2016-02-26 - PgBouncer 1.7.2 - “Finally Airborne”
Fix crash on stale pidfile removal. Problem introduced in 1.7.1.
Disable cleanup - it breaks takeover and is not useful for production loads. Problem introduced in 1.7.1.
After takeover, wait until pidfile is gone before booting. Slow shutdown due to memory cleanup exposed existing race. (#113)
2016-02-18 - PgBouncer 1.7.1 - “Forward To Five Friends Or Else”
WARNING: Since version 1.7,
server_reset_query is not executed
when database is in transaction-pooling mode. Seems this was not
highlighted enough in 1.7 announcement. If your apps depend on that
server_reset_query_always to restore previous
Otherwise main work of this release was to track down TLS-related memory leak, which turned out to not exist. Instead there is libssl build in Debian/wheezy which has 600k overhead per connection (without leaking) instead expected 20-30k. Something to keep an eye on when using TLS.
TLS: Rename sslmode “disabled” to “disable” as that is what PostgreSQL uses.
client_tls_sslmode=verify-ca/-full now reject
connections without client certificate.
client_tls_sslmode=allow/require do validate client
certificate if sent. Previously they left cert validation
unconfigured so connections with client cert failed.
Fix memleak when freeing database.
Fix potential memleak in tls_handshake().
Fix EOF handling in tls_handshake().
Fix too small memset in asn1_time_parse compat.
Fix non-TLS (
Fix various issues with Windows build. (#100)
TLS: Use SSL_MODE_RELEASE_BUFFERS to decrease memory usage of inactive connections.
Clean allocated memory on exit. Helps to run memory-leak checkers.
Add TLS options to sample config.
2015-12-18 - PgBouncer 1.7 - “Colors Vary After Resurrection”
Support TLS connections. OpenSSL/LibreSSL is used as backend implementation.
Support authentication via TLS client certificate.
Support “peer” authentication on Unix sockets.
Support Host Based Access control file, like pg_hba.conf in Postgres. This allows to configure TLS for network connections and “peer” authentication for local connections.
query_wait_timeout to 120s by default. Current default
(0) causes infinite queueing, which is not useful. That means
if client has pending query and has not been assigned to server
connection, the client connection will be dropped.
server_reset_query_always by default. Now reset
query is used only in pools that are in session mode.
Increase pkt_buf to 4096 bytes. Improves performance with TLS. The behaviour is probably load-specific, but it should be safe to do as since v1.2 the packet buffers are split from connections and used lazily from pool.
Support pipelining count expected ReadyForQuery packets. This avoids releasing server too early. Fixes #52.
Improved sbuf_loopcnt logic - socket is guarateed to be reprocessed even if there are no event from socket. Required for TLS as it has it’s own buffering.
Adapt system tests to work with modern BSD and MacOS. (Eric Radman)
Remove crypt auth. It’s obsolete and not supported by PostgreSQL since 8.4.
Fix plain “–with-cares” configure option - without argument it was broken.
2015-09-03 - PgBouncer 1.6.1 - “Studio Audience Approves”
server_reset_query_always. When set,
server_reset_query use on non-session pools.
PgBouncer introduces per-pool pool_mode, but session-pooling
and transaction-pooling should not use same reset query. In
fact, transaction-pooling should not use any reset query.
It is set in 1.6.x, but will be disabled in 1.7.
[SECURITY] Remove invalid assignment of
auth_user is set and client asks non-existing
username, client will log in as
auth_user. Not good.
Skip NoticeResponce in handle_auth_response. Otherwise verbose log levels on server cause login failures.
auth_user when auth_type=any. Otherwise
logging can crash (#67).
Various portability fixes (OpenBSD, Solaris, OSX).
2015-08-01 - PgBouncer 1.6 - “Zombies of the future”
Load user password hash from postgres database. New parameters:
Pooling mode can be configured both per-database and per-user. (Cody Cutrer)
Per-database and per-user connection limits: max_db_connections and max_user_connections. (Cody Cutrer / Pavel Stehule)
Add DISABLE/ENABLE commands to prevent new connections. (William Grant)
New DNS backend: c-ares. Only DNS backend that supports all interesting features: /etc/hosts with refresh, SOA lookup, large replies (via TCP/EDNS+UDP), IPv6. It is the preferred backend now, and probably will be only backend in the future, as it’s pointless to support zoo of inadequate libraries.
