Re: Standalone synchronous master - Mailing list pgsql-hackers
| From | Josh Berkus |
|---|---|
| Subject | Re: Standalone synchronous master |
| Date | |
| Msg-id | 52CDD899.5030209@agliodbs.com Whole thread Raw |
| In response to | Standalone synchronous master (Rajeev rastogi <rajeev.rastogi@huawei.com>) |
| Responses |
Re: Standalone synchronous master
(Tom Lane <tgl@sss.pgh.pa.us>)
Re: Standalone synchronous master (Jeff Janes <jeff.janes@gmail.com>) |
| List | pgsql-hackers |
On 01/08/2014 01:49 PM, Tom Lane wrote: > Josh Berkus <josh@agliodbs.com> writes: >> If we really want auto-degrading sync rep, then we'd (at a minimum) need >> a way to determine *from the replica* whether or not it was in degraded >> mode when the master died. What good do messages to the master log do >> you if the master no longer exists? > > How would it be possible for a replica to know whether the master had > committed more transactions while communication was lost, if the master > dies without ever restoring communication? It sounds like pie in the > sky from here ... Oh, right. Because the main reason for a sync replica degrading is that it's down. In which case it isn't going to record anything. This would still be useful for sync rep candidates, though, and I'll document why below. But first, lemme demolish the case for auto-degrade. So here's the case that we can't possibly solve for auto-degrade. Anyone who wants auto-degrade needs to come up with a solution for this case as a first requirement: 1. A data center network/power event starts. 2. The sync replica goes down. 3. A short time later, the master goes down. 4. Data center power is restored. 5. The master is fried and is a permanent loss. The replica is ok, though. Question: how does the DBA know whether data has been lost or not? With current sync rep, it's easy: no data was lost, because the master stopped accepting writes once the replica went down. If we support auto-degrade, though, there's no way to know; the replica doesn't have that information, and anything which was on the master is permanently lost. And the point several people have made is: if you can live with indeterminancy, then you're better off with async rep in the first place. Now, what we COULD definitely use is a single-command way of degrading the master when the sync replica is down. Something like "ALTER SYSTEM DEGRADE SYNC". Right now you have to push a change to the conf file and reload, and there's no way to salvage the transaction which triggered the sync failure. This would be a nice 9.5 feature. HOWEVER, we've already kind of set up an indeterminate situation with allowing sync rep groups and candidate sync rep servers. Consider this: 1. Master server A is configured with sync replica B and candidate sync replica C 2. A rolling power/network failure event occurs, which causes B and C to go down sometime before A, and all of them to go down before the application does. 3. On restore, only C is restorable; both A and B are a total loss. Again, we have no way to know whether or not C was in sync replication when it went down. If C went down before B, then we've lost data; if B went down before C, we haven't. But we can't find out. *This* is where it would be useful to have C log whenever it went into (or out of) synchronous mode. -- Josh Berkus PostgreSQL Experts Inc. http://pgexperts.com
pgsql-hackers by date: