WIP: using local_conn var. "conn" doesn't exist

* Added check for pg_checkpoint role presence

This commit provides the needed infrastructure in `repmgr` so if the `repmgr` database
user is a member of the `pg_checkpoint` role, and inherits its privileges, there is no 
need for such a user to be a superuser.

Co-authored-by: Martín Marqués <martin.marques@enterprisedb.com>

.github/CODEOWNERS

@@ -0,0 +1,7 @@
+# Each line is a file pattern followed by one or more owners.
+
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence,
+# @global-owner1 and @global-owner2 will be requested for
+# review when someone opens a pull request.
+*       @EnterpriseDB/repmgr-dev

HISTORY

@@ -1,3 +1,9 @@
+5.4.1   2023-??-??
+        repmgrd: ensure witness node metadata is updated (Ian)
+
+5.4.0   2023-03-16
+        Support cloning replicas using pg-backup-api
+
 5.3.3   2022-10-17
         Support for PostgreSQL added
         repmgrd: ensure event notification script is called for event

README.md

@@ -7,8 +7,8 @@ replication capabilities with utilities to set up standby servers, monitor
 replication, and perform administrative tasks such as failover or switchover
 operations.
 
-The most recent `repmgr` version (5.3.2) supports all PostgreSQL versions from
+The most recent `repmgr` version (5.4.1) supports all PostgreSQL versions from
-9.5 to 14. PostgreSQL 9.4 is also supported, with some restrictions.
+10 to 16.
 
 `repmgr` is distributed under the GNU GPL 3 and maintained by EnterpriseDB.
 
@@ -40,7 +40,6 @@ Directories
  - `contrib/`: additional utilities
  - `doc/`: DocBook-based documentation files
  - `expected/`: expected regression test output
- - `scripts/`: example scripts
  - `sql/`: regression test input
 
 
@@ -57,8 +56,6 @@ There is a mailing list/forum to discuss contributions or issues:
 
 * https://groups.google.com/group/repmgr
 
-The IRC channel #repmgr is registered with freenode.
-
 Please report bugs and other issues to:
 
 * https://github.com/EnterpriseDB/repmgr
@@ -71,6 +68,13 @@ news are always welcome.
 Thanks from the repmgr core team.
 
 * Ian Barwick
+* Israel Barth
+* Mario González
+* Martín Marqués
+* Gianni Ciolli
+
+Past contributors:
+
 * Jaime Casanova
 * Abhijit Menon-Sen
 * Simon Riggs

dbutils.c

@@ -1852,6 +1852,51 @@ get_wal_receiver_pid(PGconn *conn)
 /* =============================== */
 
 
+/*
+ * Determine if the user associated with the current connection can execute CHECKPOINT command.
+ * User must be a supersuer or a member of the pg_checkpoint default role (available from PostgreSQL 15).
+ */
+bool
+can_execute_checkpoint(PGconn *conn)
+{
+	PQExpBufferData query;
+	PGresult   *res;
+	bool		has_pg_checkpoint_role = false;
+
+	/* superusers can do anything, no role check needed */
+	if (is_superuser_connection(conn, NULL) == true)
+		return true;
+
+	/* pg_checkpoint available from PostgreSQL 15 */
+	if (PQserverVersion(conn) < 150000)
+		return false;
+
+	initPQExpBuffer(&query);
+	appendPQExpBufferStr(&query,
+						 " SELECT pg_catalog.pg_has_role('pg_checkpoint','USAGE') ");
+
+	res = PQexec(conn, query.data);
+
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		log_db_error(conn, query.data,
+					 _("can_execute_checkpoint(): unable to query user roles"));
+	}
+	else
+	{
+		has_pg_checkpoint_role = atobool(PQgetvalue(res, 0, 0));
+	}
+	termPQExpBuffer(&query);
+	PQclear(res);
+
+	return has_pg_checkpoint_role;
+}
+
+
+/*
+ * Determine if the user associated with the current connection
+ * has sufficient permissions to use pg_promote function
+ */
 bool
 can_execute_pg_promote(PGconn *conn)
 {
@@ -1913,15 +1958,47 @@ can_disable_walsender(PGconn *conn)
 	if (is_superuser_connection(conn, NULL) == true)
 		return true;
 
-	/*
+	PQExpBufferData query;
-	 * As of PostgreSQL 14, it is not possible for a non-superuser
+	PGresult   *res;
-	 * to execute ALTER SYSTEM, so further checks are superfluous.
+	bool		has_alter_system_priv = false;
-	 * This will need modifying for PostgreSQL 15.
-	 */
-	log_warning(_("\"standby_disconnect_on_failover\" specified, but repmgr user is not a superuser"));
-	log_detail(_("superuser permission required to disable standbys on failover"));
 
-	return false;
+	/* GRANT ALTER SYSTEM available from PostgreSQL 15 */
+	if (PQserverVersion(conn) >= 150000)
+	{
+		initPQExpBuffer(&query);
+		appendPQExpBufferStr(&query,
+						" SELECT pg_catalog.has_parameter_privilege('wal_retrieve_retry_interval', 'ALTER SYSTEM') ");
+
+		res = PQexec(conn, query.data);
+
+		if (PQresultStatus(res) != PGRES_TUPLES_OK)
+		{
+			log_db_error(conn, query.data,
+					_("can_disable_walsender(): unable to query user parameter privileges"));
+		}
+		else
+		{
+			has_alter_system_priv = atobool(PQgetvalue(res, 0, 0));
+		}
+		termPQExpBuffer(&query);
+		PQclear(res);
+	}
+
+	if (has_alter_system_priv == false)
+	{
+		log_warning(_("\"standby_disconnect_on_failover\" specified, but repmgr user is not authorized to perform ALTER SYSTEM wal_retrieve_retry_interval"));
+
+		if (PQserverVersion(conn) >= 150000)
+		{
+			log_detail(_("superuser or ALTER SYSTEM wal_retrieve_retry_interval permission required to disable standbys on failover"));
+		}
+		else
+		{
+			log_detail(_("superuser permission required to disable standbys on failover"));
+		}
+	}
+
+	return has_alter_system_priv;
 }
 
 /*
@@ -1947,13 +2024,13 @@ connection_has_pg_monitor_role(PGconn *conn, const char *subrole)
 	initPQExpBuffer(&query);
 	appendPQExpBufferStr(&query,
 						 "  SELECT CASE "
-						 "           WHEN pg_catalog.pg_has_role('pg_monitor','MEMBER') "
+						 "           WHEN pg_catalog.pg_has_role('pg_monitor','USAGE') "
 						 "             THEN TRUE ");
 
 	if (subrole != NULL)
 	{
 		appendPQExpBuffer(&query,
-						  "           WHEN pg_catalog.pg_has_role('%s','MEMBER') "
+						  "           WHEN pg_catalog.pg_has_role('%s','USAGE') "
 						  "             THEN TRUE ",
 						  subrole);
 	}
@@ -2460,7 +2537,10 @@ get_repmgr_extension_status(PGconn *conn, t_extension_versions *extversions)
 /* node management functions */
 /* ========================= */
 
-/* assumes superuser connection */
+/*
+ * Assumes the connection can execute CHECKPOINT command.
+ * A check can be executed via 'can_execute_checkpoint' function.
+ */
 void
 checkpoint(PGconn *conn)
 {

dbutils.h

@@ -453,6 +453,7 @@ TimeLineHistoryEntry *get_timeline_history(PGconn *repl_conn, TimeLineID tli);
 pid_t		get_wal_receiver_pid(PGconn *conn);
 
 /* user/role information functions */
+bool		can_execute_checkpoint(PGconn *conn);
 bool		can_execute_pg_promote(PGconn *conn);
 bool		can_disable_walsender(PGconn *conn);
 bool		connection_has_pg_monitor_role(PGconn *conn, const char *subrole);

