Thread: Synchronous commit not... synchronous?

On Wed, Oct 31, 2012 at 06:39:20PM -0700, Peter van Hardenberg wrote:
> This was rather surprising - my synchronous commit was... not
> cancelled.  Is this expected behaviour?

I believe it is.

Does the following do the right thing?

SET synchronous_commit='on';
BEGIN;
INSERT INTO data VALUES ('baz');
COMMIT;^c

Oh, and how did you get that cancel in?

Cheers,
David.
> 
> d5r5fdj6u5ieml=> begin;
> BEGIN
> d5r5fdj6u5ieml=> set synchronous_commit = 'on';
> SET
> d5r5fdj6u5ieml=> insert into data values ('baz');
> INSERT 0 1
> d5r5fdj6u5ieml=> commit;
> ^CCancel request sent
> WARNING:  canceling wait for synchronous replication due to user request
> DETAIL:  The transaction has already committed locally, but might not have
> been replicated to the standby.
> COMMIT
> d5r5fdj6u5ieml=> select * from data;
>  foo
> -----
>  bar
>  baz
> (2 rows)
> 
> d5r5fdj6u5ieml=> rollback;
> NOTICE:  there is no transaction in progress
> ROLLBACK
> d5r5fdj6u5ieml=>
> 
> 
> -- 
> Peter van Hardenberg
> San Francisco, California
> "Everything was beautiful, and nothing hurt." -- Kurt Vonnegut

-- 
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter@gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

On Thu, Nov 01, 2012 at 01:31:34PM +0900, Michael Paquier wrote:
> On Thu, Nov 1, 2012 at 1:03 PM, David Fetter <david@fetter.org> wrote:
> > On Wed, Oct 31, 2012 at 06:39:20PM -0700, Peter van Hardenberg wrote:
> > > This was rather surprising - my synchronous commit was... not
> > > cancelled.  Is this expected behaviour?
> >
> > I believe it is.
> >
> > Does the following do the right thing?
> >
> > SET synchronous_commit='on';
> > BEGIN;
> > INSERT INTO data VALUES ('baz');
> > COMMIT;^c
> >
> > Oh, and how did you get that cancel in?
> >
> He enforced a manual cancel from client with something like Ctrl+C to
> cancel query.
> In this case you do not wait for the slave to confirm that the commit
> information has been flushed on its disk.

I guess my disk subsystem (it's a consumer-grade DAS SSD) doesn't have
enough latency for my reflexes to hit ^C fast enough.  Any way to
inject this fault deterministically?

Cheers,
David.
-- 
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter@gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

On Thu, Nov 01, 2012 at 02:10:46PM +0900, Michael Paquier wrote:
> On Thu, Nov 1, 2012 at 1:48 PM, David Fetter <david@fetter.org> wrote:
> 
> > I guess my disk subsystem (it's a consumer-grade DAS SSD) doesn't have
> > enough latency for my reflexes to hit ^C fast enough.  Any way to
> > inject this fault deterministically?
> >
> If the point is to get this warning, you can always setup
> synchronous_standby_names with the application name of a slave that is not
> listed in pg_stat_replication to make the master hanging for a slave that
> does not exist :)
> But in this case there is virtually no slave to wait for, so perhaps it has
> no meaning... But it lets you all time you want to do a manual cancel and
> get this warning.

Great idea :)

Cheers,
David.
-- 
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter@gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

On Wed, Oct 31, 2012 at 10:10 PM, Michael Paquier
<michael.paquier@gmail.com> wrote:
> Btw, I believe that this is correct behavior, because in Peter's case the
> manual command gets the priority on the value of synchronous_commit, no?
> If anybody thinks that I am wrong, feel free to argue on that of course...

The idea of canceling a COMMIT statement causing a COMMIT seems pretty
strange to me.

I would also not expect a cancelled INSERT statement to INSERT, as
seems would happen by applying the same rules in the
autocommit/implicit commit case here.

--
fdr

On Fri, Nov 2, 2012 at 4:42 AM, Daniel Farina <daniel@heroku.com> wrote:
> On Wed, Oct 31, 2012 at 10:10 PM, Michael Paquier
> <michael.paquier@gmail.com> wrote:
>> Btw, I believe that this is correct behavior, because in Peter's case the
>> manual command gets the priority on the value of synchronous_commit, no?
>> If anybody thinks that I am wrong, feel free to argue on that of course...
>
> The idea of canceling a COMMIT statement causing a COMMIT seems pretty
> strange to me.
>
> I would also not expect a cancelled INSERT statement to INSERT, as
> seems would happen by applying the same rules in the
> autocommit/implicit commit case here.

So how should we handle the case where cancel request or SIGINT arrives
while COMMIT is waiting for its WAL to be replicated to the standby? It's hard
to rollback the COMMIT because its WAL has already been flushed to
the disk locally. You think that we should prevent COMMIT at that state
from being canceled?

Regards,

-- 
Fujii Masao

On Thu, Nov 1, 2012 at 12:42 PM, Daniel Farina <daniel@heroku.com> wrote:
> On Wed, Oct 31, 2012 at 10:10 PM, Michael Paquier
> <michael.paquier@gmail.com> wrote:
>> Btw, I believe that this is correct behavior, because in Peter's case the
>> manual command gets the priority on the value of synchronous_commit, no?
>> If anybody thinks that I am wrong, feel free to argue on that of course...
>
> The idea of canceling a COMMIT statement causing a COMMIT seems pretty
> strange to me.

It would be.  But you are not cancelling the commit, you are
*attempting* to cancel the commit.  The message you receive explains
to what extend your attempt succeeded.

Cheers,

Jeff

On 2 November 2012 16:27, Jeff Janes <jeff.janes@gmail.com> wrote:
> On Thu, Nov 1, 2012 at 12:42 PM, Daniel Farina <daniel@heroku.com> wrote:
>> On Wed, Oct 31, 2012 at 10:10 PM, Michael Paquier
>> <michael.paquier@gmail.com> wrote:
>>> Btw, I believe that this is correct behavior, because in Peter's case the
>>> manual command gets the priority on the value of synchronous_commit, no?
>>> If anybody thinks that I am wrong, feel free to argue on that of course...
>>
>> The idea of canceling a COMMIT statement causing a COMMIT seems pretty
>> strange to me.
>
> It would be.  But you are not cancelling the commit, you are
> *attempting* to cancel the commit.  The message you receive explains
> to what extend your attempt succeeded.

That is correct.

It is possible to cancel the COMMIT, but only until it happens.

If people want full two phase commit, that option exists also.

-- Simon Riggs                   http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services

On 11/02/2012 12:31 PM, Simon Riggs wrote:

> If people want full two phase commit, that option exists also.

I was about to say...  isn't that what savepoints are for?


-- 
Shaun Thomas
OptionsHouse | 141 W. Jackson Blvd. | Suite 500 | Chicago IL, 60604
312-444-8534
sthomas@optionshouse.com

______________________________________________

See http://www.peak6.com/email_disclaimer/ for terms and conditions related to this email

On Fri, Nov 2, 2012 at 1:06 PM, Jeff Janes <jeff.janes@gmail.com> wrote:
>> I see why it is implemented this way, but it's also still pretty
>> unsatisfying because it means that with cancellation requests clients
>> are in theory able to commit an unlimited number of transactions,
>> synchronous commit or no.
>
> What evil does this allow the client to perpetrate?

The client can commit against my will by accident in an automated
system whose behavior is at least moderately complex and hard to
understand completely for all involved, and then the client's author
subsequently writes me a desperate or angry support request asking why
data was lost. This is not the best time for me to ask "did you setup
a scheduled task to cancel hanging queries automatically? Because
yeah...there's this...thing."