SNAFU: c-ares versions <= 1.10 have bug which breaks CNAME-s support when IPv6 has been enabled. (Fixed upstream.) As a workaround, c-ares <= 1.10 is used IPv4-only. So PgBouncer will drop other backends only when c-ares >1.10 (still unreleased) has been out some time…
Show remote_pid in SHOW CLIENTS/SERVERS. Available for clients that connect over unix sockets and both tcp and unix socket server. In case of tcp-server, the pid is taken from cancel key.
Add separate config param (dns_nxdomain_ttl) for controlling negative dns caching. (Cody Cutrer)
Add the client host IP address and port to application_name. This is enabled by a config parameter application_name_add_host which defaults to ‘off’. (Andrew Dunstan)
Config files have ‘%include FILENAME’ directive to allow configuration to be split into several files. (Andrew Dunstan)
log: wrap ipv6 address with 
log: On connect to server, show local ip and port
win32: use gnu-style for long args: –foo
Allow numbers in hostname, always try to parse with inet_pton
Fix deallocate_all() in FAQ
Fix incorrect keyword in example config file (Magnus Hagander)
Allow comments (with ‘;’) in auth files. (Guillaume Aubert)
Fix spelling mistakes in log messages and comments. (Dmitriy Olshevskiy)
fix launching new connections during maintenance (Cody Cutrer)
don’t load auth file twice at boot (Cody Cutrer)
Proper invalidation for autodbs
ipv6: Set IPV6_V6ONLY on listen socket.
win32: Don’t set SO_REUSEADDR on listen socket.
Fix IPv6 address memcpy
Fix cancellation of of waiting clients. (Mathieu Fenniak)
Small bug fix, must check calloc result (Heikki Linnakangas)
Add newline at the end of the PID file (Peter Eisentraut)
Don’t allow new server connections when PAUSE
Fix ‘bad packet’ during login when header is delayed. (Michał Trojnara, Marko Kreen)
Fix errors detected by Coverty. (Euler Taveira)
Disable server_idle_timeout when server count gets below min_pool (#60) (Marko Kreen)
2015-04-09 - PgBouncer 1.5.5 - “Play Dead To Win”
2012-11-28 - PgBouncer 1.5.4 - “No Leaks, Potty-Training Successful”
DNS: Fix memory leak in getaddrinfo_a() backend.
DNS: Fix memory leak in udns backend.
DNS: Fix stats calculation.
DNS: Improve error message handling for getaddrinfo_a().
Fix win32 compile.
Fix compiler dependency support check in configure.
Few documentation fixes.
2012-09-12 - PgBouncer 1.5.3 - “Quantum Toaster”
Too long database names can lead to crash, which is remotely triggerable if autodbs are enabled.
The original checks assumed all names come from config files, thus using fatal() was fine, but when autodbs are enabled - by ‘*’ in [databases] section - the database name can come from network thus making remote shutdown possible.
max_packet_size - config parameter to tune maximum packet size that is allowed through. Default is kept same: (2G-1), but now it can be made smaller.
In case of unparseable packet header, show it in hex in log and error message.
AntiMake: it used $(relpath) and $(abspath) to manupulate pathnames, but the result was build failure when source tree path contained symlinks. The code is now changed to work on plain strings only.
console: now SET can be used to set empty string values.
config.txt: show that all timeouts can be set in floats. This is well-hidden feature introduced in 1.4.
2012-05-29 - PgBouncer 1.5.2 - “Don’t Chew, Just Swallow”
2012-04-17 - PgBouncer 1.5.1 - “Abort, Retry, Ignore?”
Allow empty string for server-side variable - this is needed to get “application_name” properly working, as it’s the only parameter that does not have server-side default.
If connect string changes, require refresh of server parameters. Previously PgBouncer continued with old parameters, which breaks in case of Postgres upgrade.
If autodb connect string changes, drop old connections.
cf_setint: Use strtol() instead atoi() to parse integer config parameters. It allows hex, octal and better error detection.
Use sigqueue() to detect union sigval existence - fixes compilation on HPUX.
Remove ‘git’ command from Makefile, it throws random errors in case of plain-tarball build.
Document stats_period parameter. This tunes the period for stats output.
