Add new static_primary config option

In essence, this configuration option will ensure that a static
single-node Patroni cluster does not demote the master (the one member
of the cluster) unnecessarily.

Transient failures to update the leader lock in the DCS will not cause a
demotion when running with static_single_node=True.

When running as leader under normal circumstances, DCS exceptions will
not cause a demotion when running with `static_primary=thisNode`.

Even if replicas are added to the Patroni cluster, Patroni will
be able to protect itself from entering into unsafe states by checking
the value of static_primary. If the configured static_primary is not the
host node, then the replica will refuse to progress to postmaster boot.

.github/workflows/tests.yaml

@@ -15,6 +15,8 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu, windows, macos]
+    env:
+      PYTHONWARNINGS: ignore
 
     steps:
     - uses: actions/checkout@v1

docs/ENVIRONMENT.rst

@@ -11,6 +11,7 @@ Global/Universal
 -  **PATRONI\_NAME**: name of the node where the current instance of Patroni is running. Must be unique for the cluster.
 -  **PATRONI\_NAMESPACE**: path within the configuration store where Patroni will keep information about the cluster. Default value: "/service"
 -  **PATRONI\_SCOPE**: cluster name
+-  **PATRONI\_STATIC\_PRIMARY**: enables a few optimizations to ensure that a cluster configured with a static primary will not unnecessarily demote the cluster primary. This is useful for cases where a cluster is running as a single-node cluster. When this value is configured in the DCS, replicas will refuse to boot until the config value is removed.
 
 Log
 ---

docs/SETTINGS.rst

@@ -18,7 +18,8 @@ Dynamic configuration is stored in the DCS (Distributed Configuration Store) and
 -  **maximum\_lag\_on\_syncnode**: the maximum bytes a synchronous follower may lag before it is considered as an unhealthy candidate and swapped by healthy asynchronous follower. Patroni utilize the max replica lsn if there is more than one follower, otherwise it will use leader's current wal lsn. Default is -1, Patroni will not take action to swap synchronous unhealthy follower when the value is set to 0 or below. Please set the value high enough so Patroni won't swap synchrounous follower fequently during high transaction volume.
 -  **max\_timelines\_history**: maximum number of timeline history items kept in DCS.  Default value: 0. When set to 0, it keeps the full history in DCS.
 -  **master\_start\_timeout**: the amount of time a master is allowed to recover from failures before failover is triggered (in seconds). Default is 300 seconds. When set to 0 failover is done immediately after a crash is detected if possible. When using asynchronous replication a failover can cause lost transactions. Worst case failover time for master failure is: loop\_wait + master\_start\_timeout + loop\_wait, unless master\_start\_timeout is zero, in which case it's just loop\_wait. Set the value according to your durability/availability tradeoff.
-- **master\_stop\_timeout**: The number of seconds Patroni is allowed to wait when stopping Postgres and effective only when synchronous_mode is enabled. When set to > 0 and the synchronous_mode is enabled, Patroni sends SIGKILL to the postmaster if the stop operation is running for more than the value set by master_stop_timeout. Set the value according to your durability/availability tradeoff. If the parameter is not set or set <= 0, master_stop_timeout does not apply.
+-  **master\_stop\_timeout**: the number of seconds Patroni is allowed to wait when stopping Postgres and effective only when synchronous_mode is enabled. When set to > 0 and the synchronous_mode is enabled, Patroni sends SIGKILL to the postmaster if the stop operation is running for more than the value set by master_stop_timeout. Set the value according to your durability/availability tradeoff. If the parameter is not set or set <= 0, master_stop_timeout does not apply.
+-  **static\_primary**: enables a few optimizations to ensure that a cluster configured with a static primary will not unnecessarily demote the cluster primary. This is useful for cases where a cluster is running as a single-node cluster. When this value is configured in the DCS, replicas will refuse to boot until the config value is removed.
 -  **synchronous\_mode**: turns on synchronous replication mode. In this mode a replica will be chosen as synchronous and only the latest leader and synchronous replica are able to participate in leader election. Synchronous mode makes sure that successfully committed transactions will not be lost at failover, at the cost of losing availability for writes when Patroni cannot ensure transaction durability. See :ref:`replication modes documentation <replication_modes>` for details.
 -  **synchronous\_mode\_strict**: prevents disabling synchronous replication if no synchronous replicas are available, blocking all client writes to the master. See :ref:`replication modes documentation <replication_modes>` for details.
 -  **postgresql**:
@@ -182,7 +183,7 @@ ZooKeeper
 -  **key**: (optional) File with the client key.
 -  **key_password**: (optional) The client key password.
 -  **verify**: (optional) Whether to verify certificate or not. Defaults to ``true``.
--  **set_acls**: (optional) If set, configure Kazoo to apply a default ACL to each ZNode that it creates. ACLs will assume 'x509' schema and should be specified as a dictionary with the principal as the key and one or more permissions as a list in the value.  Permissions may be one of ``CREATE``, ``READ``, ``WRITE``, ``DELETE`` or ``ADMIN``.  For example, ``set_acls: {CN=principal1: [CREATE, READ], CN=principal2: [ALL]}``. 
+-  **set_acls**: (optional) If set, configure Kazoo to apply a default ACL to each ZNode that it creates. ACLs will assume 'x509' schema and should be specified as a dictionary with the principal as the key and one or more permissions as a list in the value.  Permissions may be one of ``CREATE``, ``READ``, ``WRITE``, ``DELETE`` or ``ADMIN``.  For example, ``set_acls: {CN=principal1: [CREATE, READ], CN=principal2: [ALL]}``.
 
