Tom Lane wrote:
>
> Now, killing the postmaster -9 and not cleaning up the backends has
> always been a good way to shoot yourself in the foot, but up to now the
> worst thing that was likely to happen to you was isolated corruption in
> specific tables. In the brave new world of WAL the stakes are higher,
> because the system will refuse to start up if it finds a corrupted
> checkpoint record. Clueless admins who resort to kill -9 as a routine
> admin tool *will* lose their databases. Moreover, the init scripts
> that are running around now are dangerous weapons if used with 7.1.
>
> I think we need a stronger interlock to prevent this scenario, but I'm
> unsure what it should be. Ideas?
>
Seems the simplest way is to inhibit starting postmaster
if the pid file exists.
Another way is to use flock() if flock() is available.
We could flock() the pid file so that another postmaster
could detect the lock of the file.
Regards,
Hiroshi Inoue
