On Mon, Aug 12, 2013 at 04:44:12PM -0400, Bruce Momjian wrote:
> On Mon, Aug 12, 2013 at 10:08:07PM +0200, Pavel Raiskup wrote:
> > > The patch moves the atexit setting up, as you suggested, but only does
> > > that when pg_ctl succeeds (we know we started the server),
> >
> > Yes, of course!
> >
> > > PG 9.1+ will allow pg_ctl -w start to succeed even if there are
> > > permissions problems; earlier versions will not and will keep the
> > > server running --- the user will have to stop the server after
> > > pg_upgrade says it is running.
> >
> > This makes it complex, really... We may not easily make the
> > stop_postmaster resistant to a non-running server. Thus your solution must
> > be good enough.
>
> Well, stop_postmaster can run just fine with a stopped server, as we
> allow the atexit() shutdown to ignore errors. The larger question is
> whether we should ever stop a server we are not sure we started.
>
> The existing pg_upgrade logic checks if the servers are running first
> with start_postmaster(throw_error = false), so in our existing code, we
> could probably unconditionally shut down the server even with a pg_ctl
> error when using throw_error = true, but pg_upgrade is complex so I am
> hesitant to make such a bold change. Does anyone else have an opinion?
>
> > > I am not going to backpatch this beyond 9.3 as it is risky code. I have
> > > improved the comments in this area.
> >
> > Agree, it is OK for me — thanks for your work.
>
> Sure. You gave me something to study today, and highlighted an area of
> the code that was very unclear.

I have applied a patch to shut down the server on successful pg_ctl
start, but authentication failure. I have also added code that we might
want to be more aggressive someday.

I backpatched this to 9.3, but not further back as this is a risky area
of the code. Does anyone want to advocate further backpatching?

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +