On Sat, Feb 21, 2009 at 1:43 AM, Michael Monnerie
<michael.monnerie@is.it-management.at> wrote:
> I managed to recover the data that was still readable. About 650
> messageblock entries got lost. What makes me nervous a bit is that
> postgres kept running despite (partially) being destroyed. It should
> really have shutdown itself after the first problem was found. That
> database is for mails, and I would understand to have lost some from the
> time before the power loss, but I even lost entries from *after* the
> crash. That means the error happened after the system was up again and
> happily did it's work, but lost entries to a table. Could there be a
> better way to check the db at crash recovery startup time?
>
> If someone is interested, I have a full postgres log with every single
> command done to the database.
We preach this again and again. PostgreSQL can only survive a power
outage type failure ONLY if the hardware / OS / filesystem don't lie
about fsync. If they do, all bets are off, and this kind of failure
means you should really failover to another machine or restore a
backup.
It's why you have to do possibly destructive tests to see if your
server stands at least some chance of surviving this kind of failure,
log shipping for recovery, and / or replication of another form (slony
etc...) to have a reliable server.
The recommendations for recovery of data are just that, recovery
oriented. They can't fix a broken database at that point. You need
to take it offline after this kind of failure if you can't trust your
hardware.
Usually when it finds something wrong it just won't start up.
