Andres Freund <andres@2ndquadrant.com> writes:
> On 2014-01-08 14:42:37 -0800, Joshua D. Drake wrote:
>> Using the model (as I understand it) that is being discussed we have
>> increased our failure rate because the moment db1:down we also lose db0. The
>> node db0 may be up but if it isn't going to process transactions it is
>> useless. I can tell you that I have exactly 0 customers that would want that
>> model because a single node failure would cause a double node failure.
> That's why you should configure a second standby as another (candidate)
> synchronous replica, also listed in synchronous_standby_names.

Right. If you want to tolerate one node failure, *and* have a guarantee
that committed data is on at least two nodes, you need at least three
nodes. Simple arithmetic. If you only have two nodes, you only get to
have one of those properties.

regards, tom lane