doc/appendix-release-notes.xml

@@ -16,8 +16,44 @@
   </para>
 
   <!-- remember to update the release date in ../repmgr_version.h.in -->
+  <sect1 id="release-5.4.1">
+    <title id="release-current">Release 5.4.1</title>
+    <para><emphasis>??? ?? ??????, 202?</emphasis></para>
+    <para>
+      &repmgr; 5.4.1 is a minor release providing ...
+    </para>
+    <sect2>
+      <title>Bug fixes</title>
+      <para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              &repmgrd;: ensure witness node metadata is updated if the primary
+              node changed while the witness &repmgrd; was not running.
+            </para>
+          </listitem>
+        </itemizedlist>
+      </para>
+    </sect2>
+  </sect1>
+
+  <sect1 id="release-5.4.0">
+    <title>Release 5.4.0</title>
+    <para><emphasis>Thu 15 March, 2023</emphasis></para>
+    <para>
+      &repmgr; 5.4.0 is a major release.
+    </para>
+    <para>
+      This release provides support for cloning standbys using backups taken with <ulink url="http://www.pgbarman.org">barman</ulink>
+      with the use of <ulink url="https://github.com/EnterpriseDB/pg-backup-api">pg-backup-api</ulink>.
+    </para>
+    <para>
+      Minor fixes to the documentation.
+    </para>
+  </sect1>
+
   <sect1 id="release-5.3.3">
-    <title id="release-current">Release 5.3.3</title>
+    <title>Release 5.3.3</title>
     <para><emphasis>Mon 17 October, 2022</emphasis></para>
     <para>
       &repmgr; 5.3.3 is a minor release providing support for

doc/cloning-standbys.xml

@@ -225,6 +225,109 @@ description = "Main cluster"
    </note>
 
   </sect2>
+
+  <sect2 id="cloning-from-barman-pg_backupapi-mode" xreflabel="Using Barman through its API (pg-backup-api)">
+    <title>Using Barman through its API (pg-backup-api)</title>
+    <indexterm>
+      <primary>cloning</primary>
+      <secondary>pg-backup-api</secondary>
+    </indexterm>
+
+    <para>
+      You can find information on how to install and setup pg-backup-api in
+      <ulink url="https://www.enterprisedb.com/docs/supported-open-source/barman/pg-backup-api/">the pg-backup-api
+      documentation</ulink>.
+    </para>
+
+    <para>
+      This mode (`pg-backupapi`) was introduced in v5.4.0 as a way to further integrate with Barman letting Barman
+      handle the restore. This also reduces the ssh keys that need to share between the backup and postgres nodes.
+      As long as you have access to the API service by HTTP calls, you could perform recoveries right away.
+      You just need to instruct Barman through the API which backup you need and on which node the backup needs to
+      to be restored on.
+    </para>
+
+    <para>
+      In order to enable <literal>pg_backupapi mode</literal> support for <command>repmgr standby clone</command>,
+      you need the following lines in repmgr.conf:
+      <itemizedlist spacing="compact" mark="bullet">
+        <listitem><para>pg_backupapi_host: Where pg-backup-api is hosted</para></listitem>
+        <listitem><para>pg_backupapi_node_name: Name of the server as understood by Barman</para></listitem>
+        <listitem><para>pg_backupapi_remote_ssh_command: How Barman will be connecting as to the node</para></listitem>
+        <listitem><para>pg_backupapi_backup_id: ID of the existing backup you need to restore</para></listitem>
+      </itemizedlist>
+
+      This is an example of how repmgr.conf would look like:
+
+      <programlisting>
+        pg_backupapi_host = '192.168.122.154'
+        pg_backupapi_node_name = 'burrito'
+        pg_backupapi_remote_ssh_command = 'ssh john_doe@192.168.122.1'
+        pg_backupapi_backup_id = '20230223T093201'
+      </programlisting>
+    </para>
+
+    <para>
+      <literal>pg_backupapi_host</literal> is the variable name that enables this mode, and when you set it,
+      all the rest of the above variables are required. Also, remember that this service is just an interface
+      between Barman and repmgr, hence if something fails during a recovery, you should check Barman's logs upon
+      why the process couldn't finish properly.
+    </para>
+
+    <note>
+      <simpara>
+        Despite in Barman you can define shortcuts like "lastest" or "oldest", they are not supported for the
+        time being in pg-backup-api. These shortcuts will be supported in a future release.
+      </simpara>
+     </note>
+
+    <para>
+      This is a real example of repmgr's output cloning with the API. Note that during this operation, we stopped
+      the service for a little while and repmgr had to retry but that doesn't affect the final outcome. The primary
+      is listening on localhost's port 6001:
+
+      <programlisting>
+$ repmgr -f ~/nodes/node_3/repmgr.conf standby clone -U repmgr -p 6001 -h localhost
+NOTICE: destination directory "/home/mario/nodes/node_3/data" provided
+INFO: Attempting to use `pg_backupapi` new restore mode
+INFO: connecting to source node
+DETAIL: connection string is: user=repmgr port=6001 host=localhost
+DETAIL: current installation size is 8541 MB
+DEBUG: 1 node records returned by source node
+DEBUG: connecting to: "user=repmgr dbname=repmgr host=localhost port=6001 connect_timeout=2 fallback_application_name=repmgr options=-csearch_path="
+DEBUG: upstream_node_id determined as 1
+INFO: Attempting to use `pg_backupapi` new restore mode
+INFO: replication slot usage not requested;  no replication slot will be set up for this standby
+NOTICE: starting backup (using pg_backupapi)...
+INFO: Success creating the task: operation id '20230309T150647'
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+Incorrect reply received for that operation ID.
+INFO: Retrying...
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+INFO: status IN_PROGRESS
+INFO: status DONE
+NOTICE: standby clone (from pg_backupapi) complete
+NOTICE: you can now start your PostgreSQL server
+HINT: for example: pg_ctl -D /home/mario/nodes/node_3/data start
+HINT: after starting the server, you need to register this standby with "repmgr standby register"
+      </programlisting>
+
+    </para>
+  </sect2> <!--END cloning-from-barman-pg_backupapi-mode !-->
  </sect1>
 
  <sect1 id="cloning-replication-slots" xreflabel="Cloning and replication slots">

doc/configuration-file-optional-settings.xml

@@ -10,8 +10,8 @@
   <note>
     <simpara>
       This section documents a subset of optional configuration settings; for a full
-      for a full and annotated view of all configuration options see the
+      and annotated view of all configuration options see the
-      see the <ulink url="https://raw.githubusercontent.com/EnterpriseDB/repmgr/master/repmgr.conf.sample">sample repmgr.conf file</ulink>
+      <ulink url="https://raw.githubusercontent.com/EnterpriseDB/repmgr/master/repmgr.conf.sample">sample repmgr.conf file</ulink>
     </simpara>
   </note>
 

doc/configuration-permissions.xml

@@ -79,6 +79,10 @@
         Alternatively the meta-role <varname>pg_monitor</varname> can be granted, which includes membership
         of the above predefined roles.
       </para>
+      <para>
+        PostgreSQL 15 introduced the <varname>pg_checkpoint</varname> predefined role which allows a 
+        non-superuser &repmgr; database user to perform a CHECKPOINT command.
+      </para>
       <para>
         Membership of these roles can be granted with e.g. <command>GRANT pg_read_all_stats TO repmgr</command>.
       </para>
@@ -148,6 +152,8 @@
               <link linkend="repmgr-standby-switchover">repmgr standby switchover</link>. This can only
               be executed by a superuser; if the &repmgr; user is not a superuser,
               the <option>-S</option>/<option>--superuser</option> should be used.
+              From PostgreSQL 15 the <varname>pg_checkpoint</varname> predefined role removes the need of
+              superuser permissions to perform <command>CHECKPOINT</command> command.
             </simpara>
             <simpara>
               If &repmgr; is not able to execute <command>CHECKPOINT</command>,
@@ -159,8 +165,10 @@
             <simpara>
               The <command>ALTER SYSTEM</command> is executed by &repmgrd; if
               <varname>standby_disconnect_on_failover</varname> is set to <literal>true</literal> in
-              <filename>repmgr.conf</filename>. <command>ALTER SYSTEM</command> can only be executed by
+              <filename>repmgr.conf</filename>. Until PostgreSQL 14 <command>ALTER SYSTEM</command> can only be executed by
               a superuser; if the &repmgr; user is not a superuser, this functionality will not be available.
+              From PostgreSQL 15 a specific ALTER SYSTEM privilege can be granted with e.g.
+              <command>GRANT ALTER SYSTEM ON PARAMETER wal_retrieve_retry_interval TO repmgr</command>.
             </simpara>
           </listitem>
         </itemizedlist>

