Merge 15.6 into develop

.github/workflows/publish-nix-pgupgrade-scripts.yml

@@ -72,6 +72,9 @@ jobs:
         id: process_release_version
         run: |
           VERSION=$(grep 'postgres-version' common-nix.vars.pkr.hcl | sed -e 's/postgres-version = "\(.*\)"/\1/g')
+          if [[ "${{ inputs.postgresVersion }}" != "" ]]; then
+            VERSION=${{ inputs.postgresVersion }}
+          fi
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Create a tarball containing pg_upgrade scripts

Dockerfile

@@ -36,7 +36,7 @@ ARG hypopg_release=1.3.1
 ARG pgvector_release=0.4.0
 ARG pg_tle_release=1.3.2
 ARG index_advisor_release=0.2.0
-ARG supautils_release=2.2.1
+ARG supautils_release=2.5.0
 ARG wal_g_release=2.0.1
 
 ####################

ansible/files/admin_api_scripts/pg_upgrade_scripts/common.sh

@@ -91,12 +91,24 @@ swap_postgres_and_supabase_admin() {
 alter database postgres connection limit 0;
 select pg_terminate_backend(pid) from pg_stat_activity where backend_type = 'client backend' and pid != pg_backend_pid();
 EOSQL
+
+    if [ -z "$IS_CI" ]; then
+        retry 5 systemctl restart postgresql
+    else
+        CI_start_postgres ""
+    fi
+
+    retry 8 pg_isready -h localhost -U supabase_admin
+
     run_sql <<'EOSQL'
 set statement_timeout = '600s';
 begin;
 create role supabase_tmp superuser;
 set session authorization supabase_tmp;
 
+-- to handle snowflakes that happened in the past
+revoke supabase_admin from authenticator;
+
 do $$
 begin
   if exists (select from pg_extension where extname = 'timescaledb') then
@@ -356,7 +368,8 @@ begin
                        end
                      , case when rec.grantee = 'postgres'::regrole then 'supabase_admin'
                             when rec.grantee = 'supabase_admin'::regrole then 'postgres'
-                            else rec.grantee::regrole
+                            when rec.grantee = 0 then 'public'
+                            else rec.grantee::regrole::text
                        end
                      ));
       end if;
@@ -382,7 +395,7 @@ begin
                             when obj->>'objtype' = 'T' then 'types'
                             when obj->>'objtype' = 'n' then 'schemas'
                        end
-                     , rec.grantee::regrole
+                     , case when rec.grantee = 0 then 'public' else rec.grantee::regrole::text end
                      , case when rec.is_grantable then 'with grant option' else '' end
                      ));
       end if;
@@ -443,7 +456,10 @@ begin
   foreach obj in array functions
   loop
     if obj->>'owner' = 'postgres' then
-      execute(format('alter routine %s(%s) owner to postgres;', (obj->>'oid')::regproc, pg_get_function_identity_arguments((obj->>'oid')::regproc)));
+      execute(format('alter %s %s(%s) owner to postgres;'
+                     , case when obj->>'kind' = 'p' then 'procedure' else 'function' end
+                     , (obj->>'oid')::regproc
+                     , pg_get_function_identity_arguments((obj->>'oid')::regproc)));
     end if;
     for rec in
       select grantor, grantee, privilege_type, is_grantable
@@ -528,9 +544,6 @@ $$;
 
 alter database postgres connection limit -1;
 
--- #incident-2024-09-12-project-upgrades-are-temporarily-disabled
-grant pg_read_all_data, pg_signal_backend to postgres;
-
 set session authorization supabase_admin;
 drop role supabase_tmp;
 commit;

ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh

@@ -78,6 +78,9 @@ EOF
 
         run_sql -c "$RECREATE_PG_CRON_QUERY"
     fi
+
+    # #incident-2024-09-12-project-upgrades-are-temporarily-disabled
+    run_sql -c "grant pg_read_all_data, pg_signal_backend to postgres"
 }
 
 function complete_pg_upgrade {

ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh

@@ -11,6 +11,7 @@
 # them depending on regtypes referencing system OIDs or outdated library files.
 EXTENSIONS_TO_DISABLE=(
     "pg_graphql"
+    "pg_stat_monitor"
 )
 
 PG14_EXTENSIONS_TO_DISABLE=(
@@ -38,6 +39,7 @@ MOUNT_POINT="/data_migration"
 LOG_FILE="/var/log/pg-upgrade-initiate.log"
 
 POST_UPGRADE_EXTENSION_SCRIPT="/tmp/pg_upgrade/pg_upgrade_extensions.sql"
+POST_UPGRADE_POSTGRES_PERMS_SCRIPT="/tmp/pg_upgrade/pg_upgrade_postgres_perms.sql"
 OLD_PGVERSION=$(run_sql -A -t -c "SHOW server_version;")
 
 SERVER_LC_COLLATE=$(run_sql -A -t -c "SHOW lc_collate;")
@@ -46,7 +48,6 @@ SERVER_ENCODING=$(run_sql -A -t -c "SHOW server_encoding;")
 
 POSTGRES_CONFIG_PATH="/etc/postgresql/postgresql.conf"
 PGBINOLD="/usr/lib/postgresql/bin"
-PGLIBOLD="/usr/lib/postgresql/lib"
 
 PG_UPGRADE_BIN_DIR="/tmp/pg_upgrade_bin/$PGVERSION"
 NIX_INSTALLER_PATH="/tmp/persistent/nix-installer"
@@ -119,20 +120,38 @@ cleanup() {
         CI_start_postgres
     fi
 
+    retry 8 pg_isready -h localhost -U supabase_admin
+
     echo "Re-enabling extensions"
     if [ -f $POST_UPGRADE_EXTENSION_SCRIPT ]; then
-        run_sql -f $POST_UPGRADE_EXTENSION_SCRIPT
+        retry 5 run_sql -f $POST_UPGRADE_EXTENSION_SCRIPT
     fi
 
     echo "Removing SUPERUSER grant from postgres"
-    run_sql -c "ALTER USER postgres WITH NOSUPERUSER;"
+    retry 5 run_sql -c "ALTER USER postgres WITH NOSUPERUSER;"
 
     echo "Resetting postgres database connection limit"
-    run_sql -c "ALTER DATABASE postgres CONNECTION LIMIT -1;"
+    retry 5 run_sql -c "ALTER DATABASE postgres CONNECTION LIMIT -1;"
+
+    echo "Making sure postgres still has access to pg_shadow"
+    cat << EOF >> $POST_UPGRADE_POSTGRES_PERMS_SCRIPT
+DO \$\$
+begin
+  if exists (select from pg_authid where rolname = 'pg_read_all_data') then
+    execute('grant pg_read_all_data to postgres');
+  end if;
+end
+\$\$;
+grant pg_signal_backend to postgres;
+EOF
+
+    if [ -f $POST_UPGRADE_POSTGRES_PERMS_SCRIPT ]; then
+        retry 5 run_sql -f $POST_UPGRADE_POSTGRES_PERMS_SCRIPT
+    fi
 
     if [ -z "$IS_CI" ] && [ -z "$IS_LOCAL_UPGRADE" ]; then
         echo "Unmounting data disk from ${MOUNT_POINT}"
-        umount $MOUNT_POINT
+        retry 3 umount $MOUNT_POINT
     fi
     echo "$UPGRADE_STATUS" > /tmp/pg-upgrade-status
 
@@ -145,6 +164,14 @@ cleanup() {
 }
 
 function handle_extensions {
+    if [ -z "$IS_CI" ]; then
+        retry 5 systemctl restart postgresql
+    else
+        CI_start_postgres
+    fi
+
+    retry 8 pg_isready -h localhost -U supabase_admin
+
     rm -f $POST_UPGRADE_EXTENSION_SCRIPT
     touch $POST_UPGRADE_EXTENSION_SCRIPT
 
@@ -178,58 +205,6 @@ EOF
     done
 }
 
-function patch_wrappers {
-    local IS_NIX_UPGRADE=$1
-
-    WRAPPERS_ENABLED=$(run_sql -A -t -c "SELECT EXISTS(SELECT 1 FROM pg_extension WHERE extname = 'wrappers');")
-    if [ "$WRAPPERS_ENABLED" = "f" ]; then
-        echo "Wrappers extension not enabled. Skipping."
-        return
-    fi
-
-    # This is a workaround for older versions of wrappers which don't have the expected
-    #  naming scheme, containing the version in their library's file name
-    #  e.g. wrappers-0.1.16.so, rather than wrappers.so
-    # pg_upgrade errors out when it doesn't find an equivalent file in the new PG version's
-    #  library directory, so we're making sure the new version has the expected (old version's)
-    #  file name.
-    # After the upgrade completes, the new version's library file is used.
-    # i.e. 
-    #  - old version: wrappers-0.1.16.so
-    #  - new version: wrappers-0.1.18.so
-    #  - workaround to make pg_upgrade happy: copy wrappers-0.1.18.so to wrappers-0.1.16.so
-    if [ "$IS_NIX_UPGRADE" = "true" ]; then
-        if [ -d "$PGLIBOLD" ]; then
-            OLD_WRAPPER_LIB_PATH=$(find "$PGLIBOLD" -name "wrappers*so" -print -quit)
-            OLD_LIB_FILE_NAME=$(basename "$OLD_WRAPPER_LIB_PATH")
-
-            find /nix/store/ -name "wrappers*so" -print0 | while read -r -d $'\0' WRAPPERS_LIB_PATH; do
-                if [ -f "$WRAPPERS_LIB_PATH" ]; then
-                    WRAPPERS_LIB_PATH_DIR=$(dirname "$WRAPPERS_LIB_PATH")
-                    if [ "$WRAPPERS_LIB_PATH" != "$WRAPPERS_LIB_PATH_DIR/${OLD_LIB_FILE_NAME}" ]; then
-                        echo "Copying $WRAPPERS_LIB_PATH to $WRAPPERS_LIB_PATH_DIR/${OLD_LIB_FILE_NAME}"
-                        cp "$WRAPPERS_LIB_PATH" "$WRAPPERS_LIB_PATH_DIR/${OLD_LIB_FILE_NAME}"
-                    fi
-                fi
-            done
-        fi
-    else
-        if [ -d "$PGLIBOLD" ]; then
-            WRAPPERS_LIB_PATH=$(find "$PGLIBNEW" -name "wrappers*so" -print -quit)
-            if [ -f "$WRAPPERS_LIB_PATH" ]; then
-                OLD_WRAPPER_LIB_PATH=$(find "$PGLIBOLD" -name "wrappers*so" -print -quit)
-                if [ -f "$OLD_WRAPPER_LIB_PATH" ]; then
-                    LIB_FILE_NAME=$(basename "$OLD_WRAPPER_LIB_PATH")
-                    if [ "$WRAPPERS_LIB_PATH" != "$PGLIBNEW/${LIB_FILE_NAME}" ]; then
-                        echo "Copying $WRAPPERS_LIB_PATH to $PGLIBNEW/${LIB_FILE_NAME}"
-                        cp "$WRAPPERS_LIB_PATH" "$PGLIBNEW/${LIB_FILE_NAME}"
-                    fi
-                fi
-            fi
-        fi
-    fi
-}
-
 function initiate_upgrade {
     mkdir -p "$MOUNT_POINT"
     SHARED_PRELOAD_LIBRARIES=$(cat "$POSTGRES_CONFIG_PATH" | grep shared_preload_libraries | sed "s/shared_preload_libraries =\s\{0,1\}'\(.*\)'.*/\1/")
@@ -406,8 +381,6 @@ function initiate_upgrade {
         export LD_LIBRARY_PATH="${PGLIBNEW}"
     fi
 
-    patch_wrappers "$IS_NIX_UPGRADE"
-
     echo "9. Creating new data directory, initializing database"
     chown -R postgres:postgres "$MOUNT_POINT/"
     rm -rf "${PGDATANEW:?}/"
@@ -470,6 +443,7 @@ EOF
     cp -R /etc/postgresql-custom/* "$MOUNT_POINT/conf/"
     # removing supautils config as to allow the latest one provided by the latest image to be used
     rm -f "$MOUNT_POINT/conf/supautils.conf" || true
+    rm -rf "$MOUNT_POINT/conf/extension-custom-scripts" || true
 
