mz_storage/source/postgres/snapshot.rs
1// Copyright Materialize, Inc. and contributors. All rights reserved.
2//
3// Use of this software is governed by the Business Source License
4// included in the LICENSE file.
5//
6// As of the Change Date specified in that file, in accordance with
7// the Business Source License, use of this software will be governed
8// by the Apache License, Version 2.0.
9
10//! Renders the table snapshot side of the [`PostgresSourceConnection`] ingestion dataflow.
11//!
12//! # Snapshot reading
13//!
14//! Depending on the resumption LSNs the table reader decides which tables need to be snapshotted.
15//! Each table is partitioned across all workers using PostgreSQL's `ctid` (tuple identifier)
16//! column, which identifies the physical location of each row. This allows parallel snapshotting
17//! of large tables across all available workers.
18//!
19//! There are a few subtle points about this operation, described in the following sections.
20//!
21//! ## Consistent LSN point for snapshot transactions
22//!
23//! Given that all our ingestion is based on correctly timestamping updates with the LSN they
24//! happened at it is important that we run the `COPY` query at a specific LSN point that is
25//! relatable with the LSN numbers we receive from the replication stream. Such point does not
26//! necessarily exist for a normal SQL transaction. To achieve this we must force postgres to
27//! produce a consistent point and let us know of the LSN number of that by creating a replication
28//! slot as the first statement in a transaction.
29//!
30//! This is a temporary dummy slot that is only used to put our snapshot transaction on a
31//! consistent LSN point. Unfortunately no lighterweight method exists for doing this. See this
32//! [postgres thread] for more details.
33//!
34//! One might wonder why we don't use the actual real slot to provide us with the snapshot point
35//! which would automatically be at the correct LSN. The answer is that it's possible that we crash
36//! and restart after having already created the slot but before having finished the snapshot. In
37//! that case the restarting process will have lost its opportunity to run queries at the slot's
38//! consistent point as that opportunity only exists in the ephemeral transaction that created the
39//! slot and that is long gone. Additionally there are good reasons of why we'd like to move the
40//! slot creation much earlier, e.g during purification, in which case the slot will always be
41//! pre-created.
42//!
43//! [postgres thread]: https://www.postgresql.org/message-id/flat/CAMN0T-vzzNy6TV1Jvh4xzNQdAvCLBQK_kh6_U7kAXgGU3ZFg-Q%40mail.gmail.com
44//!
45//! ## Reusing the consistent point among all workers
46//!
47//! Creating replication slots is potentially expensive so the code makes is such that all workers
48//! cooperate and reuse one consistent snapshot among them. In order to do so we make use the
49//! "export transaction" feature of postgres. This feature allows one SQL session to create an
50//! identifier for the transaction (a string identifier) it is currently in, which can be used by
51//! other sessions to enter the same "snapshot".
52//!
53//! We accomplish this by picking one worker at random to function as the transaction leader. The
54//! transaction leader is responsible for starting a SQL session, creating a temporary replication
55//! slot in a transaction, exporting the transaction id, and broadcasting the transaction
56//! information to all other workers via a broadcasted feedback edge.
57//!
58//! During this phase the follower workers are simply waiting to hear on the feedback edge,
59//! effectively synchronizing with the leader. Once all workers have received the snapshot
60//! information they can all start to perform their assigned COPY queries.
61//!
62//! The leader and follower steps described above are accomplished by the [`export_snapshot`] and
63//! [`use_snapshot`] functions respectively.
64//!
65//! ## Coordinated transaction COMMIT
66//!
67//! When follower workers are done with snapshotting they commit their transaction, close their
68//! session, and then drop their snapshot feedback capability. When the leader worker is done with
69//! snapshotting it drops its snapshot feedback capability and waits until it observes the
70//! snapshot input advancing to the empty frontier. This allows the leader to COMMIT its
71//! transaction last, which is the transaction that exported the snapshot.
72//!
73//! It's unclear if this is strictly necessary, but having the frontiers made it easy enough that I
74//! added the synchronization.
75//!
76//! ## Snapshot rewinding
77//!
78//! Ingestion dataflows must produce definite data, including the snapshot. What this means
79//! practically is that whenever we deem it necessary to snapshot a table we must do so at the same
80//! LSN. However, the method for running a transaction described above doesn't let us choose the
81//! LSN, it could be an LSN in the future chosen by PostgresSQL while it creates the temporary
82//! replication slot.
83//!
84//! The definition of differential collections states that a collection at some time `t_snapshot`
85//! is defined to be the accumulation of all updates that happen at `t <= t_snapshot`, where `<=`
86//! is the partial order. In this case we are faced with the problem of knowing the state of a
87//! table at `t_snapshot` but actually wanting to know the snapshot at `t_slot <= t_snapshot`.
88//!
89//! From the definition we can see that the snapshot at `t_slot` is related to the snapshot at
90//! `t_snapshot` with the following equations:
91//!
92//!```text
93//! sum(update: t <= t_snapshot) = sum(update: t <= t_slot) + sum(update: t_slot <= t <= t_snapshot)
94//! |
95//! V
96//! sum(update: t <= t_slot) = sum(update: t <= snapshot) - sum(update: t_slot <= t <= t_snapshot)
97//! ```
98//!
