mz_storage/source/postgres/snapshot.rs
1// Copyright Materialize, Inc. and contributors. All rights reserved.
2//
3// Use of this software is governed by the Business Source License
4// included in the LICENSE file.
5//
6// As of the Change Date specified in that file, in accordance with
7// the Business Source License, use of this software will be governed
8// by the Apache License, Version 2.0.
9
10//! Renders the table snapshot side of the [`PostgresSourceConnection`] ingestion dataflow.
11//!
12//! # Snapshot reading
13//!
14//! Depending on the resumption LSNs the table reader decides which tables need to be snapshotted.
15//! Each table is partitioned across all workers using PostgreSQL's `ctid` (tuple identifier)
16//! column, which identifies the physical location of each row. This allows parallel snapshotting
17//! of large tables across all available workers.
18//!
19//! There are a few subtle points about this operation, described in the following sections.
20//!
21//! ## Consistent LSN point for snapshot transactions
22//!
23//! Given that all our ingestion is based on correctly timestamping updates with the LSN they
24//! happened at it is important that we run the `COPY` query at a specific LSN point that is
25//! relatable with the LSN numbers we receive from the replication stream. Such point does not
26//! necessarily exist for a normal SQL transaction. To achieve this we must force postgres to
27//! produce a consistent point and let us know of the LSN number of that by creating a replication
28//! slot as the first statement in a transaction.
29//!
30//! This is a temporary dummy slot that is only used to put our snapshot transaction on a
31//! consistent LSN point. Unfortunately no lighterweight method exists for doing this. See this
32//! [postgres thread] for more details.
33//!
34//! One might wonder why we don't use the actual real slot to provide us with the snapshot point
35//! which would automatically be at the correct LSN. The answer is that it's possible that we crash
36//! and restart after having already created the slot but before having finished the snapshot. In
37//! that case the restarting process will have lost its opportunity to run queries at the slot's
38//! consistent point as that opportunity only exists in the ephemeral transaction that created the
39//! slot and that is long gone. Additionally there are good reasons of why we'd like to move the
40//! slot creation much earlier, e.g during purification, in which case the slot will always be
41//! pre-created.
42//!
43//! [postgres thread]: https://www.postgresql.org/message-id/flat/CAMN0T-vzzNy6TV1Jvh4xzNQdAvCLBQK_kh6_U7kAXgGU3ZFg-Q%40mail.gmail.com
44//!
45//! ## Reusing the consistent point among all workers
46//!
47//! Creating replication slots is potentially expensive so the code makes is such that all workers
48//! cooperate and reuse one consistent snapshot among them. In order to do so we make use the
49//! "export transaction" feature of postgres. This feature allows one SQL session to create an
50//! identifier for the transaction (a string identifier) it is currently in, which can be used by
51//! other sessions to enter the same "snapshot".
52//!
53//! We accomplish this by picking one worker at random to function as the transaction leader. The
54//! transaction leader is responsible for starting a SQL session, creating a temporary replication
55//! slot in a transaction, exporting the transaction id, and broadcasting the transaction
56//! information to all other workers via a broadcasted feedback edge.
57//!
58//! During this phase the follower workers are simply waiting to hear on the feedback edge,
59//! effectively synchronizing with the leader. Once all workers have received the snapshot
60//! information they can all start to perform their assigned COPY queries.
61//!
62//! The leader and follower steps described above are accomplished by the [`export_snapshot`] and
63//! [`use_snapshot`] functions respectively.
64//!
65//! ## Coordinated transaction COMMIT
66//!
67//! When follower workers are done with snapshotting they commit their transaction, close their
68//! session, and then drop their snapshot feedback capability. When the leader worker is done with
69//! snapshotting it drops its snapshot feedback capability and waits until it observes the
70//! snapshot input advancing to the empty frontier. This allows the leader to COMMIT its
71//! transaction last, which is the transaction that exported the snapshot.
72//!
73//! It's unclear if this is strictly necessary, but having the frontiers made it easy enough that I
74//! added the synchronization.
75//!
76//! ## Snapshot rewinding
77//!
78//! Ingestion dataflows must produce definite data, including the snapshot. What this means
79//! practically is that whenever we deem it necessary to snapshot a table we must do so at the same
80//! LSN. However, the method for running a transaction described above doesn't let us choose the
81//! LSN, it could be an LSN in the future chosen by PostgresSQL while it creates the temporary
82//! replication slot.
83//!
84//! The definition of differential collections states that a collection at some time `t_snapshot`
85//! is defined to be the accumulation of all updates that happen at `t <= t_snapshot`, where `<=`
86//! is the partial order. In this case we are faced with the problem of knowing the state of a
87//! table at `t_snapshot` but actually wanting to know the snapshot at `t_slot <= t_snapshot`.
88//!
89//! From the definition we can see that the snapshot at `t_slot` is related to the snapshot at
90//! `t_snapshot` with the following equations:
91//!
92//!```text
93//! sum(update: t <= t_snapshot) = sum(update: t <= t_slot) + sum(update: t_slot <= t <= t_snapshot)
94//! |
95//! V
96//! sum(update: t <= t_slot) = sum(update: t <= snapshot) - sum(update: t_slot <= t <= t_snapshot)
97//! ```
98//!
99//! Therefore, if we manage to recover the `sum(update: t_slot <= t <= t_snapshot)` term we will be
100//! able to "rewind" the snapshot we obtained at `t_snapshot` to `t_slot` by emitting all updates
101//! that happen between these two points with their diffs negated.
102//!
103//! It turns out that this term is exactly what the main replication slot provides us with and we
104//! can rewind snapshot at arbitrary points! In order to do this the snapshot dataflow emits rewind
105//! requests to the replication reader which informs it that a certain range of updates must be
106//! emitted at LSN 0 (by convention) with their diffs negated. These negated diffs are consolidated
107//! with the diffs taken at `t_snapshot` that were also emitted at LSN 0 (by convention) and we end
108//! up with a TVC that at LSN 0 contains the snapshot at `t_slot`.
109//!
110//! # Parallel table snapshotting with ctid ranges
111//!
112//! Each table is partitioned across workers using PostgreSQL's `ctid` column. The `ctid` is a
113//! tuple identifier of the form `(block_number, tuple_index)` that represents the physical
114//! location of a row on disk. By partitioning the ctid range, each worker can independently
115//! fetch a portion of the table.
116//!
117//! The partitioning works as follows:
118//! 1. The snapshot leader queries `pg_class.relpages` to estimate the number of blocks for each
119//! table. This is much faster than querying `max(ctid)` which would require a sequential scan.
120//! 2. The leader broadcasts the block count estimates along with the snapshot transaction ID
121//! to all workers, ensuring all workers use consistent estimates for partitioning.
122//! 3. Each worker calculates its assigned block range and fetches rows using a `COPY` query
123//! with a `SELECT` that filters by `ctid >= start AND ctid < end`.
124//! 4. The last worker uses an open-ended range (`ctid >= start`) to capture any rows beyond
125//! the estimated block count (handles cases where statistics are stale or table has grown).
126//!
127//! This approach efficiently parallelizes large table snapshots while maintaining the benefits
128//! of the `COPY` protocol for bulk data transfer.
129//!
130//! ## PostgreSQL version requirements
131//!
132//! Ctid range scans are only efficient on PostgreSQL >= 14 due to TID range scan optimizations
133//! introduced in that version. For older PostgreSQL versions, the snapshot falls back to the
134//! single-worker-per-table mode where each table is assigned to one worker based on consistent
135//! hashing. This is implemented by having the leader broadcast all-zero block counts when
136//! PostgreSQL version < 14.
137//!
138//! # Snapshot decoding
139//!
140//! Each worker fetches its ctid range directly and decodes the COPY stream locally.
141//!
142//! ```text
143//! ╭──────────────────╮
144//! ┏━━━━━━━━━━━━v━┓ │ exported
145//! ┃ table ┃ ╭─────────╮ │ snapshot id
146//! ┃ readers ┠─>─┤broadcast├──╯
147//! ┃ (parallel) ┃ ╰─────────╯
148//! ┗━┯━━━━━━━━━━┯━┛
149//! raw│ │
150//! COPY│ │
151//! data│ │
152//! ┏━━━━┷━━━━┓ │
153//! ┃ COPY ┃ │
154//! ┃ decoder ┃ │
155//! ┗━━━━┯━━━━┛ │
156//! │ snapshot │rewind
157//! │ updates │requests
158//! v v
159//! ```
160
161use std::collections::BTreeMap;
162use std::convert::Infallible;
163use std::pin::pin;
164use std::rc::Rc;
165use std::sync::Arc;
166use std::time::Duration;
167
168use anyhow::bail;
169use differential_dataflow::AsCollection;
170use futures::{StreamExt as _, TryStreamExt};
171use itertools::Itertools;
172use mz_ore::cast::CastFrom;
173use mz_ore::future::InTask;
174use mz_postgres_util::desc::PostgresTableDesc;
175use mz_postgres_util::schemas::get_pg_major_version;
176use mz_postgres_util::{Client, Config, PostgresError, simple_query_opt};
177use mz_repr::{Datum, DatumVec, Diff, Row};
178use mz_sql_parser::ast::{Ident, display::AstDisplay};
179use mz_storage_types::connections::ConnectionContext;
180use mz_storage_types::errors::DataflowError;
181use mz_storage_types::parameters::PgSourceSnapshotConfig;
182use mz_storage_types::sources::{MzOffset, PostgresSourceConnection};
183use mz_timely_util::builder_async::{
184 Event as AsyncEvent, OperatorBuilder as AsyncOperatorBuilder, PressOnDropButton,
185};
186use timely::container::CapacityContainerBuilder;
187use timely::container::DrainContainer;
188use timely::dataflow::channels::pact::Pipeline;
189use timely::dataflow::operators::core::Map;
190use timely::dataflow::operators::{
191 Broadcast, CapabilitySet, Concat, ConnectLoop, Feedback, Operator,
192};
193use timely::dataflow::{Scope, Stream};
194use timely::progress::Timestamp;
195use tokio_postgres::error::SqlState;
196use tokio_postgres::types::{Oid, PgLsn};
197use tracing::trace;
198
199use crate::metrics::source::postgres::PgSnapshotMetrics;
200use crate::source::RawSourceCreationConfig;
201use crate::source::postgres::replication::RewindRequest;
202use crate::source::postgres::{
203 DefiniteError, ReplicationError, SourceOutputInfo, TransientError, verify_schema,
204};
205use crate::source::types::{SignaledFuture, SourceMessage, StackedCollection};
206use crate::statistics::SourceStatistics;
207
208/// Information broadcasted from the snapshot leader to all workers.
209/// This includes the transaction snapshot ID, LSN, and estimated block counts for each table.
210#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
211struct SnapshotInfo {
212 /// The exported transaction snapshot identifier.
213 snapshot_id: String,
214 /// The LSN at which the snapshot was taken.
215 snapshot_lsn: MzOffset,
216 /// Estimated number of blocks (pages) for each table, keyed by OID.
217 /// This is derived from `pg_class.relpages` and used to partition ctid ranges.
218 table_block_counts: BTreeMap<u32, u64>,
219 /// The current upstream schema of each table.
220 upstream_info: BTreeMap<u32, PostgresTableDesc>,
221}
222
223/// Represents a ctid range that a worker should snapshot.
224/// The range is [start_block, end_block) where end_block is optional (None means unbounded).
225#[derive(Debug)]
226struct CtidRange {
227 /// The starting block number (inclusive).
228 start_block: u64,
229 /// The ending block number (exclusive). None means unbounded (open-ended range).
230 end_block: Option<u64>,
231}
232
233/// Calculate the ctid range for a given worker based on estimated block count.
234///
235/// The table is partitioned by block number across all workers. Each worker gets a contiguous
236/// range of blocks. The last worker gets an open-ended range to handle any rows beyond the
237/// estimated block count.
238///
239/// When `estimated_blocks` is 0 (either because statistics are unavailable, the table appears
240/// empty, or PostgreSQL version < 14 doesn't support ctid range scans), the table is assigned
241/// to a single worker determined by `config.responsible_for(oid)` and that worker scans the
242/// full table.
243///
244/// Returns None if this worker has no work to do.
245fn worker_ctid_range(
246 config: &RawSourceCreationConfig,
247 estimated_blocks: u64,
248 oid: u32,
249) -> Option<CtidRange> {
250 // If estimated_blocks is 0, fall back to single-worker mode for this table.
251 // This handles:
252 // - PostgreSQL < 14 (ctid range scans not supported)
253 // - Tables that appear empty in statistics
254 // - Tables with stale/missing statistics
255 // The responsible worker scans the full table with an open-ended range.
256 if estimated_blocks == 0 {
257 let fallback = if config.responsible_for(oid) {
258 Some(CtidRange {
259 start_block: 0,
260 end_block: None,
261 })
262 } else {
263 None
264 };
265 return fallback;
266 }
267
268 let worker_id = u64::cast_from(config.worker_id);
269 let worker_count = u64::cast_from(config.worker_count);
270
271 // If there are more workers than blocks, only assign work to workers with id < estimated_blocks
272 // The last assigned worker still gets an open range.
273 let effective_worker_count = std::cmp::min(worker_count, estimated_blocks);
274
275 if worker_id >= effective_worker_count {
276 // This worker has no work to do
277 return None;
278 }
279
280 // Calculate start block for this worker (integer division distributes blocks evenly)
281 let start_block = worker_id * estimated_blocks / effective_worker_count;
282
283 // The last effective worker gets an open-ended range
284 let is_last_effective_worker = worker_id == effective_worker_count - 1;
285 if is_last_effective_worker {
286 Some(CtidRange {
287 start_block,
288 end_block: None,
289 })
290 } else {
291 let end_block = (worker_id + 1) * estimated_blocks / effective_worker_count;
292 Some(CtidRange {
293 start_block,
294 end_block: Some(end_block),
295 })
296 }
297}
298
299/// Estimate the number of blocks for each table from pg_class statistics.
300/// This is used to partition ctid ranges across workers.
301async fn estimate_table_block_counts(
302 client: &Client,
303 table_oids: &[u32],
304) -> Result<BTreeMap<u32, u64>, TransientError> {
305 if table_oids.is_empty() {
306 return Ok(BTreeMap::new());
307 }
308
309 // Query relpages for all tables at once
310 let oid_list = table_oids
311 .iter()
312 .map(|oid| oid.to_string())
313 .collect::<Vec<_>>()
314 .join(",");
315 let query = format!(
316 "SELECT oid, relpages FROM pg_class WHERE oid IN ({})",
317 oid_list
318 );
319
320 let mut block_counts = BTreeMap::new();
321 // Initialize all tables with 0 blocks (in case they're not in pg_class)
322 for &oid in table_oids {
323 block_counts.insert(oid, 0);
324 }
325
326 // Execute the query and collect results
327 let rows = client.simple_query(&query).await?;
328 for msg in rows {
329 if let tokio_postgres::SimpleQueryMessage::Row(row) = msg {
330 let oid: u32 = row.get("oid").unwrap().parse().unwrap();
331 let relpages: i64 = row.get("relpages").unwrap().parse().unwrap_or(0);
332 // relpages can be -1 if never analyzed, treat as 0
333 let relpages = std::cmp::max(0, relpages).try_into().unwrap();
334 block_counts.insert(oid, relpages);
335 }
336 }
337
338 Ok(block_counts)
339}
340
341/// Renders the snapshot dataflow. See the module documentation for more information.
