On Thu, 2009-01-08 at 15:04 -0500, Tom Lane wrote:
> Simon Riggs <simon@2ndQuadrant.com> writes:
> > On Thu, 2009-01-08 at 14:19 -0500, Tom Lane wrote:
> >> If the btree in question is a critical system index, your value of
> >> "work" is going to be pretty damn small.
>
> > So if its a system index we can throw a PANIC, else just LOG. Whilst a
> > corrupt index is annoying in the extreme, a total server outage is not
> > something we should allow. IMHO.
>
> I think an appropriate solution would be to institute some mechanism
> that forces a reindex of the corrupted index at completion of recovery.
> Merely fooling around with message severity levels doesn't fix anything
> at all, it just opens the door to more trouble than you've already got.
Well you know I agree on the longer term solution.
But with a down server, you just force people to do pg_resetxlog, which
loses both the corruption (probably) and real, useful data (likely) and
*then* they bring up the server. I don't see why we should force people
to take a manual action and lose data to bring up the server. It's not
like they'll just look at it and say how much of a shame it is it won't
start. They will be bringing up the server, somehow, or they get the
sack. IMHO. I'll say no more though; its not an argument.
--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support
