Re: Sync Rep Design - Mailing list pgsql-hackers
From | Heikki Linnakangas |
---|---|
Subject | Re: Sync Rep Design |
Date | |
Msg-id | 4D2038BB.7000504@enterprisedb.com Whole thread Raw |
In response to | Re: Sync Rep Design (Josh Berkus <josh@postgresql.org>) |
Responses |
Re: Sync Rep Design
Re: Sync Rep Design Re: Sync Rep Design Base Backup Streaming (was: Sync Rep Design) Re: Sync Rep Design |
List | pgsql-hackers |
On 02.01.2011 00:40, Josh Berkus wrote: > On 1/1/11 5:59 AM, Stefan Kaltenbrunner wrote: >> well you keep saying that but to be honest I cannot really even see a >> usecase for me - what is "only a random one of a set of servers is sync >> at any time and I don't really know which one". >> My usecases would al involved 2 sync standbys and 1 or more async ones. >> but the second sync one would be in a different datacenter and I NEED to >> protect against a datacenter failure which your proposals says I cannot >> do :( > > As far as I know, *nobody* has written the bookkeeping code to actually > track which standbys have ack'd. We need to get single-ack synch > standby merged, tested and working before we add anything as complicated > as "each standby on this list must ack". That means that it's extremely > unlikely for 9.1 at this point. The bookkeeping will presumably consist of an XLogRecPtr in shared memory for each standby, tracking how far the standby has acknowledged. At commit, you scan the standby slots in shared memory and check that the required standbys have acknowledged your commit record. The bookkeeping required is the same whether or not we support a list of standbys that must ack or just one. > Frankly, if Simon hadn't already submitted code, I'd be pushing for > single-standby-only for 9.1, instead of "any one". Yes, we are awfully late, but let's not panic. BTW, there's a bunch of replication related stuff that we should work to close, that are IMHO more important than synchronous replication. Like making the standby follow timeline changes, to make failovers smoother, and the facility to stream a base-backup over the wire. I wish someone worked on those... >> Hmm, access control... We haven't yet discussed what privileges a >> standby needs to become synchronous. Perhaps it needs to be a separate >> privilege that can be granted, in addition to the replication privilege? > > No, I don't think so. An additional priv would just complicate life for > DBAs without providing any real benefit. You'd be guarding against the > very narrow hypothetical case where there's a server admin with limited > privs on the master, and authorization to create async standbies, but > not the authorization to create s synch standby. How likely is that to > *ever* happen? Very likely. A synchronous standby can bring the master to a halt, while an asynchronous one is rather harmless. If I were a DBA, and the data wasn't very sensitive, I would liberally hand out async privileges to my colleagues to set up reporting standbys, test servers etc. But I would *not* give them synchronous privileges, because sooner or later one would go "hmm, I wonder what happens if I make this synchronous", or haphazardly copy the config file from a synchronous standby. That would either bring down the master, or act as a "fake" standby, acknowledging commits before they're flushed to the real synchronous standby. Either one would be bad. -- Heikki Linnakangas EnterpriseDB http://www.enterprisedb.com
pgsql-hackers by date: