Michael Paquier <michael.paqu...@gmail.com> writes: > On Tue, Dec 5, 2017 at 10:51 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: >> Uh ... I'm confused? That particular change only concerns whether we emit >> a log message, not whether the action is attempted or succeeds.
> From the commit mentioned upthread, this switches one hard failure > when opening pg_tblspc to a LOG report: > @@ -3014,7 +3018,7 @@ RemovePgTempFiles(void) > */ > spc_dir = AllocateDir("pg_tblspc"); > - while ((spc_de = ReadDir(spc_dir, "pg_tblspc")) != NULL) > + while ((spc_de = ReadDirExtended(spc_dir, "pg_tblspc", LOG)) != NULL) > { That's not the same commit you just mentioned. The point with this one is that RemovePgTempFiles is a noncritical operation: if we fail to remove temp files, it's still safe to start up, because those temp files won't cause failures later. (This is the exact opposite of the situation for ResetUnloggedRelations's directory scans, which is why I changed that one in the opposite direction.) The general theory I'm operating on is that we should endeavor to let the database start in any situation where that doesn't involve a data-corruption hazard. Yeah, it might not be nice if we leave GB worth of temp files around, but is a postmaster start failure better? I don't think so. regards, tom lane