342pub(crate) fn render<G: Scope<Timestamp = MzOffset>>(
343 mut scope: G,
344 config: RawSourceCreationConfig,
345 connection: PostgresSourceConnection,
346 table_info: BTreeMap<u32, BTreeMap<usize, SourceOutputInfo>>,
347 metrics: PgSnapshotMetrics,
348) -> (
349 StackedCollection<G, (usize, Result<SourceMessage, DataflowError>)>,
350 Stream<G, RewindRequest>,
351 Stream<G, Infallible>,
352 Stream<G, ReplicationError>,
353 PressOnDropButton,
354) {
355 let op_name = format!("TableReader({})", config.id);
356 let mut builder = AsyncOperatorBuilder::new(op_name, scope.clone());
357
358 let (feedback_handle, feedback_data) = scope.feedback(Default::default());
359
360 let (raw_handle, raw_data) = builder.new_output();
361 let (rewinds_handle, rewinds) = builder.new_output::<CapacityContainerBuilder<_>>();
362 // This output is used to signal to the replication operator that the replication slot has been
363 // created. With the current state of execution serialization there isn't a lot of benefit
364 // of splitting the snapshot and replication phases into two operators.
365 // TODO(petrosagg): merge the two operators in one (while still maintaining separation as
366 // functions/modules)
367 let (_, slot_ready) = builder.new_output::<CapacityContainerBuilder<_>>();
368 let (snapshot_handle, snapshot) = builder.new_output::<CapacityContainerBuilder<_>>();
369 let (definite_error_handle, definite_errors) =
370 builder.new_output::<CapacityContainerBuilder<_>>();
371
372 // This operator needs to broadcast data to itself in order to synchronize the transaction
373 // snapshot. However, none of the feedback capabilities result in output messages and for the
374 // feedback edge specifically having a default conncetion would result in a loop.
375 let mut snapshot_input = builder.new_disconnected_input(&feedback_data, Pipeline);
376
377 // The export id must be sent to all workers, so we broadcast the feedback connection
378 snapshot.broadcast().connect_loop(feedback_handle);
379
380 let is_snapshot_leader = config.responsible_for("snapshot_leader");
381
382 // A global view of all outputs that will be snapshot by all workers.
383 let mut all_outputs = vec![];
384 // Table info for tables that need snapshotting. All workers will snapshot all tables,
385 // but each worker will handle a different ctid range within each table.
386 let mut tables_to_snapshot = BTreeMap::new();
387 // A collection of `SourceStatistics` to update for a given Oid. Same info exists in table_info,
388 // but this avoids having to iterate + map each time the statistics are needed.
389 let mut export_statistics = BTreeMap::new();
390 for (table, outputs) in table_info.iter() {
391 for (&output_index, output) in outputs {
392 if *output.resume_upper != [MzOffset::minimum()] {
393 // Already has been snapshotted.
394 continue;
395 }
396 all_outputs.push(output_index);
397 tables_to_snapshot
398 .entry(*table)
399 .or_insert_with(BTreeMap::new)
400 .insert(output_index, output.clone());
401 let statistics = config
402 .statistics
403 .get(&output.export_id)
404 .expect("statistics are initialized")
405 .clone();
406 export_statistics.insert((*table, output_index), statistics);
407 }
408 }
409
410 let (button, transient_errors) = builder.build_fallible(move |caps| {
411 let busy_signal = Arc::clone(&config.busy_signal);
412 Box::pin(SignaledFuture::new(busy_signal, async move {
413 let id = config.id;
414 let worker_id = config.worker_id;
415 let [
416 data_cap_set,
417 rewind_cap_set,
418 slot_ready_cap_set,
419 snapshot_cap_set,
420 definite_error_cap_set,
421 ]: &mut [_; 5] = caps.try_into().unwrap();
422
423 trace!(
424 %id,
425 "timely-{worker_id} initializing table reader \
426 with {} tables to snapshot",
427 tables_to_snapshot.len()
428 );
429
430 let connection_config = connection
431 .connection
432 .config(
433 &config.config.connection_context.secrets_reader,
434 &config.config,
435 InTask::Yes,
436 )
437 .await?;
438
439
440 // The snapshot operator is responsible for creating the replication slot(s).
441 // This first slot is the permanent slot that will be used for reading the replication
442 // stream. A temporary slot is created further on to capture table snapshots.
443 let replication_client = if is_snapshot_leader {
444 let client = connection_config
445 .connect_replication(&config.config.connection_context.ssh_tunnel_manager)
446 .await?;
447 let main_slot = &connection.publication_details.slot;
448
449 tracing::info!(%id, "ensuring replication slot {main_slot} exists");
450 super::ensure_replication_slot(&client, main_slot).await?;
451 Some(client)
452 } else {
453 None
454 };
455 *slot_ready_cap_set = CapabilitySet::new();
456
457 // Nothing needs to be snapshot.
458 if all_outputs.is_empty() {
459 trace!(%id, "no exports to snapshot");
460 // Note we do not emit a `ProgressStatisticsUpdate::Snapshot` update here,
461 // as we do not want to attempt to override the current value with 0. We
462 // just leave it null.
