Re: backup manifests - Mailing list pgsql-hackers
| From | Andres Freund |
|---|---|
| Subject | Re: backup manifests |
| Date | |
| Msg-id | 20200402172318.3kvfrrewxmemzpia@alap3.anarazel.de Whole thread Raw |
| In response to | Re: backup manifests (Robert Haas <robertmhaas@gmail.com>) |
| Responses |
Re: backup manifests
(Robert Haas <robertmhaas@gmail.com>)
|
| List | pgsql-hackers |
Hi, On 2020-04-02 13:04:45 -0400, Robert Haas wrote: > And here's another new patch set. After some experimentation, I was > able to manually test the timeline-switch-during-a-base-backup case > and found that it had bugs in both pg_validatebackup and the code I > added to the backend's basebackup.c. So I fixed those. Cool. > It would be > nice to have automated tests, but you need a large database (so that > backing it up takes non-trivial time) and a load on the primary (so > that WAL is being replayed during the backup) and there's a race > condition (because the backup has to not finish before the cascading > standby learns that the upstream has been promoted), so I don't at > present see a practical way to automate that. I did verify, in manual > testing, that a problem with WAL files on either timeline caused a > validation failure. I also verified that the LSNs at which the standby > began replay and reached consistency matched what was stored in the > manifest. I suspect its possible to control the timing by preventing the checkpoint at the end of recovery from completing within a relevant timeframe. I think configuring a large checkpoint_timeout and using a non-fast base backup ought to do the trick. The state can be advanced by separately triggering an immediate checkpoint? Or by changing the checkpoint_timeout? > I also implemented Noah's suggestion that we should write the backup > manifest under a temporary name and then rename it afterward. > Stephen's original complaint that you could end up with a backup that > validates successfully even though we died before we got the WAL is, > at this point, moot, because pg_validatebackup is now capable of > noticing that the WAL is missing. Nevertheless, this seems like a nice > belt-and-suspenders check. Yea, it's imo generally a good idea. > I think this responds to pretty much all of the complaints that I know > about and upon which we have a reasonable degree of consensus. There > are still some things that not everybody is happy about. In > particular, Stephen and David are unhappy about using CRC-32C as the > default algorithm, but Andres and Noah both think it's a reasonable > choice, even if not as robust as everybody will want. As I agree, I'm > going to stick with that choice. I think it might be worth looking, in a later release, at something like blake3 for a fast cryptographic checksum. By allowing for instruction parallelism (by independently checksuming different blocks in data, and only advancing the "shared" checksum separately) it achieves considerably higher throughput rates. I suspect we should also look at a better non-crypto hash. xxhash or whatever. Not just for these checksums, but also for in-memory. > Also, there is still some debate about what the tool ought to be > called. My previous suggestion to rename this from pg_validatebackup > to pg_validatemanifest seems wrong now that WAL validation has been > added; in fact, given that we now have two independent sanity checks > on a backup, I'm going to argue that it would be reasonable to extend > that by adding more kinds of backup validation, perhaps even including > the permissions check that Andres suggested before. FWIW, the only check I'd really like to see in this release is the crosscheck with the files length and the actually read data (to be able to disagnose FS issues). Greetings, Andres Freund
pgsql-hackers by date: