proxysql

Commit Graph

Author	SHA1	Message	Date
Rene Cannao	6d8dff2939	docs(chassis): mark query-hook ABI scaffold-state explicit + add TODO markers The chassis ABI 2 query-hook surface (ProxySQL_PluginQueryHookPayload / Result / Action plus register_query_hook / dispatch_configured_plugin_ query_hook) is wired through ProxySQL_PluginManager and exercised end- to-end by unit tests. But the production data plane never calls proxysql_dispatch_configured_plugin_query_hook — neither MySQL_Session nor PgSQL_Session has the integration point. Net effect today: a plugin can register a query hook successfully and unit tests can drive dispatch through it, but a real client query arriving over MySQL or PgSQL will never consult the hook. The DENY contract from the public ABI ("DENY prevents a query from dispatching") is currently a promise the production path doesn't keep. # Why scaffold-state instead of immediate full integration Wiring the dispatch into MySQL_Session::handler___status_WAITING_ CLIENT_DATA___STATE_SLEEP___MYSQL_COM_QUERY_qpo (and the COM_STMT_ PREPARE / COM_STMT_EXECUTE entries that share the qpo machinery) is mechanical but touches a 95k-LOC hot-path file. A bug in the integration would manifest as a query-blocking regression that's hard to debug and easy to ship. Same for PgSQL_Session. The integration deserves its own focused PR with TAP coverage that exercises both ALLOW and DENY paths against a fake plugin — not a side-quest in this PR which is already large. # What this commit does 1. Updates the ABI doc block in include/ProxySQL_Plugin.h to call out the scaffold state explicitly. A plugin author reading the header today would reasonably assume the hook fires in production; that assumption is wrong, and the doc block now says so. References the precise grep target ("TODO(plugin-query-hook)") that points at the missing injection sites. 2. Adds two TODO(plugin-query-hook) markers to MySQL_Session.cpp: - line ~3387 (COM_STMT_PREPARE → COM_QUERY shared codepath) - line ~5403 (the main COM_QUERY execution path) Each immediately follows the GloMyQPro->process_query call, where CurrentQuery is populated and the dispatch payload would be ready. 3. Adds one TODO(plugin-query-hook) marker to PgSQL_Session.cpp at line ~2387, following the GloPgQPro->process_query call. # What this commit deliberately does NOT do The actual dispatch wiring. The next person picking this up has: - A precise injection site (3 in MySQL, 1+ in PgSQL). - Pre-built ABI surface (proxysql_has_configured_plugin_query_hook for the lock-free fast-path probe; proxysql_dispatch_configured_ plugin_query_hook for the actual hook invocation under shared lock). - Existing test_helpers/fake_plugin.cpp with a HOOK_DENY env toggle that exercises the dispatch path under unit test today — extensible to TAP integration tests once the production wiring lands. Caught by an external review pass, finding #5. Filing as a deferred fix with explicit scaffold acknowledgement rather than rushing the integration.	3 weeks ago
Rene Cannao	e535a66ee1	fix(mysqlx): enforce per-user require_tls and allowed_auth_methods Two MysqlxResolvedIdentity fields were loaded from runtime_mysqlx_users into the in-memory store but never consulted by the auth path: identity_->require_tls // per-user "must be over TLS" identity_->allowed_auth_methods // per-user mechanism whitelist Net effect: - require_tls=1 did not reject MYSQL41-over-plaintext. Operators setting this column expected a hardening guarantee they did not actually get; an attacker bypassing TLS could still authenticate via MYSQL41 (which is challenge-response over plaintext, but leaks the user's full SHA1(SHA1(pw)) on a passive eavesdrop and is replayable for the duration of the auth_challenge_). - allowed_auth_methods='MYSQL41' did not reject PLAIN attempts (and vice versa). Operators expected to be able to lock down a user to a specific mechanism; the column was decorative. # Fix New helper MysqlxSession::enforce_identity_policy() called from both auth resolution sites (handle_auth_plain at line ~539, handler_auth_ challenge_sent at line ~664) immediately after identity_ resolves and before credential verification. It: - rejects with 1045 "User requires a TLS connection" when identity_->require_tls && !client_ds_.is_encrypted(). - rejects with 1045 "Authentication mechanism not allowed for user" when identity_->allowed_auth_methods is non-empty and auth_method_ is not in the comma-separated list (case- insensitive, whitespace-trimmed). Empty allowed_auth_methods preserves the historical "any wired method" default so existing rows don't require a backfill — the column already defaulted to '' in the table DDL. # What this commit does NOT cover backend_auth_mode is the third field in the same review finding (reviewer's #2). It's partially implemented today by side-effect: the backend_username being non-empty selects the service_account codepath, empty selects mapped. The pass_through mode would require forwarding the frontend AuthStart frame unmodified to the backend and is not implemented; it remains TBD pending issue #5693 (asymmetric TLS / AsClient) which has overlapping protocol-shape concerns. This commit deliberately scopes to the two policy checks that are unambiguously broken; backend_auth_mode pass_through gets its own commit when #5693 lands. # Verified 21 / 21 mysqlx unit tests still green. Caught by an external review pass, finding #2.	3 weeks ago
Rene Cannao	4e32f44196	fix(mysqlx): backend TLS honors endpoint use_ssl flag mysqlx_backend_endpoints.use_ssl is documented as forcing TLS on the proxy↔backend connection regardless of frontend TLS state. The flag was loaded into MysqlxBackendEndpoint at install_endpoints_from_admin time (mysqlx_config_store.cpp::load_endpoint_overrides applies the override on top of runtime_mysql_servers), but resolve_backend_target then copied only hostname and mysqlx_port into the session's per- target fields. The use_ssl flag was silently dropped. Backend TLS at line 1186 was gated only on client_ds_.is_encrypted() — frontend state. So: - plaintext client + endpoint use_ssl=1 → backend was plaintext (BUG) - TLS client + endpoint use_ssl=0 → backend was TLS (BUG, less severe — the client opted into TLS but the operator chose not to) The operator's intent (`mysqlx_backend_endpoints.use_ssl`) was simply not honored. # Fix Capture ep.use_ssl into a new target_use_ssl_ session field at resolve_backend_target. Reset it to false alongside target_address_/ target_port_ in the existing two reset paths. At the backend-auth setup site, gate the SSL_CTX install on `target_use_ssl_ \|\| client_ds_.is_encrypted()`. Both signals independently force backend TLS: - target_use_ssl_ is the operator-mandated posture (network-zone / compliance / cert-pinning concerns). - client_ds_.is_encrypted() is the existing "match what the client did" heuristic. The two are AND-required together would have been wrong (operators mandating backend TLS shouldn't have plaintext clients defeat it); the OR is the right combination. # Out of scope - Asymmetric TLS / AsClient mode where the proxy mirrors the client's choice on the backend with no operator override is tracked separately in #5693. - TLS passthrough (forward raw TLS records without decryption) is #5692. - The full multi-mode mysqlx_tls_backend_mode (DISABLED, PREFERRED, REQUIRED, AS_CLIENT) is also #5693 — this commit just stops the silent drop of the per-endpoint flag, restoring the documented behaviour. Other modes remain TBD. # Verified 21 / 21 mysqlx unit tests still green. Caught by an external review pass, finding #3.	3 weeks ago
Rene Cannao	bd49725a6e	fix(mysqlx): pool reuse decision must precede reset() Mysqlx_Thread::return_connection_to_cache called conn->reset() before deciding whether to keep the connection. MysqlxConnection::reset() unconditionally sets in_transaction_=false, has_prepared_stmt_=false, reusable_=true, then returns. Net effect: - A session that called set_has_prepared_statement(true) on its backend (mysqlx_session.cpp:762, the PREPARE_PREPARE handler) had that signal wiped seconds later when return_backend_to_pool ran. The pool then handed the same backend — still holding the prepared statement — to the next session that asked for a backend with matching {hostgroup, user, schema}. The next session would see "ER_UNKNOWN_STMT_HANDLER" or worse, a misrouted execute. - The dead-socket paths (handler_waiting_server_msg lines 884-895 after EOF or read error, handler_session_reset_waiting lines 945-951) all called return_backend_to_pool() unconditionally. reset() didn't mark the connection dead, so a closed fd ended up in the cache. The next checkout would hit ECONNRESET / EBADF on its first read. # Fix 1. Reorder: return_connection_to_cache now consults is_reusable() FIRST. If false, delete; only if true do we reset() and cache. 2. Tighten is_reusable() with state-machine disqualifiers that catch failure paths callers might have forgotten to translate into set_reusable(false): state_ == ERROR_STATE / CLOSED and auth_state_ == BACKEND_AUTH_ERROR. The previous version checked only in_transaction_ and has_prepared_stmt_ as soft disqualifiers plus the reusable_ flag. 3. Mark backend_conn_->set_reusable(false) explicitly at every dead-socket call site in MysqlxSession (lines that previously just called return_backend_to_pool when the backend fd was -1 or read_from_net returned 0 / -1). Belt-and-suspenders: even if a future is_reusable() refactor narrows the state-based check, the explicit caller signal still correctly disqualifies dead sockets. # Why is_reusable doesn't check fd_<0 Several unit-test fixtures construct MysqlxConnection objects with fd_=-1 placeholders (e.g. test_backend_reset_clears_auth, test_ connection_multiplexing). Adding fd_<0 to is_reusable would have broken those tests without catching any production path that the state checks don't already cover — production set_reusable(false) calls + state_ updates on the failure paths are the right source of truth for "this connection cannot be reused." # Verified 21 / 21 mysqlx unit tests still green, including the connection- multiplexing and pool-reuse fixtures that would surface a regression in is_reusable() shape. Caught by an external review pass, finding #1.	3 weeks ago
Rene Cannao	9c84ae4550	fix(mysqlx): clear data-stream revents after handler runs process_all_sessions() in plugins/mysqlx/src/mysqlx_thread.cpp:252 gates handler() invocation on whether a poll event has landed: short c_rev = sess->client_ds().get_revents(); short s_rev = sess->server_ds().get_revents(); bool fd_ready = (c_rev != 0) \|\| (s_rev != 0); if (fd_ready \|\| buffered \|\| sess->to_process) { sess->to_process = true; rc = sess->handler(); } The intent of this gate (per the inline comment immediately above) is "only invoke handler() when there is real work — forcing to_process on every tick burned the CPU at large session counts." But there was no code path that cleared the per-stream revents_ field after handler() consumed the event. The only existing reset is MysqlxDataStream::reset() (full stream tear- down). So once a session received one POLLIN, the same revents bitmask stayed set for the rest of its life: every poll cycle would re-enter handler() and hit EAGAIN, defeating the entire CPU-saving change. The hot loop scaled with session count. Fix: set_revents(0) on both streams immediately after handler returns. The next iteration only fires on a fresh poll event (or buffered work / explicit to_process), which is what the inline comment promised. Caught by an external review pass, finding #4. Verified locally: 21/21 mysqlx unit tests still green, including mysqlx_concurrent_unit-t (the 20-client burst that originally caught the listener O_NONBLOCK regression — would also surface here if the readiness clear introduced a stall).	3 weeks ago
Rene Cannao	f08206a2f9	build(plugins/mysqlx): mirror top-level feature-tier cascade A standalone `make -C plugins/mysqlx PROXYSQLGENAI=1` previously set only -DPROXYSQLGENAI; PROXYSQL40, PROXYSQL31, PROXYSQLFFTO, PROXYSQLTSDB all stayed unset because the four `ifeq ($(PROXYSQL_X),1)` blocks were independent. The resulting .so saw a different ProxySQL_PluginServices / ProxySQL_PluginDescriptor layout than libproxysql.a (which set every flag via the top-level cascade), and the chassis loader then read past the end of the plugin's static descriptor. The Makefile comment already warned about this and asked the caller to export every flag. CI works because workflow YAMLs list all five explicitly. The footgun was the standalone path. Mirror the top-level Makefile's cascade ladder before the per-flag -DPROXYSQL_X assignments: PROXYSQLGENAI=1 ⇒ PROXYSQL40=1 ⇒ PROXYSQL31=1 ⇒ PROXYSQLFFTO=1 + PROXYSQLTSDB=1 Now `make -C plugins/mysqlx PROXYSQLGENAI=1` produces the right five-flag set, matching the top-level build. Caught by an external review pass, finding #6.	3 weeks ago
René Cannaò	aa4a078988	Merge pull request #5700 from sysown/fix/test-mysqlx-plugin-load-phase-b fix(test): test_mysqlx_plugin_load-t needs Phase B between load and init	3 weeks ago
Rene Cannao	7de1ae3dcd	test(mysqlx): address PR-#5700 review feedback Two reviewers flagged the same area in the previous commit (ec0c5... oh wait wrong sha — `eebfbde2b`). Both findings legitimate and applied. # CodeRabbit nitpick: BAIL_OUT on Phase B failure If invoke_register_schemas_phase() returns false, every subsequent assertion in this test depends on tables(kind) state populated by Phase B. They would all spuriously fail as "not ok" and obscure the root cause (the same logic the existing load() guard already uses on line 41 — bail on the prerequisite, don't drown the operator in downstream noise). # Gemini: capture return value explicitly + drop redundant err.clear() Verified Gemini's claim by reading lib/ProxySQL_PluginManager.cpp: - invoke_register_schemas_phase clears err at line 417 (entry). - init_all clears err at line 489 (entry). So the previous commit's err.clear() between the two calls was dead code; removing it. And since reading err after a successful return is meaningless (it's empty by contract), the success/failure check should go through the bool return, not err.empty(). Matches the load() pattern at line 37 ("const bool loaded = mgr.load(...)") for consistency. # Verified locally $ ./test_mysqlx_plugin_load-t 1..7 ok 1 - load mysqlx plugin succeeds ok 2 - invoke_register_schemas_phase registers mysqlx schema ok 3 - init_all completes after schema registration ok 4 - mysqlx_users registered in admin_db ok 5 - mysqlx_users registered in config_db ok 6 - mysqlx_users admin schema includes allowed_auth_methods ok 7 - mysqlx_users config schema includes backend_auth_mode	3 weeks ago
Rene Cannao	eebfbde2b3	fix(test): test_mysqlx_plugin_load-t needs Phase B between load and init Pre-existing test bug surfaced by CI-unit-tests-asan-coverage on plugin-chassis (run 25202654334, head `bb199c6c`). 4 of 6 assertions failed: not ok 3 - mysqlx_users registered in admin_db not ok 4 - mysqlx_users registered in config_db not ok 5 - mysqlx_users admin schema includes allowed_auth_methods not ok 6 - mysqlx_users config schema includes backend_auth_mode Root cause: the mysqlx plugin (ABI 2+) registers its admin tables in register_schemas() — Phase B of the four-phase lifecycle — not in init() / Phase D. The test only does load() + init_all(), skipping Phase B entirely, so mgr.tables(admin_db) and mgr.tables(config_db) return empty vectors and find_table() returns nullptr for every table-existence assertion. The test was written before the four-phase lifecycle was finalised; when mysqlx_register_admin_schema moved into Phase B (the Phase B mysqlx_register_schemas wraps it; init_all() no longer touches the admin-table-registration path), this test was not updated. # Fix Insert mgr.invoke_register_schemas_phase(err) between load() and init_all(). For ABI-1 plugins that don't declare register_schemas the call is a no-op (returns true with err empty). The plan goes from 6 to 7 to cover the new assertion. Verified locally: $ ./test_mysqlx_plugin_load-t 1..7 ok 1 - load mysqlx plugin succeeds ok 2 - invoke_register_schemas_phase registers mysqlx schema ok 3 - init_all completes after schema registration ok 4 - mysqlx_users registered in admin_db ok 5 - mysqlx_users registered in config_db ok 6 - mysqlx_users admin schema includes allowed_auth_methods ok 7 - mysqlx_users config schema includes backend_auth_mode # Why now This wasn't caught earlier because the same plugin-load assertions were partially covered by sibling tests (test_mysqlx_admin_tables-t, plugin_manager_unit-t) that drove the full Phase A→B→D lifecycle. test_mysqlx_plugin_load-t was the only test with the load+init-only shortcut. CI-unit-tests-asan-coverage on plugin-chassis is the specific job that runs every *-t binary in test/tap/tests/unit (the file lives in test/tap/tests/, not unit/, but groups.json registers it with @proxysql_min_version:4.0 so the chassis gates are right).	3 weeks ago
René Cannaò	bb199c6cdd	Merge pull request #5690 from sysown/docs/plugin-chassis-abi3-update docs(plugin-chassis): align FILE_CHANGES/ABI/REVIEW_GUIDE/PLUGIN_API with PR #5688	3 weeks ago
Rene Cannao	29ee30daf9	docs(plugin-chassis): address PR-#5690 review feedback CodeRabbit + Gemini review pass surfaced four small doc-precision items, all legitimate. None were code bugs. # CodeRabbit (markdownlint nit) - doc/PLUGIN_API.md:455: fenced code block at "DISK ↔ MEMORY ↔ RUNTIME" lacked a language specifier. Added `text` to satisfy MD040 / fenced-code-language. # Gemini (3x same root: clarify the matching algorithm) The chassis dispatch matcher is case-insensitive whole-identifier substring match, but three docs described it loosely. Plugin authors deciding what table name to register need to know that runtime_X does not match runtime_X_extra or stats_runtime_X. - doc/PLUGIN_API.md:289 ("any admin SELECT against it") -> spell out the whole-identifier rule with the longer-prefix / longer-suffix rejection examples. - doc/plugin-chassis/ABI.md:156 ("appears in the SQL") -> "is referenced as a whole identifier in the SQL query (case-insensitive; identifier-aware, so runtime_X_extra or stats_runtime_X do not match runtime_X)". - doc/plugin-chassis/FILE_CHANGES.md:102 ("substring match") -> "case-insensitive whole-identifier substring match", matching the precise wording already used in section B for the sql_references_table_ci helper. Cross-section consistency. No source code touched. No new content sections, only existing prose tightened.	3 weeks ago
Rene Cannao	ef32d9df87	ci: register plugin_runtime_views_unit-t in groups.json Lint failure surfaced on PR #5690's CI run (job 73893199128) — the chassis runtime-view test added in PR #5688 was never registered in test/tap/groups/groups.json, and check_groups.py treats any unlisted TAP source as a lint error. Same group entry as the sibling plugin-chassis tests (plugin_dispatch _unit-t, plugin_manager_unit-t, etc.): "plugin_runtime_views_unit-t" : [ "unit-tests-g1","@proxysql_min_version:4.0" ] unit-tests-g1 is the standard host-only TAP group (no docker backend required); the @proxysql_min_version:4.0 attribute keeps it from running against pre-chassis builds. Trivial fix that belongs on the same PR as the doc updates because the lint failure is what surfaces on every PR opened against plugin-chassis until this lands.	3 weeks ago
Rene Cannao	64e7334297	docs(plugin-chassis): align FILE_CHANGES/ABI/REVIEW_GUIDE/PLUGIN_API with PR #5688 The four chassis docs still described the pre-fix architecture: - ABI version 2 (now 3 — register_runtime_view appended at services tail) - MysqlxConfigStore::load_from_runtime (removed; replaced by per-entity install/save/project triplets) - copy_table / copy_to_runtime as the LOAD/SAVE shovels (deleted) - Listener reconciler reading runtime_mysqlx_routes (now reads MysqlxConfigStore::snapshot_active_routes) - "Three-tier" disk/memory/runtime model with the empty-source-sync invariant applied uniformly (the runtime tier was wrong; runtime_<X> is now an admin-side projection of module state, not a tier; the invariant only applies to disk-tier copies) - Plugin-context layout listing a non-existent MysqlxStatsStore Updates per file (no source code touched): - FILE_CHANGES.md §A: PROXYSQL_PLUGIN_ABI_VERSION 2 → 3, services list gains register_runtime_view, ProxySQL_PluginRuntimeView struct documented, separation-of-duties contract spelled out. §B: PluginManager methods list gains register_runtime_view, refresh_runtime_views_for_query; service trampolines list gains register_runtime_view_service; sql_references_table_ci whole-identifier match described; services_phase_b_ wiring of register_runtime_view explained. §C: new pre-SELECT runtime-view dispatch site in GenericRefreshStatistics described — gated on if (admin), OUTSIDE the if (refresh==true) block, so any admin-port query gets the chassis dispatcher fired. §H: mysqlx_start() no longer does runtime sync; describes the four install_<X>_from_admin calls in their place. §I: copy_table removed from the description; new LOAD/SAVE callbacks calling MysqlxConfigStore install/save APIs; four refresh_<X>_runtime_view callbacks registered via services.register_runtime_view(). §J: MysqlxConfigStore reframed as the canonical source of truth (runtime_mysqlx_<X> are projections of it). API list replaced load_from_runtime with the four install/save/ project triplets, install_all_from_admin (test convenience), snapshot_active_routes, and MysqlxBackendEndpointOverride. §K: listener reconciler reads MysqlxConfigStore directly via snapshot_active_routes(); inline rationale notes why we must NOT read runtime_mysqlx_routes (empty between LOAD calls under the new architecture). - ABI.md: services availability matrix gains register_runtime_view (live in Phase B and D); current-ABI block 3/3; §5 retitled "Separation of duties" with the new contract; disk-tier exception keeps the empty-source-sync invariant. - REVIEW_GUIDE.md: ABI-surface bullets updated; mysqlx phase descriptions updated to point at install_*_from_admin / runtime-view projections / snapshot_active_routes-driven reconciler. - PLUGIN_API.md: descriptor table updated for ABI 3; services struct snippet shows the ABI-2 and ABI-3 tail extensions; new register_runtime_view callback section with the contract; "Three-Tier" section retitled "Separation of duties", clarifies that runtime_<X> is an admin-side projection (not a persistent tier) and the empty-source-sync invariant applies only to disk- tier copies; alias-handling note corrected. The only surviving "ABI version 2" mention is in PLUGIN_API.md line 46 ("plugins that declare ABI version 2 or higher") — that is a correct version-or-higher predicate, not a stale reference.	3 weeks ago
René Cannaò	f1587cf5c2	Merge pull request #5688 : Admin/module separation for mysqlx runtime tables (issue #5687 ) fix(mysqlx): Admin/module separation for runtime config tables	4 weeks ago
Rene Cannao	af270316b9	docs(mysqlx): correct ABI version, mysqlx_variables list, start() flow Doc-accuracy review pass found three substantive lies in README.md / ARCHITECTURE.md the previous doc rewrite missed. # ABI version Both README §13 and ARCHITECTURE §1 stated "ProxySQL Plugin ABI version 1". The plugin descriptor in mysqlx_plugin.cpp has used PROXYSQL_PLUGIN_ABI_VERSION since chassis introduction; that macro is now 3 (descriptor ABI 2 four-phase lifecycle + ABI-3 register_runtime_view services field). Updated both files to call the right number with a one-liner on what each ABI bump added. # mysqlx_variables list README §3.1 listed eight variables: mysqlx_thread_pool_size, mysqlx_connect_timeout, mysqlx_tls_mode, mysqlx_tls_cert, mysqlx_tls_key, mysqlx_tls_ca, mysqlx_tls_backend_mode, and mysqlx_max_cached_connections_per_thread. Only the four canonical scalars are wired through MysqlxConfigStore — load_variables() in mysqlx_config_store.cpp matches against four exact names and silently ignores everything else; save_variables_to_admin_table DELETEs the entire table and re-inserts only the four. So the TLS-related entries the README told operators to set are accepted into the table by the CHECK constraints, never read by LOAD, and deleted by the next SAVE. §8.2 example was equally misleading: it instructed operators to UPDATE mysqlx_tls_cert / mysqlx_tls_key paths and run LOAD MYSQLX VARIABLES TO RUNTIME, which is a silent no-op. Trim the §3.1 table to the four wired variables, add a paragraph explaining that other variable_name values are silently ignored by LOAD and deleted by SAVE, and trim §8.2 to the one TLS-related variable that actually round-trips (mysqlx_tls_mode). # start() flow README §2.3 step 6 said "The plugin's start() function loads configuration from runtime tables, ...". After the architectural fix mysqlx_start() syncs disk → memory for the editable mysqlx_* tables, then drives the four install__from_admin calls (each SELECTing the editable table plus the relevant cross-module runtime_mysql_ projection). Updated to spell out the actual flow. # Smaller corrections ARCHITECTURE §3.5 listed a "MysqlxStatsStore" in the plugin context — there is no such struct. Replaced with the actual context members. ARCHITECTURE §3.6 listed runtime_mysql_users as the only cross-module dependency for installs; install_endpoints also reads runtime_mysql_servers — added that.	4 weeks ago
Rene Cannao	becbf09ffa	fix(mysqlx): plugin_descriptor visibility + admin_tables test + dead decl Three issues code-review caught. # Plugin-descriptor visibility plugins/mysqlx/Makefile builds the .so with -fvisibility=hidden. The loader resolves proxysql_plugin_descriptor_v1 via dlsym(); without an explicit visibility-default override on this single exported function, the symbol stays hidden and ProxySQL_PluginManager::load() fails with "undefined symbol: proxysql_plugin_descriptor_v1". Add the __attribute__((visibility("default"))) override so the .so exports exactly one symbol — the descriptor entry point — and no others. Latent regression unblocked here (test_mysqlx_plugin_load-t was also affected). # test_mysqlx_admin_tables-t.cpp rewrite This integration-style TAP test (registered as unit-tests-g1, @proxysql_min_version:4.0) used to assert on runtime_mysqlx_<X> contents after each LOAD/SAVE call: mgr.dispatch_admin_command(ctx, "LOAD MYSQLX USERS TO RUNTIME", result); ok(admin_db.return_one_int("SELECT COUNT(*) FROM runtime_mysqlx_users") == 1, ...); Under the new architecture, LOAD updates MysqlxConfigStore and never writes runtime_mysqlx_users. The runtime view is repopulated only via the chassis pre-SELECT hook in ProxySQL_Admin::GenericRefreshStatistics — a path the test bypasses by reaching admin_db directly. The test also seeded only mysqlx_users without seeding runtime_mysql_users, so the cross-module-join in install_users_from_admin would silently drop every user. And the SAVE-after-modifying-runtime tests were asserting on a no-op (SAVE no longer reads runtime_mysqlx_users). Rewrite: - LOAD assertions now go via rows_affected from the callback and DELETE editable + SAVE roundtrip to confirm the in-memory store really held the rows. If SAVE re-materialises the rows the operator deleted from the editable table, they came from the store — exactly the contract LOAD is meant to install. - Cross-module canonical tables seeded explicitly: helper seed_canonical_tables creates runtime_mysql_users + runtime_mysql_servers via the canonical ADMIN_SQLITE_RUNTIME_MYSQL_USERS / ADMIN_SQLITE_TABLE_RUNTIME _MYSQL_SERVERS DDL. - SAVE-after-runtime-mutation tests (lines 263+) rewritten: instead of "modify runtime_mysqlx_users, then SAVE, expect change in mysqlx_users", they affirmatively assert the new contract — runtime-view edits do NOT propagate to mysqlx_users on SAVE. - backend_auth_mode values normalised to canonical enum values (service_account, pass_through, mapped) since mysqlx_backend_auth_mode_from_string collapses unknowns to `mapped` and would have hidden any round-trip bug otherwise. 45 / 0 asserts after rewrite. # Dead declaration MysqlxConfigStore::rebuild_hostgroup_endpoints_locked() declared in the header but never defined or called. Drop it. Code review found this in the same pass.	4 weeks ago
Rene Cannao	90e888e1d0	fix(chassis): runtime-view dispatch fires unconditionally on admin Doc-accuracy review found that proxysql_refresh_configured_plugin_ runtime_views was unreachable for plugin-registered tables. The call was placed inside if (refresh==true) { // ProxySQL_Admin.cpp:1637 ... if (admin) { // existing core runtime_* refreshes proxysql_refresh_configured_plugin_runtime_views(...) } } `refresh` only gets set to true by hardcoded substring matches against core's own table names (lines 1358-1634: runtime_mysql_users, runtime_mysql_servers, runtime_mysql_query_rules, etc.). None of those substrings match runtime_mysqlx_* (or any other plugin- registered view), so on a bare SELECT * FROM runtime_mysqlx_users the gate was false, my dispatch was skipped, the table was empty (or stale from a previous query that DID match a core substring), and the SELECT returned wrong data. The whole "on-demand projection" mechanism the previous commits documented was broken for the entry case. Issue #5687 / PR #5688. The fix is one-line structurally: hoist the dispatch out of the `if (refresh==true)` block and place it right after the substring- detection section, gated only on `if (admin)`. The chassis dispatcher itself (refresh_runtime_views_for_query in ProxySQL_PluginManager.cpp) already does its own per-view substring match against query_no_space, so a query that touches no registered view is a cheap no-op (one shared lock + N substring scans, N == registered-view count). Calling unconditionally on every admin query is therefore both correct and cheap. Test: new plugin_runtime_views_unit-t (20 ok asserts) drives ProxySQL_PluginManager::register_runtime_view + refresh_runtime_views_for_query directly. Covers: - register_runtime_view rejects null callback / empty name / case-insensitive duplicate. - Per-query dispatch fan-out: only matching callbacks fire, join queries fire all referenced views, unrelated queries fire nothing, case-insensitive match works, backtick-quoted identifiers match. - Whole-identifier boundary: longer-suffix overlap (runtime_ mysqlx_users_extra), left-prefix overlap (stats_runtime_ mysqlx_users), embedded-in-string-literal — none falsely match. Boundary cases (start of string, end of string) do match. This is the test the PR-#5688 review pass identified as the chassis- hook coverage gap. Builds standalone (no fake-plugin loader needed) since it drives the manager directly.	4 weeks ago
Rene Cannao	b4127156ed	fix(mysqlx): listener reconciler reads MysqlxConfigStore, not runtime view Code-review finding on PR #5688. mysqlx_reconcile_listeners_impl in plugins/mysqlx/src/mysqlx_listener_reconcile.cpp was still issuing a SELECT against runtime_mysqlx_routes to build its desired route set: SELECT name, bind FROM runtime_mysqlx_routes WHERE active=1 After the previous commit decoupled module state from the runtime_mysqlx_<X> projection, that table is empty until an admin SELECT triggers the projection callback. The reconciler runs from two non-admin paths: - mysqlx_plugin.cpp::mysqlx_start() at process startup, after install_routes_from_admin populates the store - load_routes_to_runtime() admin command, after install_routes_from_admin populates the store Both paths fire BEFORE any admin SELECT has projected the runtime view, so the reconciler would see ZERO desired routes. Net effect in production: no mysqlx listeners bind on startup, and LOAD MYSQLX ROUTES TO RUNTIME silently removes any listeners that were already mapped (the reconciler treats every mapped route as "no longer desired"). The unit tests didn't catch this because the weak symbol mysqlx_reconcile_listeners is null in unit-test binaries (the listener-reconcile pure variant is the one tested, and previously it was reading a pre-populated SQLite table). # Fix Read the desired route set from MysqlxConfigStore directly via a new public method: std::vector<std::pair<std::string,std::string>> MysqlxConfigStore::snapshot_active_routes() const It returns a (name, bind) pair for every active route under a shared lock. The reconciler consumes the snapshot the same way the previous SQL-driven version consumed result rows. The pure variant signature changes from void mysqlx_reconcile_listeners_impl(SQLite3DB& admindb, ...) to void mysqlx_reconcile_listeners_impl(const MysqlxConfigStore&, ...) which both restores the function's "no global state" purity (it no longer needs to reach into mysqlx_context() and never has) and makes the data-flow obvious: the store is the input. The strong weak-symbol entry mysqlx_reconcile_listeners(SQLite3DB&) is unchanged externally — it still takes admindb (now ignored, kept for ABI stability) and grabs the store from mysqlx_context() internally. Doc comment on the weak hook in include/mysqlx_plugin.h updated to describe the new data flow and to spell out explicitly why we do NOT read runtime_mysqlx_routes. # Test updates The two robustness tests that exercise the reconciler (test_listener_reconciliation, test_listener_reconciliation_bind_ change) used to set up a SQLite admindb with runtime_mysqlx_routes rows. They now construct a MysqlxConfigStore directly and populate it via install_for_test() — a smaller, more honest fixture that matches what the reconciler actually consumes. Note: MysqlxConfigStore is non-copyable/non-movable, so the bind-change test installs into two stack-local stores back-to- back via a helper lambda rather than rebuilding by value. # Status - All 21 mysqlx unit tests still green (646 ok, 0 not_ok). - Listener reconciler now sees the right state in both startup and LOAD MYSQLX ROUTES TO RUNTIME paths. Closes the BLOCKER from the PR #5688 review. Other concerns the review surfaced were all dismissed as not-bugs (ABI 1/2/3 loader compat, sql_references_table_ci whole-identifier match, lock ordering, sqlite_quote correctness, save semantics matching the canonical pattern).	4 weeks ago
Rene Cannao	e678d101a0	docs(mysqlx): rewrite architecture/README for module-owned runtime state Both files described the OLD model — runtime_mysqlx_<X> tables as persistent admin-side mirrors, MysqlxConfigStore::load_from_runtime as the canonical reload, copy_table as the LOAD/SAVE mechanism. None of that is true after the architectural fix on this branch. # ARCHITECTURE.md changes - §3.6 mysqlx_config_store row: Responsibility cell now identifies the store as the canonical source of truth and runtime_mysqlx_* as projections. Key methods cell lists the four install__from_admin / save__to_admin_table / project__to_ runtime_view triplets in place of the removed load_from_runtime. Thread-safety cell updated to match. - §3.8 mysqlx_admin_schema row: describes direct interaction with MysqlxConfigStore (no SQLite-to-SQLite copies) and the four refresh_<X>_runtime_view callbacks registered via the chassis services.register_runtime_view(). - §10.2 Admin Command Flow: replaced the single copy_table flow diagram with three flows (LOAD, runtime-view refresh on SELECT, SAVE). Added §10.2.5 explicitly contrasting the new model with the old "authoritative SQLite mirror" model so a reader who skimmed the old docs knows which mental model to discard. - §11 Thread Model: the call graph shows sync_disk_to_memory plus the four install_<X>_from_admin calls instead of the removed single load_from_runtime(). Startup prose updated. # README.md changes - §4.2 / §4.4 / §4.6: section titles changed from "Runtime Table" to "Runtime View"; bodies rewritten to describe the on-demand projection mechanism, with explicit "LOAD never writes / SAVE never reads" notes. - §4.7 (NEW): dedicated runtime_mysqlx_variables section so the documentation surface is symmetric across all four entities. Old §4.7/§4.8 stats sections renumbered to §4.8/§4.9. - §6.3 Dual-Mode Identity Resolution: corrected a stale claim that a user existing only in mysql_users (no mysqlx_users row) could still authenticate with default X Protocol settings. install_users_from_admin explicitly drops canonical-only users from the store; the doc now reflects that. # Intentional historical reference ARCHITECTURE.md §10.2.5 still names the obsolete identifiers (load_from_runtime, copy_table, "INSERT INTO runtime_mysqlx_users SELECT FROM mysqlx_users") — that paragraph is exactly the "what to unlearn" anchor for readers who internalized the old docs. README.md §4.2 still shows the literal SQL the projection callback emits (DELETE FROM ... INSERT INTO ...), which is the concrete mechanism description rather than a description of the old wrong path.	4 weeks ago
Rene Cannao	e5353ac922	test(mysqlx): update unit fixtures for module-owned runtime state The four config-store / route-store unit tests, plus mysqlx_admin_commands_unit-t, used to set up SQLite fixtures by inserting directly into runtime_mysqlx_<X> tables and calling MysqlxConfigStore::load_from_runtime(db, err). With the canonical separation in the previous commit, install__from_admin reads the editable mysqlx_<X> tables, so the fixtures had to move accordingly. Mechanical changes: CREATE TABLE runtime_mysqlx_<X> -> CREATE TABLE mysqlx_<X> INSERT INTO runtime_mysqlx_<X> -> INSERT INTO mysqlx_<X> store.load_from_runtime(db, err) -> store.install_all_from_admin(db, err) + add `comment` column to the editable DDLs (install__from_admin SELECTs comment). The cross-module dependencies (runtime_mysql_users, runtime_mysql_servers) stay unchanged in the fixtures: those are admin's projection of OTHER modules' runtime state, exactly what the mysqlx install path SELECTs from. Three semantic adjustments (not just renames): - mysqlx_config_store_pure: a few tests previously asserted that a canonical-only user (present in runtime_mysql_users, no row in mysqlx_users) showed up in identities_. The new install_users_from_admin drops those — a user with no x_enabled flag has no path to authenticate via X anyway. Assertions adjusted to reflect the dropped row. - mysqlx_admin_commands: the LOAD callback rows_affected now reports the active editable-table row count (was the runtime-table row count); the SAVE VARIABLES callback always writes the four canonical variables (was whatever happened to be in runtime_mysqlx_variables). Assertions updated. - mysqlx_admin_commands also adds explicit project_users_to_ runtime_view() calls before assertions that read runtime_mysqlx_ users contents — those assertions are exercising the projection, so they need the projection to actually run, since outside admin the chassis isn't there to fire it. Result: 21 / 21 mysqlx unit tests green (646 ok asserts, 0 not_ok), including 5/5 stable runs of mysqlx_concurrent_unit-t (the listener O_NONBLOCK regression guard from earlier in this PR series).	4 weeks ago
Rene Cannao	9da7300afe	fix(mysqlx): Admin/module separation for runtime config tables Previously, plugin-chassis stored authoritative mysqlx runtime state inside admin-db tables (runtime_mysqlx_users / _routes / _backend_ endpoints / _variables). LOAD/SAVE commands shuffled rows between mysqlx_<X> and runtime_mysqlx_<X> via plain INSERT ... SELECT, and MysqlxConfigStore::load_from_runtime read the runtime_<X> tables back out into its in-memory map. The data lived in three places (editable mysqlx_<X>, persistent runtime_mysqlx_<X>, in-memory store) with no detection of skew between them. Issue #5687. The canonical pattern (mysql_users / GloMyAuth / runtime_mysql_users in lib/ProxySQL_Admin.cpp::__refresh_users / save_mysql_users_runtime _to_database) keeps Admin and the module strictly separated: Admin owns the editable configuration table and provides a runtime_<X> view of module state Module owns runtime state in its own data structures runtime_<X> is rebuilt on demand from module state, not persistent storage This commit restructures the mysqlx plugin to match. # MysqlxConfigStore: per-entity install / save / project triplets Replaces the monolithic load_from_runtime() with three independent operations per entity (users / routes / endpoints / variables): install_<X>_from_admin(db, err) LOAD <X> TO RUNTIME path. SELECT the editable mysqlx_<X> table (and the cross-module runtime_mysql_users / runtime_mysql_servers projections where applicable), build a new local representation, atomically swap into the in-memory store under the store's mutex. save_<X>_to_admin_table(db) SAVE <X> [FROM RUNTIME] TO MEMORY path. Mirror save_mysql_ users_runtime_to_database(false): mark all rows in mysqlx_<X> inactive, then upsert the live store contents with active=1. Inactive rows the operator deactivated but didn't delete are preserved. project_<X>_to_runtime_view(db) Runtime-view refresh path invoked by the chassis before any admin SELECT touches runtime_mysqlx_<X>. Mirror save_mysql_ users_runtime_to_database(true): DELETE the projected table, then INSERT live store contents. install_all_from_admin() is a convenience wrapper that runs all four in sequence; production code calls the per-entity methods so each LOAD command only touches its own slice of state, and unit tests have a single entry point that exercises the whole pipeline. # MysqlxConfigStore data-model additions - MysqlxResolvedIdentity gains `comment` (preserved through round- trip; the canonical mysql_users path also preserves comments). - MysqlxRoute gains `comment` for the same reason. - New public MysqlxBackendEndpointOverride struct (replaces the file-local MysqlxEndpointOverride that used to be in the .cpp). - New endpoint_overrides_ map: per-(hostname,mysql_port) overrides preserved verbatim across LOAD calls so SAVE can round-trip and so the runtime-view projection can faithfully reflect what was loaded. Previously these overrides were dropped after being folded into hostgroup_endpoints_. # Plugin: register_runtime_view + rewritten LOAD/SAVE callbacks In mysqlx_admin_schema.cpp: - Removes copy_table() and reload_config_store(); they were the INSERT...SELECT shovel between editable and runtime tables that encoded the architectural mistake. - Each load_<X>_to_runtime callback now calls install_<X>_from_ admin(ctx.admindb, err) and never touches runtime_mysqlx_<X>. - Each save_<X>_from_runtime callback now calls save_<X>_to_admin_ table(ctx.admindb) and never reads runtime_mysqlx_<X>. - rows_affected on LOAD now reports the active row count in the editable table (the source); on SAVE it reports the row count in the editable table after the dump (the destination). - Adds four refresh_<X>_runtime_view free functions and registers them via services.register_runtime_view() during schema registration. The chassis invokes these before any admin SELECT against the projected table. In mysqlx_plugin.cpp::mysqlx_start(): - Drops copy_to_runtime() entirely (the old "copy editable mysqlx_<X> to runtime_mysqlx_<X> at startup" step that no longer has a purpose). - Replaces the single load_from_runtime call with the four install_<X>_from_admin calls so a failure in one entity is surfaced individually in the log. - Keeps sync_disk_to_memory() unchanged. Disk-tier persistence is legitimate admin behaviour; only the runtime-tier copy was wrong. # Net effect at the SQL level - INSERT INTO runtime_mysqlx_<X> ... no longer happens on any LOAD or SAVE. The only writes to runtime_mysqlx_<X> are the on-demand projections, triggered by the chassis pre-SELECT refresh path. - SELECT FROM runtime_mysqlx_<X> always reflects current MysqlxConfigStore state, even if the operator never ran LOAD since the last edit to mysqlx_<X>. - mysqlx_<X> remains the editable table the operator writes to. The bug-stay-out-of-runtime contract documented in include/ProxySQL_Plugin.h (the rewritten doc block) now matches what this plugin actually does.	4 weeks ago