463 return Ok(());
464 }
465
466 // A worker *must* emit a count even if not responsible for snapshotting a table
467 // as statistic summarization will return null if any worker hasn't set a value.
468 // This will also reset snapshot stats for any exports not snapshotting.
469 // If no workers need to snapshot, then avoid emitting these as they will clear
470 // previous stats.
471 for statistics in config.statistics.values() {
472 statistics.set_snapshot_records_known(0);
473 statistics.set_snapshot_records_staged(0);
474 }
475
476 // Collect table OIDs for block count estimation
477 let table_oids: Vec<u32> = tables_to_snapshot.keys().copied().collect();
478
479 // replication client is only set if this worker is the snapshot leader
480 let client = match replication_client {
481 Some(client) => {
482 let tmp_slot = format!("mzsnapshot_{}", uuid::Uuid::new_v4()).replace('-', "");
483 let (snapshot_id, snapshot_lsn) =
484 export_snapshot(&client, &tmp_slot, true).await?;
485
486 // Check PostgreSQL version. Ctid range scans are only efficient on PG >= 14
487 // due to improvements in TID range scan support.
488 let pg_version = get_pg_major_version(&client).await?;
489
490 // Estimate block counts for all tables from pg_class statistics.
491 // This must be done by the leader and broadcasted to ensure all workers
492 // use the same estimates for ctid range partitioning.
493 //
494 // For PostgreSQL < 14, we set all block counts to 0 to fall back to
495 // single-worker-per-table mode, as ctid range scans are not well supported.
496 let table_block_counts = if pg_version >= 14 {
497 estimate_table_block_counts(&client, &table_oids).await?
498 } else {
499 trace!(
500 %id,
501 "timely-{worker_id} PostgreSQL version {pg_version} < 14, \
502 falling back to single-worker-per-table snapshot mode"
503 );
504 // Return all zeros to trigger fallback mode
505 table_oids.iter().map(|&oid| (oid, 0u64)).collect()
506 };
507
508 report_snapshot_size(
509 &client,
510 &tables_to_snapshot,
511 metrics,
512 &config,
513 &export_statistics,
514 )
515 .await?;
516
517 let upstream_info = {
518 // As part of retrieving the schema info, RLS policies are checked to ensure the
519 // snapshot can successfully read the tables. RLS policy errors are treated as
520 // transient, as the customer can simply add the BYPASSRLS to the PG account
521 // used by MZ.
522 match retrieve_schema_info(
523 &connection_config,
524 &config.config.connection_context,
525 &connection.publication,
526 &table_oids)
527 .await
528 {
529 // If the replication stream cannot be obtained in a definite way there is
530 // nothing else to do. These errors are not retractable.
531 Err(PostgresError::PublicationMissing(publication)) => {
532 let err = DefiniteError::PublicationDropped(publication);
533 for (oid, outputs) in tables_to_snapshot.iter() {
534 // Produce a definite error here and then exit to ensure
535 // a missing publication doesn't generate a transient
536 // error and restart this dataflow indefinitely.
537 //
538 // We pick `u64::MAX` as the LSN which will (in
539 // practice) never conflict any previously revealed
540 // portions of the TVC.
541 for output_index in outputs.keys() {
542 let update = (
543 (*oid, *output_index, Err(err.clone().into())),
544 MzOffset::from(u64::MAX),
545 Diff::ONE,
546 );
547 raw_handle.give_fueled(&data_cap_set[0], update).await;
548 }
549 }
550
551 definite_error_handle.give(
552 &definite_error_cap_set[0],
553 ReplicationError::Definite(Rc::new(err)),
554 );
555 return Ok(());
556 },
557 Err(e) => Err(TransientError::from(e))?,
558 Ok(i) => i,
559 }
560 };
561
562 let snapshot_info = SnapshotInfo {
563 snapshot_id,
564 snapshot_lsn,
565 upstream_info,
566 table_block_counts,
567 };
568 trace!(
569 %id,
570 "timely-{worker_id} exporting snapshot info {snapshot_info:?}");
571 snapshot_handle.give(&snapshot_cap_set[0], snapshot_info);
572
573 client
574 }
575 None => {
576 // Only the snapshot leader needs a replication connection.
577 let task_name = format!("timely-{worker_id} PG snapshotter");
578 connection_config
579 .connect(
580 &task_name,
581 &config.config.connection_context.ssh_tunnel_manager,
582 )
583 .await?
584 }
585 };
586
587 // Configure statement_timeout based on param. We want to be able to
588 // override the server value here in case it's set too low,
589 // respective to the size of the data we need to copy.
590 set_statement_timeout(
591 &client,
592 config
593 .config
594 .parameters
595 .pg_source_snapshot_statement_timeout,
596 )
597 .await?;
598
599 let snapshot_info = loop {
600 match snapshot_input.next().await {
601 Some(AsyncEvent::Data(_, mut data)) => {
602 break data.pop().expect("snapshot sent above")
603 }
604 Some(AsyncEvent::Progress(_)) => continue,
605 None => panic!(
606 "feedback closed \
607 before sending snapshot info"
608 ),
609 }
610 };
611 let SnapshotInfo {
612 snapshot_id,
613 snapshot_lsn,
614 table_block_counts,
615 upstream_info,
616 } = snapshot_info;
617
618 // Snapshot leader is already in identified transaction but all other workers need to enter it.
