chore: merge release/15.6 changes into develop (#1320)

* fix: account for `public` grantee

* fix(ci): respect postgresVersion input (#1237)

* feat: bump gotrue version to v2.162.0 (#1241)

* fix: only grant pg_read_all_data if it exists (#1242)

* fix: only grant pg_read_all_data if it exists

* fix: prevent `public` from being casted into `regrole`

* fix(15.6): account for pg_stat_monitor major version upgrade (#1247)

* chore: release updates to run physical backup as a service to 15.6 image (#1248)

* chore: updates to run physical backups as a service (#1235)

* chore: init commence-backup service

* chore: bump adminapi and adminmgr

* chore: bump version

* fix: provide correct filename

* chore: bump postgres version

* fix(15.6/pg_upgrade): retry commands within the cleanup step; wait until PG is ready to accept connections (#1250)

* fix(15.6/upgrades): collision when patching wrappers lib locations for upgrades (#1252)

* feat: bump auth 2.162.1 on 15.6 (#1256)

* fix(15.6): disable pg_stat_monitor (#1260)

* fix: disable pg_stat_monitor

* chore: bump version

* fix(15.6): disable pg_stat_monitor (#1262)

* fix: disable pg_stat_monitor

* chore: bump version

* feat: bump gotrue to v2.162.2 (#1264)

* chore: add timescaledb 2.9.1; wrappers upgrade fix; wrappers & plv8 naming fix (#1259)

Co-authored-by: Bobbie Soedirgo <[email protected]>
Co-authored-by: Bobbie Soedirgo <[email protected]>
Co-authored-by: Kang Ming <[email protected]>
Co-authored-by: Stojan Dimitrovski <[email protected]>
Co-authored-by: Sam Rose <[email protected]>
fix(ci): respect postgresVersion input (#1237)
fix: only grant pg_read_all_data if it exists (#1242)
fix(15.6): disable pg_stat_monitor (#1260)

* chore(15.6): bump pg version (#1273)

* feat: bump auth to v2.163.0 on 15.6 (#1275)

* fix: restart PG during pre-upgrade steps to shed hanging connections (#1271)

* fix(upgrades): wrappers 4.2.0 -> wrappers 4.2.0 (#1278)

* fix: handle supabase_admin authenticator membership snowflake

* feat: add auth v2.163.1 to 15.6 (#1283)

* feat: bump gotrue to v2.163.2 (#1287)

* pg_net 0.11 on 15.6 release branch (#1290)

* bump pg_net to 0.11.0

* bump image to 15.6.1.135

* fix: don't copy custom extension scripts during pg_upgrade (#1291)

* fix: add recursive flag to custom extension script directory delete (#1292)

* [GEN-11027] chore: reserve a fixed amount of blocks for the data volume; remove ansible pkg + ppa (#1295)

* fix: grant predefined roles post-upgrade

* fix: add more roles to reserved_roles & reserved_memberships (#1303)

* fix: add more roles to reserved_roles & reserved_memberships

* Update common-nix.vars.pkr.hcl

* feat: update envoy lds config with auth jwks, oidc URLs, strip `sb-opk` header (#1296)

* chore: udpate package repo for salt (#1307)

* fix: use sudo for apt-get commands

* Update pg net to 0.13.0 on pg 15.6 branch (#1315)

* upgrade pg_net to 0.13.0 on 15.6

* bump postgres-version

* chore: cleanup pgbouncer.get_auth ownership accordingly

* chore: standardize

* feat: filter timescaledb to only be included on v15 (#1321)

* feat: filter timescaledb to only be included on v15

* chore: shuffle a bit to match what is needed for various versions

* chore: small fixes on sb wrappers and plv8 to merge in all needed install function