Require Asciidoc >= 8.4, seems docs are not compatible with earlier versions anymore.
Stop trying to retry on EINTR from close().
2012-01-05 - PgBouncer 1.5 - “Bouncing Satisified Clients Since 2007”
If you use more than 8 IPs behind one DNS name, you now need to use EDNS0 protocol to query. Only getaddrinfo_a()/getaddrinfo() and UDNS backends support it, libevent 1.x/2.x does not. To enable it for libc, add ‘options edns0’ to /etc/resolv.conf.
GNU Make 3.81+ is required for building.
Detect DNS reply changes and invalidate connections to IPs no longer present in latest reply. (Petr Jelinek)
DNS zone serial based hostname invalidation. When option dns_zone_check_period is set, all DNS zones will be queried for SOA, and when serial has changed, all hostnames will be queried. This is needed to get deterministic connection invalidation, because invalidation on lookup is useless when no lookups are performed. Works only with new UDNS backend.
New SHOW DNS_HOSTS, SHOW DNS_ZONES commands to examine DNS cache.
New param: min_pool_size - avoids dropping all connections when there is no load. (Filip Rembiałkowski)
idle_in_transaction_timeout - kill transaction if idle too long. Not set by default.
New libudns backend for DNS lookups. More featureful than evdns. Use –with-udns to activate. Does not work with IPv6 yet.
KILL command, to immediately kill all connections for one database. (Michael Tharp)
Move to Antimake build system to have better looking Makefiles. Now GNU Make 3.81+ is required for building.
DNS now works with IPv6 hostnames.
Don’t change connection state when NOTIFY arrives from server.
Various documentation fixes. (Dan McGee)
Console: Support ident quoting with “”. Originally we did not have any commands that took database names, so no quoting was needed.
Console: allow numbers at the stard of word regex. Trying to use strict parser makes things too complex here.
Don’t expire auto DBs that are paused. (Michael Tharp)
Create auto databases as needed when doing PAUSE. (Michael Tharp)
Fix wrong log message issued by RESUME command. (Peter Eisentraut)
When user= without password= is in database connect string, password will be taken from userlist.
Parse ‘*’ properly in takeover code.
autogen.sh: work with older autoconf/automake.
Fix run-as-service crash on win32 due to bad basename() from mingw/msvc runtime. Now compat basename() is always used.
2011-06-16 - PgBouncer 1.4.2 - “Strike-First Algorithm”
Affected OS-es: *BSD, Solaris, Win32.
Give CFLAGS to linker. Needed when using pthread-based getaddrinfo_a() fallback.
lib/find_modules.sh: Replace split() with index()+substr(). This should make it work with older AWKs.
<usual/endian.h>: Ignore system htoX/Xtoh defines. There may be only subset of macros defined.
<usual/signal.h>: Separate compat sigval from compat sigevent
<usual/socket.h>: Include <sys/uio.h> to get iovec
<usual/time.h>: Better function autodetection on win32
<usual/base_win32.h>: Remove duplicate sigval/sigevent declaration
2011-04-01 - PgBouncer 1.4.1 - “It Was All An Act”
Support listening/connect for IPv6 addresses. (Hannu Krosing)
Multiple listen addresses in ‘listen_addr’. For each getaddrinfo() is called, so names can also be used.
console: Send PgBouncer version as ‘server_version’ to client.
Disable getaddrinfo_a() on glibc < 2.9 as it crashes on older versions.
Notable affected OS’es: RHEL/CentOS 5.x (glibc 2.5), Ubuntu 8.04 (glibc 2.7). Also Debian/lenny (glibc 2.7) which has non-crashing getaddrinfo_a() but we have no good way to detect it.
Please use libevent 2.x on such OS’es, fallback getaddrinfo_a() is not meant for production systems. And read new ‘DNS lookup support’ section in README to see how DNS backend is picked.
(Hubert Depesz Lubaczewski, Dominique Hermsdorff, David Sommerseth)
Default to –enable-evdns if libevent 2.x is used.
Turn on tcp_keepalive by default, as that’s what Postgres also does. (Hubert Depesz Lubaczewski)
Set default server_reset_query to DISCARD ALL to be compatible with Postgres by default.
win32: Fix crashes with NULL unix socket addr. (Hiroshi Saito)
Fix autodb cleanup: old cleanup code was mixing up databases and pools: as soon as one empty pool was found, the database was tagged as ‘idle’, potentially later killing database with active users.
