On Wed, 2011-03-09 at 15:37 +0100, Yeb Havinga wrote:
> The current situation is definitely unsafe because it forces people
> that are in this state to do a fast shutdown.. but that fails as well,
> so they are only left with immediate.
All the more reason not to change anything, since we disagree.
The idea is that you're supposed to wait for the standby to come back up
or do failover. If you shut down the master it's because you are choosing
to fail over.
Shutting down the master and restarting without failover leads to a
situation where some sync rep commits are not on both master and
standby. Making it easier to shut down encourages that, which I don't
wish to do, at this stage.
We may decide that this is the right approach but I don't wish to rush
into that decision. I want to have clear agreement about all the changes
we want and what we call them if we do them. Zero data loss is
ultimately about users having confidence in us, not about specific
features. Our disagreements on this patch risk damaging that confidence,
whoever is right/wrong.
Further changes can be made over the course of the next few weeks, based
upon feedback from a wider pool of potential users.
--
Simon Riggs http://www.2ndQuadrant.com/books/
PostgreSQL Development, 24x7 Support, Training and Services