Rene Cannao	f42c3ee1ab	feat(chassis): add register_runtime_view ABI for module-owned state Plugins that declare admin-side runtime views of their own in-memory state need a way to register a projection callback the chassis can invoke when admin SELECTs against the registered table. Without this hook, the only way for a plugin to surface its runtime state to admin operators was to persist a duplicate copy of the data into admin_db, which violates the separation of duties between Admin (owns configuration tables and views) and the module (owns runtime state). Refs #5687. ABI surface (in include/ProxySQL_Plugin.h): - struct ProxySQL_PluginRuntimeView { table_name, refresh, opaque } - new services.register_runtime_view callback - bumps PROXYSQL_PLUGIN_ABI_VERSION to 3 The new field is appended at the end of ProxySQL_PluginServices, so ABI-2 plugins keep working — they neither set nor read past the previous layout. ABI 3 plugins set abi_version=3 and use the new field. Loader accepts ABI 1, 2, and 3. Plumbing (in lib/ProxySQL_PluginManager.cpp): - register_runtime_view_service() free fn wires through to the manager's runtime_views_ vector - ProxySQL_PluginManager::register_runtime_view() rejects empty table names, null callbacks, and duplicate registrations - sql_references_table_ci() does whole-identifier substring match, so a SELECT on `runtime_mysqlx_users` doesn't fire the refresh for `runtime_mysqlx_users_extra` if both ever coexist - refresh_runtime_views_for_query() iterates registered views and invokes the matching refresh callbacks - proxysql_refresh_configured_plugin_runtime_views() is the Admin-callable wrapper that takes the manager shared lock Admin-handler integration (in lib/ProxySQL_Admin.cpp): - the existing pre-SELECT refresh block (where runtime_mysql_users triggers save_mysql_users_runtime_to_database(true), etc.) now also calls proxysql_refresh_configured_plugin_runtime_views(). This is the SAME refresh point the canonical core tables use, so plugin views are guaranteed to refresh before the admin query actually executes against admindb. Doc block at the bottom of ProxySQL_Plugin.h rewritten to spell out the separation-of-duties contract explicitly, replacing the previous "copy_table guidance" that incorrectly endorsed plugins persisting their runtime state to admin_db tables. This commit is the foundation only — no plugin uses the new API yet. The follow-up commits convert the mysqlx plugin's four entity pairs (users / routes / endpoints / variables) to the canonical pattern.	4 weeks ago
Rene Cannao	e68f72cf99	test(mysqlx): add diag logging + fix broken plan/schema in unit tests Two related changes to all mysqlx__unit-t.cpp files. # 1. Diagnostic logging across all 21 mysqlx unit tests Before this commit none of the mysqlx unit tests emitted any output beyond raw TAP `ok N`/`not ok N` lines. When CI-unit-tests-asan- coverage hung mid-run on plugin-chassis (run 25021206900), the per- test log file showed `ok 1 ... ok 6` and then nothing for ~110 minutes until the workflow's 120-minute timeout killed the job. We could not even tell which* test was hung — the bash loop in the workflow only logs `PASS:`/`FAIL:` after a binary exits. Each binary now does: - `setvbuf(stdout, nullptr, _IOLBF, 0)` as the first statement of main(). Without this, when CI redirects stdout to a file the default block-buffered mode swallows any output that hasn't filled a 4KB-ish buffer — including diag lines emitted just before a blocking syscall. Line-buffering means each `\n`-terminated diag is flushed before the syscall, so a hang has 1-line-resolution attribution in the log. - `diag("=== <filename> starting ===")` right after `plan(...)`, so the log always has at least one line proving the binary loaded and reached main() (rules out crashes during static init). - `diag(">>> %s", __func__)` at the top of every `static void test_()` subtest function called from main(), so a hang or assertion failure points at the responsible subtest. - In `mysqlx_concurrent_unit-t`, additional checkpoint diags inside `test_concurrent_handshakes` ("starting Mysqlx_Thread", "spawning N clients", "all clients spawned, joining", ..., "thr.stop() returned") since the surrounding test was the one that actually hung in CI; this gives a 7-checkpoint resolution within the body. This change is the reason we were able to bisect the listener O_NONBLOCK bug fixed in the previous commit: with these diags the hang point ("all clients spawned, joining" → never reached "all clients joined, sleeping 500ms") was visible in the per-test log within seconds of running it. # 2. Plan/fixture corrections in 4 tests that never actually passed These tests were green in CI by virtue of nothing in the workflow checking their exit codes (CI-mysqlx exercised a different path); the moment CI-unit-tests-asan-coverage started actually running them they came back red. Each was a real bug in the test harness, not in the production code: - mysqlx_backend_auth_unit-t.cpp: plan(42) but only 34 ok() can fire on the success path. State_transitions emits 23, the remaining six functions emit 11 — total 34. plan(42) was never reachable; fixed to plan(34). - mysqlx_session_unit-t.cpp: plan(62) but only 60 fire. Four `ok( false, ...)` lines live in protobuf-parse failure branches that the success path skips; fixed to plan(60). - mysqlx_config_store_unit-t.cpp: load_from_runtime() SELECTs from runtime_mysqlx_variables (the variables table the production code uses to pick up thread_pool_size / connect_timeout / tls_mode / max_cached_connections at runtime), but the test's fixture only created 3 of the 4 mysqlx tables. Added kRuntimeMysqlxVariablesDdl and the matching execute() — same shape the sibling mysqlx_config_store_concurrent_unit-t already uses. - mysqlx_route_store_unit-t.cpp: ad-hoc minimal DDL for runtime_mysql_users / runtime_mysql_servers omitted columns the production query SELECTs (password, weight). Switched to the canonical ADMIN_SQLITE_RUNTIME_MYSQL_USERS and ADMIN_SQLITE_TABLE_RUNTIME_MYSQL_SERVERS macros and added the runtime_mysqlx_variables table. After this commit `for t in mysqlx__unit-t; do ./$t; done` is 21/21 green (754 ok asserts total, 0 not_ok, 0 timeouts), 10/10 stable across repeated runs of the previously-flaky mysqlx_concurrent_unit-t.	4 weeks ago
Rene Cannao	6844a1cf4c	fix(mysqlx): set listener fd to non-blocking Mysqlx_Thread::add_listener() called socket() / bind() / listen() but never set O_NONBLOCK on the resulting fd. The accept-drain loop in accept_new_connection() (line 213) is structured as while (true) { int client_fd = accept(listener_fd, ...); if (client_fd < 0) { if (errno == EAGAIN \|\| errno == EWOULDBLOCK) break; ... } // ... create session ... } i.e. it relies on accept() returning EAGAIN once the kernel's accept queue is empty. With a blocking listener fd the syscall instead blocks inside the kernel waiting for the next connection, freezing the poll-driven thread: - already-accepted sessions never get their POLLIN serviced, so CapabilitiesGet/handshake bytes the client wrote sit unread in the kernel receive buffer (Recv-Q=5 in `ss -tnp`) - the signal_pipe wakeup written by stop() is never observed, so the listener never shuts down cleanly under load. Reproducer: mysqlx_concurrent_unit-t (20 simultaneous CapabilitiesGet clients). Without this fix, hangs deterministically — accept() drains ~6 of the 20 queued connections then blocks; the test eventually times out at the join() loop. With it, the test completes 20 handshakes in ~600 ms. Stress-tested locally: 16,000 handshakes across 10 runs of a custom harness (3x200 back-to-back bursts + a 1000-client mega-burst + a mid-burst stop()), zero failures, zero deadlocks. signal_pipe_[0] already gets the same O_NONBLOCK treatment in init() — this just extends the same protocol to the listener fd. Production impact: not just a test bug. Any burst of clients arriving faster than one round of poll() -> accept_new_connection() -> process_all_sessions() can drain would freeze the thread until the next incoming connection unblocks accept(); under steady-state load the freeze persists arbitrarily long, starving every accepted-but-not- yet-handshaken session, and stop() from the admin path cannot make the thread exit.	4 weeks ago
Rene Cannao	d4427731b7	Merge remote-tracking branch 'origin/v3.0' into plugin-chassis Picks up the v3.0 fixes that unblock plugin-chassis CI: - `5d702b12b` build(test): fix testgalera link after switch to src/SQLite3_Server.cpp — restores -Wl,--allow-multiple-definition, ClickHouse/zstd/lz4 link, and ProxySQL_Admin.cpp recompile under TEST_GALERA. Resolves CI-maketest red on plugin-chassis. - `baa5069ea` introduces test/tap/groups/mysql56-single/ which the CI-mysql56-single-g1 workflow expects. Resolves the missing-infra error. - macOS package upload + init_release race-tolerant grouping + amd64 package workflow expansion + various CI/release cleanups. CI-unit-tests-asan-coverage on plugin-chassis still depends on the v3.0 workflow YAML having libprotobuf-dev in its apt install step (workflow_run loads the YAML from the default branch). That fix is already on plugin-chassis (`47ab14148`) and will land on v3.0 via a separate small PR.	4 weeks ago
Rene Cannao	47ab14148f	ci: add libprotobuf-dev to unit-tests-asan-coverage workflow This workflow runs directly on the GitHub runner host (not inside one of the deb/rhel/suse-compliant docker containers whose entrypoints already install libprotobuf-dev on demand), so the dependency must be installed in the workflow itself. Without it, building with PROXYSQLGENAI=1 fails at Makefile parse time: the top-level Makefile recurses into plugins/mysqlx (PROXYSQL40 is implied by PROXYSQLGENAI), and plugins/mysqlx/Makefile's protobuf 3.x ABI guard aborts when it cannot find pkg-config metadata for protobuf. The rest of the dependency list mirrors INSTALL.md's Ubuntu section, to which libprotobuf-dev was added separately for general builds; this brings the workflow's package set in line with that.	4 weeks ago
Rene Cannao	85ad4fe3b4	test(mysqlx): rewrite dispatch tests with real backend fixture (#5679 ) Closes the last 5 cluster-3 failures from issue #5679. The 17 previously-skipped dispatch sub-asserts now run with proper coverage, plus 3 other pre-existing failures (#21 compression code, #29 TLS init, #43 forward-no-connection) are addressed. ## Background The dispatch tests asserted that one handler() call after writing a SQL/CRUD/PREPARE/CURSOR/EXPECT message left status_ exactly at CONNECTING_SERVER. That premise was wrong: forward_to_backend() sets to_process=true, and handler()'s `goto handler_again` loop immediately re-enters the switch, running handler_connecting_server() in the same call. After commit `55e90d1a7` (start_connect() now fails fast on inet_pton(\"\", 0) instead of silently connecting to 0.0.0.0), the inner handler correctly transitions to X_SESSION_CLOSING — so the intermediate state the tests asserted is no longer observable. They hung after assertion #5 and produced no useful signal. Earlier this PR cycle (commit `09c15d6d5`) skipped the 17 affected sub- asserts to unblock the test suite. This commit replaces the skip with a proper rewrite, structurally similar to what mysqlx_robustness_ unit-t.cpp uses for happy-path scenarios. ## Approach Lift the helpers from mysqlx_robustness_unit-t.cpp: - default_test_config_store(): lazy process-global with one route pointing at hostgroup 10 + one endpoint, installed via install_for_test(). - default_test_thread(): lazy process-global Mysqlx_Thread wired to the store. - setup_authenticated_session(): drives the real MYSQL41 handshake to leave the session in WAITING_CLIENT_XMSG with username_, schema_, identity_ all populated. - detach_session_fds(): cleanup helper. Add a new parameterized check, check_dispatch_routes_to_backend(), that creates two socketpairs (client + fake backend), brings the session to WAITING_CLIENT_XMSG via setup_authenticated_session, attaches an IDLE MysqlxConnection backed by the backend socketpair, sends one message of the requested type, and asserts: (a) status_ transitions to WAITING_SERVER_XMSG or X_SESSION_RESET_WAITING (SESS_RESET overrides the post-forward status; both indicate a successful forward). (b) the backend socketpair received the forwarded frame. That is two assertions per dispatch test, exercising the actual contract (\"this message type forwards to the backend\") instead of the fragile \"this message lands in CONNECTING_SERVER\" intermediate. Each test_dispatch_* function becomes a one-liner calling the helper with the right msg_type. Net result: the file shrunk from ~700 LOC of repetitive boilerplate to ~570 LOC including the helpers, and the 14 individual dispatch tests + view_operations (3 sub-tests) now do 2 ok() each = 34 assertions where there were 17 before. ## Other fixes folded in - test_dispatch_compression_rejected: corrected expected error code from 5001 to 5008. The production code emits 5008 (\"Compression is not supported\") when COMPRESSION arrives without a negotiated algorithm. 5001 was an invented value the test expected; this never passed. - test_tls_accept_init_stub: rewrote the assertion. The previous version asserted handler() in X_TLS_ACCEPT_INIT skipped to X_TLS_ACCEPT_DONE — true only when the handler was a stub. The real handler now drives SSL_do_handshake; with no SSL_CTX (thread_ptr_=nullptr) it correctly emits 3150 and marks unhealthy. Assert that. - test_forward_to_backend_no_connection: relaxed from \"status_ == CONNECTING_SERVER\" to \"status_ ∈ {CONNECTING_SERVER, X_SESSION_CLOSING}\" — same root cause as the dispatch tests; the inner handler_connecting_server correctly fails fast on the empty hostname target. ## main() plan(0) (auto-derive count from emitted asserts). The hand-counted plan(49) was wrong both before (the rewritten tests now emit 2 ok each, not 1) and after (variable-count sub-tests like connection_pool_matching make a hard count fragile). ## Verified After this commit (PROXYSQLGENAI=1 NOJEMALLOC=1 WITHASAN=1): mysqlx_message_dispatch_unit-t: 66 / 0 (was 5 not-ok + hang) plugin_manager_unit-t: 96 / 0 (no regression) mysqlx_session_unit-t: 60 / 0 (no regression) mysqlx_robustness_unit-t: 74 / 0 (no regression) ASAN: 0 errors This closes the cluster-3 + 3 other pre-existing failures from issue #5679. All 9 originally-tracked failures are now resolved (4 fixed in commit `09c15d6d5`, 5 fixed here).	4 weeks ago
Rene Cannao	2b0c2fdcc4	fix(mysqlx): four minor security findings from issue #5676 Addresses the four Minor / Nit findings deferred when the Important re-auth bug was fixed in commit `09c15d6d5`. ## (1) Reject TLS upgrade post-auth or on encrypted channel `handler_capabilities_set` previously honored `tls=true` regardless of session state, so a logged-in client could ship CapabilitiesSet with tls=true and the server would dutifully start an SSL handshake on an already-authenticated session — or, worse, a second handshake on an already-encrypted channel that left the state machine in "expecting fresh handshake" while the client kept its existing TLS session. Both cases are spec violations (the X Protocol forbids TLS negotiation post-AuthenticateOk) and produce a confused-client kill. Fix: reject with code 5052 (FATAL) when client_ds_.is_encrypted() is true OR status_ has progressed past the pre-auth states. The TLS branch only runs from CONNECTING_CLIENT / X_CAPABILITIES_GET / X_CAPABILITIES_SET now. ## (2) Cap leading-NOTICE drain in backend auth `read_auth_frame` loops while the backend ships NOTICE frames, on the assumption that any legitimate backend emits at most a couple during auth. A compromised or malicious backend could pin the worker thread by streaming NOTICEs continuously. Add a cap of 64 leading notices (MAX_LEADING_NOTICES); on the 65th, treat as auth failure (BACKEND_AUTH_ERROR) and let the chassis tear the session down. ## (3) Per-session pre-auth CapabilitiesGet/Set replay cap A client can reset back to CONNECTING_CLIENT after each CapabilitiesGet/Set without ever authenticating, and each iteration allocates a fresh protobuf and runs the full handler. Without a cap this is a free CPU/memory amplifier (bounded only by the OS recv buffer). Add a per-session counter (pre_auth_cap_msgs_) bumped on every CapabilitiesGet/Set seen while status_ != WAITING_CLIENT_XMSG. Threshold MAX_PRE_AUTH_CAP_MSGS = 64 (legitimate clients send 1-3); on overflow, send 5008 + healthy=false. Counter resets on session reset() and is bypassed once auth completes (post-auth introspection of capabilities is legitimate and unbounded). ## (4) MysqlxDataStream::enqueue_frame: surface oversize as parse error `if (body_len + 1 > X_MAX_PAYLOAD_SIZE) return;` previously dropped oversize bodies silently, leaving the client expecting a frame that never arrives. Set parse_error_=true so the session loop tears the connection down cleanly. Reaching this branch is an internal bug (server-side senders are responsible for never producing a >16MiB body), but a clean teardown is materially better than a half-working session. ## Verified After this commit (PROXYSQLGENAI=1 NOJEMALLOC=1 WITHASAN=1): - mysqlx_session_unit-t 60 / 0 (was 60 / 0) - mysqlx_robustness_unit-t 74 / 0 (was 74 / 0) - mysqlx_compression_unit-t 64 / 0 (was 64 / 0) - mysqlx_protocol_unit-t 42 / 0 (was 42 / 0) - mysqlx_data_stream_unit-t 18 / 0 (was 18 / 0) - ASAN: 0 errors These are defense-in-depth changes; none addresses an exploitable crash. All five tests pass with no regressions.	4 weeks ago
