Patroni

Latest version: v4.0.5


3.0.1

-------------

Released 2023-02-16

**Bugfixes**

- Pass the proper role name to an ``on_role_change`` callback script. (Alexander Kukushkin, Polina Bungina)

Patroni used to erroneously pass the ``promoted`` role to an ``on_role_change`` callback script on promotion. The passed role name is changed back to ``master``. This regression was introduced in 3.0.0.

3.0.0

-------------

Released 2023-01-30

This version adds integration with `Citus <https://www.citusdata.com>`__ and makes it possible to survive temporary DCS outages without demoting primary.

.. warning::

   - Version 3.0.0 is the last release supporting Python 2.7. Upcoming release will drop support of Python versions older than 3.7.

   - The RAFT support is deprecated. We will do our best to maintain it, but take neither guarantee nor responsibility for possible issues.

   - This version is the first step in getting rid of the "master", in favor of "primary". Upgrading to the next major release will work reliably only if you run at least 3.0.0.


**New features**

- DCS failsafe mode (Alexander Kukushkin, Polina Bungina)

If the feature is enabled it will allow Patroni cluster to survive temporary DCS outages. You can find more details in the :ref:`documentation <dcs_failsafe_mode>`.

- Citus support (Alexander Kukushkin, Polina Bungina, Jelte Fennema)

Patroni enables easy deployment and management of `Citus <https://www.citusdata.com>`__ clusters with HA. Please check :ref:`this page <citus>` for more information.


**Improvements**

- Suppress recurring errors when dropping unknown but active replication slots (Michael Banck)

Patroni will still write these logs, but only in DEBUG.

- Run only one monitoring query per HA loop (Alexander Kukushkin)

This wasn't the case when synchronous replication was enabled.

- Keep only latest failed data directory (William Albertus Dembo)

If bootstrap failed Patroni used to rename $PGDATA folder with timestamp suffix. From now on the suffix will be ``.failed`` and if such folder exists it is removed before renaming.

- Improved check of synchronous replication connections (Alexander Kukushkin)

When the new host is added to the ``synchronous_standby_names`` it will be set as synchronous in DCS only when it managed to catch up with the primary in addition to ``pg_stat_replication.sync_state = 'sync'``.


**Removed functionality**

- Remove ``patronictl scaffold`` (Alexander Kukushkin)

The only reason for having it was a hacky way of running standby clusters.

2.1.7

-------------

Released 2023-01-04

**Bugfixes**

- Fixed little incompatibilities with legacy python modules (Alexander Kukushkin)

They prevented building/running Patroni on Debian buster/Ubuntu bionic.

2.1.6

-------------

Released 2022-12-30

**Improvements**

- Fix annoying exceptions on ssl socket shutdown (Alexander Kukushkin)

HAProxy closes connections as soon as it gets the HTTP status code, leaving no time for Patroni to properly shut down the SSL connection.

- Adjust example Dockerfile for arm64 (Polina Bungina)

Remove explicit ``amd64`` and ``x86_64``, don't remove ``libnss_files.so.*``.


**Security improvements**

- Enforce ``search_path=pg_catalog`` for non-replication connections (Alexander Kukushkin)

Since Patroni is heavily relying on superuser connections, we want to protect it from the possible attacks carried out using user-defined functions and/or operators in ``public`` schema with the same name and signature as the corresponding objects in ``pg_catalog``. For that, ``search_path=pg_catalog`` is enforced for all connections created by Patroni (except replication connections).

- Prevent passwords from being recorded in ``pg_stat_statements`` (Feike Steenbergen)

It is achieved by setting ``pg_stat_statements.track_utility=off`` when creating users.
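
The two hardening measures above can be reproduced and checked from a superuser session. This is an added example, not Patroni's own code; it assumes ``pg_stat_statements`` is loaded and was created in schema ``public``, and the role name and password are constructed placeholders.

```sql
-- Added example, not Patroni code. Assumes a superuser psql session and
-- pg_stat_statements listed in shared_preload_libraries.

-- 1. Pin name resolution for the session. A libpq client gets the same
--    effect with the connection parameter options='-c search_path=pg_catalog'.
SET search_path = pg_catalog;

-- 2. Audit: functions in "public" whose name and argument types match a
--    pg_catalog function.
SELECT p.oid::pg_catalog.regprocedure AS shadowing_function,
       pg_catalog.pg_get_userbyid(p.proowner) AS owner
  FROM pg_catalog.pg_proc p
  JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
 WHERE n.nspname = 'public'
   AND EXISTS (SELECT 1
                 FROM pg_catalog.pg_proc c
                 JOIN pg_catalog.pg_namespace cn ON cn.oid = c.pronamespace
                WHERE cn.nspname = 'pg_catalog'
                  AND c.proname = p.proname
                  AND c.proargtypes = p.proargtypes);

-- 3. Same audit for operators (name plus left and right operand types).
SELECT o.oid::pg_catalog.regoperator AS shadowing_operator,
       pg_catalog.pg_get_userbyid(o.oprowner) AS owner
  FROM pg_catalog.pg_operator o
  JOIN pg_catalog.pg_namespace n ON n.oid = o.oprnamespace
 WHERE n.nspname = 'public'
   AND EXISTS (SELECT 1
                 FROM pg_catalog.pg_operator c
                 JOIN pg_catalog.pg_namespace cn ON cn.oid = c.oprnamespace
                WHERE cn.nspname = 'pg_catalog'
                  AND c.oprname = o.oprname
                  AND c.oprleft = o.oprleft
                  AND c.oprright = o.oprright);

-- 4. Create a role without the statement text reaching pg_stat_statements.
--    SET LOCAL limits the change to this transaction.
BEGIN;
SET LOCAL pg_stat_statements.track_utility = off;
CREATE ROLE app_example LOGIN PASSWORD 'constructed-placeholder';  -- hypothetical role
COMMIT;

-- 5. Verify: expect zero rows. Assumes the extension was created in "public".
SELECT query FROM public.pg_stat_statements WHERE query ILIKE 'create role%';
```

Any rows returned by steps 2 or 3 are objects worth reviewing together with their owners. ``track_utility`` only affects ``pg_stat_statements``: with ``log_statement`` set to ``ddl`` or ``all`` the ``CREATE ROLE`` text is still written to the server log.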


**Bugfixes**

- Declare ``proxy_address`` as optional (Denis Laxalde)

As it is effectively a non-required option.

- Improve behaviour of the insecure option (Alexander Kukushkin)

Ctl's ``insecure`` option didn't work properly when client certificates were used for REST API requests.

- Take watchdog configuration from ``bootstrap.dcs`` when the new cluster is bootstrapped (Matt Baker)

Patroni used to initially configure watchdog with defaults when bootstrapping a new cluster rather than taking configuration used to bootstrap the DCS.

- Fix the way file extensions are treated while finding executables in WIN32 (Martín Marqués)

Only add ``.exe`` to a file name if it has no extension yet.

- Fix Consul TTL setup (Alexander Kukushkin)

We used ``ttl/2.0`` when setting the value on the HTTPClient, but forgot to multiply the current value by 2 in the class' property. This resulted in the Consul TTL being off by a factor of two.


**Removed functionality**

- Remove ``patronictl configure`` (Polina Bungina)

There is no more need for a separate ``patronictl`` config creation.

2.1.5

Not secure
-------------

Released 2022-11-28

This version enhances compatibility with PostgreSQL 15 and declares Etcd v3 support as production ready. The Patroni on Raft remains in Beta.

**New features**

- Improve ``patroni --validate-config`` (Denis Laxalde)

Exit with code 1 if config is invalid and print errors to stderr.

- Don't drop replication slots in pause (Alexander Kukushkin)

Patroni is automatically creating/removing physical replication slots when members are joining/leaving the cluster. In pause slots will no longer be removed.

- Support the ``HEAD`` request method for monitoring endpoints (Robert Cutajar)

If used instead of ``GET`` Patroni will return only the HTTP Status Code.

- Support behave tests on Windows (Alexander Kukushkin)

Emulate graceful Patroni shutdown (``SIGTERM``) on Windows by introducing the new REST API endpoint ``POST /sigterm``.

- Introduce ``postgresql.proxy_address`` (Alexander Kukushkin)

It will be written to the member key in DCS as the ``proxy_url`` and could be used/useful for service discovery.


**Stability improvements**

- Call ``pg_replication_slot_advance()`` from a thread (Alexander Kukushkin)

On busy clusters with many logical replication slots the ``pg_replication_slot_advance()`` call was affecting the main HA loop and could result in the member key expiration.

- Archive possibly missing WALs before calling ``pg_rewind`` on the old primary (Polina Bungina)

If the primary crashed and was down for a considerable time, some WAL files could be missing from the archive and from the new primary. There is a chance that ``pg_rewind`` could remove these WAL files from the old primary, making it impossible to start it as a standby. By archiving ``ready`` WAL files we not only mitigate this problem but also improve the continuous archiving experience in general.

- Ignore ``403`` errors when trying to create Kubernetes Service (Nick Hudson, Polina Bungina)

Patroni was spamming logs by unsuccessful attempts to create the service, which in fact could already exist.

- Improve liveness probe (Alexander Kukushkin)

The liveness probe will start failing if the heartbeat loop is running longer than ``ttl`` on the primary or ``2*ttl`` on the replica. That will allow us to use it as an alternative for :ref:`watchdog <watchdog>` on Kubernetes.

- Make sure only sync node tries to grab the lock when switchover (Alexander Kukushkin, Polina Bungina)

Previously there was a slim chance that up-to-date async member could become the leader if the manual switchover was performed without specifying the target.

- Avoid cloning while bootstrap is running (Ants Aasma)

Do not allow a create replica method that does not require a leader to be triggered while the cluster bootstrap is running.

- Compatibility with kazoo-2.9.0 (Alexander Kukushkin)

Depending on python version the ``SequentialThreadingHandler.select()`` method may raise ``TypeError`` and ``IOError`` exceptions if ``select()`` is called on the closed socket.

- Explicitly shut down SSL connection before socket shutdown (Alexander Kukushkin)

Not doing it resulted in ``unexpected eof while reading`` errors with OpenSSL 3.0.

- Compatibility with ``prettytable>=2.2.0`` (Alexander Kukushkin)

Due to the internal API changes the cluster name header was shown on the incorrect line.


**Bugfixes**

- Handle expired token for Etcd lease_grant (monsterxx03)

In case of error get the new token and retry request.

- Fix bug in the ``GET /read-only-sync`` endpoint (Alexander Kukushkin)

It was introduced in the previous release and effectively never worked.

- Handle the case when data dir storage disappeared (Alexander Kukushkin)

Patroni is periodically checking that the PGDATA is there and not empty, but in case of issues with storage the ``os.listdir()`` is raising the ``OSError`` exception, breaking the heart-beat loop.

- Apply ``master_stop_timeout`` when waiting for user backends to close (Alexander Kukushkin)

Something that looks like user backend could be in fact a background worker (e.g., Citus Maintenance Daemon) that is failing to stop.

- Accept ``*:<port>`` for ``postgresql.listen`` (Denis Laxalde)

The ``patroni --validate-config`` was complaining about it being invalid.

- Timeouts fixes in Raft (Alexander Kukushkin)

When Patroni or patronictl are starting they try to get Raft cluster topology from known members. These calls were made without proper timeouts.

- Forcefully update consul service if token was changed (John A. Lotoski)

Not doing so results in errors "rpc error making call: rpc error making call: ACL not found".

2.1.4

Not secure
-------------

Released 2022-06-01

**New features**

- Improve ``pg_rewind`` behavior on typical Debian/Ubuntu systems (Gunnar "Nick" Bluth)

On Postgres setups that keep ``postgresql.conf`` outside of the data directory (e.g. Ubuntu/Debian packages), ``pg_rewind --restore-target-wal`` fails to figure out the value of the ``restore_command``.

- Allow setting ``TLSServerName`` on Consul service checks (Michael Gmelin)

Useful when checks are performed by IP and the Consul ``node_name`` is not a FQDN.

- Added ``ppc64le`` support in watchdog (Jean-Michel Scheiwiler)

And fixed watchdog support on some non-x86 platforms.

- Switched aws.py callback from ``boto`` to ``boto3`` (Alexander Kukushkin)

``boto`` 2.x is abandoned since 2018 and fails with python 3.9.

- Periodically refresh service account token on K8s (Haitao Li)

Since Kubernetes v1.21 service account tokens expire in 1 hour.

- Added ``/read-only-sync`` monitoring endpoint (Dennis4b)

It is similar to the ``/read-only`` but includes only synchronous replicas.


**Stability improvements**

- Don't copy the logical replication slot to a replica if there is a configuration mismatch in the logical decoding setup with the primary (Alexander Kukushkin)

A replica won't copy a logical replication slot from the primary anymore if the slot doesn't match the ``plugin`` or ``database`` configuration options. Previously, the check for whether the slot matches those configuration options was not performed until after the replica copied the slot and started with it, resulting in unnecessary and repeated restarts.

- Special handling of recovery configuration parameters for PostgreSQL v12+ (Alexander Kukushkin)

While starting as replica Patroni should be able to update ``postgresql.conf`` and restart/reload if the leader address has changed by caching current parameters values instead of querying them from ``pg_settings``.

- Better handling of IPv6 addresses in the ``postgresql.listen`` parameters (Alexander Kukushkin)

Since the ``listen`` parameter has a port, people try to put IPv6 addresses into square brackets, which were not correctly stripped when there is more than one IP in the list.

- Use ``replication`` credentials when performing divergence check only on PostgreSQL v10 and older (Alexander Kukushkin)

If ``rewind`` is enabled, Patroni will again use either ``superuser`` or ``rewind`` credentials on newer Postgres versions.


**Bugfixes**

- Fixed missing import of ``dateutil.parser`` (Wesley Mendes)

Tests weren't failing only because it was also imported from other modules.

- Ensure that ``optime`` annotation is a string (Sebastian Hasler)

In certain cases Patroni was trying to pass it as numeric.

- Better handling of failed ``pg_rewind`` attempt (Alexander Kukushkin)

If the primary becomes unavailable during ``pg_rewind``, ``$PGDATA`` will be left in a broken state. Following that, Patroni will remove the data directory even if this is not allowed by the configuration.

- Don't remove ``slots`` annotations from the leader ``ConfigMap``/``Endpoint`` when PostgreSQL isn't ready (Alexander Kukushkin)

If ``slots`` value isn't passed the annotation will keep the current value.

- Handle concurrency problem with K8s API watchers (Alexander Kukushkin)

Under certain (unknown) conditions watchers might become stale; as a result, ``attempt_to_acquire_leader()`` method could fail due to the HTTP status code 409. In that case we reset watchers connections and restart from scratch.