---------

Co-authored-by: Bobbie Soedirgo <[email protected]>
Co-authored-by: Bobbie Soedirgo <[email protected]>
Co-authored-by: Kang Ming <[email protected]>
Co-authored-by: angelico <[email protected]>
Co-authored-by: Stojan Dimitrovski <[email protected]>
Co-authored-by: Sam Rose <[email protected]>
Co-authored-by: Oliver Rice <[email protected]>

.github/workflows/publish-nix-pgupgrade-scripts.yml

@@ -101,6 +101,9 @@ jobs:
         run: |
           VERSION=$(sudo nix run nixpkgs#yq -- '.postgres_release["postgres'${{ matrix.postgres_version }}'"]' ansible/vars.yml)
           VERSION=$(echo $PG_VERSION | tr -d '"')  # Remove any surrounding quotes
+          if [[ "${{ inputs.postgresVersion }}" != "" ]]; then
+            VERSION=${{ inputs.postgresVersion }}
+          fi
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Create a tarball containing pg_upgrade scripts

ansible/files/admin_api_scripts/pg_upgrade_scripts/common.sh

@@ -91,12 +91,24 @@ swap_postgres_and_supabase_admin() {
 alter database postgres connection limit 0;
 select pg_terminate_backend(pid) from pg_stat_activity where backend_type = 'client backend' and pid != pg_backend_pid();
 EOSQL
+
+    if [ -z "$IS_CI" ]; then
+        retry 5 systemctl restart postgresql
+    else
+        CI_start_postgres ""
+    fi
+
+    retry 8 pg_isready -h localhost -U supabase_admin
+
     run_sql <<'EOSQL'
 set statement_timeout = '600s';
 begin;
 create role supabase_tmp superuser;
 set session authorization supabase_tmp;
 
+-- to handle snowflakes that happened in the past
+revoke supabase_admin from authenticator;
+
 do $$
 begin
   if exists (select from pg_extension where extname = 'timescaledb') then

ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh

@@ -78,6 +78,9 @@ EOF
 
         run_sql -c "$RECREATE_PG_CRON_QUERY"
     fi
+
+    # #incident-2024-09-12-project-upgrades-are-temporarily-disabled
+    run_sql -c "grant pg_read_all_data, pg_signal_backend to postgres"
 }
 
 function complete_pg_upgrade {

ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh

@@ -39,6 +39,7 @@ MOUNT_POINT="/data_migration"
 LOG_FILE="/var/log/pg-upgrade-initiate.log"
 
 POST_UPGRADE_EXTENSION_SCRIPT="/tmp/pg_upgrade/pg_upgrade_extensions.sql"
+POST_UPGRADE_POSTGRES_PERMS_SCRIPT="/tmp/pg_upgrade/pg_upgrade_postgres_perms.sql"
 OLD_PGVERSION=$(run_sql -A -t -c "SHOW server_version;")
 
 SERVER_LC_COLLATE=$(run_sql -A -t -c "SHOW lc_collate;")
@@ -47,7 +48,6 @@ SERVER_ENCODING=$(run_sql -A -t -c "SHOW server_encoding;")
 
 POSTGRES_CONFIG_PATH="/etc/postgresql/postgresql.conf"
 PGBINOLD="/usr/lib/postgresql/bin"
-PGLIBOLD="/usr/lib/postgresql/lib"
 
 PG_UPGRADE_BIN_DIR="/tmp/pg_upgrade_bin/$PGVERSION"
 NIX_INSTALLER_PATH="/tmp/persistent/nix-installer"
@@ -133,6 +133,22 @@ cleanup() {
     echo "Resetting postgres database connection limit"
     retry 5 run_sql -c "ALTER DATABASE postgres CONNECTION LIMIT -1;"
 