99//! Therefore, if we manage to recover the `sum(update: t_slot <= t <= t_snapshot)` term we will be
100//! able to "rewind" the snapshot we obtained at `t_snapshot` to `t_slot` by emitting all updates
101//! that happen between these two points with their diffs negated.
102//!
103//! It turns out that this term is exactly what the main replication slot provides us with and we
104//! can rewind snapshot at arbitrary points! In order to do this the snapshot dataflow emits rewind
105//! requests to the replication reader which informs it that a certain range of updates must be
106//! emitted at LSN 0 (by convention) with their diffs negated. These negated diffs are consolidated
107//! with the diffs taken at `t_snapshot` that were also emitted at LSN 0 (by convention) and we end
108//! up with a TVC that at LSN 0 contains the snapshot at `t_slot`.
109//!
110//! # Parallel table snapshotting with ctid ranges
111//!
112//! Each table is partitioned across workers using PostgreSQL's `ctid` column. The `ctid` is a
113//! tuple identifier of the form `(block_number, tuple_index)` that represents the physical
114//! location of a row on disk. By partitioning the ctid range, each worker can independently
115//! fetch a portion of the table.
116//!
117//! The partitioning works as follows:
118//! 1. The snapshot leader queries `pg_class.relpages` to estimate the number of blocks for each
119//! table. This is much faster than querying `max(ctid)` which would require a sequential scan.
120//! 2. The leader broadcasts the block count estimates along with the snapshot transaction ID
121//! to all workers, ensuring all workers use consistent estimates for partitioning.
122//! 3. Each worker calculates its assigned block range and fetches rows using a `COPY` query
123//! with a `SELECT` that filters by `ctid >= start AND ctid < end`.
124//! 4. The last worker uses an open-ended range (`ctid >= start`) to capture any rows beyond
125//! the estimated block count (handles cases where statistics are stale or table has grown).
126//!
127//! This approach efficiently parallelizes large table snapshots while maintaining the benefits
128//! of the `COPY` protocol for bulk data transfer.
129//!
130//! ## PostgreSQL version requirements
131//!
132//! Ctid range scans are only efficient on PostgreSQL >= 14 due to TID range scan optimizations
133//! introduced in that version. For older PostgreSQL versions, the snapshot falls back to the
134//! single-worker-per-table mode where each table is assigned to one worker based on consistent
135//! hashing. This is implemented by having the leader broadcast all-zero block counts when
136//! PostgreSQL version < 14.
137//!
138//! # Snapshot decoding
139//!
140//! Each worker fetches its ctid range directly and decodes the COPY stream locally.
141//!
142//! ```text
143//! ╭──────────────────╮
144//! ┏━━━━━━━━━━━━v━┓ │ exported
145//! ┃ table ┃ ╭─────────╮ │ snapshot id
146//! ┃ readers ┠─>─┤broadcast├──╯
147//! ┃ (parallel) ┃ ╰─────────╯
148//! ┗━┯━━━━━━━━━━┯━┛
149//! raw│ │
150//! COPY│ │
151//! data│ │
152//! ┏━━━━┷━━━━┓ │
153//! ┃ COPY ┃ │
154//! ┃ decoder ┃ │
155//! ┗━━━━┯━━━━┛ │
156//! │ snapshot │rewind
157//! │ updates │requests
158//! v v
159//! ```
160
161use std::collections::BTreeMap;
162use std::convert::Infallible;
163use std::pin::pin;
164use std::rc::Rc;
165use std::sync::Arc;
166use std::time::Duration;
167
168use anyhow::bail;
169use differential_dataflow::AsCollection;
170use futures::{StreamExt as _, TryStreamExt};
171use itertools::Itertools;
172use mz_ore::cast::CastFrom;
173use mz_ore::future::InTask;
174use mz_postgres_util::desc::PostgresTableDesc;
175use mz_postgres_util::schemas::get_pg_major_version;
176use mz_postgres_util::{Client, Config, PostgresError, simple_query_opt};
177use mz_repr::{Datum, DatumVec, Diff, Row};
178use mz_sql_parser::ast::{Ident, display::AstDisplay};
179use mz_storage_types::connections::ConnectionContext;
180use mz_storage_types::errors::DataflowError;
181use mz_storage_types::parameters::PgSourceSnapshotConfig;
182use mz_storage_types::sources::{MzOffset, PostgresSourceConnection};
183use mz_timely_util::builder_async::{
184 Event as AsyncEvent, OperatorBuilder as AsyncOperatorBuilder, PressOnDropButton,
185};
186use timely::container::CapacityContainerBuilder;
187use timely::container::DrainContainer;
188use timely::dataflow::channels::pact::Pipeline;
189use timely::dataflow::operators::core::Map;
190use timely::dataflow::operators::{
191 Broadcast, CapabilitySet, Concat, ConnectLoop, Feedback, Operator,
192};
193use timely::dataflow::{Scope, Stream};
194use timely::progress::Timestamp;
195use tokio_postgres::error::SqlState;
196use tokio_postgres::types::{Oid, PgLsn};
197use tracing::trace;
198
199use crate::metrics::source::postgres::PgSnapshotMetrics;
200use crate::source::RawSourceCreationConfig;
201use crate::source::postgres::replication::RewindRequest;
202use crate::source::postgres::{
203 DefiniteError, ReplicationError, SourceOutputInfo, TransientError, verify_schema,
204};
205use crate::source::types::{SignaledFuture, SourceMessage, StackedCollection};
206use crate::statistics::SourceStatistics;
207
208/// Information broadcasted from the snapshot leader to all workers.
