musl 1.2.6 intentionally crashes when exit() is called recursively, which happened when a signal arrived while exit() was already in progress, e.g. when a server terminated a child that was already exiting. Set a flag when exit is in progress so exitOnSignal() ignores the signal and allows the in-flight exit() to complete. Reset the flag in exitInit() since a forked child may inherit it from a parent that was exiting.
Also call exitSafe() before notifying the parent in the server tests so a signal sent in response to the notification cannot arrive before the exit in progress flag is set.
Add Alpine 3.24 to CI to exercise the unit tests against musl 1.2.6, which is where this crash was found.
Drop the c-only restriction for the a321 CI job so the full unit and integration suites run on musl libc, exercising the integration tests (including SFTP) against Alpine in addition to glibc.
Apply the ssh-rsa HostKeyAlgorithms/PubkeyAcceptedAlgorithms workaround to a321 as well as u22, since Alpine 3.21 ships OpenSSH 9.x which no longer offers the SHA-1 ssh-rsa host-key algorithm by default and the libssh2 client requires it (otherwise the SFTP handshake fails key exchange with LIBSSH2_ERROR_KEX_FAILURE).
Suppress the libssh2_session_init_ex and libssh2_session_handshake "possibly lost" leaks reported by valgrind during SFTP integration. These are persistent allocations tied to the session lifetime and are flagged only on the Linux CI runner where valgrind wraps the integration test binary. The suppressions go in valgrind.suppress.none because integration tests always run with vm none.
Generalize hrnHostPgBinPath() to probe the Debian, RHEL, and Alpine PostgreSQL bin paths in turn rather than hardcoding two, and throw a clear assert if none match.
Add a321 to the default VM list, install PostgreSQL 15/16/17 on Alpine, and point VMDEF_PGSQL_BIN at the Alpine layout. Rebuild the a321 base image accordingly.
Debian 11 will be EOL just after the next release but it is also a blocker for some planned work due to old package versions. It seems fine to just expire it a bit early.
Also update the integration tests to run Debian 12 on Posix since Azure is not supported on i386.
Previously each read driver decided whether a missing file was an error, which duplicated the ignoreMissing logic across the Posix, SFTP, remote, S3, Azure, and GCS drivers. Now driver open() simply reports whether the file exists and StorageRead throws FileMissingError when missing files are not ignored.
Since the client now makes this decision, ignoreMissing no longer needs to be passed through the remote protocol and a missing file is reported locally rather than as an error raised from the remote.
When libbacktrace is enabled, throwing an error calls backtrace_full(), which unwinds the stack with libgcc's _Unwind_Backtrace. On aarch64 the unwinder (and glibc's _dl_find_object, which it calls to look up unwind tables) branches on values valgrind considers uninitialised. Since tests run under valgrind with --exit-on-first-error=yes, the false positive aborted any test that happened to trip it, e.g. storage/sftp.
Suppress Cond and Value8 errors that originate inside _Unwind_Backtrace when called from backtrace_full.
.github/ISSUE_TEMPLATE.md is no longer filling new issues even though it should still be working according to the documentation.
Rather than fight the system just move to the new format.
Add a repo-s3-service option that controls the SigV4 signing service name. Defaults to 's3' for standard S3 endpoints. Set to 's3-outposts' when using an S3 Outposts endpoint.
The signing service is used in the credential scope, HMAC signing key derivation, and authorization header. The option accepts free-form input to support future AWS service variants.
Previously, drivers constructed StorageRead/StorageWrite objects directly and stored metadata in a shared interface struct. Now, StorageRead/StorageWrite create the driver via storageInterfaceNewReadP()/NewWriteP() and mediate between IoRead/IoWrite and the driver. Drivers return opaque objects and own their metadata independently.
This loosens the tight coupling between drivers and the StorageRead/StorageWrite layer. The remote write driver replaces its back-pointer to StorageWrite with a filterGroup callback, eliminating the circular dependency. It makes retry in StorageRead much more readable.
Also move the logic for testing whether a file version could not be found out of the drivers and into StorageRead.
The syncPath value in StorageWrite is for informational purposes and does not determine if the path is actually synced or not.
Instead probe the Posix driver to make sure that syncPath is disabled so there is no error on CIFS.
On systems where uid/gid lookups are routed to a remote name service (sssd, systemd-userdbd, LDAP, etc.), every getpwuid()/getgrgid() call incurs a Unix socket round-trip. This dominates the manifest build phase for clusters with millions of files, even though the data files almost always share a single owner.
Add a small fixed-size (16-entry) per-process cache for userNameFromId() and groupNameFromId(). Linear scan is faster than a hash table at this size. Negative results (unknown ids) are also cached. Cache overflow falls through to uncached lookups.
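A sketch of the cache behaviour this commit message describes, added here as an illustration and not pgBackRest's own code. `userNameCached()`, `demoBackendCalls()`, the 64-byte name bound and the constructed `lookupSample()` backend are assumptions made for the example.

```c
#include <pwd.h>
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>

#define CACHE_MAX 16                              // fixed size given in the commit message
#define NAME_SIZE 64                              // assumed name bound for this example
typedef struct { uid_t id; bool found; char name[NAME_SIZE]; } UserCacheEntry;
static UserCacheEntry userCache[CACHE_MAX];
static unsigned int userCacheTotal, backendCalls;

// Real backend: every call may be a round-trip to sssd, LDAP, etc.
static const char *lookupSystem(uid_t id)
{
    const struct passwd *pw = getpwuid(id);
    return pw != NULL ? pw->pw_name : NULL;
}
// Constructed backend for the demo: counts calls, only uid 1000 is known
static const char *lookupSample(uid_t id)
{
    backendCalls++;
    return id == 1000 ? "postgres" : NULL;
}
static const char *(*userLookup)(uid_t) = lookupSystem;

const char *userNameCached(uid_t id)
{
    for (unsigned int idx = 0; idx < userCacheTotal; idx++)   // linear scan
        if (userCache[idx].id == id)
            return userCache[idx].found ? userCache[idx].name : NULL;
    const char *name = userLookup(id);
    // Cache full, or name too long to store whole: return the uncached result
    if (userCacheTotal == CACHE_MAX || (name != NULL && strlen(name) >= NAME_SIZE))
        return name;
    UserCacheEntry *entry = &userCache[userCacheTotal++];
    entry->id = id;
    entry->found = name != NULL;                   // unknown ids are cached too
    strcpy(entry->name, name != NULL ? name : ""); // copy: getpwuid() reuses its buffer
    return entry->found ? entry->name : NULL;
}

// Backend calls made when `distinct` ids are each resolved `repeat` times
unsigned int demoBackendCalls(unsigned int distinct, unsigned int repeat)
{
    userCacheTotal = backendCalls = 0;
    userLookup = lookupSample;
    for (unsigned int n = 0; n < distinct * repeat; n++)
        userNameCached((uid_t)(1000 + n % distinct));
    return backendCalls;
}
```

A cache like this holds each id-to-name mapping for the life of the process, so a rename in the directory service during a run is not seen until the next run.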
This standard is over fifteen years old and the features we are interested in seem well supported on popular compilers.
The main advantage is that static_assert() will now display the specified message on error rather than the ever-cryptic `negative width in bit-field '__error_if_negative'`. Now that we can depend on having static_assert() we can replace our STATIC_ASSERT_STMT() macro.
Replace our ALIGN_OF() macro with alignof().
Replace our FN_NO_RETURN macro with noreturn. Include stdnoreturn.h in build.h to avoid needing to include it in many header files.
Use an anonymous union in common/type/json.c where it simplifies syntax.
Other uses of union seem better as they are.
In dark mode the black favicon was barely visible. Use a white favicon in dark mode instead.
Also, use the new SVG logo for the favicon and update logo.png to the new style.
When backups are running on multiple repositories simultaneously, the info command now reports per-repo progress in addition to the existing overall progress. A new repo array is included in JSON output for backup locks. This avoids confusing progress jumps when one repo finishes before another.
This job has never surfaced any useful data and now it is failing, so remove it.
It appears that CodeQL can now be automated directly within the GitHub interface, so that seems like a better route if we decide to reenable it.
Cirrus CI is shutting down on June 1 so migrate all tests. This could have been done before, probably, but it was not clear how to run FreeBSD on GitHub Actions. The cross-platform-actions action solves that problem.
Fix a couple of minor test issues found on macOS.
Also remove the dead make-cmd option. This has not been valid since the migration to meson.
Verify currently checks only backup directories present in the repository and does not validate consistency with backup.info. As a result, discrepancies between the repo contents and backup.info may go unnoticed.
Warn if a backup directory exists but is not described in backup.info. Warn if a backup is listed in backup.info but missing on disk. Add backups found only in backup.info (but not on disk) to the processing list so that verify command reports their status as manifest missing.
These are useful to denote elements that could be styled but currently work with defaults. However, CSS linters dislike empty rules so comment them out. This was already done with some rules but not followed consistently.
This allows logos to be displayed for sponsors in HTML on the homepage.
The markdown will continue to list sponsors in text but the list will be pulled from the new XML.
PostgreSQL 13 is EOL and no longer available in the yum.postgresql.org repository.
Update the base and upgrade versions of the RHEL and Debian documentation to better cover supported versions.
The unit tests do not require this field to be non-zero so in general it has not been set.
However, in production this field is always set and can be used to calculate timestamp deltas, which will be useful in a future commit.
Commit the test changes separately to show that there is no change in behavior.
The prior code issued a seek for each block even if the file was in the correct position. The extra call to lseek() was probably not too expensive but a flush was also required in case of a seek on the next loop. Flushing the write buffer after each block (which is often 8KiB) was definitely wasteful.
Fix this by adding seek to the IoWrite interface. That means the file position can be tracked and calls to seek/flush are only done when needed.
Seek during write is only used in PGDATA during restore so seek functionality is only added to the Posix driver.
This check was lost in the migration from autoconf, which means that the UNCONSTIFY() macro has not been enforcing since then.
Add the check so UNCONSTIFY() enforces as expected.