Connection pooling: tame an exhausted pool

Front a small allocation of a Postgres-backed HTTP service with PgBouncer in transaction mode, drive it into pool exhaustion via an idle-in-transaction pattern, and bring it back under SLO — proving each step with measurements, not estimates.

• Stand up Postgres (max_connections = 100) plus PgBouncer in front of it, and a small HTTP service (Go/Node/JVM) with a write endpoint that does BEGIN, an INSERT, an external HTTP call (mock a payment/webhook with a tunable delay), then COMMIT — i.e. an external call held inside the transaction.
• Size both layers from the formulas: PgBouncer default_pool_size = (cores × 2) + spindles + ~50% headroom for your box; each worker client pool = concurrent_requests × db_calls × avg_ms / budget_ms. Write down the inputs and the computed numbers in the repo, and set pool_mode = transaction.
• Do the transaction-mode audit: grep the codebase for bare SET, LISTEN/NOTIFY, SQL-level PREPARE, and session-level pg_advisory_lock; for any hits, apply the safe substitute (ALTER ROLE / SET LOCAL, dedicated session connection, driver protocol-level prepared statements, pg_advisory_xact_lock). Record findings even if the list is empty.
• Wire observability: PgBouncer SHOW POOLS (cl_active, cl_waiting, sv_active, sv_idle) sampled on an interval, and a pg_stat_activity query grouping by state with max(now() - xact_start). Capture the healthy baseline at steady-state load.
• Induce exhaustion: set the mock external call's latency to several seconds (or have it hang), then load-test the write endpoint until cl_waiting climbs and the app returns 503s. Capture the death signature: backends in state = idle in transaction with growing xact age, cl_waiting greater than 0, pool fully checked out.
• Diagnose like an on-call engineer: from SHOW POOLS and pg_stat_activity identify that this is hold-time (idle-in-transaction), not undersizing. Show that naively raising default_pool_size does NOT fix it (more backends, same drain, worse Postgres contention).
• Apply the real fix: move the external call OUT of the transaction (commit first, then call, or use an outbox row), so the backend is released before the slow work. Re-run the identical load test and record after numbers next to before.
• Add the safety net: set idle_in_transaction_session_timeout (e.g. 60s) and PgBouncer query_wait_timeout (e.g. 10–30s); demonstrate that with the OLD buggy code path re-enabled, the timeout aborts the stuck transaction and logs instead of draining the pool.

• A before/after table measured under the same load: cl_waiting (peak), count of idle-in-transaction backends, p99 request latency, and error/503 rate — measured, not estimated.
• Evidence that the pool now holds: at sustained load, cl_waiting stays at 0 and no backend lingers in idle-in-transaction past a few hundred ms once the external call is outside the transaction.
• A demonstration that raising default_pool_size alone did not resolve the original drain (a captured run showing the queue persisting), justifying why the hold-time fix ranked above resizing.
• A one-paragraph write-up of the sizing math you used (both layers, with the input numbers) and why pool_size is tied to the Postgres core count rather than to client count.