209/// This includes the transaction snapshot ID, LSN, and estimated block counts for each table.
210#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
211struct SnapshotInfo {
212 /// The exported transaction snapshot identifier.
213 snapshot_id: String,
214 /// The LSN at which the snapshot was taken.
215 snapshot_lsn: MzOffset,
216 /// Estimated number of blocks (pages) for each table, keyed by OID.
217 /// This is derived from `pg_class.relpages` and used to partition ctid ranges.
218 table_block_counts: BTreeMap<u32, u64>,
219 /// The current upstream schema of each table.
220 upstream_info: BTreeMap<u32, PostgresTableDesc>,
221}
222
223/// Represents a ctid range that a worker should snapshot.
224/// The range is [start_block, end_block) where end_block is optional (None means unbounded).
225#[derive(Debug)]
226struct CtidRange {
227 /// The starting block number (inclusive).
228 start_block: u64,
229 /// The ending block number (exclusive). None means unbounded (open-ended range).
230 end_block: Option<u64>,
231}
232
233/// Calculate the ctid range for a given worker based on estimated block count.
234///
235/// The table is partitioned by block number across all workers. Each worker gets a contiguous
236/// range of blocks. The last worker gets an open-ended range to handle any rows beyond the
237/// estimated block count.
238///
239/// When `estimated_blocks` is 0 (either because statistics are unavailable, the table appears
240/// empty, or PostgreSQL version < 14 doesn't support ctid range scans), the table is assigned
241/// to a single worker determined by `config.responsible_for(oid)` and that worker scans the
242/// full table.
243///
244/// Returns None if this worker has no work to do.
245fn worker_ctid_range(
246 config: &RawSourceCreationConfig,
247 estimated_blocks: u64,
248 oid: u32,
249) -> Option<CtidRange> {
250 // If estimated_blocks is 0, fall back to single-worker mode for this table.
251 // This handles:
252 // - PostgreSQL < 14 (ctid range scans not supported)
253 // - Tables that appear empty in statistics
254 // - Tables with stale/missing statistics
255 // The responsible worker scans the full table with an open-ended range.
256 if estimated_blocks == 0 {
257 let fallback = if config.responsible_for(oid) {
258 Some(CtidRange {
259 start_block: 0,
260 end_block: None,
261 })
262 } else {
263 None
264 };
265 return fallback;
266 }
267
268 let worker_id = u64::cast_from(config.worker_id);
269 let worker_count = u64::cast_from(config.worker_count);
270
271 // If there are more workers than blocks, only assign work to workers with id < estimated_blocks
272 // The last assigned worker still gets an open range.
273 let effective_worker_count = std::cmp::min(worker_count, estimated_blocks);
274
275 if worker_id >= effective_worker_count {
276 // This worker has no work to do
277 return None;
278 }
279
280 // Calculate start block for this worker (integer division distributes blocks evenly)
281 let start_block = worker_id * estimated_blocks / effective_worker_count;
282
283 // The last effective worker gets an open-ended range
284 let is_last_effective_worker = worker_id == effective_worker_count - 1;
285 if is_last_effective_worker {
286 Some(CtidRange {
287 start_block,
288 end_block: None,
289 })
290 } else {
291 let end_block = (worker_id + 1) * estimated_blocks / effective_worker_count;
292 Some(CtidRange {
293 start_block,
294 end_block: Some(end_block),
295 })
296 }
297}
298
299/// Estimate the number of blocks for each table from pg_class statistics.
300/// This is used to partition ctid ranges across workers.
301async fn estimate_table_block_counts(
302 client: &Client,
303 table_oids: &[u32],
304) -> Result<BTreeMap<u32, u64>, TransientError> {
305 if table_oids.is_empty() {
306 return Ok(BTreeMap::new());
307 }
308
309 // Query relpages for all tables at once
310 let oid_list = table_oids
311 .iter()
312 .map(|oid| oid.to_string())
313 .collect::<Vec<_>>()
314 .join(",");
315 let query = format!(
316 "SELECT oid, relpages FROM pg_class WHERE oid IN ({})",
317 oid_list
318 );
319
320 let mut block_counts = BTreeMap::new();
321 // Initialize all tables with 0 blocks (in case they're not in pg_class)
322 for &oid in table_oids {
323 block_counts.insert(oid, 0);
324 }
325
326 // Execute the query and collect results
327 let rows = client.simple_query(&query).await?;
328 for msg in rows {
329 if let tokio_postgres::SimpleQueryMessage::Row(row) = msg {
330 let oid: u32 = row.get("oid").unwrap().parse().unwrap();
331 let relpages: i64 = row.get("relpages").unwrap().parse().unwrap_or(0);
332 // relpages can be -1 if never analyzed, treat as 0
333 let relpages = std::cmp::max(0, relpages).try_into().unwrap();
334 block_counts.insert(oid, relpages);
335 }
336 }
337
338 Ok(block_counts)
339}
340
341/// Renders the snapshot dataflow. See the module documentation for more information.
