On 26/05/10 20:40, Simon Riggs wrote:
On Wed, 2010-05-26 at 19:55 +0300, Heikki Linnakangas wrote:
If you set quorum to 1, it also becomes critical
infrastructure, because it's possible that a transaction has been
replicated to the test server but not the real production standby, and
a meteor strikes.

Why would you not want to use the test server?

Because your failover procedures know nothing about the test server. Even if the data is there in theory, it'd be completely impractical to fetch it from there.

If it's the only thing
left protecting you, and you wish to be protected, then it sounds very
cool to me.  In my proposal this test server only gets data ahead of
other things if the "real production standby" responds too slowly.

There are many reasons why a test server could respond faster than the production standby. Maybe the standby is on a different continent. Maybe you have fsync=off on the test server because it's just a test server. Either way, you want the master to ignore it for the purpose of determining if a commit is safe.

It scares the **** out of people that a DBA can take down a server and
suddenly the sync protection you thought you had is turned off.

Yeah, it depends on what you're trying to accomplish. If durability is absolutely critical to you, (vs. availability), you don't want the commit to ever be acknowledged to the client until it's safely flushed to disk in the standby, even if it means refusing any further commits on the master, until the standby reconnects and catches up.

OTOH, if you're not that worried about durability, but you're load balancing queries to the standby, you want to ensure that when you run a query against the standby, a transaction that committed on the master is also visible in the standby. In that scenario, if a standby can't be reached, it is simply pronounced dead, and the master can just ignore it until it reconnects.

That way
of doing things means an application never knows the protection level
any piece of data has had. App designers want to be able to mark things
"handle with care" or "just do it quick, don't care much".

Yeah, that's useful too.

--
  Heikki Linnakangas
  EnterpriseDB   http://www.enterprisedb.com
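
The quorum concern discussed in this message, as an added example that is not part of the original email and is not PostgreSQL code: a small model of how a master could decide when a commit is safe. The names `Standby`, `commit_wait`, `counts_for_sync`, `respect_flag` and `block_when_short` are hypothetical, and the standby timings are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Standby:
    name: str
    ack_ms: float          # constructed: time until it reports the commit flushed
    counts_for_sync: bool  # hypothetical flag: may the master rely on this ack?
    connected: bool = True


def commit_wait(standbys, quorum, respect_flag, block_when_short):
    """Model when the master acknowledges a commit to the client.

    Returns (wait_ms, relied_on_names). wait_ms is None when the commit must
    keep waiting because too few eligible standbys are reachable
    (durability first). With block_when_short=False, unreachable standbys are
    pronounced dead and ignored (availability first).
    """
    eligible = [s for s in standbys
                if s.connected and (s.counts_for_sync or not respect_flag)]
    eligible.sort(key=lambda s: s.ack_ms)
    if len(eligible) < quorum:
        if block_when_short:
            return None, [s.name for s in eligible]
        quorum = len(eligible)  # carry on with whoever is still reachable
    relied_on = eligible[:quorum]
    wait_ms = relied_on[-1].ack_ms if relied_on else 0.0
    return wait_ms, [s.name for s in relied_on]


# Constructed sample: a distant production standby and a fast test server
# (for instance one running with fsync=off).
STANDBYS = [
    Standby("prod-standby", ack_ms=120.0, counts_for_sync=True),
    Standby("test-server", ack_ms=3.0, counts_for_sync=False),
]

if __name__ == "__main__":
    # quorum=1 counting every standby: the test server's ack alone releases the commit.
    print(commit_wait(STANDBYS, 1, respect_flag=False, block_when_short=True))
    # quorum=1 counting only designated standbys: the master waits for production.
    print(commit_wait(STANDBYS, 1, respect_flag=True, block_when_short=True))
```
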

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)