1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345
// Copyright Materialize, Inc. and contributors. All rights reserved.
//
// Use of this software is governed by the Business Source License
// included in the LICENSE file.
//
// As of the Change Date specified in that file, in accordance with
// the Business Source License, use of this software will be governed
// by the Apache License, Version 2.0.
use std::collections::BTreeSet;
use std::net::IpAddr;
use std::time::Duration;
use mz_ore::future::{InTask, OreFutureExt};
use mz_ore::option::OptionExt;
use mz_ore::task;
use mz_repr::GlobalId;
use mz_ssh_util::tunnel::{SshTimeoutConfig, SshTunnelConfig};
use mz_ssh_util::tunnel_manager::SshTunnelManager;
use serde::{Deserialize, Serialize};
use tokio::net::TcpStream as TokioTcpStream;
use tokio_postgres::config::{Host, ReplicationMode};
use tokio_postgres::tls::MakeTlsConnect;
use tokio_postgres::Client;
use tracing::{info, warn};
use crate::PostgresError;
macro_rules! bail_generic {
($fmt:expr, $($arg:tt)*) => {
return Err(PostgresError::Generic(anyhow::anyhow!($fmt, $($arg)*)))
};
($err:expr $(,)?) => {
return Err(PostgresError::Generic(anyhow::anyhow!($err)))
};
}
/// Configures an optional tunnel for use when connecting to a PostgreSQL
/// database.
#[derive(Debug, PartialEq, Clone)]
pub enum TunnelConfig {
/// Establish a direct TCP connection to the database host.
/// If `resolved_ips` is not None, the provided IPs will be used
/// rather than resolving the hostname.
Direct {
resolved_ips: Option<BTreeSet<IpAddr>>,
},
/// Establish a TCP connection to the database via an SSH tunnel.
/// This means first establishing an SSH connection to a bastion host,
/// and then opening a separate connection from that host to the database.
/// This is commonly referred by vendors as a "direct SSH tunnel", in
/// opposition to "reverse SSH tunnel", which is currently unsupported.
Ssh { config: SshTunnelConfig },
/// Establish a TCP connection to the database via an AWS PrivateLink
/// service.
AwsPrivatelink {
/// The ID of the AWS PrivateLink service.
connection_id: GlobalId,
},
}
// Some of these defaults were recommended by @ph14
// https://github.com/MaterializeInc/materialize/pull/18644#discussion_r1160071692
pub const DEFAULT_CONNECT_TIMEOUT: Duration = Duration::from_secs(30);
pub const DEFAULT_KEEPALIVE_INTERVAL: Duration = Duration::from_secs(10);
pub const DEFAULT_KEEPALIVE_IDLE: Duration = Duration::from_secs(10);
pub const DEFAULT_KEEPALIVE_RETRIES: u32 = 5;
// This is meant to be DEFAULT_KEEPALIVE_IDLE
// + DEFAULT_KEEPALIVE_RETRIES * DEFAULT_KEEPALIVE_INTERVAL
pub const DEFAULT_TCP_USER_TIMEOUT: Duration = Duration::from_secs(60);
/// Configurable timeouts for Postgres connections.
///
/// Currently only apply to non-ssh/privatelink connections.
#[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)]
pub struct TcpTimeoutConfig {
pub connect_timeout: Option<Duration>,
pub keepalives_retries: Option<u32>,
pub keepalives_idle: Option<Duration>,
pub keepalives_interval: Option<Duration>,
pub tcp_user_timeout: Option<Duration>,
}
impl Default for TcpTimeoutConfig {
fn default() -> Self {
TcpTimeoutConfig {
connect_timeout: Some(DEFAULT_CONNECT_TIMEOUT),
keepalives_retries: Some(DEFAULT_KEEPALIVE_RETRIES),
keepalives_idle: Some(DEFAULT_KEEPALIVE_IDLE),
keepalives_interval: Some(DEFAULT_KEEPALIVE_INTERVAL),
tcp_user_timeout: Some(DEFAULT_TCP_USER_TIMEOUT),
}
}
}
pub const DEFAULT_SNAPSHOT_STATEMENT_TIMEOUT: Duration = Duration::ZERO;
/// Configuration for PostgreSQL connections.