619 if !is_snapshot_leader {
620 trace!(%id, "timely-{worker_id} using snapshot id {snapshot_id:?}");
621 use_snapshot(&client, &snapshot_id).await?;
622 }
623
624 for (&oid, outputs) in tables_to_snapshot.iter() {
625 for (&output_index, info) in outputs.iter() {
626 if let Err(err) = verify_schema(oid, info, &upstream_info) {
627 raw_handle
628 .give_fueled(
629 &data_cap_set[0],
630 (
631 (oid, output_index, Err(err.into())),
632 MzOffset::minimum(),
633 Diff::ONE,
634 ),
635 )
636 .await;
637 continue;
638 }
639
640 // Get estimated block count from the broadcasted table statistics
641 let block_count = table_block_counts.get(&oid).copied().unwrap_or(0);
642
643 // Calculate this worker's ctid range based on estimated blocks.
644 // When estimated_blocks is 0 (PG < 14 or empty table), fall back to
645 // single-worker mode using responsible_for to pick the worker.
646 let Some(ctid_range) = worker_ctid_range(&config, block_count, oid) else {
647 // This worker has no work for this table (more workers than blocks)
648 trace!(
649 %id,
650 "timely-{worker_id} no ctid range assigned for table {:?}({oid})",
651 info.desc.name
652 );
653 continue;
654 };
655
656 trace!(
657 %id,
658 "timely-{worker_id} snapshotting table {:?}({oid}) output {output_index} \
659 @ {snapshot_lsn} with ctid range {:?}",
660 info.desc.name,
661 ctid_range
662 );
663
664 // To handle quoted/keyword names, we can use `Ident`'s AST printing, which
665 // emulate's PG's rules for name formatting.
666 let namespace = Ident::new_unchecked(&info.desc.namespace)
667 .to_ast_string_stable();
668 let table = Ident::new_unchecked(&info.desc.name)
669 .to_ast_string_stable();
670 let column_list = info
671 .desc
672 .columns
673 .iter()
674 .map(|c| Ident::new_unchecked(&c.name).to_ast_string_stable())
675 .join(",");
676
677
678 let ctid_filter = match ctid_range.end_block {
679 Some(end) => format!(
680 "WHERE ctid >= '({},0)'::tid AND ctid < '({},0)'::tid",
681 ctid_range.start_block, end
682 ),
683 None => format!("WHERE ctid >= '({},0)'::tid", ctid_range.start_block),
684 };
685 let query = format!(
686 "COPY (SELECT {column_list} FROM {namespace}.{table} {ctid_filter}) \
687 TO STDOUT (FORMAT TEXT, DELIMITER '\t')"
688 );
689 let mut stream = pin!(client.copy_out_simple(&query).await?);
690
691 let mut snapshot_staged = 0;
692 let mut update =
693 ((oid, output_index, Ok(vec![])), MzOffset::minimum(), Diff::ONE);
694 while let Some(bytes) = stream.try_next().await? {
695 let data = update.0 .2.as_mut().unwrap();
696 data.clear();
697 data.extend_from_slice(&bytes);
698 raw_handle.give_fueled(&data_cap_set[0], &update).await;
699 snapshot_staged += 1;
700 if snapshot_staged % 1000 == 0 {
701 let stat = &export_statistics[&(oid, output_index)];
702 stat.set_snapshot_records_staged(snapshot_staged);
703 }
704 }
705 // final update for snapshot_staged, using the staged
706 // values as the total is an estimate
707 let stat = &export_statistics[&(oid, output_index)];
708 stat.set_snapshot_records_staged(snapshot_staged);
709 }
710 }
711
712 // We are done with the snapshot so now we will emit rewind requests. It is important
713 // that this happens after the snapshot has finished because this is what unblocks the
714 // replication operator and we want this to happen serially. It might seem like a good
715 // idea to read the replication stream concurrently with the snapshot but it actually
716 // leads to a lot of data being staged for the future, which needlessly consumed memory
717 // in the cluster.
718 //
719 // Since all workers now snapshot all tables (each with different ctid ranges), we only
720 // emit rewind requests from the worker responsible for each output to avoid duplicates.
721 for (&oid, output) in tables_to_snapshot.iter() {
722 for (output_index, info) in output {
723 // Only emit rewind request from one worker per output
724 if !config.responsible_for((oid, *output_index)) {
725 continue;
726 }
727 trace!(%id, "timely-{worker_id} producing rewind request for table {} output {output_index}", info.desc.name);
728 let req = RewindRequest { output_index: *output_index, snapshot_lsn };
729 rewinds_handle.give(&rewind_cap_set[0], req);
730 }
731 }
732 *rewind_cap_set = CapabilitySet::new();
733
734 // Failure scenario after we have produced the snapshot, but before a successful COMMIT
735 fail::fail_point!("pg_snapshot_failure", |_| Err(
736 TransientError::SyntheticError
737 ));
738
739 // The exporting worker should wait for all the other workers to commit before dropping
740 // its client since this is what holds the exported transaction alive.
