On Thu, 2020-10-29 at 11:42 +0900, Fujii Masao wrote:
> > But what if someone sets wal_level=none, performs some data modifications,
> > sets wal_level=archive and after dome more processing decides to restore from
> > a backup that was taken before the cluster was set to wal_level=none?
> > Then they would end up with a corrupted database, right?
>
> I think that the guard to prevent the server from starting up from
> the corrupted database in that senario is necessary.
That wouldn't apply, I think, because the backup from which you start
was taken with wal_level = replica, so the guard wouldn't alert.
But as I said in the other thread, changing wal_level emits a WAL
record, and I am sure that recovery will refuse to proceed if
wal_level < replica.
> I'm still not sure if it's worth supporting this feature in core.
> Because it can really really easily cause users to corrupt whole the database.
You mean, if they take no backup before setting wal_level = none
and then crash the database, so that they are stuck with an
unrecoverable database?
Yes, that feels somewhat too fast and loose...
It would at least require some fat warnings in the documentation
and in postgresql.conf.
Yours,
Laurenz Albe