+    echo "Making sure postgres still has access to pg_shadow"
+    cat << EOF >> $POST_UPGRADE_POSTGRES_PERMS_SCRIPT
+DO \$\$
+begin
+  if exists (select from pg_authid where rolname = 'pg_read_all_data') then
+    execute('grant pg_read_all_data to postgres');
+  end if;
+end
+\$\$;
+grant pg_signal_backend to postgres;
+EOF
+
+    if [ -f $POST_UPGRADE_POSTGRES_PERMS_SCRIPT ]; then
+        retry 5 run_sql -f $POST_UPGRADE_POSTGRES_PERMS_SCRIPT
+    fi
+
     if [ -z "$IS_CI" ] && [ -z "$IS_LOCAL_UPGRADE" ]; then
         echo "Unmounting data disk from ${MOUNT_POINT}"
         retry 3 umount $MOUNT_POINT
@@ -148,6 +164,14 @@ cleanup() {
 }
 
 function handle_extensions {
+    if [ -z "$IS_CI" ]; then
+        retry 5 systemctl restart postgresql
+    else
+        CI_start_postgres
+    fi
+
+    retry 8 pg_isready -h localhost -U supabase_admin
+
     rm -f $POST_UPGRADE_EXTENSION_SCRIPT
     touch $POST_UPGRADE_EXTENSION_SCRIPT
 
@@ -181,58 +205,6 @@ EOF
     done
 }
 
-function patch_wrappers {
-    local IS_NIX_UPGRADE=$1
-
-    WRAPPERS_ENABLED=$(run_sql -A -t -c "SELECT EXISTS(SELECT 1 FROM pg_extension WHERE extname = 'wrappers');")
-    if [ "$WRAPPERS_ENABLED" = "f" ]; then
-        echo "Wrappers extension not enabled. Skipping."
-        return
-    fi
-
-    # This is a workaround for older versions of wrappers which don't have the expected
-    #  naming scheme, containing the version in their library's file name
-    #  e.g. wrappers-0.1.16.so, rather than wrappers.so
-    # pg_upgrade errors out when it doesn't find an equivalent file in the new PG version's
-    #  library directory, so we're making sure the new version has the expected (old version's)
-    #  file name.
-    # After the upgrade completes, the new version's library file is used.
-    # i.e. 
-    #  - old version: wrappers-0.1.16.so
-    #  - new version: wrappers-0.1.18.so
-    #  - workaround to make pg_upgrade happy: copy wrappers-0.1.18.so to wrappers-0.1.16.so
-    if [ "$IS_NIX_UPGRADE" = "true" ]; then
-        if [ -d "$PGLIBOLD" ]; then
-            OLD_WRAPPER_LIB_PATH=$(find "$PGLIBOLD" -name "wrappers*so" -print -quit)
-            OLD_LIB_FILE_NAME=$(basename "$OLD_WRAPPER_LIB_PATH")
-
-            find /nix/store/ -name "wrappers*so" -print0 | while read -r -d $'\0' WRAPPERS_LIB_PATH; do
-                if [ -f "$WRAPPERS_LIB_PATH" ]; then
-                    WRAPPERS_LIB_PATH_DIR=$(dirname "$WRAPPERS_LIB_PATH")
-                    if [ "$WRAPPERS_LIB_PATH" != "$WRAPPERS_LIB_PATH_DIR/${OLD_LIB_FILE_NAME}" ]; then
-                        echo "Copying $WRAPPERS_LIB_PATH to $WRAPPERS_LIB_PATH_DIR/${OLD_LIB_FILE_NAME}"
-                        cp "$WRAPPERS_LIB_PATH" "$WRAPPERS_LIB_PATH_DIR/${OLD_LIB_FILE_NAME}" || true
-                    fi
-                fi
-            done
-        fi
-    else
-        if [ -d "$PGLIBOLD" ]; then
-            WRAPPERS_LIB_PATH=$(find "$PGLIBNEW" -name "wrappers*so" -print -quit)
-            if [ -f "$WRAPPERS_LIB_PATH" ]; then
-                OLD_WRAPPER_LIB_PATH=$(find "$PGLIBOLD" -name "wrappers*so" -print -quit)
-                if [ -f "$OLD_WRAPPER_LIB_PATH" ]; then
-                    LIB_FILE_NAME=$(basename "$OLD_WRAPPER_LIB_PATH")
-                    if [ "$WRAPPERS_LIB_PATH" != "$PGLIBNEW/${LIB_FILE_NAME}" ]; then
-                        echo "Copying $WRAPPERS_LIB_PATH to $PGLIBNEW/${LIB_FILE_NAME}"
-                        cp "$WRAPPERS_LIB_PATH" "$PGLIBNEW/${LIB_FILE_NAME}" || true
-                    fi
-                fi
-            fi
-        fi
-    fi
-}
-
 function initiate_upgrade {
     mkdir -p "$MOUNT_POINT"
     SHARED_PRELOAD_LIBRARIES=$(cat "$POSTGRES_CONFIG_PATH" | grep shared_preload_libraries | sed "s/shared_preload_libraries =\s\{0,1\}'\(.*\)'.*/\1/")
@@ -409,8 +381,6 @@ function initiate_upgrade {
         export LD_LIBRARY_PATH="${PGLIBNEW}"
     fi
 