741 if is_snapshot_leader {
742 trace!(%id, "timely-{worker_id} waiting for all workers to finish");
743 *snapshot_cap_set = CapabilitySet::new();
744 while snapshot_input.next().await.is_some() {}
745 trace!(%id, "timely-{worker_id} (leader) comitting COPY transaction");
746 client.simple_query("COMMIT").await?;
747 } else {
748 trace!(%id, "timely-{worker_id} comitting COPY transaction");
749 client.simple_query("COMMIT").await?;
750 *snapshot_cap_set = CapabilitySet::new();
751 }
752 drop(client);
753 Ok(())
754 }))
755 });
756
757 // We now decode the COPY protocol and apply the cast expressions
758 let mut text_row = Row::default();
759 let mut final_row = Row::default();
760 let mut datum_vec = DatumVec::new();
761 let snapshot_updates = raw_data
762 .unary(Pipeline, "PgCastSnapshotRows", |_, _| {
763 move |input, output| {
764 input.for_each_time(|time, data| {
765 let mut session = output.session(&time);
766 for ((oid, output_index, event), time, diff) in
767 data.flat_map(|data| data.drain())
768 {
769 let output = &table_info
770 .get(oid)
771 .and_then(|outputs| outputs.get(output_index))
772 .expect("table_info contains all outputs");
773
774 let event = event
775 .as_ref()
776 .map_err(|e: &DataflowError| e.clone())
777 .and_then(|bytes| {
778 decode_copy_row(bytes, output.casts.len(), &mut text_row)?;
779 let datums = datum_vec.borrow_with(&text_row);
780 super::cast_row(&output.casts, &datums, &mut final_row)?;
781 Ok(SourceMessage {
782 key: Row::default(),
783 value: final_row.clone(),
784 metadata: Row::default(),
785 })
786 });
787
788 session.give(((*output_index, event), *time, *diff));
789 }
790 });
791 }
792 })
793 .as_collection();
794
795 let errors = definite_errors.concat(&transient_errors.map(ReplicationError::from));
796
797 (
798 snapshot_updates,
799 rewinds,
800 slot_ready,
801 errors,
802 button.press_on_drop(),
803 )
804}
805
806/// Starts a read-only transaction on the SQL session of `client` at a consistent LSN point by
807/// creating a replication slot. Returns a snapshot identifier that can be imported in
808/// other SQL session and the LSN of the consistent point.
809async fn export_snapshot(
810 client: &Client,
811 slot: &str,
812 temporary: bool,
813) -> Result<(String, MzOffset), TransientError> {
814 match export_snapshot_inner(client, slot, temporary).await {
815 Ok(ok) => Ok(ok),
816 Err(err) => {
817 // We don't want to leave the client inside a failed tx
818 client.simple_query("ROLLBACK;").await?;
819 Err(err)
820 }
821 }
822}
823
824async fn export_snapshot_inner(
825 client: &Client,
826 slot: &str,
827 temporary: bool,
828) -> Result<(String, MzOffset), TransientError> {
829 client
830 .simple_query("BEGIN READ ONLY ISOLATION LEVEL REPEATABLE READ;")
831 .await?;
832
833 // Note: Using unchecked here is okay because we're using it in a SQL query.
834 let slot = Ident::new_unchecked(slot).to_ast_string_simple();
835 let temporary_str = if temporary { " TEMPORARY" } else { "" };
836 let query =
837 format!("CREATE_REPLICATION_SLOT {slot}{temporary_str} LOGICAL \"pgoutput\" USE_SNAPSHOT");
838 let row = match simple_query_opt(client, &query).await {
839 Ok(row) => Ok(row.unwrap()),
840 Err(PostgresError::Postgres(err)) if err.code() == Some(&SqlState::DUPLICATE_OBJECT) => {
841 return Err(TransientError::ReplicationSlotAlreadyExists);
842 }
843 Err(err) => Err(err),
844 }?;
845
846 // When creating a replication slot postgres returns the LSN of its consistent point, which is
847 // the LSN that must be passed to `START_REPLICATION` to cleanly transition from the snapshot
848 // phase to the replication phase. `START_REPLICATION` includes all transactions that commit at
849 // LSNs *greater than or equal* to the passed LSN. Therefore the snapshot phase must happen at
850 // the greatest LSN that is not beyond the consistent point. That LSN is `consistent_point - 1`
851 let consistent_point: PgLsn = row.get("consistent_point").unwrap().parse().unwrap();
852 let consistent_point = u64::from(consistent_point)
853 .checked_sub(1)
854 .expect("consistent point is always non-zero");
855
856 let row = simple_query_opt(client, "SELECT pg_export_snapshot();")
857 .await?
858 .unwrap();
859 let snapshot = row.get("pg_export_snapshot").unwrap().to_owned();
860
861 Ok((snapshot, MzOffset::from(consistent_point)))
862}
863
864/// Starts a read-only transaction on the SQL session of `client` at a the consistent LSN point of
865/// `snapshot`.
866async fn use_snapshot(client: &Client, snapshot: &str) -> Result<(), TransientError> {
867 client
868 .simple_query("BEGIN READ ONLY ISOLATION LEVEL REPEATABLE READ;")
869 .await?;
870 let query = format!("SET TRANSACTION SNAPSHOT '{snapshot}';");
871 client.simple_query(&query).await?;
872 Ok(())
873}
874
875async fn set_statement_timeout(client: &Client, timeout: Duration) -> Result<(), TransientError> {
876 // Value is known to accept milliseconds w/o units.
877 // https://www.postgresql.org/docs/current/runtime-config-client.html
878 client
879 .simple_query(&format!("SET statement_timeout = {}", timeout.as_millis()))
880 .await?;
881 Ok(())
882}
883
884/// Decodes a row of `col_len` columns obtained from a text encoded COPY query into `row`.
885fn decode_copy_row(data: &[u8], col_len: usize, row: &mut Row) -> Result<(), DefiniteError> {
886 let mut packer = row.packer();
887 let row_parser = mz_pgcopy::CopyTextFormatParser::new(data, b'\t', "\\N");
888 let mut column_iter = row_parser.iter_raw_truncating(col_len);
889 for _ in 0..col_len {
890 let value = match column_iter.next() {
891 Some(Ok(value)) => value,
892 Some(Err(_)) => return Err(DefiniteError::InvalidCopyInput),
893 None => return Err(DefiniteError::MissingColumn),
894 };
895 let datum = value.map(super::decode_utf8_text).transpose()?;
896 packer.push(datum.unwrap_or(Datum::Null));
897 }
898 Ok(())
899}
900
901/// Record the sizes of the tables being snapshotted in `PgSnapshotMetrics` and emit snapshot statistics for each export.
902async fn report_snapshot_size(
903 client: &Client,
904 tables_to_snapshot: &BTreeMap<u32, BTreeMap<usize, SourceOutputInfo>>,
905 metrics: PgSnapshotMetrics,
906 config: &RawSourceCreationConfig,
907 export_statistics: &BTreeMap<(u32, usize), SourceStatistics>,
908) -> Result<(), anyhow::Error> {
909 // TODO(guswynn): delete unused configs
910 let snapshot_config = config.config.parameters.pg_snapshot_config;
911
912 for (&oid, outputs) in tables_to_snapshot {
913 // Use the first output's desc to make the table name since it is the same for all outputs
914 let Some((_, info)) = outputs.first_key_value() else {
915 continue;
916 };
917 let table = format!(
918 "{}.{}",
919 Ident::new_unchecked(info.desc.namespace.clone()).to_ast_string_simple(),
920 Ident::new_unchecked(info.desc.name.clone()).to_ast_string_simple()
921 );
922 let stats =
923 collect_table_statistics(client, snapshot_config, &table, info.desc.oid).await?;
924 metrics.record_table_count_latency(table, stats.count_latency);
925 for &output_index in outputs.keys() {
926 export_statistics[&(oid, output_index)].set_snapshot_records_known(stats.count);
927 export_statistics[&(oid, output_index)].set_snapshot_records_staged(0);
928 }
929 }
930 Ok(())
931}
932
933#[derive(Default)]
934struct TableStatistics {
935 count: u64,
936 count_latency: f64,
937}
938
939async fn collect_table_statistics(
940 client: &Client,
941 config: PgSourceSnapshotConfig,
942 table: &str,
943 oid: u32,
944) -> Result<TableStatistics, anyhow::Error> {
945 use mz_ore::metrics::MetricsFutureExt;
946 let mut stats = TableStatistics::default();
947
948 let estimate_row = simple_query_opt(
949 client,
950 &format!("SELECT reltuples::bigint AS estimate_count FROM pg_class WHERE oid = '{oid}'"),
951 )
952 .wall_time()
953 .set_at(&mut stats.count_latency)
954 .await?;
955 stats.count = match estimate_row {
956 Some(row) => row.get("estimate_count").unwrap().parse().unwrap_or(0),
957 None => bail!("failed to get estimate count for {table}"),
958 };
959
960 // If the estimate is low enough we can attempt to get an exact count. Note that not yet
961 // vacuumed tables will report zero rows here and there is a possibility that they are very
962 // large. We accept this risk and we offer the feature flag as an escape hatch if it becomes
963 // problematic.
964 if config.collect_strict_count && stats.count < 1_000_000 {
965 let count_row = simple_query_opt(client, &format!("SELECT count(*) as count from {table}"))
966 .wall_time()
967 .set_at(&mut stats.count_latency)
968 .await?;
969 stats.count = match count_row {
970 Some(row) => row.get("count").unwrap().parse().unwrap(),
971 None => bail!("failed to get count for {table}"),
972 }
973 }
974
975 Ok(stats)
976}
977
978/// Validates that there are no blocking RLS polcicies on the tables and retrieves table schemas
979/// for the given publication.
980async fn retrieve_schema_info(
981 connection_config: &Config,
982 connection_context: &ConnectionContext,
983 publication: &str,
984 table_oids: &[Oid],
985) -> Result<BTreeMap<u32, PostgresTableDesc>, PostgresError> {
986 let schema_client = connection_config
987 .connect(
988 "snapshot schema info",
989 &connection_context.ssh_tunnel_manager,
990 )
991 .await?;
992 mz_postgres_util::validate_no_rls_policies(&schema_client, table_oids).await?;
993 mz_postgres_util::publication_info(&schema_client, publication, Some(table_oids)).await
994}