///
/// This wraps [`tokio_postgres::Config`] to allow the configuration of a
/// tunnel via a [`TunnelConfig`].
#[derive(Clone, Debug)]
pub struct Config {
inner: tokio_postgres::Config,
tunnel: TunnelConfig,
in_task: InTask,
ssh_timeout_config: SshTimeoutConfig,
}
impl Config {
pub fn new(
inner: tokio_postgres::Config,
tunnel: TunnelConfig,
tcp_timeouts: TcpTimeoutConfig,
ssh_timeout_config: SshTimeoutConfig,
in_task: InTask,
) -> Result<Self, PostgresError> {
let config = Self {
inner,
tunnel,
in_task,
ssh_timeout_config,
}
.tcp_timeouts(tcp_timeouts);
// Early validate that the configuration contains only a single TCP
// server.
config.address()?;
Ok(config)
}
fn tcp_timeouts(mut self, tcp_timeouts: TcpTimeoutConfig) -> Config {
if let Some(connect_timeout) = tcp_timeouts.connect_timeout {
self.inner.connect_timeout(connect_timeout);
}
if let Some(keepalives_retries) = tcp_timeouts.keepalives_retries {
self.inner.keepalives_retries(keepalives_retries);
}
if let Some(keepalives_idle) = tcp_timeouts.keepalives_idle {
self.inner.keepalives_idle(keepalives_idle);
}
if let Some(keepalives_interval) = tcp_timeouts.keepalives_interval {
self.inner.keepalives_interval(keepalives_interval);
}
if let Some(tcp_user_timeout) = tcp_timeouts.tcp_user_timeout {
self.inner.tcp_user_timeout(tcp_user_timeout);
}
self
}
/// Connects to the configured PostgreSQL database.
pub async fn connect(
&self,
task_name: &str,
ssh_tunnel_manager: &SshTunnelManager,
) -> Result<Client, PostgresError> {
self.connect_traced(task_name, |_| (), ssh_tunnel_manager)
.await
}
/// Starts a replication connection to the configured PostgreSQL database.
pub async fn connect_replication(
&self,
ssh_tunnel_manager: &SshTunnelManager,
) -> Result<Client, PostgresError> {
self.connect_traced(
"postgres_connect_replication",
|config| {
config.replication_mode(ReplicationMode::Logical);
},
ssh_tunnel_manager,
)
.await
}
fn address(&self) -> Result<(&str, u16), PostgresError> {
match (self.inner.get_hosts(), self.inner.get_ports()) {
([Host::Tcp(host)], [port]) => Ok((host, *port)),
_ => bail_generic!("only TCP connections to a single PostgreSQL server are supported"),
}
}
async fn connect_traced<F>(
&self,
task_name: &str,
configure: F,
ssh_tunnel_manager: &SshTunnelManager,
) -> Result<Client, PostgresError>
where
F: FnOnce(&mut tokio_postgres::Config),
{
let (host, port) = self.address()?;
let address = format!(
"{}@{}:{}/{}",
self.get_user().display_or("<unknown-user>"),
host,
port,
self.get_dbname().display_or("<unknown-dbname>")
);
info!(%task_name, %address, "connecting");
match self
.connect_internal(task_name, configure, ssh_tunnel_manager)
.await
{
Ok(t) => {
info!(%task_name, %address, "connected");
Ok(t)
}
Err(e) => {
warn!(%task_name, %address, "connection failed: {e:#}");
Err(e)
}
}
}
async fn connect_internal<F>(
&self,
task_name: &str,
configure: F,
ssh_tunnel_manager: &SshTunnelManager,
) -> Result<Client, PostgresError>
where
F: FnOnce(&mut tokio_postgres::Config),
{
let mut postgres_config = self.inner.clone();
configure(&mut postgres_config);
let mut tls = mz_tls_util::make_tls(&postgres_config).map_err(|tls_err| match tls_err {
mz_tls_util::TlsError::Generic(e) => PostgresError::Generic(e),
mz_tls_util::TlsError::OpenSsl(e) => PostgresError::PostgresSsl(e),
})?;
match &self.tunnel {
TunnelConfig::Direct { resolved_ips } => {
if let Some(ips) = resolved_ips {
let host = match postgres_config.get_hosts() {
[Host::Tcp(host)] => host,
_ => bail_generic!(
"only TCP connections to a single PostgreSQL server are supported"
),
}
.to_owned();
// Associate each resolved ip with the exact same, singular host, for tls
// verification. We are required to do this dance because `tokio-postgres`
// enforces that the number of 'host' and 'hostaddr' values must be the same.
