Queue connections for worker slots instead of rejecting immediately

Replace the "reject immediately" pattern when max_workers is reached with
a blocking semaphore in FlightWorkerPool. A buffered channel of size
maxWorkers acts as both a concurrency limiter and a FIFO queue.

Clients now complete TLS + auth, then block at the ReadyForQuery stage
until a worker slot becomes available (or the queue timeout expires).
This eliminates retry storms from clients like Fivetran that reconnect
aggressively on "too many connections" errors.

Key changes:
- AcquireWorker(ctx) blocks on semaphore instead of returning ErrMaxWorkersReached
- RetireWorker/HealthCheckLoop crash paths release semaphore slots
- ShutdownAll closes shutdownCh to unblock all queued waiters
- New --worker-queue-timeout flag (default 30s) controls queue wait time
- Remove dead reap-and-retry code from Flight ingress (GetOrCreate)
- Remove MaxWorkersRetry Prometheus metrics and hooks

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: fuziontech

config_resolution.go

@@ -28,14 +28,16 @@ type configCLIInputs struct {
 	MemoryRebalance           bool
 	MaxWorkers                int
 	MinWorkers                int
+	WorkerQueueTimeout        string
 	ACMEDomain                string
 	ACMEEmail                 string
 	ACMECacheDir              string
 	MaxConnections            int
 }
 
 type resolvedConfig struct {
-	Server server.Config
+	Server             server.Config
+	WorkerQueueTimeout time.Duration
 }
 
 func defaultServerConfig() server.Config {
@@ -69,6 +71,7 @@ func resolveEffectiveConfig(fileCfg *FileConfig, cli configCLIInputs, getenv fun
 	}
 
 	cfg := defaultServerConfig()
+	var workerQueueTimeout time.Duration
 
 	if fileCfg != nil {
 		if fileCfg.Host != "" {
@@ -210,6 +213,13 @@ func resolveEffectiveConfig(fileCfg *FileConfig, cli configCLIInputs, getenv fun
 		if fileCfg.MinWorkers != 0 {
 			cfg.MinWorkers = fileCfg.MinWorkers
 		}
+		if fileCfg.WorkerQueueTimeout != "" {
+			if d, err := time.ParseDuration(fileCfg.WorkerQueueTimeout); err == nil {
+				workerQueueTimeout = d
+			} else {
+				warn("Invalid worker_queue_timeout duration: " + err.Error())
+			}
+		}
 		if len(fileCfg.PassthroughUsers) > 0 {
 			cfg.PassthroughUsers = make(map[string]bool, len(fileCfg.PassthroughUsers))
 			for _, u := range fileCfg.PassthroughUsers {
@@ -365,6 +375,13 @@ func resolveEffectiveConfig(fileCfg *FileConfig, cli configCLIInputs, getenv fun
 			warn("Invalid DUCKGRES_MAX_WORKERS: " + err.Error())
 		}
 	}
+	if v := getenv("DUCKGRES_WORKER_QUEUE_TIMEOUT"); v != "" {
+		if d, err := time.ParseDuration(v); err == nil {
+			workerQueueTimeout = d
+		} else {
+			warn("Invalid DUCKGRES_WORKER_QUEUE_TIMEOUT duration: " + err.Error())
+		}
+	}
 	if v := getenv("DUCKGRES_ACME_DOMAIN"); v != "" {
 		cfg.ACMEDomain = v
 	}
@@ -456,6 +473,13 @@ func resolveEffectiveConfig(fileCfg *FileConfig, cli configCLIInputs, getenv fun
 	if cli.Set["max-workers"] {
 		cfg.MaxWorkers = cli.MaxWorkers
 	}
+	if cli.Set["worker-queue-timeout"] {
+		if d, err := time.ParseDuration(cli.WorkerQueueTimeout); err == nil {
+			workerQueueTimeout = d
+		} else {
+			warn("Invalid --worker-queue-timeout duration: " + err.Error())
+		}
+	}
 	if cli.Set["acme-domain"] {
 		cfg.ACMEDomain = cli.ACMEDomain
 	}
@@ -482,6 +506,7 @@ func resolveEffectiveConfig(fileCfg *FileConfig, cli configCLIInputs, getenv fun
 	}
 
