Re: Synchronous Standalone Master Redoux - Mailing list pgsql-hackers

From Shaun Thomas
Subject Re: Synchronous Standalone Master Redoux
Date
Msg-id 4FFD8294.3050902@optionshouse.com
Whole thread Raw
In response to Re: Synchronous Standalone Master Redoux  (Daniel Farina <daniel@heroku.com>)
Responses Re: Synchronous Standalone Master Redoux
Re: Synchronous Standalone Master Redoux
Re: Synchronous Standalone Master Redoux
Re: Synchronous Standalone Master Redoux
List pgsql-hackers
On 07/10/2012 06:02 PM, Daniel Farina wrote:

> For example, what if DRBD can only complete one page per second for
> some reason?  Does it it simply have the primary wait at this glacial
> pace, or drop synchronous replication and go degraded?  Or does it do
> something more clever than just a timeout?

That's a good question, and way beyond what I know about the internals. 
:) In practice though, there are configurable thresholds, and if 
exceeded, it will invalidate the secondary. When using Pacemaker, we've 
actually had instances where the 10G link we had between the servers 
died, so each node thought the other was down. That lead to the 
secondary node self-promoting and trying to steal the VIP from the 
primary. Throw in a gratuitous arp, and you get a huge mess.

That lead to what DRBD calls split-brain, because both nodes were 
running and writing to the block device. Thankfully, you can actually 
tell one node to discard its changes and re-subscribe. Doing that will 
replay the transactions from the "good" node on the "bad" one. And even 
then, it's a good idea to run an online verify to do a block-by-block 
checksum and correct any differences.

Of course, all of that's only possible because it's a block-level 
replication. I can't even imagine PG doing anything like that. It would 
have to know the last good transaction from the primary and do an 
implied PIT recovery to reach that state, then re-attach for sync commits.

> Regardless of what DRBD does, I think the problem with the
> async/sync duality as-is is there is no nice way to manage exposure
> to transaction loss under various situations and requirements.

Which would be handy. With synchronous commits, it's given that the 
protocol is bi-directional. Then again, PG can detect when clients 
disconnect the instant they do so, and having such an event implicitly 
disable synchronous_standby_names until reconnect would be an easy fix. 
The database already keeps transaction logs, so replaying would still 
happen on re-attach. It could easily throw a warning for every 
sync-required commit so long as it's in "degraded" mode. Those alone are 
very small changes that don't really harm the intent of sync commit.

That's basically what a RAID-1 does, and people have been fine with that 
for decades.

-- 
Shaun Thomas
OptionsHouse | 141 W. Jackson Blvd. | Suite 500 | Chicago IL, 60604
312-444-8534
sthomas@optionshouse.com



______________________________________________

See http://www.peak6.com/email_disclaimer/ for terms and conditions related to this email


pgsql-hackers by date:

Previous
From: Honza Horak
Date:
Subject: Re: Ability to listen on two unix sockets
Next
From: Dimitri Fontaine
Date:
Subject: Re: Synchronous Standalone Master Redoux