-    patch_wrappers "$IS_NIX_UPGRADE"
-
     echo "9. Creating new data directory, initializing database"
     chown -R postgres:postgres "$MOUNT_POINT/"
     rm -rf "${PGDATANEW:?}/"
@@ -473,6 +443,7 @@ EOF
     cp -R /etc/postgresql-custom/* "$MOUNT_POINT/conf/"
     # removing supautils config as to allow the latest one provided by the latest image to be used
     rm -f "$MOUNT_POINT/conf/supautils.conf" || true
+    rm -rf "$MOUNT_POINT/conf/extension-custom-scripts" || true
 
     # removing wal-g config as to allow it to be explicitly enabled on the new instance
     rm -f "$MOUNT_POINT/conf/wal-g.conf"

ansible/files/postgresql_config/supautils.conf.j2

@@ -9,5 +9,5 @@ supautils.privileged_extensions_custom_scripts_path = '/etc/postgresql-custom/ex
 supautils.privileged_extensions_superuser = 'supabase_admin'
 supautils.privileged_role = 'postgres'
 supautils.privileged_role_allowed_configs = 'auto_explain.log_min_duration, auto_explain.log_nested_statements, log_lock_waits, log_min_messages, pg_net.batch_size, pg_net.ttl, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing'
-supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, authenticator'
-supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_replication_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
+supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, dashboard_user, pgbouncer, authenticator'
+supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'

ansible/vars.yml

@@ -25,8 +25,8 @@ postgrest_release: "12.2.3"
 postgrest_arm_release_checksum: sha1:fbfd6613d711ce1afa25c42d5df8f1b017f396f9
 postgrest_x86_release_checksum: sha1:61c513f91a8931be4062587b9d4a18b42acf5c05
 
-gotrue_release: 2.162.0
-gotrue_release_checksum: sha1:855b23bd002577290c7d42d7042ac0f5316984b1
+gotrue_release: 2.163.2
+gotrue_release_checksum: sha1:31889bc8c498b924c2cb3b6c4084ef6e57ed97c0
 
 aws_cli_release: "2.2.7"
 

ebssurrogate/scripts/surrogate-bootstrap-nix.sh

@@ -110,6 +110,11 @@ function format_and_mount_rootfs {
 	fi
 
 	mkfs.ext4 /dev/xvdh
+
+	# Explicitly reserving 100MiB worth of blocks for the data volume
+	RESERVED_DATA_VOLUME_BLOCK_COUNT=$((100 * 1024 * 1024 / 4096))
+	tune2fs -r $RESERVED_DATA_VOLUME_BLOCK_COUNT /dev/xvdh
+
 	mkdir -p /mnt/data
 	mount -o defaults,discard /dev/xvdh /mnt/data
 }

