Re: postmaster recovery and automatic restart suppression - Mailing list pgsql-hackers

From Robert Haas
Subject Re: postmaster recovery and automatic restart suppression
Date
Msg-id 603c8f070906081506v2ffe160bo421ac9407077d94@mail.gmail.com
In response to Re: postmaster recovery and automatic restart suppression  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: postmaster recovery and automatic restart suppression  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Mon, Jun 8, 2009 at 4:30 PM, Tom Lane<tgl@sss.pgh.pa.us> wrote:
> Greg Stark <stark@enterprisedb.com> writes:
>>> On Mon, 2009-06-08 at 09:47 -0400, Tom Lane wrote:
>>>> I think the proposed don't-restart flag is exceedingly ugly and will not
>>>> solve any real-world problem.
>
>> Hm. I'm not sure I see a solid use case for it -- in my experience you
>> want to be pretty sure you have a persistent problem before you fail
>> over.
>
> Yeah, and when you do fail over you want more guarantee than "none at
> all" that the primary won't start back up again on its own.
>
>> But I don't really see why it's ugly either.
>
> Because it's intentionally blowing a hole in one of the most prized
> properties of the database, ie, that it doesn't go down if it can help
> it.  I want a *WHOLE* lot stronger rationale than "somebody might want
> it someday" before providing a switch that lets somebody thoughtlessly
> break a property we've sweated blood for ten years to ensure.

I see that you've carefully not quoted Greg's remark about "mechanism
not policy" with which I completely agree.  This seems like a pretty
useful switch for people who want more control over how the database
gets restarted on those rare occasions when it wipes out (and possibly
for debugging crash-type problems as well).  The amount of
blood-sweating that was required to make a robust automatic restart
mechanism doesn't seem relevant to this discussion, though it is
certainly a cool feature.

I also don't see any reason to assume that users will do this
"thoughtlessly".  Perhaps someone will, but if our policy is to not
add any features on the theory that someone might use in a stupid way,
we'd better get busy reverting a significant fraction of the work done
for 8.4.  I'm not going to go so far as to say that we should never
reject a feature because the danger of someone shooting themselves in
the foot is too high, but this doesn't even seem like a likely
candidate.  If we put an option in postgresql.conf called
"automatic_restart_after_crash = on", anyone who switches that to
"off" should have a pretty good idea what the likely consequences of
that decision will be.  The people who are too stupid to figure that
one out are likely to have a whole lot of other problems too, and
they're not the people at whom we should be targeting this product.

...Robert
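An operator-side check for the switch debated above, added here as an example and not code from this thread or from PostgreSQL. The point Tom raises is that after a failover you want some assurance the old primary will not come back up on its own; the point Robert raises is that an operator who turns the switch off should know what it means. A failover script can reconcile the two by reading the old primary's postgresql.conf and refusing to promote until the crash-restart parameter is actually off. The parameter name is passed in because the thread proposes "automatic_restart_after_crash" while the setting that later shipped (PostgreSQL 9.1) is "restart_after_crash"; the postgresql.conf conventions assumed are "name = value" or "name value", optional single quotes, '#' starting a comment, last uncommented assignment wins, absent parameter takes its default (on). The sample configurations in the usage section are constructed.

```bash
#!/bin/sh
# Added example (not from the pgsql-hackers thread or the PostgreSQL tree).
# Reads a postgresql.conf on stdin and reports the effective value of one
# parameter, so a failover tool can check that automatic restart is really off.

# effective_setting <parameter> <default>  (config text on stdin)
# Prints the lower-cased value of the last uncommented assignment, or the default.
effective_setting() {
    awk -v key="$1" -v def="$2" -v q="'" '
        BEGIN {
            # "key" followed by whitespace or "=", so that key_foo does not match
            match_pat = "^[ \t]*" key "([ \t]|=)"
            strip_pat = "^[ \t]*" key "[ \t]*=?[ \t]*"
        }
        { sub(/#.*/, "") }                 # drop comments; booleans are never quoted "#"
        $0 ~ match_pat {
            line = $0
            sub(strip_pat, "", line)       # leave only the value
            gsub("[ \t" q "]", "", line)   # strip padding and optional quotes
            if (line != "") val = tolower(line)   # last assignment wins
        }
        END { print (val == "" ? def : val) }
    '
}

# restart_is_suppressed <parameter>  (config text on stdin)
# Returns 0 when the parameter is set to a false-ish boolean, 1 otherwise.
# Accepted spellings follow PostgreSQL boolean parsing (off/false/no/0, f/n).
restart_is_suppressed() {
    v=$(effective_setting "$1" on)
    case "$v" in
        off|false|no|0|f|n) return 0 ;;
        *)                  return 1 ;;
    esac
}

# promote_guard <parameter> <conf-file>
# The check a failover script would run before promoting a standby.
promote_guard() {
    if restart_is_suppressed "$1" < "$2"; then
        echo "old primary has $1 off: safe to promote"
        return 0
    fi
    echo "refusing to promote: old primary may restart itself ($1 is on)" >&2
    return 1
}
```

Usage, with constructed configuration text: `printf 'restart_after_crash = on\nrestart_after_crash = off # disabled before failover\n' | restart_is_suppressed restart_after_crash` succeeds, while a configuration that never mentions the parameter falls back to the default of on and the guard refuses. The check only covers what the switch itself can promise; it does not replace fencing the old host.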