     # removing wal-g config as to allow it to be explicitly enabled on the new instance
     rm -f "$MOUNT_POINT/conf/wal-g.conf"

ansible/files/adminapi.sudoers.conf

@@ -17,6 +17,8 @@ Cmnd_Alias PGBOUNCER = /bin/systemctl start pgbouncer.service, /bin/systemctl st
 %adminapi ALL= NOPASSWD: /usr/bin/systemctl restart postgresql.service
 %adminapi ALL= NOPASSWD: /usr/bin/systemctl show -p NRestarts postgresql.service
 %adminapi ALL= NOPASSWD: /usr/bin/systemctl restart adminapi.service
+%adminapi ALL= NOPASSWD: /usr/bin/systemctl is-active commence-backup.service
+%adminapi ALL= NOPASSWD: /usr/bin/systemctl start commence-backup.service
 %adminapi ALL= NOPASSWD: /bin/systemctl daemon-reload
 %adminapi ALL= NOPASSWD: /bin/systemctl restart services.slice
 %adminapi ALL= NOPASSWD: /usr/sbin/nft -f /etc/nftables/supabase_managed.conf

ansible/files/commence-backup.service.j2

@@ -0,0 +1,12 @@
+[Unit]
+Description=Async commence physical backup
+
+[Service]
+Type=simple
+User=adminapi
+ExecStart=/usr/bin/admin-mgr commence-backup --run-as-service true
+Restart=no
+OOMScoreAdjust=-1000
+
+[Install]
+WantedBy=multi-user.target

ansible/files/envoy_config/lds.yaml

@@ -254,8 +254,13 @@ resources:
                               type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
                       - match:
                           safe_regex:
+                            google_re2:
+                              max_program_size: 150
                             regex: >-
-                              /auth/v1/(verify|callback|authorize|sso/saml/(acs|metadata|slo))
+                              /auth/v1/(verify|callback|authorize|sso/saml/(acs|metadata|slo)|\.well-known/(openid-configuration|jwks\.json))
+                        request_headers_to_remove:
+                          - apikey
+                          - sb-opk
                         route:
                           cluster: gotrue
                           regex_rewrite:
@@ -269,6 +274,9 @@ resources:
                         typed_per_filter_config: *ref_0
                       - match:
                           prefix: /auth/v1/
+                        request_headers_to_remove:
+                          - apikey
+                          - sb-opk
                         route:
                           cluster: gotrue
                           prefix_rewrite: /
@@ -280,6 +288,7 @@ resources:
                               present_match: true
                         request_headers_to_remove:
                           - apikey
+                          - sb-opk
                         route:
                           cluster: postgrest
                           prefix_rewrite: /
@@ -293,6 +302,7 @@ resources:
                           prefix: /rest/v1/
                         request_headers_to_remove:
                           - apikey
+                          - sb-opk
                         route:
                           cluster: postgrest
                           prefix_rewrite: /
@@ -309,6 +319,7 @@ resources:
                               present_match: true
                         request_headers_to_remove:
                           - apikey
+                          - sb-opk
                         route:
                           cluster: postgrest_admin
                           prefix_rewrite: /
@@ -321,6 +332,7 @@ resources:
                           prefix: /rest-admin/v1/
                         request_headers_to_remove:
                           - apikey
+                          - sb-opk
                         route:
                           cluster: postgrest_admin
                           prefix_rewrite: /
@@ -330,18 +342,25 @@ resources:
                           header:
                             key: Content-Profile
                             value: graphql_public
+                        request_headers_to_remove:
+                          - apikey
+                          - sb-opk
                         route:
                           cluster: postgrest
                           prefix_rewrite: /rpc/graphql
                           timeout: 125s
                       - match:
                           prefix: /admin/v1/
+                        request_headers_to_remove:
+                          - sb-opk
                         route:
                           cluster: admin_api
                           prefix_rewrite: /
                           timeout: 600s
                       - match:
                           prefix: /customer/v1/privileged/
+                        request_headers_to_remove:
+                          - sb-opk
                         route:
                           cluster: admin_api
                           prefix_rewrite: /privileged/
@@ -365,6 +384,8 @@ resources:
                                           treat_missing_header_as_empty: true
                       - match:
                           prefix: /metrics/aggregated
+                        request_headers_to_remove:
+                          - sb-opk
                         route:
                           cluster: admin_api
                           prefix_rewrite: /supabase-internal/metrics

ansible/files/postgresql_config/postgresql.conf.j2

@@ -688,7 +688,7 @@ default_text_search_config = 'pg_catalog.english'
 #local_preload_libraries = ''
 #session_preload_libraries = ''
 
-shared_preload_libraries = 'pg_stat_statements, pg_stat_monitor, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain, pg_tle, plan_filter'	# (change requires restart)
+shared_preload_libraries = 'pg_stat_statements, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain, pg_tle, plan_filter'	# (change requires restart)
 jit_provider = 'llvmjit'		# JIT library to use
 
 # - Other Defaults -