On Mon, Jul 15, 2024 at 02:30:42PM -0400, Robert Haas wrote: > On Sun, Jul 14, 2024 at 10:56 PM Fujii Masao > <masao.fu...@oss.nttdata.com> wrote: >> I don't think it's a rare scenario since summarize_wal can be enabled >> after starting the server with wal_level=minimal. Therefore, I believe >> such a configuration should be prohibited using a GUC check hook, >> as my patch does. > > I guess I'm in the group of people who doesn't understand how this can > possibly work. There's no guarantee about the order in which GUC check > hooks are called, so you don't know if the value of the other variable > has already been set to the final value or not, which seems like a > fatal problem even if the code happens to work correctly as of today. > Even if you have such a guarantee, you can't prohibit a configuration > change at pg_ctl reload time: the server can refuse to start in case > of an invalid configuration, but a running server can't decide to shut > down or stop working at reload time.
My understanding is that the correctness of this GUC check hook depends on wal_level being a PGC_POSTMASTER GUC. The check hook would always return true during startup, and there'd be an additional cross-check in PostmasterMain() that would fail startup if necessary. After that point, we know that wal_level cannot change, so the GUC check hook for summarize_wal can depend on wal_level. If it fails, my expectation would be that the server would just ignore that change and continue. -- nathan