 	return resolvedConfig{
-		Server: cfg,
+		Server:             cfg,
+		WorkerQueueTimeout: workerQueueTimeout,
 	}
 }

controlplane/control.go

@@ -28,6 +28,7 @@ type ControlPlaneConfig struct {
 	ConfigPath          string // Path to config file, passed to workers
 	HandoverSocket      string
 	HealthCheckInterval time.Duration
+	WorkerQueueTimeout  time.Duration // How long to wait for an available worker slot (default: 30s)
 }
 
 // ControlPlane manages the TCP listener and routes connections to Flight SQL workers.
@@ -62,6 +63,9 @@ func RunControlPlane(cfg ControlPlaneConfig) {
 	if cfg.HealthCheckInterval == 0 {
 		cfg.HealthCheckInterval = 2 * time.Second
 	}
+	if cfg.WorkerQueueTimeout == 0 {
+		cfg.WorkerQueueTimeout = 5 * time.Minute
+	}
 
 	// Enforce secure defaults for control-plane mode.
 	if err := validateControlPlaneSecurity(cfg); err != nil {
@@ -171,10 +175,11 @@ func RunControlPlane(cfg ControlPlaneConfig) {
 	// creation races between pre-warm and first external Flight requests.
 	if cfg.FlightPort > 0 {
 		flightIngress, err := NewFlightIngress(cfg.Host, cfg.FlightPort, tlsCfg, cfg.Users, sessions, FlightIngressConfig{
-			SessionIdleTTL:  cfg.FlightSessionIdleTTL,
-			SessionReapTick: cfg.FlightSessionReapInterval,
-			HandleIdleTTL:   cfg.FlightHandleIdleTTL,
-			SessionTokenTTL: cfg.FlightSessionTokenTTL,
+			SessionIdleTTL:     cfg.FlightSessionIdleTTL,
+			SessionReapTick:    cfg.FlightSessionReapInterval,
+			HandleIdleTTL:      cfg.FlightHandleIdleTTL,
+			SessionTokenTTL:    cfg.FlightSessionTokenTTL,
+			WorkerQueueTimeout: cfg.WorkerQueueTimeout,
 		})
 		if err != nil {
 			slog.Error("Failed to initialize Flight ingress.", "error", err)
@@ -261,6 +266,7 @@ func RunControlPlane(cfg ControlPlaneConfig) {
 		"flight_addr", cp.flightAddr(),
 		"min_workers", minWorkers,
 		"max_workers", maxWorkers,
+		"worker_queue_timeout", cfg.WorkerQueueTimeout,
 		"memory_budget", formatBytes(rebalancer.memoryBudget),
 		"memory_rebalance", cfg.MemoryRebalance)
 
@@ -478,9 +484,11 @@ func (cp *ControlPlane) handleConnection(conn net.Conn) {
 	cp.rateLimiter.RecordSuccessfulAuth(remoteAddr)
 	slog.Info("User authenticated.", "user", username, "remote_addr", remoteAddr)
 
-	// Create session on a worker
-	ctx := context.Background()
+	// Create session on a worker. The timeout controls how long we wait in the
+	// worker queue when all slots are occupied.
+	ctx, cancel := context.WithTimeout(context.Background(), cp.cfg.WorkerQueueTimeout)
 	pid, executor, err := cp.sessions.CreateSession(ctx, username)
+	cancel()
 	if err != nil {
 		slog.Error("Failed to create session.", "user", username, "remote_addr", remoteAddr, "error", err)
 		_ = server.WriteErrorResponse(writer, "FATAL", "53300", "too many connections")
@@ -741,9 +749,10 @@ func (cp *ControlPlane) recoverFlightIngressAfterFailedReload() {
 	}
 
