there and not empty, but in case of issues with storage the ``os.listdir()`` is raising the ``OSError`` exception, breaking the heart-beat loop.

- Apply ``master_stop_timeout`` when waiting for user backends to close (Alexander Kukushkin)

Something that looks like user backend could be in fact a background worker (e.g., Citus Maintenance Daemon) that is failing to stop.

- Accept ``*:<port>`` for ``postgresql.listen`` (Denis Laxalde)

The ``patroni --validate-config`` was complaining about it being invalid.

- Timeouts fixes in Raft (Alexander Kukushkin)

When Patroni or patronictl are starting they try to get Raft cluster topology from known members. These calls were made without proper timeouts.

- Forcefully update consul service if token was changed (John A. Lotoski)

Not doing so results in errors "rpc error making call: rpc error making call: ACL not found".

-------------

Released 2022-06-01

**New features**

- Improve ``pg_rewind`` behavior on typical Debian/Ubuntu systems (Gunnar "Nick" Bluth)

On Postgres setups that keep `postgresql.conf` outside of the data directory (e.g. Ubuntu/Debian packages), ``pg_rewind --restore-target-wal`` fails to figure out the value of the ``restore_command``.

- Allow setting ``TLSServerName`` on Consul service checks (Michael Gmelin)

Useful when checks are performed by IP and the Consul ``node_name`` is not a FQDN.

- Added ``ppc64le`` support in watchdog (Jean-Michel Scheiwiler)

And fixed watchdog support on some non-x86 platforms.

- Switched aws.py callback from ``boto`` to ``boto3`` (Alexander Kukushkin)

``boto`` 2.x is abandoned since 2018 and fails with python 3.9.

- Periodically refresh service account token on K8s (Haitao Li)

Since Kubernetes v1.21 service account tokens expire in 1 hour.

- Added ``/read-only-sync`` monitoring endpoint (Dennis4b)

It is similar to the ``/read-only`` but includes only synchronous replicas.


**Stability improvements**

- Don't copy the logical replication slot to a replica if there is a configuration mismatch in the logical decoding setup with the primary (Alexander Kukushkin)

A replica won't copy a logical replication slot from the primary anymore if the slot doesn't match the ``plugin`` or ``database`` configuration options. Previously, the check for whether the slot matches those configuration options was not performed until after the replica copied the slot and started with it, resulting in unnecessary and repeated restarts.

- Special handling of recovery configuration parameters for PostgreSQL v12+ (Alexander Kukushkin)

While starting as replica Patroni should be able to update ``postgresql.conf`` and restart/reload if the leader address has changed by caching current parameters values instead of querying them from ``pg_settings``.

- Better handling of IPv6 addresses in the ``postgresql.listen`` parameters (Alexander Kukushkin)

Since the ``listen`` parameter has a port, people try to put IPv6 addresses into square brackets, which were not correctly stripped when there is more than one IP in the list.

- Use ``replication`` credentials when performing divergence check only on PostgreSQL v10 and older (Alexander Kukushkin)

If ``rewind`` is enabled, Patroni will again use either ``superuser`` or ``rewind`` credentials on newer Postgres versions.


**Bugfixes**

- Fixed missing import of ``dateutil.parser`` (Wesley Mendes)

Tests weren't failing only because it was also imported from other modules.

- Ensure that ``optime`` annotation is a string (Sebastian Hasler)

In certain cases Patroni was trying to pass it as numeric.

- Better handling of failed ``pg_rewind`` attempt (Alexander Kukushkin)

If the primary becomes unavailable during ``pg_rewind``, ``$PGDATA`` will be left in a broken state. Following that, Patroni will remove the data directory even if this is not allowed by the configuration.

- Don't remove ``slots`` annotations from the leader ``ConfigMap``/``Endpoint`` when PostgreSQL isn't ready (Alexander Kukushkin)

If ``slots`` value isn't passed the annotation will keep the current value.

- Handle concurrency problem with K8s API watchers (Alexander Kukushkin)

Under certain (unknown) conditions watchers might become stale; as a result, ``attempt_to_acquire_leader()`` method could fail due to the HTTP status code 409. In that case we reset watchers connections and restart from scratch.

-------------

Released 2022-02-18

**New features**

- Added support for encrypted TLS keys for ``patronictl`` (Alexander Kukushkin)

It could be configured via ``ctl.keyfile_password`` or the ``PATRONI_CTL_KEYFILE_PASSWORD`` environment variable.

- Added more metrics to the /metrics endpoint (Alexandre Pereira)

Specifically, ``patroni_pending_restart`` and ``patroni_is_paused``.

- Make it possible to specify multiple hosts in the standby cluster configuration (Michael Banck)

If the standby cluster is replicating from the Patroni cluster it might be nice to rely on client-side failover which is available in ``libpq`` since PostgreSQL v10. That is, the ``primary_conninfo`` on the standby leader and ``pg_rewind`` setting ``target_session_attrs=read-write`` in the connection string. The ``pgpass`` file will be generated with multiple lines (one line per host), and instead of calling ``CHECKPOINT`` on the primary cluster nodes the standby cluster will wait for ``pg_control`` to be updated.

**Stability improvements**

- Compatibility with legacy ``psycopg2`` (Alexander Kukushkin)

For example, the ``psycopg2`` installed from Ubuntu 18.04 packages doesn't have the ``UndefinedFile`` exception yet.

- Restart ``etcd3`` watcher if all Etcd nodes don't respond (Alexander Kukushkin)

If the watcher is alive the ``get_cluster()`` method continues returning stale information even if all Etcd nodes are failing.

- Don't remove the leader lock in the standby cluster while paused (Alexander Kukushkin)

Previously the lock was maintained only by the node that was running as a primary and not a standby leader.

**Bugfixes**

- Fixed bug in the standby-leader bootstrap (Alexander Kukushkin)

Patroni was considering bootstrap as failed if Postgres didn't start accepting connections after 60 seconds. The bug was introduced in the 2.1.2 release.

- Fixed bug with failover to a cascading standby (Alexander Kukushkin)

When figuring out which slots should be created on cascading standby we forgot to take into account that the leader might be absent.

- Fixed small issues in Postgres config validator (Alexander Kukushkin)

Integer parameters introduced in PostgreSQL v14 were failing to validate because min and max values were quoted in the validator.py

- Use replication credentials when checking leader status (Alexander Kukushkin)

It could be that the ``remove_data_directory_on_diverged_timelines`` is set, but there is no ``rewind_credentials`` defined and superuser access between nodes is not allowed.

- Fixed "port in use" error on REST API certificate replacement (Ants Aasma)

When switching certificates there was a race condition with a concurrent API request. If there is one active during the replacement period then the replacement will error out with a port in use error and Patroni gets stuck in a state without an active API server.

- Fixed a bug in cluster bootstrap if passwords contain ``%`` characters (Bastien Wirtz)

The bootstrap method executes the ``DO`` block, with all parameters properly quoted, but the ``cursor.execute()`` method didn't like an empty list with parameters passed.

- Fixed the "AttributeError: no attribute 'leader'" exception (Hrvoje Milković)

It could happen if the synchronous mode is enabled and the DCS content was wiped out.

- Fix bug in divergence timeline check (Alexander Kukushkin)

Patroni was falsely assuming that timelines have diverged. For pg_rewind it didn't create any problem, but if pg_rewind is not allowed and the ``remove_data_directory_on_diverged_timelines`` is set, it resulted in reinitializing the former leader.