Simon Riggs <[EMAIL PROTECTED]> writes:
> I think the best way to handle this is to have two limits.
> First limit attempts to autovacuum, but can be cancelled.
> When we hit second limit, sometime later, then autovacuum cannot be
> cancelled.
This seems like uselessly complex overdesign.
Remember that we still have the 8.1-era mechanism of warning messages
and eventual shutdown of normal backends as the wrap point gets closer.
A DBA who persists in cancelling antiwraparound vacuums will start
getting nasty warnings, and if he still persists will eventually be
forced to do the vacuuming manually in a standalone backend (which will
go at full speed btw).
I concur with Simon's original argument that it's a terrible idea to
make a background vacuum cancel-proof. Pretty much the entire argument
for having vacuum at all (as opposed to say Oracle-style rollback) is
that it's good to be able to postpone maintenance overhead to a time of
the DBA's choosing. I don't see a reason why that doesn't apply to
anti-wraparound vacuuming too. If he postpones it too long, the
recovery will get unpleasant, but that's his choice.
An independent reason for minimizing complexity in this area is that
it's a corner case that (I trust) will never be hit by most
installations, which means it'll never get much field testing.
Poorly tested complicated code is dangerous.
In short: put in the automatic lock cancel for regular vacuums, disable
it for antiwraparound vacuums, but don't disable manual cancels; and
definitely don't invent a complicated new set of behaviors around that.
regards, tom lane
---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
