Thread: TIP 4: Don't 'kill -9' the postmaster

TIP 4: Don't 'kill -9' the postmaster

From: Jeff Davis

TIP 4: Don't 'kill -9' the postmaster

My impression of 7.2 (and probably earlier releases as well) is that your
data is secure as long as your disks can read/write properly, because of all
the WAL work. I would like to think that my databases would be in good shape
even in the event of a power failure or a 'kill -9'. Is this the case? Under
what known circumstances might data be corrupted? I am mostly concerned with
7.2, since I plan to upgrade all of my servers anyway, but info about 7.1.x
would be helpful.

Regards,
    Jeff

PS: for those wondering, my question was prompted by a comment under the
postgresql 7.2 announcement on slashdot, although I had been curious for some
time.

Re: TIP 4: Don't 'kill -9' the postmaster

From: Doug McNaught

Jeff Davis <list-pgsql-general@dynworks.com> writes:

> TIP 4: Don't 'kill -9' the postmaster
>
> My impression of 7.2 (and probably earlier releases as well) is that your
> data is secure as long as your disks can read/write properly, because of all
> the WAL work. I would like to think that my databases would be in good shape
> even in the event of a power failure or a 'kill -9'. Is this the case? Under
> what known circumstances might data be corrupted? I am mostly concerned with
> 7.2, since I plan to upgrade all of my servers anyway, but info about 7.1.x
> would be helpful.

WAL does seem to have made things pretty robust.

The tip is directed at those people for whom 'kill -9' is the first
resort, not the last.  ;) Clean shutdown is *always* better than
unclean if you can manage it.

-Doug
--
Let us cross over the river, and rest under the shade of the trees.
   --T. J. Jackson, 1863

Re: TIP 4: Don't 'kill -9' the postmaster

From: Tom Lane

Doug McNaught <doug@wireboard.com> writes:
> The tip is directed at those people for whom 'kill -9' is the first
> resort, not the last.  ;) Clean shutdown is *always* better than
> unclean if you can manage it.

Agreed.  But actually, the tip dates from several versions back, when
kill -9 was indeed dangerous.

Back then, if you killed the postmaster without letting it kill all its
child processes, it was possible to start a new postmaster (and then
have it launch new children) while old backends still remained running.
The old and new backends wouldn't know about each other, leading to
disaster if any conflicting updates were made.

There are now interlocks to prevent this scenario: a new postmaster will
look for extant backends in the same database, and refuse to start if it
finds any.  So I believe that you cannot shoot yourself in the foot
that way anymore.  (Digression: the ability to make this check is one of
the few good things about the SysV shared-memory interface.)

As of 7.1 or so, I think the tip could be rephrased as "kill -9 is not
the preferred way of shutting down the database" ;-)

            regards, tom lane

Re: TIP 4: Don't 'kill -9' the postmaster

From: Bruce Momjian

Doug McNaught wrote:
> Jeff Davis <list-pgsql-general@dynworks.com> writes:
>
> > TIP 4: Don't 'kill -9' the postmaster
> >
> > My impression of 7.2 (and probably earlier releases as well) is that your
> > data is secure as long as your disks can read/write properly, because of all
> > the WAL work. I would like to think that my databases would be in good shape
> > even in the event of a power failure or a 'kill -9'. Is this the case? Under
> > what known circumstances might data be corrupted? I am mostly concerned with
> > 7.2, since I plan to upgrade all of my servers anyway, but info about 7.1.x
> > would be helpful.
>
> WAL does seem to have made things pretty robust.
>
> The tip is directed at those people for whom 'kill -9' is the first
> resort, not the last.  ;) Clean shutdown is *always* better than
> unclean if you can manage it.

Yes, I believe that is the point.  No reason to yank things out from
under the system. Also, I believe a clean shutdown may cause you to lose
fewer transactions because it gives things a little time to settle down
before stopping.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
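
Added example, not part of any post in this thread: a shell function that stops a postmaster by escalating through the shutdown signals PostgreSQL documents (SIGTERM = smart, SIGINT = fast, SIGQUIT = immediate) and refuses to fall back to 'kill -9'. The function and variable names are hypothetical, the signal-to-mode mapping comes from the PostgreSQL documentation rather than from the thread, and the caller is assumed to supply the postmaster's PID.

```shell
#!/bin/sh
# Added example (names are hypothetical, not from PostgreSQL itself).
# Escalate through the postmaster's documented shutdown signals:
#   SIGTERM = smart, SIGINT = fast, SIGQUIT = immediate
# SIGKILL is never sent: it gives the postmaster no chance to stop its
# backends, which is the situation the thread warns about.

STOP_STAGE=""   # shutdown mode that worked, "not-running", or "refused"

# is_alive PID: succeeds while the process still exists
is_alive() {
    kill -0 "$1" 2>/dev/null
}

# wait_gone PID SECONDS: succeeds once the process has exited
wait_gone() {
    _left=$2
    while is_alive "$1"; do
        [ "$_left" -gt 0 ] || return 1
        sleep 1
        _left=$((_left - 1))
    done
    return 0
}

# stop_postmaster PID [SECONDS_PER_STAGE]
# Returns 0 if the process is gone, 1 if it survived every stage,
# 2 if the argument is not a PID.
stop_postmaster() {
    _pid=$1
    _wait=${2:-60}
    STOP_STAGE=""
    case $_pid in
        ''|*[!0-9]*) echo "not a PID: $_pid" >&2; return 2 ;;
    esac
    is_alive "$_pid" || { STOP_STAGE="not-running"; return 0; }
    for _step in TERM:smart INT:fast QUIT:immediate; do
        kill -s "${_step%%:*}" "$_pid" 2>/dev/null || true
        if wait_gone "$_pid" "$_wait"; then
            STOP_STAGE=${_step#*:}
            return 0
        fi
    done
    STOP_STAGE="refused"
    echo "PID $_pid survived SIGQUIT; investigate instead of kill -9" >&2
    return 1
}
```
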