 .. note::
     It is required to install ``kazoo>=2.6.0`` to support SSL.

docs/releases.rst

@@ -3,6 +3,15 @@
 Release notes
 =============
 
+Version 2.2.0
+-------------
+
+**New features**
+
+- Added support for ``static_primary`` configuration (Anthony Dodd)
+
+  This can be configured using the ``static_primary=<name>`` config value, which enables a few optimizations to ensure that a cluster configured with a static primary will not unnecessarily demote the cluster primary. This is useful for cases where a cluster is running as a single-node cluster. When this value is configured in the DCS, replicas will refuse to boot until the config value is removed.
+
 Version 2.1.3
 -------------
 
@@ -1036,7 +1045,7 @@ Version 1.6.1
 
 - Kill all children along with the callback process before starting the new one (Alexander Kukushkin)
 
-  Not doing so makes it hard to implement callbacks in bash and eventually can lead to the situation when two callbacks are running at the same time. 
+  Not doing so makes it hard to implement callbacks in bash and eventually can lead to the situation when two callbacks are running at the same time.
 
 - Fix 'start failed' issue (Alexander Kukushkin)
 

patroni/config.py

@@ -65,6 +65,7 @@ class Config(object):
         'check_timeline': False,
         'master_start_timeout': 300,
         'master_stop_timeout': 0,
+        'static_primary': None,
         'synchronous_mode': False,
         'synchronous_mode_strict': False,
         'synchronous_node_count': 1,
@@ -234,7 +235,7 @@ def _safe_copy_dynamic_configuration(self, dynamic_configuration):
                     if name in self.__DEFAULT_CONFIG['standby_cluster']:
                         config['standby_cluster'][name] = deepcopy(value)
             elif name in config:  # only variables present in __DEFAULT_CONFIG allowed to be overridden from DCS
-                if name in ('synchronous_mode', 'synchronous_mode_strict'):
+                if name in ('synchronous_mode', 'synchronous_mode_strict', 'static_primary'):
                     config[name] = value
                 else:
                     config[name] = int(value)
@@ -247,7 +248,7 @@ def _build_environment_configuration():
         def _popenv(name):
             return os.environ.pop(PATRONI_ENV_PREFIX + name.upper(), None)
 
-        for param in ('name', 'namespace', 'scope'):
+        for param in ('name', 'namespace', 'scope', 'static_primary'):
             value = _popenv(param)
             if value:
                 ret[param] = value
@@ -428,6 +429,10 @@ def _build_effective_configuration(self, dynamic_configuration, local_configurat
         if 'name' not in config and 'name' in pg_config:
             config['name'] = pg_config['name']
 
+        # if 'static_primary' not in config and 'static_primary' in local_configuration
+        if 'static_primary' in local_configuration:
+            config['static_primary'] = local_configuration['static_primary']
+
         updated_fields = (
             'name',
             'scope',

patroni/ha.py

@@ -128,6 +128,19 @@ def is_leader(self):
         with self._is_leader_lock:
             return self._is_leader > time.time()
 