doc/repmgr-node-service.xml

@@ -77,7 +77,8 @@
           </para>
           <para>
             Note that a superuser connection is required to be able to execute the
-             <command>CHECKPOINT</command> command.
+            <command>CHECKPOINT</command> command. From PostgreSQL 15 the <varname>pg_checkpoint</varname>
+            predefined role removes the need for superuser permissions to perform <command>CHECKPOINT</command> command.
           </para>
         </listitem>
      </varlistentry>

doc/repmgr-standby-switchover.xml

@@ -79,7 +79,8 @@
     <para>
       Note that <command>CHECKPOINT</command> requires database superuser permissions to execute.
       If the <literal>repmgr</literal> user is not a superuser, the name of a superuser should be
-      provided with the <option>-S</option>/<option>--superuser</option> option.
+      provided with the <option>-S</option>/<option>--superuser</option> option. From PostgreSQL 15 the <varname>pg_checkpoint</varname>
+      predefined role removes the need for superuser permissions to perform <command>CHECKPOINT</command> command.
     </para>
     <para>
       If &repmgr; is unable to execute the <command>CHECKPOINT</command> command, the switchover

doc/repmgrd-automatic-failover.xml

@@ -279,7 +279,9 @@
   <note>
     <para>
       <option>standby_disconnect_on_failover</option> is available with PostgreSQL 9.5 and later.
-      Additionally this requires that the <literal>repmgr</literal> database user is a superuser.
+      Until PostgreSQL 14 this requires that the <literal>repmgr</literal> database user is a superuser.
+      From PostgreSQL 15 a specific ALTER SYSTEM privilege can be granted to the <literal>repmgr</literal> database
+      user with e.g. <command>GRANT ALTER SYSTEM ON PARAMETER wal_retrieve_retry_interval TO repmgr</command>.
     </para>
   </note>
   <para>

repmgr-action-node.c

@@ -2365,18 +2365,25 @@ do_node_service(void)
 			conn = establish_db_connection_by_params(&source_conninfo, true);
 		}
 
-		if (is_superuser_connection(conn, NULL) == false)
+		if (can_execute_checkpoint(conn) == false)
 		{
 			if (runtime_options.dry_run == true)
 			{
-				log_warning(_("a CHECKPOINT would be issued here but no superuser connection is available"));
+				log_warning(_("a CHECKPOINT would be issued here but no authorized connection is available"));
 			}
 			else
 			{
-				log_warning(_("a superuser connection is required to issue a CHECKPOINT"));
+				log_warning(_("an authorized connection is required to issue a CHECKPOINT"));
 			}
 
-			log_hint(_("provide a superuser with -S/--superuser"));
+			if (PQserverVersion(conn) >= 150000)
+			{
+				log_hint(_("provide a superuser with -S/--superuser or grant pg_checkpoint role to repmgr user"));
+			}
+			else
+			{
+				log_hint(_("provide a superuser with -S/--superuser"));
+			}
 		}
 		else
 		{

repmgr-action-standby.c

@@ -5288,7 +5288,7 @@ do_standby_switchover(void)
 			checkpoint_conn = superuser_conn;
 		}
 
-		if (is_superuser_connection(checkpoint_conn, NULL) == true)
+		if (can_execute_checkpoint(checkpoint_conn) == true)
 		{
 			log_notice(_("issuing CHECKPOINT on node \"%s\" (ID: %i) "),
 					   config_file_options.node_name,
@@ -5297,7 +5297,16 @@ do_standby_switchover(void)
 		}
 		else
 		{
-			log_warning(_("no superuser connection available, unable to issue CHECKPOINT"));
+			log_warning(_("no authorized connection available, unable to issue CHECKPOINT"));
+
+			if (PQserverVersion(local_conn) >= 150000)
+			{
+				log_hint(_("provide a superuser with -S/--superuser or grant pg_checkpoint role to repmgr user"));
+			}
+			else
+			{
+				log_hint(_("provide a superuser with -S/--superuser"));
+			}
 		}
 	}
 

repmgr.conf.sample

@@ -12,7 +12,7 @@
 #
 # For details on the configuration file format see the documentation at:
 #
-#   https://repmgr.org/docs/current/configuration-file.html#CONFIGURATION-FILE-FORMAT
+#  https://repmgr.org/docs/current/configuration-file.html#CONFIGURATION-FILE-FORMAT
 #
 # =============================================================================
 # Required configuration items
@@ -76,7 +76,7 @@
 #location='default'		 # An arbitrary string defining the location of the node; this
 				 # is used during failover to check visibility of the
 				 # current primary node. For further details see:
-				 #   https://repmgr.org/docs/current/repmgrd-network-split.html
+				 #  https://repmgr.org/docs/current/repmgrd-network-split.html
 
 #use_replication_slots=no	 # whether to use physical replication slots
 				 # NOTE: when using replication slots,
@@ -181,8 +181,8 @@
 
 #pg_ctl_options=''			# Options to append to "pg_ctl"
 #pg_basebackup_options=''		# Options to append to "pg_basebackup"
-                                        # (Note: when cloning from Barman, repmgr will honour any
+					# (Note: when cloning from Barman, repmgr will honour any
-                                        # --waldir/--xlogdir setting present in "pg_basebackup_options"
+					# --waldir/--xlogdir setting present in "pg_basebackup_options"
 #rsync_options=''			# Options to append to "rsync"
 ssh_options='-q -o ConnectTimeout=10'	# Options to append to "ssh"
 
@@ -212,8 +212,8 @@ ssh_options='-q -o ConnectTimeout=10'	# Options to append to "ssh"
 
 #recovery_min_apply_delay=		# If provided, "recovery_min_apply_delay" will be set to
 					# this value (PostgreSQL 9.4 and later). Value can be
-                                        # an integer representing milliseconds, or a string
+					# an integer representing milliseconds, or a string
-                                        # representing a period of time (e.g. '5 min').
+					# representing a period of time (e.g. '5 min').
 
 
 #------------------------------------------------------------------------------
@@ -299,7 +299,7 @@ ssh_options='-q -o ConnectTimeout=10'	# Options to append to "ssh"
 					# a value of zero prevents the node being promoted to primary
 					# (default: 100)
 
-#connection_check_type=ping		# How to check availability of the upstream node; valid options:
+#connection_check_type='ping'		# How to check availability of the upstream node; valid options:
 					#  'ping': use PQping() to check if the node is accepting connections
 					#  'connection': attempt to make a new connection to the node
 					#  'query': execute an SQL statement on the node via the existing connection
@@ -340,22 +340,31 @@ ssh_options='-q -o ConnectTimeout=10'	# Options to append to "ssh"
 #repmgrd_exit_on_inactive_node=false	# If "true", and the node record is marked as "inactive", abort repmgrd startup
 #standby_disconnect_on_failover=false	# If "true", in a failover situation wait for all standbys to
 					# disconnect their WAL receivers before electing a new primary
-					# (PostgreSQL 9.5 and later only; repmgr user must be a superuser for this)
+					# Can be true in PostgreSQL 9.5 and later only. Until PostgreSQL 14 repmgr user must be a superuser to use this.
+					# From PostgreSQL 15 repmgr must be a superuser or have 'ALTER SYSTEM wal_retrieve_retry_interval' privilege.
+					# (see: https://repmgr.org/docs/current/repmgrd-standby-disconnection-on-failover.html )
 #sibling_nodes_disconnect_timeout=30	# If "standby_disconnect_on_failover" is true, the maximum length of time
-					#  (in seconds) to wait for other standbys to confirm they have disconnected their
+					# (in seconds) to wait for other standbys to confirm they have disconnected their
 					# WAL receivers
 #primary_visibility_consensus=false	# If "true", only continue with failover if no standbys have seen
 					# the primary node recently. *Must* be the same on all nodes.
 #always_promote=false			# Always promote a node, even if repmgr metadata is outdated
-#failover_validation_command=''		# Script to execute for an external mechanism to validate the failover
+#failover_validation_command=''	# Script to execute for an external mechanism to validate the failover
-					# decision made by repmgrd. One or both of the following parameter placeholders
+					# decision made by repmgrd. Each of the following parameter placeholders
-					# should be provided, which will be replaced by repmgrd with the appropriate
+					# should be provided, which will be replaced by repmgrd with the appropriate value:
-					# value: %n (node_id), %a (node_name). *Must* be the same on all nodes.
+					#   %n (node_id)
+					#   %a (node_name)
+					#   %v (number of visible nodes)
+					#   %u (number of shared upstream nodes)
+					#   %t (total number of nodes)
+					# *Must* be the same on all nodes.
 #election_rerun_interval=15		# if "failover_validation_command" is set, and the command returns
 					# an error, pause the specified amount of seconds before rerunning the election.
-					#
+
-					# The following items are relevant for repmgrd running on the primary,
+# The following items are relevant for repmgrd running on the primary,
-					# and will be ignored on non-primary nodes
+# and will be ignored on non-primary nodes.
+# (see: https://repmgr.org/docs/current/repmgrd-primary-child-disconnection.html )
+
 #child_nodes_check_interval=5		# Interval (in seconds) to check for attached child nodes (standbys)
 #child_nodes_connected_min_count=-1	# Minimum number of child nodes which must remain connected, otherwise
 					# disconnection command will be triggered
@@ -363,6 +372,7 @@ ssh_options='-q -o ConnectTimeout=10'	# Options to append to "ssh"
 					# (ignored if "child_nodes_connected_min_count" set)
 #child_nodes_disconnect_timeout=30	# Interval between child node disconnection and disconnection command execution
 #child_nodes_disconnect_command=''	# Command to execute if child node disconnection detected
+#child_nodes_connected_include_witness=false	# Whether to count the witness node (if in use) as a child node when determining whether to execute child_nodes_disconnect_command.
 