342pub(crate) fn render<G: Scope<Timestamp = MzOffset>>(
343 mut scope: G,
344 config: RawSourceCreationConfig,
345 connection: PostgresSourceConnection,
346 table_info: BTreeMap<u32, BTreeMap<usize, SourceOutputInfo>>,
347 metrics: PgSnapshotMetrics,
348) -> (
349 StackedCollection<G, (usize, Result<SourceMessage, DataflowError>)>,
350 Stream<G, RewindRequest>,
351 Stream<G, Infallible>,
352 Stream<G, ReplicationError>,
353 PressOnDropButton,
354) {
355 let op_name = format!("TableReader({})", config.id);
356 let mut builder = AsyncOperatorBuilder::new(op_name, scope.clone());
357
358 let (feedback_handle, feedback_data) = scope.feedback(Default::default());
359
360 let (raw_handle, raw_data) = builder.new_output();
361 let (rewinds_handle, rewinds) = builder.new_output::<CapacityContainerBuilder<_>>();
362 // This output is used to signal to the replication operator that the replication slot has been
363 // created. With the current state of execution serialization there isn't a lot of benefit
364 // of splitting the snapshot and replication phases into two operators.
365 // TODO(petrosagg): merge the two operators in one (while still maintaining separation as
366 // functions/modules)
367 let (_, slot_ready) = builder.new_output::<CapacityContainerBuilder<_>>();
368 let (snapshot_handle, snapshot) = builder.new_output::<CapacityContainerBuilder<_>>();
369 let (definite_error_handle, definite_errors) =
370 builder.new_output::<CapacityContainerBuilder<_>>();
371
372 // This operator needs to broadcast data to itself in order to synchronize the transaction
373 // snapshot. However, none of the feedback capabilities result in output messages and for the
374 // feedback edge specifically having a default conncetion would result in a loop.
375 let mut snapshot_input = builder.new_disconnected_input(&feedback_data, Pipeline);
376
377 // The export id must be sent to all workers, so we broadcast the feedback connection
378 snapshot.broadcast().connect_loop(feedback_handle);
379
380 let is_snapshot_leader = config.responsible_for("snapshot_leader");
381
382 // A global view of all outputs that will be snapshot by all workers.
383 let mut all_outputs = vec![];
384 // Table info for tables that need snapshotting. All workers will snapshot all tables,
385 // but each worker will handle a different ctid range within each table.
386 let mut tables_to_snapshot = BTreeMap::new();
387 // A collection of `SourceStatistics` to update for a given Oid. Same info exists in table_info,
388 // but this avoids having to iterate + map each time the statistics are needed.
389 let mut export_statistics = BTreeMap::new();
390 for (table, outputs) in table_info.iter() {
391 for (&output_index, output) in outputs {
392 if *output.resume_upper != [MzOffset::minimum()] {
393 // Already has been snapshotted.
394 continue;
395 }
396 all_outputs.push(output_index);
397 tables_to_snapshot
398 .entry(*table)
399 .or_insert_with(BTreeMap::new)
400 .insert(output_index, output.clone());
401 let statistics = config
402 .statistics
403 .get(&output.export_id)
404 .expect("statistics are initialized")
405 .clone();
406 export_statistics.insert((*table, output_index), statistics);
407 }
408 }
409
410 let (button, transient_errors) = builder.build_fallible(move |caps| {
411 let busy_signal = Arc::clone(&config.busy_signal);
412 Box::pin(SignaledFuture::new(busy_signal, async move {
413 let id = config.id;
414 let worker_id = config.worker_id;
415 let [
416 data_cap_set,
417 rewind_cap_set,
418 slot_ready_cap_set,
419 snapshot_cap_set,
420 definite_error_cap_set,
421 ]: &mut [_; 5] = caps.try_into().unwrap();
422
423 trace!(
424 %id,
425 "timely-{worker_id} initializing table reader \
426 with {} tables to snapshot",
427 tables_to_snapshot.len()
428 );
429
430 let connection_config = connection
431 .connection
432 .config(
433 &config.config.connection_context.secrets_reader,
434 &config.config,
435 InTask::Yes,
436 )
437 .await?;
438
439
440 // The snapshot operator is responsible for creating the replication slot(s).
441 // This first slot is the permanent slot that will be used for reading the replication
442 // stream. A temporary slot is created further on to capture table snapshots.
443 let replication_client = if is_snapshot_leader {
444 let client = connection_config
445 .connect_replication(&config.config.connection_context.ssh_tunnel_manager)
446 .await?;
447 let main_slot = &connection.publication_details.slot;
448
449 tracing::info!(%id, "ensuring replication slot {main_slot} exists");
450 super::ensure_replication_slot(&client, main_slot).await?;
451 Some(client)
452 } else {
453 None
454 };
455 *slot_ready_cap_set = CapabilitySet::new();
456
457 // Nothing needs to be snapshot.
458 if all_outputs.is_empty() {
459 trace!(%id, "no exports to snapshot");
460 // Note we do not emit a `ProgressStatisticsUpdate::Snapshot` update here,
461 // as we do not want to attempt to override the current value with 0. We
462 // just leave it null.
463 return Ok(());
464 }
465
466 // A worker *must* emit a count even if not responsible for snapshotting a table
467 // as statistic summarization will return null if any worker hasn't set a value.
468 // This will also reset snapshot stats for any exports not snapshotting.
469 // If no workers need to snapshot, then avoid emitting these as they will clear
470 // previous stats.
471 for statistics in config.statistics.values() {
472 statistics.set_snapshot_records_known(0);
473 statistics.set_snapshot_records_staged(0);
474 }
475
476 // Collect table OIDs for block count estimation
477 let table_oids: Vec<u32> = tables_to_snapshot.keys().copied().collect();
478
479 // replication client is only set if this worker is the snapshot leader
480 let client = match replication_client {
481 Some(client) => {
482 let tmp_slot = format!("mzsnapshot_{}", uuid::Uuid::new_v4()).replace('-', "");
483 let (snapshot_id, snapshot_lsn) = export_snapshot(&client, &tmp_slot, true).await?;
484
485 // Check PostgreSQL version. Ctid range scans are only efficient on PG >= 14
486 // due to improvements in TID range scan support.
487 let pg_version = get_pg_major_version(&client).await?;
488
489 // Estimate block counts for all tables from pg_class statistics.
490 // This must be done by the leader and broadcasted to ensure all workers
491 // use the same estimates for ctid range partitioning.
492 //
493 // For PostgreSQL < 14, we set all block counts to 0 to fall back to
494 // single-worker-per-table mode, as ctid range scans are not well supported.
495 let table_block_counts = if pg_version >= 14 {
496 estimate_table_block_counts(&client, &table_oids).await?
497 } else {
498 trace!(
499 %id,
500 "timely-{worker_id} PostgreSQL version {pg_version} < 14, \
501 falling back to single-worker-per-table snapshot mode"
502 );
503 // Return all zeros to trigger fallback mode
504 table_oids.iter().map(|&oid| (oid, 0u64)).collect()
505 };
506
507 report_snapshot_size(&client, &tables_to_snapshot, metrics, &config, &export_statistics).await?;
508
509 let upstream_info = {
510 // As part of retrieving the schema info, RLS policies are checked to ensure the
511 // snapshot can successfully read the tables. RLS policy errors are treated as
512 // transient, as the customer can simply add the BYPASSRLS to the PG account
513 // used by MZ.
514 match retrieve_schema_info(
515 &connection_config,
516 &config.config.connection_context,
517 &connection.publication,
518 &table_oids)
519 .await
520 {
521 // If the replication stream cannot be obtained in a definite way there is
522 // nothing else to do. These errors are not retractable.
523 Err(PostgresError::PublicationMissing(publication)) => {
524 let err = DefiniteError::PublicationDropped(publication);
525 for (oid, outputs) in tables_to_snapshot.iter() {
526 // Produce a definite error here and then exit to ensure
527 // a missing publication doesn't generate a transient
528 // error and restart this dataflow indefinitely.
529 //
530 // We pick `u64::MAX` as the LSN which will (in
531 // practice) never conflict any previously revealed
532 // portions of the TVC.
533 for output_index in outputs.keys() {
534 let update = (
535 (*oid, *output_index, Err(err.clone().into())),
536 MzOffset::from(u64::MAX),
537 Diff::ONE,
538 );
539 raw_handle.give_fueled(&data_cap_set[0], update).await;
540 }
541 }
542
543 definite_error_handle.give(
544 &definite_error_cap_set[0],
545 ReplicationError::Definite(Rc::new(err)),
546 );
547 return Ok(());
548 },
549 Err(e) => Err(TransientError::from(e))?,
550 Ok(i) => i,
551 }
552 };
553
554 let snapshot_info = SnapshotInfo {
555 snapshot_id,
556 snapshot_lsn,
557 upstream_info,
558 table_block_counts,
559 };
560 trace!(
561 %id,
562 "timely-{worker_id} exporting snapshot info {snapshot_info:?}");
563 snapshot_handle.give(&snapshot_cap_set[0], snapshot_info);
564
565 client
566 }
567 None => {
568 // Only the snapshot leader needs a replication connection.
569 let task_name = format!("timely-{worker_id} PG snapshotter");
570 connection_config
571 .connect(
572 &task_name,
573 &config.config.connection_context.ssh_tunnel_manager,
574 )
575 .await?
576 }
577 };
578
579 // Configure statement_timeout based on param. We want to be able to
580 // override the server value here in case it's set too low,
581 // respective to the size of the data we need to copy.
582 set_statement_timeout(
583 &client,
584 config
585 .config
586 .parameters
587 .pg_source_snapshot_statement_timeout,
588 )
589 .await?;
590
591 let snapshot_info = loop {
592 match snapshot_input.next().await {
593 Some(AsyncEvent::Data(_, mut data)) => {
594 break data.pop().expect("snapshot sent above")
595 }
596 Some(AsyncEvent::Progress(_)) => continue,
597 None => panic!(
598 "feedback closed \
599 before sending snapshot info"
600 ),
601 }
602 };
603 let SnapshotInfo {
604 snapshot_id,
605 snapshot_lsn,
606 table_block_counts,
607 upstream_info,
608 } = snapshot_info;
609
610 // Snapshot leader is already in identified transaction but all other workers need to enter it.
611 if !is_snapshot_leader {
612 trace!(%id, "timely-{worker_id} using snapshot id {snapshot_id:?}");
613 use_snapshot(&client, &snapshot_id).await?;
614 }
615
616 for (&oid, outputs) in tables_to_snapshot.iter() {
617 for (&output_index, info) in outputs.iter() {
618 if let Err(err) = verify_schema(oid, info, &upstream_info) {
619 raw_handle
620 .give_fueled(
621 &data_cap_set[0],
622 (
623 (oid, output_index, Err(err.into())),
624 MzOffset::minimum(),
625 Diff::ONE,
626 ),
627 )
628 .await;
629 continue;
630 }
631
632 // Get estimated block count from the broadcasted table statistics
633 let block_count = table_block_counts.get(&oid).copied().unwrap_or(0);
634
635 // Calculate this worker's ctid range based on estimated blocks.
636 // When estimated_blocks is 0 (PG < 14 or empty table), fall back to
637 // single-worker mode using responsible_for to pick the worker.
638 let Some(ctid_range) = worker_ctid_range(&config, block_count, oid) else {
639 // This worker has no work for this table (more workers than blocks)
640 trace!(
641 %id,
642 "timely-{worker_id} no ctid range assigned for table {:?}({oid})",
643 info.desc.name
644 );
645 continue;
646 };
647
648 trace!(
649 %id,
650 "timely-{worker_id} snapshotting table {:?}({oid}) output {output_index} \
651 @ {snapshot_lsn} with ctid range {:?}",
652 info.desc.name,
653 ctid_range
654 );
655
656 // To handle quoted/keyword names, we can use `Ident`'s AST printing, which
657 // emulate's PG's rules for name formatting.
658 let namespace = Ident::new_unchecked(&info.desc.namespace).to_ast_string_stable();
659 let table = Ident::new_unchecked(&info.desc.name).to_ast_string_stable();
660 let column_list = info
661 .desc
662 .columns
663 .iter()
664 .map(|c| Ident::new_unchecked(&c.name).to_ast_string_stable())
665 .join(",");
666
667
668 let ctid_filter = match ctid_range.end_block {
669 Some(end) => format!(
670 "WHERE ctid >= '({},0)'::tid AND ctid < '({},0)'::tid",
671 ctid_range.start_block, end
672 ),
673 None => format!("WHERE ctid >= '({},0)'::tid", ctid_range.start_block),
674 };
675 let query = format!(
676 "COPY (SELECT {column_list} FROM {namespace}.{table} {ctid_filter}) \
677 TO STDOUT (FORMAT TEXT, DELIMITER '\t')"
678 );
679 let mut stream = pin!(client.copy_out_simple(&query).await?);
680
681 let mut snapshot_staged = 0;
682 let mut update = ((oid, output_index, Ok(vec![])), MzOffset::minimum(), Diff::ONE);
683 while let Some(bytes) = stream.try_next().await? {
684 let data = update.0 .2.as_mut().unwrap();
685 data.clear();
686 data.extend_from_slice(&bytes);
687 raw_handle.give_fueled(&data_cap_set[0], &update).await;
688 snapshot_staged += 1;
689 if snapshot_staged % 1000 == 0 {
690 export_statistics[&(oid, output_index)].set_snapshot_records_staged(snapshot_staged);
691 }
692 }
693 // final update for snapshot_staged, using the staged values as the total is an estimate
694 export_statistics[&(oid, output_index)].set_snapshot_records_staged(snapshot_staged);
695 }
696 }
697
698 // We are done with the snapshot so now we will emit rewind requests. It is important
699 // that this happens after the snapshot has finished because this is what unblocks the
700 // replication operator and we want this to happen serially. It might seem like a good
701 // idea to read the replication stream concurrently with the snapshot but it actually
702 // leads to a lot of data being staged for the future, which needlessly consumed memory
703 // in the cluster.
704 //
705 // Since all workers now snapshot all tables (each with different ctid ranges), we only
706 // emit rewind requests from the worker responsible for each output to avoid duplicates.
707 for (&oid, output) in tables_to_snapshot.iter() {
708 for (output_index, info) in output {
709 // Only emit rewind request from one worker per output
710 if !config.responsible_for((oid, *output_index)) {
711 continue;
712 }
713 trace!(%id, "timely-{worker_id} producing rewind request for table {} output {output_index}", info.desc.name);
714 let req = RewindRequest { output_index: *output_index, snapshot_lsn };
715 rewinds_handle.give(&rewind_cap_set[0], req);
716 }
717 }
718 *rewind_cap_set = CapabilitySet::new();
719
720 // Failure scenario after we have produced the snapshot, but before a successful COMMIT
721 fail::fail_point!("pg_snapshot_failure", |_| Err(
722 TransientError::SyntheticError
723 ));
724
725 // The exporting worker should wait for all the other workers to commit before dropping
726 // its client since this is what holds the exported transaction alive.