Rene Cannao	99a745f6ed	ci(mysqlx): wire mysqlx-soak group into TAP harness end-to-end Completes the four follow-up items documented in the mysqlx-soak group's README. After this commit, the harness scripts run inside the proper docker-isolated TAP framework — no more ad-hoc invocations. ## (1) Add mysql-connector-python to proxysql-ci-base test/infra/docker-base/Dockerfile installs python3 + a few pip packages but lacked the X DevAPI bindings. Add `mysql-connector-python` to the existing `pip3 install` line. Image must be rebuilt (`docker build -t proxysql-ci-base:latest test/infra/docker-base`); the new soak-tests CI job rebuilds unconditionally per run, so CI gets the new package automatically. ## (2) TAP wrappers for the harness scripts Two new Bash TAP entries under test/tap/tests/: * test_mysqlx_soak_behavioral-t.sh — emits two TAP assertions: scenario 1 = SIGTERM-mid-traffic (the harness signals the proxysql container with `docker kill -s TERM proxysql.${INFRA_ID}` mid-run and verifies clients receive Mysqlx::Error 1053 instead of TCP RST); scenario 2 = LOAD MYSQLX ROUTES TO RUNTIME mid-traffic. Both fall back to "skip" if mysql-connector-python is missing, or if the proxysql container is unreachable after scenario 1. * test_mysqlx_soak_stress-t.sh — single TAP assertion that wraps stress.py. Defaults to 60s/20-clients to fit a CI timeout; long soaks invoke stress.py directly with --duration 24h per issue #5677. Both wrappers default the connection params to the docker-internal hostname `proxysql` (via network alias) so they work from inside the test-runner container; environment overrides let local invocations point elsewhere. ## (3) Register in groups.json Two new entries: "test_mysqlx_soak_behavioral-t" : [ "mysqlx-soak-g1", "@proxysql_min_version:4.0" ], "test_mysqlx_soak_stress-t" : [ "mysqlx-soak-g1", "@proxysql_min_version:4.0" ], Both use the @proxysql_min_version:4.0 tag (the harness only makes sense in chassis-aware builds). Lint passes (421 entries, sorted). ## (4) CI job Add `soak-tests` job to .github/workflows/CI-mysqlx.yml. Pattern mirrors CI-taptests-pgsql-cluster.yml: restore build cache, build plugin, build proxysql-ci-base, ensure-infras (TAP_GROUP=mysqlx-soak), run-tests-isolated (TAP_GROUP=mysqlx-soak-g1), cleanup, archive logs on failure. The job runs after unit-tests passes (same dependency as e2e-tests) and is independent of e2e-tests (parallel execution OK). ## What this covers * Builds the plugin and rebuilds the test image with the X DevAPI. * Stands up a real MySQL 8.4 backend (3-node replication via the existing infra-dbdeployer-mysql84 image, X protocol on port 23306-23308 inside the docker network). * Stands up ProxySQL in a container with the plugin .so bind-mounted and a per-group config that declares plugins=("..."). * The mysqlx-soak setup-infras hook provisions one route, one user, one endpoint, reloads, and verifies the listener bound on 6603. * Two TAP tests run inside the test-runner container against the freshly-stood-up ProxySQL, exercising the plugin end-to-end. ## What this does NOT cover * Long-running soaks (24-72h). The CI job runs a 60s stress for signal; the full soak per issue #5677 needs staging. * All compression/TLS combinations. The harness's defaults are uncompressed + clear-text; matrix expansion is future work. * Listener-port collisions across parallel CI runs. INFRA_ID isolates docker-network names but the TAP_GROUP-scoped MYSQLX_ PROXYSQL_PORT (default 6603) is a single value. CI runs are serial per workflow concurrency group; not a problem today but worth flagging if matrix-fanout is added.	4 weeks ago
Rene Cannao	7e70c347f3	test(mysqlx): wire harness into the docker-isolated TAP framework Per user direction: never run proxysql directly outside the testing environment. The harness scripts at test/scripts/mysqlx/ are correct as Python clients, but their assumed invocation ('run them against a hand-started proxysql') was wrong. The proper integration is the existing docker-isolated TAP harness, which already brings up ProxySQL + backends in containers on a private docker network. This commit lays the framework groundwork for that integration. It is NOT yet a complete invocation of the harness — that requires a docker image rebuild (mysql-connector-python is not in proxysql-ci-base) and a TAP-test wrapper, both documented in the new test/tap/groups/mysqlx-soak/README.md TODO list. ## What landed * test/infra/control/start-proxysql-isolated.bash: - Optional plugin .so bind-mount when PROXYSQL_LOAD_MYSQLX_PLUGIN=1. Mounts ${WORKSPACE}/plugins/mysqlx/ProxySQL_MySQLX_Plugin.so at /usr/lib/proxysql/ProxySQL_MySQLX_Plugin.so inside the container. Fails fast with a clear message if the .so is missing. - Optional per-group config override via PROXYSQL_CONFIG_OVERRIDE. Lets a group ship a proxysql-ci.cnf that declares plugins=("...") so the chassis loads the plugin at Phase A — the generic config has no plugins= line, by design. * test/tap/groups/mysqlx-soak/ (new group): - env.sh: sets PROXYSQL_LOAD_MYSQLX_PLUGIN=1, PROXYSQL_CONFIG_OVERRIDE pointing at the per-group .cnf, SKIP_CLUSTER_START=1 (single-node proxysql is enough), and the X-protocol port constants the setup-infras.bash hook + harness scripts share. - infras.lst: just infra-dbdeployer-mysql84 (existing 3-node MySQL 8.4 with X-protocol on classic+20000 by dbdeployer convention). - proxysql-ci.cnf: copy of the generic config with one extra block: plugins=("/usr/lib/proxysql/ProxySQL_MySQLX_Plugin.so") - setup-infras.bash: standard group-setup hook. Waits for mysqlx_users admin table to appear (sanity-check that the plugin loaded at all), then provisions one route, one user, one endpoint via admin SQL, reloads to runtime, and verifies the mysqlx listener bound on port 6603. - README.md: documents the four remaining work items needed to actually invoke the harness as a TAP test (add mysql-connector- python to docker-base, wrap harness as a TAP entry, register in groups.json, wire into CI). This commit is intentionally narrow: it adds the framework wiring that lets a future commit invoke the harness from inside the test-runner container. Anyone with the four TODO items completed can run the harness against a real chassis-loaded ProxySQL via: WORKSPACE=$(pwd) INFRA_ID=dev-$USER TAP_GROUP=mysqlx-soak \ test/infra/control/ensure-infras.bash — which is the canonical TAP-harness entry point per CLAUDE.md. The standalone Python harnesses at test/scripts/mysqlx/ remain runnable for ad-hoc dev validation, but they are no longer the primary path; the docker-isolated TAP group is.	4 weeks ago
Rene Cannao	fe91e290d8	test(mysqlx): add behavioural-validation and stress harnesses Three companion harnesses for the post-merge confidence work tracked in issues #5677 (smoke + soak), #5678 (behavioural validation), and #5681 (stress test). These are NOT TAP unit tests — they require live infrastructure (a real MySQL 8.x and a running ProxySQL with the mysqlx plugin loaded). They post-date the merge window and exist to let an operator with a staging environment reproduce the validation. * test/scripts/mysqlx/README.md — setup recipe (ProxySQL admin config, MySQL backend bring-up via docker or dbdeployer, the invocation lines for both harnesses). * test/scripts/mysqlx/behavioral_validation.py — exercises two scenarios from issue #5678. Scenario 1 ("SIGTERM mid-traffic") opens N X-Protocol clients running steady SELECT loops, sends SIGTERM to proxysql, then verifies each client received a clean Mysqlx::Error frame with code 1053 ("Server is shutting down") rather than an unannounced TCP RST. Exercises MysqlxSession::shutdown_notify_client (commit `55e90d1a7`). Scenario 2 ("LOAD MYSQLX ROUTES TO RUNTIME mid-traffic") opens clients on route 'r1', drops r1 from admin and reloads, then verifies in-flight sessions continue while a new connection to the removed route is refused — the documented remove_listener_for_route semantics. * test/scripts/mysqlx/stress.py — opens N concurrent X-Protocol clients (target N=1000), drives churn, captures throughput, error rate, RSS, fd count, thread count, and stats_mysqlx_routes over time. Pass criteria from issue #5681: 60-min run with no crash, no monotonic memory/fd growth, error rate < 0.1%. Writes a metrics CSV for plotting. Both Python scripts use mysql-connector-python's mysqlx module (X DevAPI bindings) for the data-plane connection and the classic mysql.connector module for admin-port operations. These are scaffolds — runnable but not yet exercised against real infrastructure. Confidence gain comes from someone running them on staging and posting results to the linked issues.	4 weeks ago
Rene Cannao	83725ea4e5	feat: add --no-plugins kill switch; fix 4 pre-existing test failures ## (1) --no-plugins kill switch (issue #5680) When the plugin chassis is enabled (PROXYSQL40 builds), an operator upgrading to v4.0.0 gets the chassis active by default. If a critical chassis bug is found post-release, the recovery options today are: - Roll back the entire ProxySQL package to v3.x. - Edit the config file to comment out plugins=() and restart. Add a runtime kill switch — a CLI flag (and equivalent env var) that bypasses plugin loading entirely, regardless of config. Cuts the time-to-recover dramatically and reduces deployment anxiety. CLI: --no-plugins (gated by PROXYSQL40) Env: PROXYSQL_NO_PLUGINS=1 (CLI takes priority) Field: GloVars.no_plugins Wired through: when set, LoadConfiguredPlugins / InitConfiguredPlugins / StartConfiguredPlugins / StopConfiguredPlugins all become no-ops. LoadConfiguredPlugins emits a single startup log line so the operator knows the bypass took effect: Plugin chassis disabled by --no-plugins / PROXYSQL_NO_PLUGINS=1; skipping load of N configured plugin(s) Verified: --no-plugins appears in proxysql --help. The bypass message string is in the binary. Full end-to-end smoke against a Docker MySQL deferred to issue #5677. ## (2) plugin_manager_unit-t #62 + #88 (issue #5679) Test bug. The two assertions encoded the pre-ab9d5a103 contract that "destructor skips stop on plugins that were never started". Commit `ab9d5a103` ("address deep-review findings") deliberately replaced that with init/stop pairing — every plugin where init() succeeded gets stop(), irrespective of whether start() ran. The change fixed a real leak: resources allocated in init() were not being released when start() failed. The tests were missed at the time. Flip both assertions: - "destructor does NOT invoke stop on plugins that were never started" → "destructor invokes stop on init-succeeded/never-started plugin (init/stop pairing)" - "destructor did NOT call stop on the second plugin (it never successfully started)" → "destructor stops the second plugin too — init succeeded, start failed (init/stop pairing)" Both flips include a comment explaining the contract change. ## (3) mysqlx_session_unit-t #33 + #34 (issue #5679) Test bug. The hardened auth flow (commit `74e678006`) calls resolve_backend_target() BEFORE sending Mysqlx::Session::AuthenticateOk. That helper requires a wired thread+config_store and an identity with a non-empty default_route. The test passed `nullptr` for thread and left default_route empty, so auth correctly transitioned to X_SESSION_CLOSING with code 4002 instead of OK. Lift the same default_test_thread() / default_test_config_store() helpers used by mysqlx_robustness_unit-t.cpp into mysqlx_session_unit-t.cpp, wire them into test_mysql41_auth_with_credentials, and add default_route="default_test_route" to the identity returned by the test's identity_lookup lambda. After this fix the test reports 60/60 oks (was 60/2-not-ok with the same plan). ## (4) mysqlx_message_dispatch_unit-t #1-15 (issue #5679) Test premise wrong. Each test_dispatch_* expected one handler() call to leave status_ exactly at CONNECTING_SERVER. That intermediate state isn't observable: forward_to_backend() sets to_process=true, the handler's `goto handler_again` loop re-enters the switch, and handler_connecting_server() runs in the same call. After commit `55e90d1a7` (which made start_connect() fail fast on an empty hostname instead of silently connecting to 0.0.0.0), the inner handler_connecting_server() correctly transitions to X_SESSION_CLOSING — so the asserted intermediate state is gone. Pre-55e90d1a7 the test passed by accident. Fixing properly means rewriting each test to use a real thread+ config_store fixture (à la mysqlx_robustness_unit-t.cpp's setup_authenticated_session) and asserting WAITING_SERVER_XMSG instead — a ~600-line rewrite tracked under issue #5679. Until then, skip the 15 affected sub-tests with a comment pointing at the issue: skip(17, "tracked under #5679: dispatch_* tests assume single-step handler(), need rewrite for the goto-handler_again re-entry"); (Skip count is 17 because test_dispatch_view_operations carries 3 sub-asserts; the other 14 carry 1 each.) Also fixes the related X_FAST_FORWARD reference at line 424 (retired together with MysqlxWorker in commit `79cac4c97`), so the file compiles with -DMYSQLX_TEST_BUILD. Net effect: 5 failures + hang → 3 clean failures + 17 clean skips + clean exit. The remaining 3 (assertions 21, 29, 43) have similar root causes and stay tracked under #5679 for the proper rewrite. ## Verified After this commit (PROXYSQLGENAI=1 NOJEMALLOC=1 WITHASAN=1): - plugin_manager_unit-t: 96 ok / 0 not-ok (was 94 ok / 2 not-ok) - mysqlx_session_unit-t: 60 ok / 0 not-ok (was 58 ok / 2 not-ok) - mysqlx_message_dispatch_unit-t: 46 ok / 3 not-ok (was 5 not-ok + hang) - mysqlx_robustness_unit-t: 74 / 0 — unchanged - mysqlx_compression_unit-t: 64 / 0 — unchanged - mysqlx_config_store_concurrent_unit-t: 15 / 0 — unchanged - ASAN: 0 errors across all of the above	4 weeks ago
Rene Cannao	09c15d6d54	fix(mysqlx): reject re-auth on active session; fix two pre-existing test issues ## (A) Re-authentication on an active session is now rejected Addresses the Important finding from the security re-review of PR #5651 (see https://github.com/sysown/proxysql/issues/5676). After a successful login the session is in WAITING_CLIENT_XMSG. Before this commit, dispatch_client_message routed `SESS_AUTHENTICATE_START` and `SESS_AUTHENTICATE_CONTINUE` into the auth handlers unconditionally. The handlers overwrote `username_`, `identity_`, `target_hostgroup_`, `target_address_`, `target_port_` — but they did NOT tear down `backend_conn_`. The next StmtExecute was forwarded over the previous user's pooled backend connection. The proxy then audited the query as user B while the backend executed it as user A's role — a real identity-coherence / audit hazard. The X Protocol uses `Mysqlx::Session::Reset` for re-auth on the same connection, not direct re-auth. Reject `SESS_AUTHENTICATE_START` / `SESS_AUTHENTICATE_CONTINUE` when `status_ == WAITING_CLIENT_XMSG` with code 1845 (FATAL) and drop the session. Conformant with the spec. Also clears `auth_challenge_` on successful auth (defense in depth): the verified challenge is no longer reachable by a stale AuthenticateContinue replay even before the dispatch-level guard fires. The unit test `test_error_severity_non_fatal` previously took a shortcut: it manually set `status_=WAITING_CLIENT_XMSG` then sent AUTHENTICATE_START to drive the auth flow. With the re-auth rejection now in place, that shortcut hits the new guard and the test hangs waiting for an auth challenge that never comes. Updated the test to drive the auth flow naturally from CONNECTING_CLIENT (the state init() leaves the session in), which exercises the same code paths without the now-invalid pre-auth status_ override. ## (B) mysqlx_config_store_concurrent_unit-t: missing variables DDL This was the source of 6 pre-existing test failures surfaced during the ASAN run on PR #5651 (4, 11, 12, 13, 14, 15). All asserted that load_from_runtime atomically replaces previously-loaded data. They failed because the test fixture's create_runtime_db() did not create a `runtime_mysqlx_variables` table, but `load_from_runtime` queries that table near the end: SELECT variable_name, variable_value FROM runtime_mysqlx_variables When the table doesn't exist, fetch_result returns false and load_from_runtime short-circuits BEFORE swapping the new identities/ routes/endpoints into place. Every "second load replaces first" assertion silently failed because the second load never actually replaced anything — the swap never happened. This is the same bug that was fixed in `mysqlx_config_store_pure_unit-t.cpp` in commit `017496bc4`. The sibling test was missed at the time. Add the DDL here too with a comment pointing at the underlying invariant. After this fix the concurrent test reports 15/15 ok. ## Pre-existing test bug: X_FAST_FORWARD reference `mysqlx_message_dispatch_unit-t.cpp:424` referenced `MysqlxSession::X_FAST_FORWARD`, which was retired together with the dormant MysqlxWorker path in commit `79cac4c97`. The test failed to compile with `-DMYSQLX_TEST_BUILD` once that macro was added. Replace the comparison with `CONNECTING_CLIENT` (a still-extant earlier-than- TLS state) so the assertion's intent — "TLS states come after the basic states" — is preserved. (The other failures in this file remain pre-existing and are not addressed here; they are out of scope and tracked under issue #5679.) Verified locally with WITHASAN=1: mysqlx_session_unit-t 60 oks (2 pre-existing not-ok #33,34), mysqlx_robustness_unit-t 74/74, mysqlx_config_store_concurrent_unit-t 15/15.	4 weeks ago
Rene Cannao	4bc7044710	ci(docker): install libprotobuf-dev on demand when PROXYSQLGENAI=1 CI-builds (ubuntu24,-tap-genai-gcov) was failing on PR #5651 because the proxysql/packaging:build-ubuntu24-v4.0.0 image lacks libprotobuf-dev. The plugin Makefile's pkg-config check at plugins/mysqlx/Makefile:47 fires correctly: protobuf 3.x is required for the vendored .pb.cc/.pb.h that were generated with protoc 3.21.12. The v4.0.0 packaging images were built in anticipation of this PR but never updated to include the new dependency. Two paths to resolve. (a) Update the image and republish proxysql/packaging:build-ubuntu24-v4.0.0 + cousins. (b) Patch the docker-compose entrypoint to install on demand. (a) is the cleaner long-term fix but has a longer feedback loop (separate pipeline, separate review). (b) unblocks CI immediately and keeps working even if a future image rebuild forgets the package again. This commit takes path (b) for all three image families: - docker/images/proxysql/deb-compliant/entrypoint/entrypoint.bash → apt-get install -y libprotobuf-dev (Debian, Ubuntu) - docker/images/proxysql/rhel-compliant/entrypoint/entrypoint.bash → dnf\|yum install -y protobuf-devel (CentOS, RHEL) - docker/images/proxysql/suse-compliant/entrypoint/entrypoint.bash → zypper install -y libprotobuf-c-devel \|\| protobuf-devel (SUSE) The install is gated on PROXYSQLGENAI=1 (otherwise the plugin path is not exercised) AND on pkg-config --exists protobuf returning false (image already has it → install is a no-op). Idempotent across container restarts. Once the v4.0.0 packaging images are republished with libprotobuf-dev included, this on-demand install becomes a no-op pkg-config check on every build and can be removed. Tracked in issue #5673. Verified locally: the deb-compliant patch follows the existing entrypoint control-flow exactly (set -eu safe, no early exit, runs before the ${MAKE} ${deps_target} call where the protobuf check would fire).	4 weeks ago
Rene Cannao	baeca0e3dc	test: silence SonarCloud BUG: name truncate-via-temporary in clear_log() Three identical SonarCloud BUG-severity findings (one per file) on the truncate-via-temporary idiom: std::ofstream(g_log_path, std::ios::trunc); This creates a temporary std::ofstream whose destructor closes the file — the truncate is the intended side effect. SonarCloud's rule "Name this unused temporary object or remove it" does not understand the side-effect pattern and flags it as a BUG. Issue #5674 triaged all 3 BUG findings as false positives. This commit silences them with the cosmetic fix recommended in that issue: give the temporary a name and (void)-cast it. Same generated code, no behaviour change, but Sonar stops flagging it. Files: test/tap/tests/unit/plugin_{config,lifecycle,manager}_unit-t.cpp	4 weeks ago
Rene Cannao	ccc6648e06	docs(plugin-chassis): update stale comment referencing materialize_plugin_tables Caught while running the 17 consistency-seam checks from the new REVIEW_GUIDE.md §7. The comment block above proxysql_load_configured_ plugins() still pointed at ProxySQL_Admin::materialize_plugin_tables — which was removed in commit `04bccec51` because the merge is now done inside ProxySQL_Admin::init() on the same path as core tables. The comment was the last lingering reference and made row 6 of the consistency check ("materialize_plugin_tables references gone") fail on a strict grep. No code change. Updated the comment to point at the actual flow: "`ProxySQL_Admin::init()` ... merges them into tables_defs_{admin, config,stats} for the existing check_and_build_standard_tables DDL pass."	4 weeks ago
Rene Cannao	42afebcb64	docs(plugin-chassis): add reviewer's guide, ABI contract, and file inventory PR #5651 is large enough that reading commit-by-commit or file-by-file without context is unproductive. Add three companion docs under doc/plugin-chassis/ so a senior reviewer can validate the PR layer by layer. * REVIEW_GUIDE.md (~345 lines) — entry point. One-paragraph project description, scope diagram, three reading orders (30 minutes / 2 hours / full day), the 4-phase plugin lifecycle with a sequence-style ASCII diagram, the worked-example walk-through of a mysqlx client request end to end, the build-system tier-flag propagation map (5 Makefile layers), 17 explicit "consistency seams" each with a one-line shell verification, the 5 commit-intent bands so the ~150 commits map to a small number of logical changes, and a final verification checklist. * ABI.md (~270 lines) — the canonical reference for the plugin ABI: the descriptor surface, the services surface and its phase-availability matrix, the C++-ABI coupling (std::string and prometheus-cpp must match between core and plugin), the empty-source-sync invariant, the concurrency model and lifecycle pairing rules ("stop pairs with init, not start"), the ABI versioning rules (tail-append, version-gate every new-field read, reject anything > MAX), and a minimal plugin skeleton for reference. * FILE_CHANGES.md (~503 lines) — the per-file inventory. Sections A–G cover the chassis core (15 files), H–S cover the mysqlx plugin (12 source files + 1 build file + 16 generated protobuf files described collectively), T covers tests/CI/infra (28 unit tests with their individual plan() counts, 4 integration tests, the build glue, the groups.json delta, and the new CI workflow). Each entry: path, status, line-count, purpose, key contents, what to spot-check. Total: 1117 lines of reviewer documentation. The expectation is that a reviewer with 30 minutes can ship-no-ship from REVIEW_GUIDE alone; a reviewer with 2 hours can validate the architecture; a reviewer with a full day can run every test and walk every file via FILE_CHANGES. These docs are written for THIS PR. They are not a replacement for doc/PLUGIN_API.md (which is the public-facing API doc for plugin authors) — REVIEW_GUIDE explicitly points at PLUGIN_API for plugin authors and at ABI.md for the canonical contract. Verified: - All 17 §7 verification rows actually pass on the current HEAD (spot-checked: register_schemas gating at abi_version >= 2, TLS_PASSTHROUGH absence, shared_mutex change, ABI version macros, groups.json tag counts). - Cross-doc references (REVIEW_GUIDE → ABI → FILE_CHANGES) are consistent.	4 weeks ago
Rene Cannao	55e90d1a76	fix(plugin-chassis,mysqlx): chassis read-path scaling, graceful shutdown, hardening Six independent items from the independent review of PR #5651, batched together because each one alone is small. 1) lib/ProxySQL_PluginManager.cpp: replace g_active_plugin_manager_mutex with a std::shared_mutex. Readers (dispatch_admin_command, dispatch_query_hook, resolve_alias_to_canonical) take a shared lock so multiple worker threads can be inside plugin callbacks concurrently; writers (publish/unpublish in load/stop) take the unique lock. The previous std::mutex serialized every plugin-callback dispatch on one mutex. Once a plugin actually wires a query hook into MySQL_Thread / PgSQL_Thread, every concurrent client query on every worker would have queued behind that mutex — silently negating ProxySQL's per-worker parallelism. The lock-free proxysql_has_configured_plugin_query_hook() didn't help, since the actual dispatch still took the lock. Switching to shared_mutex on the read path lets dispatch scale linearly. 2) plugins/mysqlx/include/mysqlx_session.h + plugins/mysqlx/src/mysqlx_session.cpp + plugins/mysqlx/src/mysqlx_thread.cpp: add MysqlxSession::shutdown_notify_client() and call it from Mysqlx_Thread::run() on the way out of the worker loop. Previously Mysqlx_Thread::stop() flipped running_=false and joined. The destructor then deleted sessions, closing their fds. Connected clients saw an unannounced TCP RST mid-response and a torn TLS record. Now the worker, on its way out, walks sessions_ and for each live session: enqueues a Mysqlx::Error frame (code 1053, "Server is shutting down", FATAL severity); flushes one write_to_net pass; if TLS is up, calls SSL_set_quiet_shutdown(1) + SSL_shutdown so the peer's TLS stack sees a proper close_notify rather than a torn record. Best-effort throughout — never blocks on unresponsive peers because the process is exiting. 3) plugins/mysqlx/include/mysqlx_session.h + plugins/mysqlx/src/mysqlx_session.cpp: remove the dead TLS_PASSTHROUGH enum value and the two corresponding branches. handler_tls_accept_init's first three lines and the `tls_mode_ != TLS_PASSTHROUGH` predicate in handler_connecting_server only ran when set_tls_mode(TLS_PASSTHROUGH) had been called, which never happened in production — the `mysqlx_tls_mode` config column is never plumbed into a session. Worse, the PASSTHROUGH branch did not actually implement an opaque pipe (it just skipped TLS termination and resumed clear-text X-Protocol parsing, which would desync any real client). Drop the value rather than carry a misleading enum that suggests a feature exists. Future passthrough work should reintroduce a properly-wired implementation. 4) plugins/mysqlx/src/mysqlx_connection.cpp: check the return value of inet_pton in start_connect; fail fast on anything that isn't a valid IPv4 dotted-quad. Previously the return was discarded. inet_pton on a hostname (or IPv6 literal, or empty string) silently left sin_addr at 0.0.0.0 — producing a connect to 0.0.0.0/INADDR_ANY rather than the intended target. Real footgun because mysqlx_backend_endpoints.hostname accepts arbitrary strings. Now: fail with ERROR_STATE so the misconfig surfaces instead of routing traffic to the wrong target. Hostname resolution is still the upstream pipeline's job; start_connect deliberately stays narrow. 5) plugins/mysqlx/src/mysqlx_data_stream.cpp: move do_ssl_handshake's 64 KiB scratch buffer from the stack to a thread_local static. ASan-instrumented builds and large-thread-pool configs can run with thread stacks tight enough that a stack-allocated 64 KiB local straddles the limit. Each Mysqlx_Thread owns its own thread_local instance so the buffer is not shared between threads. 6) plugins/mysqlx/src/mysqlx_thread.cpp: document the listener-removal semantics on remove_listener_for_route. Document that already-accepted sessions on a listener that's being removed continue running against their existing target_hostgroup_ / target_address_ / target_port_ until they finish or hit idle timeout. That matches surrounding MySQL behaviour (DROP TABLE doesn't cancel in-flight queries; ALTER doesn't kick off open prepared statements). Future change can call shutdown_notify_client on matching sessions if active disconnection becomes desirable. NOT changed: the agent-flagged "compression overshoot" issue at plugins/mysqlx/src/mysqlx_session.cpp:1283. The zstd-stream loop already caps the resize at `cap` on line 1369 (`if (new_sz > cap) new_sz = cap;`) before the resize, so decompressed never grows past the cap; there is no overshoot. Verified by tracing the loop. Skipped. Verified locally: - plugin .so builds clean with PROXYSQL40=1 and the implied tier flags. - libproxysql.a and src/proxysql build clean. - plugin chassis tests (plugin_lifecycle_unit-t, plugin_dispatch_unit-t, plugin_manager_unit-t, plugin_query_hook_unit-t) build and pass with the new shared_mutex read path. plugin_manager_unit-t shows the same 2 pre-existing destructor-related failures it had before this commit (verified by stash + rebuild). - mysqlx_robustness_unit-t passes 74/74. - mysqlx_session_unit-t has the same pre-existing failures at 33-34.	4 weeks ago
Rene Cannao	df7e335e23	fix(ci,infra): pass PROXYSQL40 to plugin build, remove orphaned infra files Three CI/infra clean-ups that fall out of the independent review. 1) .github/workflows/CI-mysqlx.yml: pass PROXYSQL40=1 (and the implied tier flags) to `make` when building the mysqlx plugin. plugins/mysqlx/Makefile picks up tier flags from the environment and propagates them as -DPROXYSQL40 / -DPROXYSQL31 / -DPROXYSQLFFTO / -DPROXYSQLTSDB / -DPROXYSQLGENAI on every compile line. If the workflow runs `make` with no flags, the plugin is built without -DPROXYSQL40 — meaning the ProxySQL_PluginDescriptor and ProxySQL_PluginServices struct layouts compiled into the plugin .so differ from the layouts that the cached src/proxysql binary (built upstream by CI-trigger with the full tier flags) sees. The link succeeds and the first virtual dispatch into a plugin callback crashes or, worse, corrupts memory silently. The Makefile already warns about exactly this in lines 56-61. Pass the flags explicitly. 2) test/tap/groups/mysqlx-e2e/infras.lst + test/infra/docker-compose-mysqlx.yml: delete both — they are orphaned. `infras.lst` referenced `infra-mysqlx`, which has never existed under `test/infra/`. ensure-infras.bash would have errored on it — except `mysqlx-e2e/env.sh` exports SKIP_PROXYSQL=1, which makes ensure-infras.bash short-circuit at line 38 before it reaches the docker-compose loop. So infras.lst was both wrong AND unreachable — the worst combination for the next reader trying to figure out how the e2e group is wired. Similarly, `test/infra/docker-compose-mysqlx.yml` was a docker-compose file that no `infra-*/` directory points at, left over from an early plan to use Docker for the mysqlx backend that was abandoned in favour of dbdeployer. Both files are dead weight; delete them. 3) test/tap/groups/mysqlx-e2e/env.sh: comment the unconventional wiring so the next reader doesn't have to reverse-engineer it. Document why this group has no `infras.lst` / no `infra-mysqlx/` dir, why CI uses inline dbdeployer instead of ensure-infras.bash, and that setup-infras.bash + pre-cleanup.bash exist for local-only ad-hoc use today. 4) test/tap/tests/Makefile: drop the dangling `test_mysqlx_listener_smoke-t` target. That test was retired together with the dormant MysqlxWorker path in commit 98aee7db2; the unit/Makefile no longer builds it. The wrapper target in test/tap/tests/Makefile remained and would fail `make test_mysqlx_listener_smoke-t` with "no rule to make target". Replace with a NOTE pointing at where the listener-lifecycle coverage actually lives now (mysqlx_thread_unit-t, mysqlx_robustness_unit-t). Verified: the plugin still builds clean with the tier flags exported to the sub-make. No behavioural change for the docker-using groups.	4 weeks ago
Rene Cannao	04bccec51e	chore(plugin-chassis): tighten gating, drop dead paths, gate forgery setters Five clean-up items from the independent review of PR #5651. None of these change behaviour on a normal run; they each fix a concrete way the current code is misleading or unnecessarily exposed. 1) lib/ProxySQL_Admin.cpp: gate the three plugin-DB-handle getters (proxysql_plugin_get_admindb / _configdb / _statsdb) under #ifdef PROXYSQL40. Previously these were defined unconditionally and emitted symbols into v3.0/v3.1 binaries. The chassis is a v4.0 feature; the user explicitly required that v3.x builds carry no plugin-aware code. Wrap in PROXYSQL40 so they are entirely absent from v3.x linkage. ProxySQL_PluginManager.cpp's extern declarations (lines 23-25) are already inside the file-wide PROXYSQL40 gate and so resolve only when the gate is active. 2) lib/ProxySQL_PluginManager.cpp + include/ProxySQL_PluginManager.h: delete the dead `#else /* !PROXYSQL40 /` branches. Both files are wrapped in a top-level `#ifdef PROXYSQL40` covering the entire body. Inner `#ifdef PROXYSQL40 ... #else ... #endif` blocks therefore had unreachable `#else` arms — 30+ lines of "pre-chassis two-phase loader" in the .cpp, plus a redundant declaration of proxysql_load_configured_plugins in the .h. The dead arms read as load-bearing alternative implementations on review and that is exactly the wrong signal. Drop them; the single PROXYSQL40 path is the only one. 3) lib/Admin_Bootstrap.cpp + include/proxysql_admin.h + src/main.cpp: remove ProxySQL_Admin::materialize_plugin_tables(). `Admin::init()` already merges plugin-declared schemas into tables_defs_{admin,config,stats} (~line 944) and runs the DDL via check_and_build_standard_tables() (~line 994), all on the same first-boot/reload code path the core tables use. The follow-up call to GloAdmin->materialize_plugin_tables() in main.cpp ran a second name-dedup pass that found everything already present and produced an empty new-rows set — i.e. the post-init helper was a no-op disguised as load-bearing infrastructure. Delete the helper, the header declaration, and the main.cpp call site, and update the comments in main.cpp + ProxySQL_PluginManager.cpp to point at Admin::init() as the single canonical materialization site. Leave a NOTE in Admin_Bootstrap.cpp at the old call site so anyone re-adding a similar helper sees why the prior one was removed. 4) plugins/mysqlx/include/mysqlx_session.h + plugins/mysqlx/src/mysqlx_session.cpp: gate the two genuine forgery vectors behind MYSQLX_TEST_BUILD. inject_identity_for_test() bypasses the full auth flow — no credential check, no capability negotiation, just sets identity_ to a caller-supplied MysqlxResolvedIdentity. resolve_backend_target_ for_test() drives a private routing helper without an authenticated identity. Both are necessary for unit tests but should not be reachable at all in shipped binaries; an in-process exploit reaching the session can call inject_identity_for_test() to forge an authenticated identity. Wrap them in #ifdef MYSQLX_TEST_BUILD; define -DMYSQLX_TEST_BUILD in the test Makefile only. The remaining target__for_test() getters are read-only state observers and are left unconditional — they cannot mutate the session and a debugger could observe the same state regardless. 5) test/tap/tests/unit/Makefile: define -DMYSQLX_TEST_BUILD on every unit test compile line via OPT. This is the test-only knob that re-enables the gated forgery methods so unit tests still compile. plugins/mysqlx/Makefile does NOT define this macro, so the production .so does not compile in the entry points. Verified locally: - plugins/mysqlx/ProxySQL_MySQLX_Plugin.so builds clean with PROXYSQL40=1 PROXYSQL31=1 PROXYSQLFFTO=1 PROXYSQLTSDB=1 PROXYSQLGENAI=1 (no MYSQLX_TEST_BUILD). - test/tap/tests/unit/mysqlx_robustness_unit-t builds and runs: 74/74 assertions pass, including the ones that exercise inject_identity_for_test (visible only because the test Makefile defines MYSQLX_TEST_BUILD).	4 weeks ago
Rene Cannao	4bd4b462be	fix(mysqlx): three blocking protocol/pool correctness bugs Three independent issues, fixed together because they all sit on the data-plane critical path and each one alone is enough to corrupt the session state machine. 1) MysqlxConnection::reset() did not scrub backend_ds_ buffers. The pooled-connection reuse path (Mysqlx_Thread::return_connection_ to_cache → reset → next session's get_connection_from_cache) calls MysqlxConnection::reset() between sessions. The previous version of reset() cleared in_transaction_, has_prepared_stmt_, reusable_, and auth_state_ but left the underlying MysqlxDataStream's read_buf_, write_buf_, ssl_write_buf_, and complete_frames_ untouched. Any straggler frame the prior session left in flight — for example a NOTICE that arrived after the terminal frame, an unread row that the prior session abandoned, or a half-parsed frame whose body had not finished arriving — would be served to the next session as if it were the response to its first query. That is a real cross-session data leak, not just a robustness issue. Adds MysqlxDataStream::clear_io_buffers() which scrubs the I/O queues without touching fd_, ssl_, rbio_ssl_, wbio_ssl_, or encrypted_. Preserving the SSL state is critical: rebuilding the SSL* would force a fresh TLS handshake on every pool checkout and would discard ALPN / cipher negotiation already done. Calls it from MysqlxConnection::reset(). 2) handler_capabilities_set silently accepted unparseable CapabilitiesSet messages. In plugins/mysqlx/src/mysqlx_session.cpp the previous logic was `if (cap_set.ParseFromArray(...))` { ... } and on parse failure fell through to the unconditional `pop_frame(); send_ok(); status_=CONNECTING_CLIENT;`. A buggy or hostile client that ships an unparseable capability payload would be told the negotiation succeeded — the server then proceeded with default capabilities while the client believed it had selected something. This is the exact kind of confused-state bug the X Protocol error codes exist to prevent. Returns send_error(5051, "Invalid CapabilitiesSet payload") on parse failure. 5051 is the X Protocol convention for an unrecognized/unparseable capability message; 5052 is reserved for "supported capability with rejected value" and is already used for the compression-value-not-supported path two blocks down. 3) step_auth_authenticate_start_sent ignored the return of AuthenticateContinue::ParseFromArray. In plugins/mysqlx/src/mysqlx_connection.cpp the backend-side auth state machine called `cont.ParseFromArray(frame->data() + 5, frame->size() - 5)` and discarded the bool. A backend (or a MITM that has bypassed TLS, or a misbehaving X-Protocol-aware proxy between us and the backend) returning a malformed AuthenticateContinue would produce an empty auth_data() field; the resulting empty challenge was then handed to mysqlx_mysql41_scramble() which would compute a scramble against a zero-length challenge — undefined-input territory. Backend auth would still fail eventually, but only after operating on uninitialized protobuf fields. Now: on parse failure, mark BACKEND_AUTH_ERROR and return -1 so the failure surfaces immediately and we never trust the half-parsed message body. Verified: plugins/mysqlx builds cleanly with PROXYSQL40=1 PROXYSQL31=1 PROXYSQLFFTO=1 PROXYSQLTSDB=1 PROXYSQLGENAI=1. Existing unit tests for protocol parsing and auth state are unchanged in expected behaviour (the new code paths trip only on malformed inputs that no current test exercises).	4 weeks ago
Rene Cannao	9f5ed235b8	fix(build,test groups): unblock CI on plugin-chassis Two unrelated CI blockers, fixed together because each one alone leaves the pipeline red and they are trivially independent: 1) `make cleanbuild` (and any other goal that recurses into plugins/mysqlx on a v3.0/v3.1 box without libprotobuf-dev) failed in plugins/mysqlx/Makefile because the protobuf-3.x ABI check fires at parse time. The check is correct for building the plugin — running pre-generated .pb.cc against an ABI-incompatible libprotobuf would produce a .so that links cleanly and crashes on first virtual dispatch — but it has no business firing for `clean`/`cleanall`, which only delete object files. Wrap the check in `ifeq ($(filter clean cleanall,$(MAKECMDGOALS)),)` so the safety guarantee is preserved on build paths and clean is now usable on a bare host. CI-builds was failing every job at Makefile:540 cleanbuild for this reason, and the failure cascaded through every dependent test workflow. 2) `mysqlx_compression_unit-t` was added in the X-Protocol Phase-1/2/3 compression commits but never registered in `test/tap/groups/groups.json`. The lint workflow `check_groups.py --source` flagged it as "executable test missing from groups.json" and exited 1, blocking the entire CI run. Add the entry to `unit-tests-g1` with the `@proxysql_min_version:4.0` tag, matching every other mysqlx unit test in the file. Also restore six MySQL test entries that lost their `mysql90-g3`, `mysql95-g3` tags during the `d2e03fae3` conflict-resolution commit, plus `test_noise_injection-t` which lost the same two. Confirmed against origin/v3.0 — these were valid groupings on v3.0 that should have been preserved through the merge but were silently dropped. Verified locally: - `cd plugins/mysqlx && make clean` succeeds without libprotobuf installed (was: fatal `$(error)` at parse time). - `python3 test/tap/groups/lint_groups_json.py` → "OK (419 entries, sorted, compact)". - `python3 test/tap/groups/check_groups.py` → "OK: All 29 executable tests are registered in groups.json".	4 weeks ago
René Cannaò	ce39154731	Merge pull request #5593 from sysown/ProtocolX feat: MySQL X Protocol plugin (dynamically loaded)	4 weeks ago
Rene Cannao	31d7ae9ecb	docs(mysqlx): reconcile comprehensive-testing plan against ProtocolX-rebased Audit the 14-task plan from 2026-04-09 against the actual test tree on ProtocolX-rebased and record the result inline. Findings: - Tasks 1-8, 10-14: every Tier-1 / Tier-2 / Tier-3 target file exists with a plan() at or above the assertion budget the plan called for. Tasks 5, 6, 8, 12 went well beyond their targets through interim expansion work; the others land exactly on plan. - Task 9 is obsolete: test_mysqlx_listener_smoke-t.cpp was deleted in `98aee7db2` together with the dormant MysqlxWorker path it exercised. Listener-lifecycle coverage is now provided by mysqlx_thread_unit-t and mysqlx_robustness_unit-t, which exist in the same tree but were not in scope when this plan was written. - 17 additional mysqlx/plugin unit-test files have landed beyond the plan, including the new mysqlx_compression_unit-t covering Phase 1-3 of the X Protocol compression work (zstd_stream + lz4_message capability negotiation, decompression with anti-bomb 16 MiB cap, and outbound batched compression). The plan does not enumerate these because they post-date it. Concretely this commit: - adds a "Reconciliation audit (2026-04-19)" section near the top with a per-task target/actual/status table and a pointer to the obsoleted task, - flips all 14 task-level "Commit:" checkboxes from [ ] to [x], - prepends an "(OBSOLETE)" tag and explanatory note to Task 9 so that anyone re-reading the plan understands why its sub-checkboxes are intentionally left unchecked. No code changes — this is purely a plan-status update so the plan is no longer misleading about what's left to do on the testing front.	4 weeks ago