flake.nix

@@ -213,9 +213,15 @@
           in map (path: pkgs.callPackage path { inherit postgresql; }) orioledbExtension;
 
         makeOurPostgresPkgs = version:
-          let postgresql = getPostgresqlPackage version;
-          in map (path: pkgs.callPackage path { inherit postgresql; }) ourExtensions;
-
+          let 
+            postgresql = getPostgresqlPackage version;
+            extensions = if version == "15"
+              then ourExtensions ++ [
+                ./nix/ext/timescaledb-2.9.1.nix
+              ]
+              else ourExtensions;
+          in 
+          map (path: pkgs.callPackage path { inherit postgresql; }) extensions;
         # Create an attrset that contains all the extensions included in a server for the orioledb version of postgresql + extension.
         makeOurOrioleDbPostgresPkgsSet = version: patchedPostgres:
           (builtins.listToAttrs (map

nix/ext/plv8.nix

@@ -97,23 +97,43 @@ stdenv.mkDerivation (finalAttrs: {
     ''}
   '';
 
-  postInstall = ''
+ postInstall = ''
     # Move the redirected to proper directory.
     # There appear to be no references to the install directories
     # so changing them does not cause issues.
     mv "$out/nix/store"/*/* "$out"
     rmdir "$out/nix/store"/* "$out/nix/store" "$out/nix"
 
-    ${lib.optionalString stdenv.isDarwin ''
-      install_name_tool -add_rpath "${v8}/lib" $out/lib/plv8-${finalAttrs.version}${postgresql.dlSuffix}
-      install_name_tool -add_rpath "${postgresql}/lib" $out/lib/plv8-${finalAttrs.version}${postgresql.dlSuffix}
-      install_name_tool -add_rpath "${stdenv.cc.cc.lib}/lib" $out/lib/plv8-${finalAttrs.version}${postgresql.dlSuffix}
-      install_name_tool -change @rpath/libv8_monolith.dylib ${v8}/lib/libv8_monolith.dylib $out/lib/plv8-${finalAttrs.version}${postgresql.dlSuffix}
-    ''}
-
-    ${lib.optionalString (!stdenv.isDarwin) ''
-      ${patchelf}/bin/patchelf --set-rpath "${v8}/lib:${postgresql}/lib:${stdenv.cc.cc.lib}/lib" $out/lib/plv8-${finalAttrs.version}${postgresql.dlSuffix}
-    ''}
+    # Handle different PostgreSQL versions
+    if [ "${lib.versions.major postgresql.version}" = "15" ]; then
+      mv "$out/lib/plv8-${finalAttrs.version}.so" "$out/lib/plv8.so"
+      ln -s "$out/lib/plv8.so" "$out/lib/plv8-${finalAttrs.version}.so"
+      sed -i 's|module_pathname = '"'"'$libdir/plv8-[0-9.]*'"'"'|module_pathname = '"'"'$libdir/plv8'"'"'|' "$out/share/postgresql/extension/plv8.control"
+      sed -i 's|module_pathname = '"'"'$libdir/plv8-[0-9.]*'"'"'|module_pathname = '"'"'$libdir/plv8'"'"'|' "$out/share/postgresql/extension/plcoffee.control"
+      sed -i 's|module_pathname = '"'"'$libdir/plv8-[0-9.]*'"'"'|module_pathname = '"'"'$libdir/plv8'"'"'|' "$out/share/postgresql/extension/plls.control"
+
+      ${lib.optionalString stdenv.isDarwin ''
+        install_name_tool -add_rpath "${v8}/lib" $out/lib/plv8.so
+        install_name_tool -add_rpath "${postgresql}/lib" $out/lib/plv8.so
+        install_name_tool -add_rpath "${stdenv.cc.cc.lib}/lib" $out/lib/plv8.so
+        install_name_tool -change @rpath/libv8_monolith.dylib ${v8}/lib/libv8_monolith.dylib $out/lib/plv8.so
+      ''}
+
+      ${lib.optionalString (!stdenv.isDarwin) ''
+        ${patchelf}/bin/patchelf --set-rpath "${v8}/lib:${postgresql}/lib:${stdenv.cc.cc.lib}/lib" $out/lib/plv8.so
+      ''}
+    else
+      ${lib.optionalString stdenv.isDarwin ''
+        install_name_tool -add_rpath "${v8}/lib" $out/lib/plv8-${finalAttrs.version}${postgresql.dlSuffix}
+        install_name_tool -add_rpath "${postgresql}/lib" $out/lib/plv8-${finalAttrs.version}${postgresql.dlSuffix}
+        install_name_tool -add_rpath "${stdenv.cc.cc.lib}/lib" $out/lib/plv8-${finalAttrs.version}${postgresql.dlSuffix}
+        install_name_tool -change @rpath/libv8_monolith.dylib ${v8}/lib/libv8_monolith.dylib $out/lib/plv8-${finalAttrs.version}${postgresql.dlSuffix}
+      ''}
+
+      ${lib.optionalString (!stdenv.isDarwin) ''
+        ${patchelf}/bin/patchelf --set-rpath "${v8}/lib:${postgresql}/lib:${stdenv.cc.cc.lib}/lib" $out/lib/plv8-${finalAttrs.version}${postgresql.dlSuffix}
+      ''}
+    fi
   '';
 
   meta = with lib; {

nix/ext/timescaledb-2.9.1.nix

@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchFromGitHub, cmake, postgresql, openssl, libkrb5 }:
+
+stdenv.mkDerivation rec {
+  pname = "timescaledb-apache";
+  version = "2.9.1";
+
+  nativeBuildInputs = [ cmake ];
+  buildInputs = [ postgresql openssl libkrb5 ];
+
+  src = fetchFromGitHub {
+    owner = "timescale";
+    repo = "timescaledb";
+    rev = version;
+    hash = "sha256-fvVSxDiGZAewyuQ2vZDb0I6tmlDXl6trjZp8+qDBtb8=";
+  };
+
+  cmakeFlags = [ "-DSEND_TELEMETRY_DEFAULT=OFF" "-DREGRESS_CHECKS=OFF" "-DTAP_CHECKS=OFF" "-DAPACHE_ONLY=1" ]
+    ++ lib.optionals stdenv.isDarwin [ "-DLINTER=OFF" ];
+
+  # Fix the install phase which tries to install into the pgsql extension dir,
+  # and cannot be manually overridden. This is rather fragile but works OK.
+  postPatch = ''
+    for x in CMakeLists.txt sql/CMakeLists.txt; do
+      substituteInPlace "$x" \
+        --replace 'DESTINATION "''${PG_SHAREDIR}/extension"' "DESTINATION \"$out/share/postgresql/extension\""
+    done
+
+    for x in src/CMakeLists.txt src/loader/CMakeLists.txt tsl/src/CMakeLists.txt; do
+      substituteInPlace "$x" \
+        --replace 'DESTINATION ''${PG_PKGLIBDIR}' "DESTINATION \"$out/lib\""
+    done
+  '';
+
+
+  # timescaledb-2.9.1.so already exists in the lib directory
+  # we have no need for the timescaledb.so or control file
+  postInstall = ''
+    rm $out/lib/timescaledb.so
+    rm $out/share/postgresql/extension/timescaledb.control
+  '';
+
+  meta = with lib; {
+    description = "Scales PostgreSQL for time-series data via automatic partitioning across time and space";
+    homepage = "https://www.timescale.com/";
+    changelog = "https://github.com/timescale/timescaledb/blob/${version}/CHANGELOG.md";
+    maintainers = with maintainers; [ samrose ];
+    platforms = postgresql.meta.platforms;
+    license = licenses.asl20;
+    broken = versionOlder postgresql.version "13";
+  };
+}