 #------------------------------------------------------------------------------
 # service control commands
@@ -385,20 +395,20 @@ ssh_options='-q -o ConnectTimeout=10'	# Options to append to "ssh"
 #
 # For example, to use systemd, you can set
 #
-#    service_start_command = 'sudo systemctl start postgresql-9.6'
+#    service_start_command = 'sudo systemctl start postgresql-16'
 #    (...)
 #
 # and then use the following sudoers configuration:
 #
 #    # this is required when running sudo over ssh without -t:
 #    Defaults:postgres !requiretty
-#    postgres ALL = NOPASSWD: /usr/bin/systemctl stop postgresql-9.6, \
+#    postgres ALL = NOPASSWD: /usr/bin/systemctl stop postgresql-16, \
-#	/usr/bin/systemctl start postgresql-9.6, \
+#        /usr/bin/systemctl start postgresql-16, \
-#	/usr/bin/systemctl restart postgresql-9.6
+#        /usr/bin/systemctl restart postgresql-16
 #
 # Debian/Ubuntu users: use "sudo pg_ctlcluster" to execute service control commands.
 #
-# For more details, see: https://repmgr.org/docs/current/configuration-file-service-commands.html
+# For further details, see: https://repmgr.org/docs/current/configuration-file-service-commands.html
 
 #service_start_command = ''
 #service_stop_command = ''
@@ -441,4 +451,3 @@ ssh_options='-q -o ConnectTimeout=10'	# Options to append to "ssh"
 					# "repmgr standby switchover" to warn about potential
 					# issues with shutting down the demotion candidate.
 
-

repmgrd-physical.c

@@ -2394,6 +2394,17 @@ monitor_streaming_witness(void)
 			terminate(ERR_BAD_CONFIG);
 		}
 
+		/*
+		 * It's possible that the primary changed while the witness repmgrd was not
+		 * running. This does not affect the functionality of the witness repmgrd, but
+		 * does mean outdated node metadata will be displayed, so update that.
+		 */
+		if (local_node_info.upstream_node_id != primary_node_id)
+		{
+			update_node_record_set_upstream(primary_conn, local_node_info.node_id, primary_node_id);
+			local_node_info.upstream_node_id = primary_node_id;
+		}
+
 		initPQExpBuffer(&event_details);
 
 		appendPQExpBuffer(&event_details,