727 if is_snapshot_leader {
728 trace!(%id, "timely-{worker_id} waiting for all workers to finish");
729 *snapshot_cap_set = CapabilitySet::new();
730 while snapshot_input.next().await.is_some() {}
731 trace!(%id, "timely-{worker_id} (leader) comitting COPY transaction");
732 client.simple_query("COMMIT").await?;
733 } else {
734 trace!(%id, "timely-{worker_id} comitting COPY transaction");
735 client.simple_query("COMMIT").await?;
736 *snapshot_cap_set = CapabilitySet::new();
737 }
738 drop(client);
739 Ok(())
740 }))
741 });
742
743 // We now decode the COPY protocol and apply the cast expressions
744 let mut text_row = Row::default();
745 let mut final_row = Row::default();
746 let mut datum_vec = DatumVec::new();
747 let snapshot_updates = raw_data
748 .unary(Pipeline, "PgCastSnapshotRows", |_, _| {
749 move |input, output| {
750 input.for_each_time(|time, data| {
751 let mut session = output.session(&time);
752 for ((oid, output_index, event), time, diff) in
753 data.flat_map(|data| data.drain())
754 {
755 let output = &table_info
756 .get(oid)
757 .and_then(|outputs| outputs.get(output_index))
758 .expect("table_info contains all outputs");
759
760 let event = event
761 .as_ref()
762 .map_err(|e: &DataflowError| e.clone())
763 .and_then(|bytes| {
764 decode_copy_row(bytes, output.casts.len(), &mut text_row)?;
765 let datums = datum_vec.borrow_with(&text_row);
766 super::cast_row(&output.casts, &datums, &mut final_row)?;
767 Ok(SourceMessage {
768 key: Row::default(),
769 value: final_row.clone(),
770 metadata: Row::default(),
771 })
772 });
773
774 session.give(((*output_index, event), *time, *diff));
775 }
776 });
777 }
778 })
779 .as_collection();
780
781 let errors = definite_errors.concat(&transient_errors.map(ReplicationError::from));
782
783 (
784 snapshot_updates,
785 rewinds,
786 slot_ready,
787 errors,
788 button.press_on_drop(),
789 )
790}
791
792/// Starts a read-only transaction on the SQL session of `client` at a consistent LSN point by
793/// creating a replication slot. Returns a snapshot identifier that can be imported in
794/// other SQL session and the LSN of the consistent point.
795async fn export_snapshot(
796 client: &Client,
797 slot: &str,
798 temporary: bool,
799) -> Result<(String, MzOffset), TransientError> {
800 match export_snapshot_inner(client, slot, temporary).await {
801 Ok(ok) => Ok(ok),
802 Err(err) => {
803 // We don't want to leave the client inside a failed tx
804 client.simple_query("ROLLBACK;").await?;
805 Err(err)
806 }
807 }
808}
809
810async fn export_snapshot_inner(
811 client: &Client,
812 slot: &str,
813 temporary: bool,
814) -> Result<(String, MzOffset), TransientError> {
815 client
816 .simple_query("BEGIN READ ONLY ISOLATION LEVEL REPEATABLE READ;")
817 .await?;
818
819 // Note: Using unchecked here is okay because we're using it in a SQL query.
820 let slot = Ident::new_unchecked(slot).to_ast_string_simple();
821 let temporary_str = if temporary { " TEMPORARY" } else { "" };
822 let query =
823 format!("CREATE_REPLICATION_SLOT {slot}{temporary_str} LOGICAL \"pgoutput\" USE_SNAPSHOT");
824 let row = match simple_query_opt(client, &query).await {
825 Ok(row) => Ok(row.unwrap()),
826 Err(PostgresError::Postgres(err)) if err.code() == Some(&SqlState::DUPLICATE_OBJECT) => {
827 return Err(TransientError::ReplicationSlotAlreadyExists);
828 }
829 Err(err) => Err(err),
830 }?;
831
832 // When creating a replication slot postgres returns the LSN of its consistent point, which is
833 // the LSN that must be passed to `START_REPLICATION` to cleanly transition from the snapshot
834 // phase to the replication phase. `START_REPLICATION` includes all transactions that commit at
835 // LSNs *greater than or equal* to the passed LSN. Therefore the snapshot phase must happen at
836 // the greatest LSN that is not beyond the consistent point. That LSN is `consistent_point - 1`
837 let consistent_point: PgLsn = row.get("consistent_point").unwrap().parse().unwrap();
838 let consistent_point = u64::from(consistent_point)
839 .checked_sub(1)
840 .expect("consistent point is always non-zero");
841
842 let row = simple_query_opt(client, "SELECT pg_export_snapshot();")
843 .await?
844 .unwrap();
845 let snapshot = row.get("pg_export_snapshot").unwrap().to_owned();
846
847 Ok((snapshot, MzOffset::from(consistent_point)))
848}
849
850/// Starts a read-only transaction on the SQL session of `client` at a the consistent LSN point of
851/// `snapshot`.
852async fn use_snapshot(client: &Client, snapshot: &str) -> Result<(), TransientError> {
853 client
854 .simple_query("BEGIN READ ONLY ISOLATION LEVEL REPEATABLE READ;")
855 .await?;
856 let query = format!("SET TRANSACTION SNAPSHOT '{snapshot}';");
857 client.simple_query(&query).await?;
858 Ok(())
859}
860
861async fn set_statement_timeout(client: &Client, timeout: Duration) -> Result<(), TransientError> {
862 // Value is known to accept milliseconds w/o units.
863 // https://www.postgresql.org/docs/current/runtime-config-client.html
864 client
865 .simple_query(&format!("SET statement_timeout = {}", timeout.as_millis()))
866 .await?;
867 Ok(())
868}
869
870/// Decodes a row of `col_len` columns obtained from a text encoded COPY query into `row`.
871fn decode_copy_row(data: &[u8], col_len: usize, row: &mut Row) -> Result<(), DefiniteError> {
872 let mut packer = row.packer();
873 let row_parser = mz_pgcopy::CopyTextFormatParser::new(data, b'\t', "\\N");
874 let mut column_iter = row_parser.iter_raw_truncating(col_len);
875 for _ in 0..col_len {
876 let value = match column_iter.next() {
877 Some(Ok(value)) => value,
878 Some(Err(_)) => return Err(DefiniteError::InvalidCopyInput),
879 None => return Err(DefiniteError::MissingColumn),
880 };
881 let datum = value.map(super::decode_utf8_text).transpose()?;
882 packer.push(datum.unwrap_or(Datum::Null));
883 }
884 Ok(())
885}
886
887/// Record the sizes of the tables being snapshotted in `PgSnapshotMetrics` and emit snapshot statistics for each export.
888async fn report_snapshot_size(
889 client: &Client,
890 tables_to_snapshot: &BTreeMap<u32, BTreeMap<usize, SourceOutputInfo>>,
891 metrics: PgSnapshotMetrics,
892 config: &RawSourceCreationConfig,
893 export_statistics: &BTreeMap<(u32, usize), SourceStatistics>,
894) -> Result<(), anyhow::Error> {
895 // TODO(guswynn): delete unused configs
896 let snapshot_config = config.config.parameters.pg_snapshot_config;
897
898 for (&oid, outputs) in tables_to_snapshot {
899 // Use the first output's desc to make the table name since it is the same for all outputs
900 let Some((_, info)) = outputs.first_key_value() else {
901 continue;
902 };
903 let table = format!(
904 "{}.{}",
905 Ident::new_unchecked(info.desc.namespace.clone()).to_ast_string_simple(),
906 Ident::new_unchecked(info.desc.name.clone()).to_ast_string_simple()
907 );
908 let stats =
909 collect_table_statistics(client, snapshot_config, &table, info.desc.oid).await?;
910 metrics.record_table_count_latency(table, stats.count_latency);
911 for &output_index in outputs.keys() {
912 export_statistics[&(oid, output_index)].set_snapshot_records_known(stats.count);
913 export_statistics[&(oid, output_index)].set_snapshot_records_staged(0);
914 }
915 }
916 Ok(())
917}
918
919#[derive(Default)]
920struct TableStatistics {
921 count: u64,
922 count_latency: f64,
923}
924
925async fn collect_table_statistics(
926 client: &Client,
927 config: PgSourceSnapshotConfig,
928 table: &str,
929 oid: u32,
930) -> Result<TableStatistics, anyhow::Error> {
931 use mz_ore::metrics::MetricsFutureExt;
932 let mut stats = TableStatistics::default();
933
934 let estimate_row = simple_query_opt(
935 client,
936 &format!("SELECT reltuples::bigint AS estimate_count FROM pg_class WHERE oid = '{oid}'"),
937 )
938 .wall_time()
939 .set_at(&mut stats.count_latency)
940 .await?;
941 stats.count = match estimate_row {
942 Some(row) => row.get("estimate_count").unwrap().parse().unwrap_or(0),
943 None => bail!("failed to get estimate count for {table}"),
944 };
945
946 // If the estimate is low enough we can attempt to get an exact count. Note that not yet
947 // vacuumed tables will report zero rows here and there is a possibility that they are very
948 // large. We accept this risk and we offer the feature flag as an escape hatch if it becomes
949 // problematic.
950 if config.collect_strict_count && stats.count < 1_000_000 {
951 let count_row = simple_query_opt(client, &format!("SELECT count(*) as count from {table}"))
952 .wall_time()
953 .set_at(&mut stats.count_latency)
954 .await?;
955 stats.count = match count_row {
956 Some(row) => row.get("count").unwrap().parse().unwrap(),
957 None => bail!("failed to get count for {table}"),
958 }
959 }
960
961 Ok(stats)
962}
963
964/// Validates that there are no blocking RLS polcicies on the tables and retrieves table schemas
965/// for the given publication.
966async fn retrieve_schema_info(
967 connection_config: &Config,
968 connection_context: &ConnectionContext,
969 publication: &str,
970 table_oids: &[Oid],
971) -> Result<BTreeMap<u32, PostgresTableDesc>, PostgresError> {
972 let schema_client = connection_config
973 .connect(
974 "snapshot schema info",
975 &connection_context.ssh_tunnel_manager,
976 )
977 .await?;
978 mz_postgres_util::validate_no_rls_policies(&schema_client, table_oids).await?;
979 mz_postgres_util::publication_info(&schema_client, publication, Some(table_oids)).await
980}