Reported-By: Hubert Depesz Lubaczewski
Make compat getaddrinfo_a() non-blocking, by using single parallel thread to do lookups.
Enable pthread compilation if compat getaddrinfo_a is used.
release_server missed setting ->last_lifetime_disconnect on lifetime disconnect. (Emmanuel Courreges)
win32: fix auth file on DOS line endings - load_file() did not take account of file shringage when loading. (Rich Schaaf)
<usual/endian.h>: add autoconf detection for enc/dec functions so it would not create conflicts on BSD. (James Pye)
Don’t crash when config file does not exist. (Lou Picciano)
Don’t crash on DNS lookup failure when logging on noise level (-v -v). (Hubert Depesz Lubaczewski, Dominique Hermsdorff)
Use backticks instead of $(cmd) in find_modules.sh to make it more portable. (Lou Picciano)
Use ‘awk’ instead of ‘sed’ in find_modules.sh to make it more portable. (Giorgio Valoti)
Log active async DNS backend info on startup.
Fix –disable-evdns to mean ‘no’ instead ‘yes’.
Mention in docs that -R requires unix_socket_dir.
Discuss server_reset_query in faq.txt.
Restore lost memset in slab allocator
Various minor portability fixes in libusual.
2011-01-11 - PgBouncer 1.4 - “Gore Code”
Async DNS lookup - instead of resolving hostnames at reload time, the names are now resolved at connect time, with configurable caching. (See dns_max_ttl parameter.)
By default it uses getaddrinfo_a() (glibc) as backend, if it does not exist, then getaddrinfo_a() is emulated via blocking(!) getaddrinfo().
When –enable-evdns argument to configure, libevent’s evdns is used as backend. It is not used by default, because libevent 1.3/1.4 contain buggy implementation. Only evdns in libevent 2.0 seems OK.
New config var: syslog_ident, to tune syslog name.
Proper support for
application_name startup parameter.
Command line long options (Guillaume Lelarge)
Solaris portability fixes (Hubert Depesz Lubaczewski)
New config var: disable_pqexec. Highly-paranoid environments can disable Simple Query Protocol with that. Requires apps that use only Extended Query Protocol.
Postgres compat: if database name is empty in startup packet, use user name as database.
DateStyle and TimeZone server params need to use exact case.
Console: send datetime, timezone and stdstr server params to client.
Use libusual library for low-level utility functions.
Remove fixed-length limit from server params.
2010-09-09 - PgBouncer 1.3.4 - “Bouncer is always right”
Apply fast-fail logic at connect time. So if server is failing, the clients get error when connecting.
Don’t tag automatically generated databases for checking on reload time, otherwise they get killed, because they don’t exist in config.
Ignore application_name parameter by default. This avoids the need for all Postgres 9.0 users to add it into ignore_startup_parameters= themselves.
Correct pg_auth quoting. ‘’ is not used there.
Better error reporting on console, show incoming query to user.
Support OS’es (OpenBSD) where tv_sec is not time_t.
Avoid too noisy warnings on gcc 4.5.
2010-05-10 - PgBouncer 1.3.3 - “NSFW”
Make listen(2) argument configurable: listen_backlog. This is useful on OS’es, where system max allowed is configurable.
Improve disconnect messages to show what username or dbname caused login to fail.
Move fast-fail relaunch logic around. Old one was annoying in case of permanently broken databases or users, by trying to retry even if there is no clients who want to login.
Make logging functions keep old errno, otherwise pgbouncer may act funny on higher loglevels and logging problems.
Increase the size of various startup-related buffers to handle EDB more noisy startup.
Detect V2 protocol startup request and give clear reason for disconnect.
2010-03-15 - PgBouncer 1.3.2 - “Boomerang Bullet”
New config var ‘query_wait_timeout’. If client does not get server connection in this many seconds, it will be killed.
If no server connection in pool and last connect failed, then don’t put client connections on hold but send error immediately.
This together with previous fix avoids unnecessary stalls if a database has gone down.
Track libevent state in sbuf.c to avoid double event_del(). Although it usually is safe, it does not seem to work 100%. Now we should always know whether it has been called or not.
Disable maintenance during SUSPEND. Otherwise with short timeouts the old bouncer could close few connections after sending them over.
Apply client_login_timeout to clients waiting for welcome packet (first server connection). Otherwise they can stay waiting infinitely, unless there is query_timeout set.
win32: Add switch -U/-P to -regservice to let user pick account to run service under. Old automatic choice between Local Service and Local System was not reliable enough.
console: Remove 0 from end of text columns. It was hard to notice, as C clients were fine with it.
Documentation improvements. (Greg Sabino Mullane)
Clarify few login-related log messages.
Change logging level for pooler-sent errors (usually on disconnect) from INFO to WARNING, as they signify problems.
Change log message for query_timeout to “query timeout”.
2009-07-06 - PgBouncer 1.3.1 - “Now fully conforming to NSA monitoring requirements”
Fix problem with sbuf_loopcnt which could make connections hang. If query or result length is nearby of multiple of (pktlen*sbuf_loopcnt) [10k by default], it could stay waiting for more data which will not appear.
Make database reconfigure immediate. Currently old connections could be reused after SIGHUP.
Fix SHOW DATABASES which was broken due to column addition.
Console access was disabled when “auth_mode=any” as pgbouncer dropped username. Fix: if “auth_mode=any”, allow any user to console as admin.
Fix bad CUSTOM_ALIGN macro. Luckily it’s unused if OS already defines ALIGN macro thus seems the bug has not happened in wild.
win32: call WSAStartup() always, not only in daemon mode as config parsing wants to resolve hosts.
win32: put quotes around config filename in service cmdline to allow spaces in paths. Executable path does not seem to need it due to some win32 magic.
Add STATS to SHOW HELP text.
doc/usage.txt: the time units in console results are in microseconds, not milliseconds.
2009-02-18 - PgBouncer 1.3 - “New Ki-Smash Finishing Move”
IANA has assigned port 6432 to be official port for PgBouncer. Thus the default port number has changed to 6432. Existing individual users do not need to change, but if you distribute packages of PgBouncer, please change the package default to official port.
Dynamic database creation (David Galoyan)
Now you can define database with name “*”. If defined, it’s connect string will be used for all undefined databases. Useful mostly for test / dev environments.
Windows support (Hiroshi Saito)
PgBouncer runs on Windows 2000+ now. Command line usage stays same, except it cannot run as daemon and cannot do online reboot. To run as service, define parameter service_name in config. Then:
> pgbouncer.exe config.ini -regservice > net start SERVICE_NAME
To stop and unregister:
> net stop SERVICE_NAME > pgbouncer.exe config.ini -unregservice
To use Windows Event Log, event DLL needs to be registered first:
> regsrv32 pgbevent.dll
Afterwards you can set “syslog = 1” in config.
Database names in config file can now be quoted with standard SQL ident quoting, to allow non-standard characters in db names.
New tunables: ‘reserve_pool_size’ and ‘reserve_pool_timeout’. In case there are clients in pool that have waited more that ‘reserve_pool_timeout’ seconds, ‘reserve_pool_size’ specifies the number of connections that can be added to pool. It can also set per-pool with ‘reserve_pool’ connection variable.
New tunable ‘sbuf_loopcnt’ to limit time spent on one socket.
In some situations - eg SMP server, local Postgres and fast network -pgbouncer can run recv()->send() loop many times without blocking on either side. But that means other connections will stall for a long time. To make processing more fair, limit the times of doing recv()->send() one socket. If count reaches limit, just proceed processing other sockets. The processing for that socket will resume on next event loop.
Thanks to Alexander Schöcke for report and testing.
crypt() authentication is now optional, as it was removed from Postgres. If OS does not provide it, pgbouncer works fine without it.
Add milliseconds to log timestamps.
Replace old MD5 implementation with more compact one.
Update ISC licence with the FSF clarification.
In case event_del() reports failure, just proceed with cleanup. Previously pgbouncer retried it, in case the failure was due ENOMEM. But this has caused log floods with inifinite repeats, so it seems libevent does not like it.
Why event_del() report failure first time is still mystery.
–enable-debug now just toggles whether debug info is stripped from binary. It no longer plays with -fomit-frame-pointer as it’s dangerous.
Fix include order, as otherwise system includes could come before internal ones. Was problem for new md5.h include file.
Include COPYRIGHT file in .tgz…
2008-08-08 - PgBouncer 1.2.3 - “Carefully Selected Bytes”
Thanks to Devrim GÜNDÜZ and Bjoern Metzdorf for problem reports and testing.
2008-08-06 - PgBouncer 1.2.2 - “Barf-bag Included”
2008-08-04 - PgBouncer 1.2.1 - “Waterproof”
2008-07-29 - PgBouncer 1.2 - “Ordinary Magic Flute”
PgBouncer 1.2 now requires libevent version 1.3b or newer. Older libevent versions crash with new restart code.
Command line option (-u) and config parameter (user=) to support user switching at startup. Also now pgbouncer refuses to run as root.
More descriptive usage text (-h). (Jacob Coby)
New database option: connect_query to allow run a query on new connections before they are taken into use.
New config var ‘ignore_startup_parameters’ to allow and ignore extra parameters in startup packet. By default only ‘database’ and ‘user’ are allowed, all others raise error. This is needed to tolerate overenthusiastic JDBC wanting to unconditionally set ‘extra_float_digits=2’ in startup packet.
Logging to syslog: new parameters syslog=0/1 and syslog_facility=daemon/user/local0.
Less scary online restart (-R)
Move FD loading before fork, so it logs to console and can be canceled by ^C
Keep SHUTDOWN after fork, so ^C would be safe
A connect() is attempted to unix socket to see if anyone is listening. Now -R can be used even when no previous process was running. If there is previous process, but -R is not used, startup fails.
New console commands:
SHOW TOTALS that shows stats summary (as goes to log) plus mem usage.
SHOW ACTIVE_SOCKETS - like show sockets; but filter only active ones.
Less visible features
suspend_timeout - drop stalled conns and long logins. This brings additional safety to reboot.
When remote database throws error on logging in, notify clients.
Removing a database from config and reloading works - all connections are killed and the database is removed.
Fake some parameters on console SHOW/SET commands to be more Postgres-like. That was needed to allow psycopg to connect to console. (client_encoding/default_transaction_isolation/datestyle/timezone)
Make server_lifetime=0 disconnect server connection immediately after first use. Previously “0” made PgBouncer ignore server age. As this behavior was undocumented, there should not be any users depending on it.
Packet buffers are allocated lazily and reused. This should bring huge decrease in memory usage. This also makes realistic to use big pktbuf with lot of connections.
Lot’s of error handling improvements, PgBouncer should now survive OOM situations gracefully.
Use slab allocator for memory management.
Lots of code cleanups.
2007-12-10 - PgBouncer 1.1.2 - “The Hammer”
Online upgrade 1.0 -> 1.1 problems:
1.0 does not track server parameters, so they stay NULL but 1.1 did not expect it and crashed.
If server params are unknown, but client ones are set, then issue a SET for them, instead complaining.
Remove temp debug statements that were accidentally left in code on INFO level, so they polluted logs.
2007-10-26 - PgBouncer 1.1.1 - “Breakdancing Bee”
Server parameter cache could stay uninitialized, which caused unnecessary SET of them. This caused problem on 8.1 which does not allow touching standard_conforming_strings. (Thanks to Dimitri Fontaine for report & testing.)
Some doc fixes.
Include doc/fixman.py in .tgz.
2007-10-09 - PgBouncer 1.1 - “Mad-Hat Toolbox”
Keep track of following server parameters:
client_encoding datestyle, timezone, standard_conforming_strings
Database connect string enhancements:
2007-06-18 - PgBouncer 1.0.8 - “Undead Shovel Jutsu”
2007-04-19 - PgBouncer 1.0.7 - “With Vitamin A-Z”
2007-04-12 - PgBouncer 1.0.6 - “Daily Dose”
2007-04-11 - PgBouncer 1.0.5 - “Enough for today”
2007-04-11 - PgBouncer 1.0.4 - “Last ‘last’ bug”
2007-04-11 - PgBouncer 1.0.3 - “Fearless Fork”
2007-03-28 - PgBouncer 1.0.2 - “Supersonic Spoon”
2007-03-15 - PgBouncer 1.0.1 - “Alien technology”
2007-03-13 - PgBouncer 1.0 - “Tuunitud bemm”