From: | Simon Riggs <simon(at)2ndQuadrant(dot)com> |
---|---|
To: | Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com> |
Cc: | Dimitri Fontaine <dfontaine(at)hi-media(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Synchronization levels in SR |
Date: | 2010-05-27 06:51:27 |
Message-ID: | 1274943087.6203.3753.camel@ebony |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Thu, 2010-05-27 at 02:18 +0300, Heikki Linnakangas wrote:
> On 27/05/10 01:23, Simon Riggs wrote:
> > On Thu, 2010-05-27 at 00:21 +0300, Heikki Linnakangas wrote:
> >> On 26/05/10 23:31, Dimitri Fontaine wrote:
> >>> d. choice of commit or rollback at timeout
> >>
> >> Rollback is not an option. There is no going back after the commit
> >> record has been flushed to disk or sent to a standby.
> >
> > There's definitely no going back after the xid has been removed from
> > procarray because other transactions will then depend upon the final
> > state. Currently we PANIC if we abort after we've marked clog, though
> > that happens after XLogFlush(), which is where we're planning to wait
> > for synch rep. If we abort after having written a commit record to disk
> > we can still successfully generate an abort record as well. (Luckily, I
> > note HS does actually cope with that. Phew!)
> >
> > So actually, an abort is a reasonable possibility, though I know it
> > doesn't sound like it could be at first thought.
> Hmm, that's an interesting thought. Interesting, as in crazy ;-).
:-) It's a surprising thought for me also.
> I don't understand how HS could handle that. As soon as it sees the
> commit record, the transaction becomes visible to readers.
I meant not-barf completely.
> >> The choice is to either commit anyway after the timeout, or wait forever.
> >
> > Hmm, wait forever. What happens if we try to shutdown fast while there
> > is a transaction that is waiting forever? Is that then a commit, even
> > though it never made it to the standby? How would we know it was safe to
> > switchover or not? Hmm.
>
> Refuse to shut down until the standby acknowledges the commit. That's
> the only way to be sure..
>
> In practice, hard synchronous "don't return ever until the commit hits
> the standby" behavior is rarely what admins actually want, because it's
> disastrous from an availability point of view. More likely, admins want
> "wait for ack from standby, unless it's not responding, in which case to
> hell with redundancy and just act like a single server". It makes sense
> if you just want to make sure that the standby doesn't return stale
> results when it's working properly, and you're not worried about
> durability but I'm not sure it's very sound otherwise.
Which is also crazy. If you're using synch rep its because you care
deeply about durability. Some people wish to treat the COMMIT as a
guarantee, not just a shrug.
I agree that don't-return-ever isn't something anyone will want.
What we need is a "COMMIT with ERROR" message!
Note that Oracle gives the options of COMMIT | SHUTDOWN at this point.
Shutdown is an implicit abort for the writing transaction...
At this point the primary thinks standby is no longer available. If we
have a split brain situation then we should be assuming we will STONITH
and shutdown the primary anyway. If we have more than one standby we can
stay up and probably shouldn't be sending an abort after a commit.
The trouble is *every* option is crazy from some perspective, so we must
consider them all, to see whether they are practical or impractical.
--
Simon Riggs www.2ndQuadrant.com
From | Date | Subject | |
---|---|---|---|
Next Message | Pavel Stehule | 2010-05-27 06:54:39 | Re: functional call named notation clashes with SQL feature |
Previous Message | Pavel Stehule | 2010-05-27 06:50:18 | Re: functional call named notation clashes with SQL feature |