On Wed, 2011-03-09 at 15:37 +0100, Yeb Havinga wrote:

> The current situation is definitely unsafe because it forces people
> that are in this state to do a fast shutdown.. but that fails as well,
> so they are only left with immediate.

All the more reason not to change anything, since we disagree.

The idea is that you're supposed to wait for the standby to come back up or do failover. If you shut down the master it's because you are choosing to failover.

Shutting down the master and restarting without failover leads to a situation where some sync rep commits are not on both master and standby. Making it easier to shut down encourages that, which I don't wish to do, at this stage.

We may decide that this is the right approach but I don't wish to rush into that decision. I want to have clear agreement about all the changes we want and what we call them if we do them. Zero data loss is ultimately about users having confidence in us, not about specific features. Our disagreements on this patch risk damaging that confidence, whoever is right/wrong.

Further changes can be made over the course of the next few weeks, based upon feedback from a wider pool of potential users.

--
Simon Riggs http://www.2ndQuadrant.com/books/
PostgreSQL Development, 24x7 Support, Training and Services