Am Donnerstag, den 14.03.2019, 15:26 +0100 schrieb Magnus Hagander: > Given that the failure is data corruption, I don't think big fat > warning is enough. We should really make it impossible to start up the > postmaster by mistake during the checksum generation. People don't > read the documentation until it's too late. And it might not even be > under their control - some automated tool might go in and try to start > postgres, and boom, corruption.
I guess you're right.
> One big-hammer method could be similar to what pg_upgrade does -- > temporarily rename away the controlfile so postgresql can't start, and > when done, put it back.
That sounds like a good solution to me. I've made PoC patch for that, see attached.
The downside with this method is we can't get a nice error message during the attempted startup. But it should at least be safe, which is the most important part. And at least it's clear what's happening once you list the files and see the name of the temporary one.
