On Tue, Feb 26, 2019 at 3:49 PM David Steele <da...@pgmasters.net> wrote: > > On 2/26/19 6:51 AM, Michael Paquier wrote: > > On Mon, Feb 25, 2019 at 08:17:27PM +0200, David Steele wrote: > >> Here's the really obvious bad thing: if users do not update their > >> procedures > >> and we ignore backup_label.pending on startup then they will end up with a > >> corrupt database because it will not replay from the correct checkpoint. > >> If > >> we error on the presence of backup_label.pending then we are right back to > >> where we started. > > > > Not really. If we error on backup_label.pending, we can make the > > difference between a backend which has crashed in the middle of an > > exclusive backup without replaying anything and a backend which is > > started based on a base backup, so an operator can take some action to > > see what's wrong with the server. If you issue an error, users can > > also see that their custom backup script is wrong because they forgot > > to rename the flag after taking a backup of the data folder(s). > > The operator still has a decision to make, manually, just as they do > now. The wrong decision may mean a corrupt database.
Even in non-exclusive backup mode, the wrong decision may mean a corrupt database. For example, what if the user may forget to save the backup_label in the backup taken by using non-exclusive backup method? So I'm not sure if this is the matter only for an exclusive backup. Regards, -- Fujii Masao