 	flightIngress, err := NewFlightIngress(cp.cfg.Host, cp.cfg.FlightPort, cp.tlsConfig, cp.cfg.Users, cp.sessions, FlightIngressConfig{
-		SessionIdleTTL:  cp.cfg.FlightSessionIdleTTL,
-		SessionReapTick: cp.cfg.FlightSessionReapInterval,
-		HandleIdleTTL:   cp.cfg.FlightHandleIdleTTL,
+		SessionIdleTTL:     cp.cfg.FlightSessionIdleTTL,
+		SessionReapTick:    cp.cfg.FlightSessionReapInterval,
+		HandleIdleTTL:      cp.cfg.FlightHandleIdleTTL,
+		WorkerQueueTimeout: cp.cfg.WorkerQueueTimeout,
 	})
 	if err != nil {
 		slog.Error("Failed to recover Flight ingress after reload failure.", "error", err)

controlplane/flight_ingress.go

@@ -2,7 +2,6 @@ package controlplane
 
 import (
 	"crypto/tls"
-	"errors"
 
 	"github.com/posthog/duckgres/server/flightsqlingress"
 )
@@ -14,13 +13,9 @@ type FlightIngress = flightsqlingress.FlightIngress
 // NewFlightIngress creates a control-plane Flight SQL ingress listener.
 func NewFlightIngress(host string, port int, tlsConfig *tls.Config, users map[string]string, sm *SessionManager, cfg FlightIngressConfig) (*FlightIngress, error) {
 	return flightsqlingress.NewFlightIngress(host, port, tlsConfig, users, sm, cfg, flightsqlingress.Options{
-		IsMaxWorkersError: func(err error) bool {
-			return errors.Is(err, ErrMaxWorkersReached)
-		},
 		Hooks: flightsqlingress.Hooks{
 			OnSessionCountChanged: observeFlightAuthSessions,
 			OnSessionsReaped:      observeFlightSessionsReaped,
-			OnMaxWorkersRetry:     observeFlightMaxWorkersRetry,
 		},
 	})
 }

controlplane/flight_ingress_metrics.go

@@ -18,11 +18,6 @@ var flightSessionsReapedCounter = promauto.NewCounterVec(prometheus.CounterOpts{
 	Help: "Number of Flight auth sessions reaped",
 }, []string{"trigger"})
 
-var flightMaxWorkersRetryCounter = promauto.NewCounterVec(prometheus.CounterOpts{
-	Name: "duckgres_flight_max_workers_retry_total",
-	Help: "Number of max-worker retry outcomes when creating Flight auth sessions",
-}, []string{"outcome"})
-
 func observeFlightAuthSessions(count int) {
 	if count < 0 {
 		count = 0
@@ -43,7 +38,3 @@ func observeFlightSessionsReaped(trigger string, count int) {
 	}
 	flightSessionsReapedCounter.WithLabelValues(trigger).Add(float64(count))
 }
-
-func observeFlightMaxWorkersRetry(outcome string) {
-	flightMaxWorkersRetryCounter.WithLabelValues(outcome).Inc()
-}

controlplane/session_mgr.go

@@ -48,16 +48,21 @@ func NewSessionManager(pool *FlightWorkerPool, rebalancer *MemoryRebalancer) *Se
 // creates a session on it, and rebalances memory/thread limits across all active sessions.
 func (sm *SessionManager) CreateSession(ctx context.Context, username string) (int32, *server.FlightExecutor, error) {
 	// Acquire a worker: reuses idle pre-warmed workers or spawns a new one.
-	// Max-workers check is atomic inside AcquireWorker to prevent TOCTOU races.
-	worker, err := sm.pool.AcquireWorker()
+	// When max-workers is set, this blocks until a slot is available.
+	worker, err := sm.pool.AcquireWorker(ctx)
 	if err != nil {
 		return 0, nil, fmt.Errorf("acquire worker: %w", err)
 	}
 
 	sessionToken, err := worker.CreateSession(ctx, username)
 	if err != nil {
-		// Clean up the worker we just spawned (but not if it was a pre-warmed idle worker)
-		sm.pool.RetireWorkerIfNoSessions(worker.ID)
+		// Clean up the worker we just spawned (but not if it was a pre-warmed idle worker
+		// that has sessions from other concurrent requests).
+		if !sm.pool.RetireWorkerIfNoSessions(worker.ID) {
+			// Worker wasn't retired (it has other sessions), but we still hold
+			// a semaphore slot for our failed request. Release it.
+			sm.pool.releaseWorkerSem()
+		}
 		return 0, nil, fmt.Errorf("create session on worker %d: %w", worker.ID, err)
 	}
 

controlplane/worker_mgr.go

@@ -5,7 +5,6 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"log/slog"
 	"os"
@@ -22,8 +21,6 @@ import (
 	"google.golang.org/grpc/credentials/insecure"
 )
 
-var ErrMaxWorkersReached = errors.New("max workers reached")
-
 // ManagedWorker represents a duckdb-service worker process.
 type ManagedWorker struct {
 	ID          int
@@ -55,6 +52,8 @@ type FlightWorkerPool struct {
 	sessionCounter SessionCounter // set after SessionManager is created
 	maxWorkers     int            // 0 = unlimited
 	shuttingDown   bool
+	workerSem      chan struct{} // buffered to maxWorkers; nil when unlimited
+	shutdownCh     chan struct{} // closed by ShutdownAll to unblock queued waiters
 }
 
 // NewFlightWorkerPool creates a new worker pool.
@@ -66,6 +65,10 @@ func NewFlightWorkerPool(socketDir, configPath string, maxWorkers int) *FlightWo
 		configPath: configPath,
 		binaryPath: binaryPath,
 		maxWorkers: maxWorkers,
+		shutdownCh: make(chan struct{}),
+	}
+	if maxWorkers > 0 {
+		pool.workerSem = make(chan struct{}, maxWorkers)
 	}
 	observeControlPlaneWorkers(0)
 	return pool
@@ -235,30 +238,31 @@ func (p *FlightWorkerPool) SpawnMinWorkers(count int) error {
 	return p.SpawnAll(count)
 }
 
-// AcquireWorker returns a worker for a new session. It first tries to claim an
-// idle pre-warmed worker (one with no active sessions). If none are available,
-// it spawns a new one. The max-workers check is performed atomically under the
-// write lock to prevent TOCTOU races from concurrent connections.
-func (p *FlightWorkerPool) AcquireWorker() (*ManagedWorker, error) {
+// AcquireWorker returns a worker for a new session. When maxWorkers is set,
+// callers block in FIFO order on the semaphore until a slot is available,
+// the context is cancelled, or the pool shuts down.
+// Once a slot is acquired, it first tries to claim an idle pre-warmed worker
+// (one with no active sessions). If none are available, it spawns a new one.
+func (p *FlightWorkerPool) AcquireWorker(ctx context.Context) (*ManagedWorker, error) {
+	// Block until a semaphore slot is available (FIFO via Go's sudog queue).
+	if p.workerSem != nil {
+		select {
+		case p.workerSem <- struct{}{}:
+			// Got a slot
+		case <-ctx.Done():
+			return nil, fmt.Errorf("timed out waiting for available worker (max_workers=%d): %w", p.maxWorkers, ctx.Err())
+		case <-p.shutdownCh:
+			return nil, fmt.Errorf("pool is shutting down")
+		}
+	}
+
 	p.mu.Lock()
 	if p.shuttingDown {
 		p.mu.Unlock()
+		p.releaseWorkerSem()
 		return nil, fmt.Errorf("pool is shutting down")
 	}
 
-	// Check max-workers cap atomically under the write lock
-	if p.maxWorkers > 0 && len(p.workers) >= p.maxWorkers {
-		// Even at the cap, we may have idle pre-warmed workers to reuse.
-		// Only fail if all existing workers are busy.
-		idle := p.findIdleWorkerLocked()
-		if idle != nil {
-			p.mu.Unlock()
-			return idle, nil
-		}
-		p.mu.Unlock()
-		return nil, fmt.Errorf("%w (%d)", ErrMaxWorkersReached, p.maxWorkers)
-	}
-
 	// Try to claim an idle pre-warmed worker before spawning a new one
 	idle := p.findIdleWorkerLocked()
 	if idle != nil {
@@ -271,16 +275,28 @@ func (p *FlightWorkerPool) AcquireWorker() (*ManagedWorker, error) {
 	p.mu.Unlock()
 
 	if err := p.SpawnWorker(id); err != nil {
+		p.releaseWorkerSem()
 		return nil, err
 	}
 
 	w, ok := p.Worker(id)
 	if !ok {
+		p.releaseWorkerSem()
 		return nil, fmt.Errorf("worker %d not found after spawn", id)
 	}
 	return w, nil
 }
 
+// releaseWorkerSem drains one token from the semaphore (non-blocking).
+func (p *FlightWorkerPool) releaseWorkerSem() {
+	if p.workerSem != nil {
+		select {
+		case <-p.workerSem:
+		default:
+		}
+	}
+}
+
 // findIdleWorkerLocked returns a live worker with no active sessions, or nil.
 // Caller must hold p.mu (read or write lock).
 func (p *FlightWorkerPool) findIdleWorkerLocked() *ManagedWorker {
@@ -312,18 +328,23 @@ func (p *FlightWorkerPool) RetireWorker(id int) {
 	p.mu.Unlock()
 	observeControlPlaneWorkers(workerCount)
 
+	// Release semaphore slot so a queued waiter can proceed.
+	p.releaseWorkerSem()
+
 	// Run the actual process cleanup asynchronously so DestroySession
 	// doesn't block the connection handler goroutine for up to 3s+.
 	go retireWorkerProcess(w)
 }
 
 // RetireWorkerIfNoSessions retires a worker only if it has no active sessions.
 // Used to clean up on session creation failure without retiring pre-warmed workers.
-func (p *FlightWorkerPool) RetireWorkerIfNoSessions(id int) {
+// Returns true if the worker was retired (and its semaphore slot released).
+func (p *FlightWorkerPool) RetireWorkerIfNoSessions(id int) bool {
 	if p.sessionCounter != nil && p.sessionCounter.SessionCountForWorker(id) > 0 {
-		return
+		return false
 	}
 	p.RetireWorker(id)
+	return true
 }
 
 // retireWorkerProcess handles the actual process shutdown and socket cleanup.
@@ -384,6 +405,9 @@ func (p *FlightWorkerPool) ShutdownAll() {
 	}
 	p.mu.Unlock()
 
+	// Unblock all goroutines waiting in AcquireWorker's semaphore select.
+	close(p.shutdownCh)
+
 	for _, w := range workers {
 		if w.cmd.Process != nil {
 			slog.Info("Shutting down worker.", "id", w.ID, "pid", w.cmd.Process.Pid)
@@ -483,6 +507,7 @@ func (p *FlightWorkerPool) HealthCheckLoop(ctx context.Context, interval time.Du
 							_ = w.client.Close()
 						}
 						_ = os.Remove(w.socketPath)
+						p.releaseWorkerSem()
 					default:
 						// Worker is alive, do a health check.
 						// Recover nil-pointer panics: w.client.Close() (from a
@@ -535,6 +560,7 @@ func (p *FlightWorkerPool) HealthCheckLoop(ctx context.Context, interval time.Du
 										_ = w.client.Close()
 									}
 									_ = os.Remove(w.socketPath)
+									p.releaseWorkerSem()
 								}
 							}
 						} else {