On 07.02.2013 10:41, Simon Riggs wrote:
> On 6 February 2013 18:02, Robert Haas <robertmhaas@gmail.com> wrote:
>
>> So I would ask this question: why would someone want to turn off
>> fast-promote mode, assuming for the sake of argument that it isn't
>> buggy?
>
> You can write a question many ways, and lead people towards a
> conclusion as a result.
>
> Why would someone want to turn off safe-promote mode, assuming it was
> fast enough?

Okay, I'll bite..

Because in some of your servers, the safe/slow promotion is not fast
enough, and you want to use the same promotion script in both scenarios,
to keep things simple.

Because you're not sure if it's fast enough, and want to play it safe.

Because faster is nicer, even if the slow mode would be "fast enough".

It makes me uncomfortable that we're adding switches to pg_ctl promote
just because we're worried there might be bugs in our code. If we don't
trust the code as it is, it needs more testing. We can analyze the code
more thoroughly, to make an educated guess on what's likely to happen if
it's broken, and consider adding some sanity checks etc. to make the
consequences less severe. We should not put the burden on our users to
decide if the code is trustworthy enough to use.

Note that we still wouldn't do fast promotion in crash recovery, so
there's that escape hatch if there is indeed a bug in our code and fast
promotion fails.

- Heikki