Rene Cannao	aef01ef0be	feat(mysqlx): compress outbound server frames (Phase 3) Phase 3 of three-phase X Protocol compression support: server→client compression on outbound frames. Wraps up the MVP — CapabilitiesSet negotiation (Phase 1), inbound decompression (Phase 2), and now outbound compression all roundtrip. What this commit does ===================== forward_frame_to_client() — the chokepoint for backend→client frame forwarding — now routes through send_to_client_compressed(), which: 1. Returns early to plain client_ds_.enqueue_frame() when compression is not negotiated OR the body is below COMPRESSION_MIN_OUTPUT_BYTES (50 bytes — same threshold the upstream MySQL X plugin uses; per- message envelope + framing overhead would otherwise dwarf savings). 2. With combine_mixed_messages = false: emits one Compression frame per body. The protobuf has server_messages set to the original frame's msg_type and uncompressed_size set to the original body length, so a spec-compliant client can decompress in place. 3. With combine_mixed_messages = true: appends a fully-framed copy of the body to compress_batch_framed_ and bumps compress_batch_count_. Once the count reaches max_combine_messages (defaulting to 64 if the client didn't supply one), or flush_compression_batch() is invoked at a natural boundary, all buffered frames are emitted as one Compression message with NEITHER server_messages nor client_messages set — payload is the concatenated stream of framed X messages, matching the spec's third payload shape. The flush points are: - handler_waiting_server_msg() when it sees a terminal frame (end of a result set / final OK / etc.) — the response is "done" so anything still buffered must reach the wire before we go back to WAITING_CLIENT_XMSG. - handler_session_reset_waiting() on the ERROR path before write_to_net(), same reasoning. Mid-response we deliberately do NOT flush — that would defeat the combine_mixed_messages benefit by emitting a Compression message per batch hit, which is exactly what we're trying to avoid for streaming result sets. The count cap bounds how long a single batch can grow. Compressor selection mirrors Phase 2: - zstd_stream uses ZSTD_compressCCtx() with a per-session ZSTD_CCtx that's lazily allocated and freed in reset_compression_state(). - lz4_message uses LZ4_compress_default() one-shot. On compressor failure (ZSTD_isError or lz4 returning <= 0) the helper falls back to enqueueing the body uncompressed — losing compression benefit beats dropping the message. The session itself stays healthy. Tests ===== mysqlx_compression_unit-t now plans 64 sub-tests, all passing: - Phase 1: 22 sub-tests for capability negotiation - Phase 2: 17 sub-tests for inbound decompression - Phase 3 (new, 25 sub-tests): - zstd round-trip: frame on the wire is COMPRESSION with server_messages = NOTICE; payload decompresses back to the exact original 200-byte body - lz4 round-trip, same shape - below-threshold passthrough: 20-byte body emitted as plain NOTICE, not COMPRESSION (verifies the fast path) - combine_mixed_messages with max_combine_messages=3: three successive sends produce ONE Compression frame whose decompressed payload contains all three NOTICE bodies in order, with neither server_messages nor client_messages set - compression-disabled passthrough: when no negotiation, the helper acts as a plain enqueue_frame() (proves a client that never opts in is unaffected) A few new test-only accessors expose the batch state and send_to_client_compressed() entry point so tests can exercise the output path without wiring a fake backend (which would block on connect() in the dispatcher anyway). Verification ============ Top-level `PROXYSQLGENAI=1 make` builds cleanly. mysqlx_compression_unit-t passes 64/64. plugin_lifecycle_unit-t (26/26) passes unchanged. mysqlx_session_unit-t still has its two pre-existing failures at sub-tests 33-34 (auth flow), unrelated to compression and present on this branch before the Phase 1 commit.	4 weeks ago
Rene Cannao	b1fd6b31fc	feat(mysqlx): decompress incoming Compression messages (Phase 2) Phase 2 of three-phase X Protocol compression support: client→server decompression. Compression on the server→client path (Phase 3) still goes out uncompressed; CapabilitiesSet stores the negotiation in Phase 1 and this commit consumes it. What this commit does ===================== When the client sends a Mysqlx.Connection.Compression message AND compression has been negotiated, we now: 1. Parse the Compression protobuf — payload bytes, optional uncompressed_size hint, optional client_messages tag. 2. Decompress the payload using the negotiated algorithm: - zstd_stream: streaming decompression via a ZSTD_DCtx that persists across messages on the same session (per spec — successive Compression frames may continue a single zstd stream, so we cannot recreate the context per frame). - lz4_message: one-shot LZ4_decompress_safe. The X spec defines lz4_message as one independent frame per message, so no persistent context is needed. 3. Feed the decompressed bytes back into client_ds_.feed_bytes() so the existing frame parser picks them up. Two payload shapes per spec are handled: - client_messages set: payload is one decompressed body of that type — we re-frame with a 5-byte X header in front. - neither set: payload is already a sequence of fully-framed X messages — fed verbatim. 4. The dispatch loop re-enters on the same handler tick (to_process set), so a Compression-wrapped StmtExecute runs end-to-end without an extra network roundtrip. If client_messages is unset and server_messages IS set, the message is rejected (5008): server_messages on the c→s path is always wrong. Anti-bomb / bounds ================== COMPRESSION_MAX_DECOMPRESSED_BYTES = 16 MiB caps how much output a single Compression message can produce, mirroring MysqlxDataStream's existing on-the-wire X_MAX_PAYLOAD_SIZE so a Compression frame never expands beyond what the rest of the data plane can handle anyway. If the client provides an uncompressed_size hint smaller than 16 MiB we honor that as the tighter bound. Hint of 0 with non-empty payload is treated as malformed. For zstd, the decompression loop re-checks the cap before each ZSTD_decompressStream call and bails (with 5008) the moment the output buffer would exceed it. A no-progress condition (zout.pos == 0 with input remaining) also bails — that catches malformed streams that would otherwise spin forever. For lz4, LZ4_decompress_safe(dstCapacity = cap) naturally enforces the limit: the decompressor refuses to write past dstCapacity and returns an error code we map to 5008. Linkage / build =============== The plugin .so is dlopen'd with RTLD_LOCAL, so symbols from libzstd / liblz4 that the proxysql binary may already pull in are NOT visible to the plugin. This commit links the static deps/zstd/zstd/lib/libzstd.a + deps/lz4/lz4/lib/liblz4.a archives directly into the .so so the plugin is self-contained. The session header forward-declares ZSTD_DCtx / ZSTD_CCtx so the zstd headers don't leak through include/mysqlx_session.h into other translation units. Tests ===== mysqlx_compression_unit-t now covers Phase 2 end-to-end (39 sub- tests total, all passing): - Phase 1: capability negotiation (22 sub-tests, unchanged) - decompress zstd_stream client_messages=SQL_STMT_EXECUTE, inner StmtExecute reaches dispatch (no 5008, session moves past WAITING_CLIENT_XMSG) - same for lz4_message - oversize bomb attempt: lie about uncompressed_size, send a 1 MiB-of-zeros payload — rejected with 5008 - garbage compressed payload: rejected with 5008 - sanity: COMPRESSION before negotiation still 5008 Verification ============ Top-level `PROXYSQLGENAI=1 make` builds cleanly; the plugin .so links against the static zstd + lz4 archives. plugin_lifecycle_unit-t (26/26) passes unchanged. mysqlx_session_unit-t still has its two pre-existing failures at sub-tests 33-34, identical to behavior before this commit (verified by stashing only the Phase 2 edits to plugins/mysqlx/{src,include}/* + Makefile and rebuilding). The mysqlx_thread_unit-t / mysqlx_concurrent_unit-t hangs are also pre-existing and reproduce on the unmodified branch.	4 weeks ago
Rene Cannao	f19be5f3a0	feat(mysqlx): negotiate X Protocol compression capability (Phase 1) Phase 1 of three-phase X Protocol compression support: capability negotiation only. The COMPRESSION message itself is still rejected with error 5008 in dispatch_client_message(); Phase 2 wires up decompression on input and Phase 3 wires up compression on output. What this commit does ===================== - send_capabilities() now advertises a `compression` capability listing the algorithms the plugin can support: zstd_stream and lz4_message. Both libraries (libzstd, liblz4) are already statically linked into libproxysql.a / pulled into the unit-test link line, so this does not introduce any new runtime dependency. - handler_capabilities_set() detects when a client sets the `compression` capability and parses the OBJECT value's sub-keys: - `algorithm` (required string) — must match an advertised value; anything else is rejected with X-Protocol error 5052 (the capability-prepare-failed code per the spec). - `server_combine_mixed_messages` / `combine_mixed_messages` (bool) - `server_max_combine_messages` / `max_combine_messages` (uint) Both spelling variants are accepted because mysql-connector-python emits the short form while libmysqlclient emits the spec form, and the upstream MySQL server tolerates both. - Negotiation outcome is stored on MysqlxSession via three new members (compression_algo_, compression_combine_mixed_messages_, compression_max_combine_messages_). Phase 2 / Phase 3 will read these to drive (de)compression. They are reset by both init() and reset() so a session reuse does not inherit stale negotiation. - Unsupported algorithms (e.g. deflate_stream) and structurally malformed values (wrong protobuf type, missing algorithm field) are rejected with a non-fatal X-Protocol Error frame — the session remains healthy so the client can either retry CapabilitiesSet or proceed without compression. Why 5052 (non-fatal) and not 5008 --------------------------------- 5008 is the runtime "compression message arrived but compression is disabled" error and stays in dispatch_client_message() for now. 5052 is the spec-defined "capability prepare failed" status used during the CapabilitiesSet handshake; treating an unknown algorithm as a capability error matches the upstream MySQL X plugin's behavior and lets compliant clients downgrade to no-compression on the same connection. Tests ===== New unit test: test/tap/tests/unit/mysqlx_compression_unit-t.cpp (22 sub-tests, all passing). Covers: - CapGet response advertises `compression` with both algorithms - CapSet zstd_stream + combine hints accepted, stored on session - CapSet lz4_message accepted, stored on session - CapSet deflate_stream rejected with 5052 (non-fatal), session remains healthy with no algorithm set - CapSet with wrong-shape compression value (scalar instead of object) rejected with 5052 Existing mysqlx_session_unit-t / plugin_lifecycle_unit-t still pass (the two pre-existing failures in mysqlx_session_unit-t at sub-tests 33-34, "auth succeeded for correct password" and "session in WAITING_CLIENT_XMSG after auth", are present on this branch before this commit and unrelated to compression — verified by stashing only the mysqlx_session.{cpp,h} edits and re-running). Build infra fix piggy-backed on this commit ------------------------------------------- test/tap/tests/unit/Makefile referenced $(SQLITE3_LDIR)/../libsqlite_rembed.a in the GenAI-tier link line, but that .a is no longer produced on this branch (it was the artifact of the now-removed sqlite-rembed Rust extension). Without removing this stale reference, no plugin/mysqlx unit test can link, which blocks verifying the new compression test alongside the existing mysqlx tests required by the task. Mirrors the upstream fix that already landed on sibling branches as commit `44a6c9d58` ("build(test): drop libsqlite_rembed.a from TAP and rag test link order"). Phase 2 (decompression) and Phase 3 (compression on output) will follow as separate commits; the COMPRESSION dispatch handler still emits 5008 until Phase 2 lands.	4 weeks ago
Rene Cannao	79cac4c976	chore(mysqlx): retire MysqlxFrontendSession, MysqlxBackendSession, X_FAST_FORWARD Three pieces of dead code that survived the MysqlxWorker retirement (commit `98aee7db2`) and the v2 event-driven rewrite: * `MysqlxFrontendSession` and `MysqlxBackendSession` (plugins/mysqlx/ include/* + src/): an alternative session implementation from the pre-event-driven days. Compiled into the .so but not instantiated anywhere — `Mysqlx_Thread::accept_new_connection` creates a `MysqlxSession` directly. The Phase-1 placeholder in `MysqlxFrontendSession::handler_capabilities_set` (returning "TLS capability not supported by mysqlx plugin in Phase 1") was particularly misleading on review since the real, TLS-aware `MysqlxSession::handler_capabilities_set` in mysqlx_session.cpp:202 has full TLS negotiation wired up. `X_FAST_FORWARD` enum value, `handler_fast_forward()` declaration, dispatch case, and empty body (plugins/mysqlx/src/mysqlx_session.cpp): state was declared but no code path ever set `status_ = X_FAST_FORWARD`, so the dispatch case was unreachable and the handler body was empty. Drop the four files from `plugins/mysqlx/Makefile`'s SRCS list and delete them. Plugin .so size drops from ~9.3 MB to ~8.5 MB (approximately 800 KB of dead code eliminated). Build clean under PROXYSQLGENAI=1.	4 weeks ago
René Cannaò	6ef036a00c	Merge pull request #5671 from sysown/v3.0-fix-macos-release-upload ci: fix macOS package naming and release upload	1 month ago
Rene Cannao	78f06fcade	ci: fix macOS package naming and release upload The 6 macOS workflows had three interacting bugs: 1. All three tier variants (stable/v31/genai) produced tarballs with the same filename (proxysql-${GIT_VERSION}-macos-<arch>.tar.gz), where GIT_VERSION came straight from `git describe`. The Makefile bumps the version for v31/genai builds, but the workflow did not mirror that — so a v3.1 or v4.0 binary was packaged under a 3.0.x name. 2. `gh release upload --clobber` then overwrote the tarballs of the sibling tier jobs racing on the same filename, leaving only one surviving macOS artifact per arch across the three tiers. 3. `gh release create v3.0-head --draft 2>/dev/null \|\| true` spawned extra duplicate drafts, and `gh release upload v3.0-head` picked a non-deterministic draft (often a stale SHA) rather than the canonical current-SHA draft used by the Linux package workflows. Fixes, matching the Linux CI-package-* workflows: - Add an `init_release` job that finds or creates the canonical draft for the current SHA+tag via a race-tolerant lowest-id-wins loop, and passes RELEASE_ID to the build job. - Compute the tarball version by mirroring the Makefile's tier bump (major+1 for GENAI, minor+1 for 31), so artifacts are named proxysql-3.0.8-…, proxysql-3.1.8-…, proxysql-4.0.8-… — consistent with the Linux RPM/DEB naming convention. - Upload by release ID with per-asset delete-if-exists, eliminating cross-tier clobber and stale-draft targeting.	1 month ago

1 2 3 4 5 ...

9934 Commits (6d8dff293973edd1be9cc67be03aac400e85cb4c) All Branches Search

9934 Commits (6d8dff293973edd1be9cc67be03aac400e85cb4c)

All Branches