RE: Postgres failover implementation

From: "Schmidt, Peter" <peter(dot)schmidt(at)prismedia(dot)com>
To: "'Tom Lane'" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "'Peter Schmidt'" <peterjs(at)home(dot)com>
Cc: "'pgsql-general(at)postgresql(dot)org'" <pgsql-general(at)postgresql(dot)org>
Subject: RE: Postgres failover implementation
Date: 2000-12-13 16:30:31
Message-ID: F1DC8388AD52D411B83B00D0B774D6EB192835@winmail.prismedia.com
Lists: pgsql-general

-----Original Message-----
From: Tom Lane [mailto:tgl(at)sss(dot)pgh(dot)pa(dot)us]
Sent: Tuesday, December 12, 2000 10:10 AM

>Performance across an NFS mount will doubtless suck badly.

It's a fact of life at this point. I'm hoping performance won't suck that
much with 1 GB ethernet and NAS/RAID. In any case, we can't run postmaster
on NFS mount machine.

> Seems like this still means a single point of failure, ie the NFS box. So
> what's the point?

The idea is to have a failover for postmaster itself. I realize you stated
that postmaster crashes are rare, but if the primary machine goes down we
will want a secondary to come up with postmaster and other processes
running.

> You could remove that check, perhaps, but then you'd have to remove the
> PID file manually anytime you had a postmaster crash.

I don't want to touch postmaster.pid code, but I am working on similar code
for a separate lockfile. From what I understand, one of the only options is
to use fcntl to lock a file on NFS mount. If I create the file, lock it, and
postmaster machine dies, I'm hoping the lock will go away and the secondary
will be able to lock it. That way I wouldn't need to manually remove it.
Which brings me to another question - does postgres use file locking for
isolation level or other database operations? If so, am I going to run into
problems if the database is on NFS mount?

Thanks again for your comments.
Peter Schmidt

"Peter Schmidt" <peterjs(at)home(dot)com> writes:
> My company is looking for a way to implement failover w/Postgres.
> I've determined that two postmasters running on different machines
> (FreeBSD)
> can share a single $PGDATA directory(NFS mount) as long as only one
> postmaster is running at a time.

Performance across an NFS mount will doubtless suck badly. That might
be acceptable as an emergency backup mode of operation ... but if the
machine with the disk is up, you might as well be running the postmaster
there.

It sounds like you intend to have both the primary and secondary
database servers access an NFS server. Seems like this still means a
single point of failure, ie the NFS box. So what's the point?

> Originally I thought I might be able to use
> postmaster.pid to lock out the second postmaster, but the pid file is
> overwritten by the second postmaster when it starts.

The lockfile code assumes that if the PID in the file doesn't belong to
a live process *on the local machine*, then it's left over from a
crashed postmaster. You could remove that check, perhaps, but then
you'd have to remove the PID file manually anytime you had a postmaster
crash. (However, postmaster crashes are rare, so this might be OK.)

regards, tom lane
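
An added example, not part of the original thread: a local-filesystem demonstration of the fcntl lockfile idea discussed above, in which a forked "primary" takes the lock, is killed with SIGKILL, and a "standby" then acquires it with no manual cleanup. The names `try_lock` and `failover_demo` and the `/tmp` path are assumptions for illustration; the demo does not cover NFS, where release after a client machine crash depends on the NFS lock services.

```c
/* Added example: constructed demo, local filesystem only. */
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Take an exclusive, non-blocking fcntl lock on the whole file.
 * Returns the fd holding the lock, or -1 if it is held elsewhere. */
int try_lock(const char *path)
{
    struct flock fl;
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0) return -1;
    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;          /* l_start = l_len = 0: whole file */
    if (fcntl(fd, F_SETLK, &fl) == -1) { close(fd); return -1; }
    return fd;
}

/* Hypothetical helper: returns 1 if the standby is refused while the
 * primary lives and gets the lock once the primary has been killed. */
int failover_demo(const char *path)
{
    int ready[2], blocked, fd;
    char c = 0;
    pid_t primary;
    if (pipe(ready) == -1 || (primary = fork()) < 0) return 0;
    if (primary == 0) {              /* "primary": lock, report, hang */
        c = try_lock(path) >= 0 ? 'L' : 'F';
        if (write(ready[1], &c, 1) != 1) _exit(1);
        for (;;) pause();
    }
    close(ready[1]);
    if (read(ready[0], &c, 1) != 1) c = 'F';
    close(ready[0]);
    blocked = (c == 'L') && try_lock(path) == -1;  /* standby refused */
    kill(primary, SIGKILL);          /* crash: no cleanup code runs */
    waitpid(primary, NULL, 0);
    fd = try_lock(path);             /* kernel dropped the dead lock */
    if (fd >= 0) close(fd);
    unlink(path);
    return blocked && fd >= 0;
}

int main(void)
{
    puts(failover_demo("/tmp/failover_demo.lock") ? "standby took over" : "unexpected");
    return 0;
}
```

The lock belongs to the process, not the file contents, so nothing stale is left behind to compare against a PID; closing any descriptor for the file in the holding process also releases it.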