+    def is_static_primary(self):
+        """Check if this node is configured as the static primary of the cluster."""
+        static_primary = self.patroni.config.get('static_primary')
+        name = self.patroni.config.get('name')
+        if static_primary is None or name is None:
+            return False
+        return static_primary == name
+
+    def is_static_primary_configured(self):
+        """Check if the Patroni cluster has been configured with a static primary."""
+        static_primary = self.patroni.config.get('static_primary')
+        return static_primary is not None
+
     def set_is_leader(self, value):
         with self._is_leader_lock:
             self._is_leader = time.time() + self.dcs.ttl if value else 0
@@ -689,7 +702,9 @@ def _is_healthiest_node(self, members, check_replication_lag=True):
     def is_failover_possible(self, members, check_synchronous=True, cluster_lsn=None):
         ret = False
         cluster_timeline = self.cluster.timeline
-        members = [m for m in members if m.name != self.state_handler.name and not m.nofailover and m.api_url]
+        is_static_primary = self.is_static_primary()
+        members = [m for m in members if m.name != self.state_handler.name \
+                   and not m.nofailover and m.api_url and not is_static_primary]
         if check_synchronous and self.is_synchronous_mode():
             members = [m for m in members if self.cluster.sync.matches(m.name)]
         if members:
@@ -966,7 +981,6 @@ def process_manual_failover_from_leader(self):
 
     def process_unhealthy_cluster(self):
         """Cluster has no leader key"""
-
         if self.is_healthiest_node():
             if self.acquire_lock():
                 failover = self.cluster.failover
@@ -991,6 +1005,9 @@ def process_unhealthy_cluster(self):
                         'promoted self to leader by acquiring session lock'
                     )
             else:
+                if self.is_static_primary():
+                    return 'no action as cluster is in static single node config mode'
+
                 return self.follow('demoted self after trying and failing to obtain lock',
                                    'following new leader after trying and failing to obtain lock')
         else:
@@ -1003,6 +1020,8 @@ def process_unhealthy_cluster(self):
             if self.patroni.nofailover:
                 return self.follow('demoting self because I am not allowed to become master',
                                    'following a different leader because I am not allowed to promote')
+            if self.is_static_primary():
+                return 'no action as cluster is in static single node config mode'
             return self.follow('demoting self because i am not the healthiest node',
                                'following a different leader because i am not the healthiest node')
 
@@ -1043,6 +1062,9 @@ def process_healthy_cluster(self):
                 if self.state_handler.is_leader():
                     if self.is_paused():
                         return 'continue to run as master after failing to update leader lock in DCS'
+                    if self.is_static_primary():
+                        return 'continue to run as master after failing to update leader lock in DCS \
+                                due to static_primary config'
                     self.demote('immediate-nolock')
                     return 'demoted self because failed to update leader lock in DCS'
                 else:
@@ -1346,6 +1368,12 @@ def _run_cycle(self):
                 self.state_handler.reset_cluster_info_state(None, self.patroni.nofailover)
                 raise
 
+            # If the cluster has been configured with a static primary,
+            # and we are not that primary, then do not proceed.
+            if self.is_static_primary_configured() and not self.is_static_primary():
+                return 'patroni cluster is configured with a static primary, \
+                        and this node is not the primary, refusing to start'
+
             if self.is_paused():
                 self.watchdog.disable()
                 self._was_paused = True
@@ -1487,7 +1515,8 @@ def _run_cycle(self):
         except DCSError:
             dcs_failed = True
             logger.error('Error communicating with DCS')
-            if not self.is_paused() and self.state_handler.is_running() and self.state_handler.is_leader():
+            if not self.is_paused() and self.state_handler.is_running() \
+                and self.state_handler.is_leader() and not self.is_static_primary():
                 self.demote('offline')
                 return 'demoted self because DCS is not accessible and i was a leader'
             return 'DCS is not accessible'

patroni/validator.py

@@ -313,6 +313,7 @@ def assert_(condition, message="Wrong value"):
 
 schema = Schema({
   "name": str,
+  Optional("static_primary"): str,
   "scope": str,
   "restapi": {
     "listen": validate_host_port_listen,

patroni/version.py

@@ -1 +1 @@
-__version__ = '2.1.3'
+__version__ = '2.2.0'

tests/test_config.py

@@ -31,6 +31,7 @@ def test_reload_local_configuration(self):
             'PATRONI_LOGLEVEL': 'ERROR',
             'PATRONI_LOG_LOGGERS': 'patroni.postmaster: WARNING, urllib3: DEBUG',
             'PATRONI_LOG_FILE_NUM': '5',
+            'PATRONI_STATIC_PRIMARY': 'postgres0',
             'PATRONI_RESTAPI_USERNAME': 'username',
             'PATRONI_RESTAPI_PASSWORD': 'password',
             'PATRONI_RESTAPI_LISTEN': '0.0.0.0:8008',