for (idx, ip) in ips.iter().enumerate() {
if idx != 0 {
postgres_config.host(&host);
}
postgres_config.hostaddr(ip.clone());
}
};
let (client, connection) = async move { postgres_config.connect(tls).await }
.run_in_task_if(self.in_task, || "pg_connect".to_string())
.await?;
task::spawn(|| task_name, connection);
Ok(client)
}
TunnelConfig::Ssh { config } => {
let (host, port) = self.address()?;
let tunnel = ssh_tunnel_manager
.connect(
config.clone(),
host,
port,
self.ssh_timeout_config,
self.in_task,
)
.await
.map_err(PostgresError::Ssh)?;
let tls = MakeTlsConnect::<TokioTcpStream>::make_tls_connect(&mut tls, host)?;
let tcp_stream = TokioTcpStream::connect(tunnel.local_addr())
.await
.map_err(PostgresError::SshIo)?;
// Because we are connecting to a local host/port, we don't configure any TCP
// keepalive settings. The connection is entirely local to the machine running the
// process and we trust the kernel to keep a local connection alive without keepalives.
//
// Ideally we'd be able to configure SSH to enable TCP keepalives on the other
// end of the tunnel, between the SSH bastion host and the PostgreSQL server,
// but SSH does not expose an option for this.
let (client, connection) =
async move { postgres_config.connect_raw(tcp_stream, tls).await }
.run_in_task_if(self.in_task, || "pg_connect".to_string())
.await?;
task::spawn(|| task_name, async {
let _tunnel = tunnel; // Keep SSH tunnel alive for duration of connection.
if let Err(e) = connection.await {
warn!("postgres connection failed: {e}");
}
});
Ok(client)
}
TunnelConfig::AwsPrivatelink { connection_id } => {
// This section of code is somewhat subtle. We are overriding the host
// for the actual TCP connection to be the PrivateLink host, but leaving the host
// for TLS verification as the original host. Managing the
// `tokio_postgres::Config` to do this is somewhat confusing, and requires we edit
// the singular host in place.
let privatelink_host = mz_cloud_resources::vpc_endpoint_name(*connection_id);
// `net::lookup_host` requires a port to be specified, but the port has no effect
// on the lookup so use a dummy one
let privatelink_addrs = tokio::net::lookup_host((privatelink_host, 11111)).await?;
// Override the actual IPs to connect to for the TCP connection, leaving the original host in-place
// for TLS verification
let host = match postgres_config.get_hosts() {
[Host::Tcp(host)] => host,
_ => bail_generic!(
"only TCP connections to a single PostgreSQL server are supported"
),
}
.to_owned();
// Associate each resolved ip with the exact same, singular host, for tls
// verification. We are required to do this dance because `tokio-postgres`
// enforces that the number of 'host' and 'hostaddr' values must be the same.
for (idx, addr) in privatelink_addrs.enumerate() {
if idx != 0 {
postgres_config.host(&host);
}
postgres_config.hostaddr(addr.ip());
}
let (client, connection) = async move { postgres_config.connect(tls).await }
.run_in_task_if(self.in_task, || "pg_connect".to_string())
.await?;
task::spawn(|| task_name, connection);
Ok(client)
}
}
}
pub fn get_user(&self) -> Option<&str> {
self.inner.get_user()
}
pub fn get_dbname(&self) -> Option<&str> {
self.inner.get_dbname()
}
}