>> It's probably close enough for most purposes, but what would you think
>> about a "2PC-ish" mode at the physical (rather than logical/PREPARE
>> TRANSACTION) level, whereby the master would insist that its standbys
>> have more data written (or at least received...or at least sent) than
>> it has guaranteed flushed to its own xlog at any point?
>
> Then if they interrupt the commit, the remote has it permanently but
> the local does not.  That would be corruption.

That is a good point.

When the server starts up it could interrogate it standbys for WAL to
apply. My ideal is to get a similar relationship between a master and
its 'local' pg_xlog, except over socket, and possibly (but entirely
optionally) to a non-Postgres receiver of WAL, that may buffer WAL and
then submit it directly to what is typically thought of as the
archives.  I have a number of reasons for doing that, but they can all
be summed as: block devices are much more prone to failures -- both
simple and byzantine -- than memory and network traffic with enough
fidelity checking (such as TLS), and the pain from block device
failures -- in particular, the byzantine ones -- is very high when
they occur.

The bar for "reliable" non-volatile storage for me are things like
Amazon's S3, and I think a lot of that has to do with the otherwise
relatively impoverished semantics it has, so I think this reliability
profile will be or has been duplicated elsewhere.

In general, this has some relation to remastering issues.

In the future, I'd like to be able to turn off the local pg_xlog, at my option.

This is something that I've been very slowly moving forward on for a
while, with the first step being writing a Postgres proxy, currently
underway.  The tool support for this kind of facility is not really in
existence yet, but I'll catch up some day...

> What the "DETAIL" doesn't make clear about the current system is that
> the commit *will* be replicated to the standby *eventually*, unless
> the master burns down first.  In particular, if any commit after this
> one makes it to the standby, then the interrupted one is guaranteed to
> have made it as well.
>
>> This would be a nice invariant to have when dealing with a large
>> number of systems, allowing for the catching of some tricky bugs, that
>> standbys are always greater-than-or-equal-to the master's XLogPos.
>
> Could you elaborate on that?

Sure. I'd like to sanity check failovers with as many simple
invariants as I can to catch problems.  Losing a cheap to confirm
invariant is losing a check, so that would be unfortunate when doing
more failovers simultaneously than humans can realistically be
involved with in a short amount of time, as the results of a bug there
are most unpleasant.

--
fdr

On 11/02/2012 09:46 PM, Daniel Farina wrote:
> The bar for "reliable" non-volatile storage for me are things like
> Amazon's S3, and I think a lot of that has to do with the otherwise
> relatively impoverished semantics it has, so I think this reliability
> profile will be or has been duplicated elsewhere.
>
> In general, this has some relation to remastering issues.
>
> In the future, I'd like to be able to turn off the local pg_xlog, at my option.
Have you tried things like mounting remote RAM drive
over NFS or similar for pg_xlog ?

You probably could even play with DRBD and have one or both
of the drives be RAM drives.

Hannu

On Fri, Nov 2, 2012 at 5:08 PM, Hannu Krosing <hannu@krosing.net> wrote:
> On 11/02/2012 09:46 PM, Daniel Farina wrote:
>>
>> The bar for "reliable" non-volatile storage for me are things like
>> Amazon's S3, and I think a lot of that has to do with the otherwise
>> relatively impoverished semantics it has, so I think this reliability
>> profile will be or has been duplicated elsewhere.
>>
>> In general, this has some relation to remastering issues.
>>
>> In the future, I'd like to be able to turn off the local pg_xlog, at my
>> option.
>
> Have you tried things like mounting remote RAM drive
> over NFS or similar for pg_xlog ?
>
> You probably could even play with DRBD and have one or both
> of the drives be RAM drives.
>
> Hannu

I'm not so interested in such creative workarounds, especially because
the operational maintenance cost is huge when magnified when all I
wish I could do is buffer WAL and forward to a socket, and then
unblock commits when my replication partner says 'alright', just as
they do in spirit for flushing pg_xlog -- what I want is simpler than
a full blown network file system. I also don't need this kind of thing
in the near future -- I'm way behind what's possible as-is.

And then there are issues like transport encryption and being able to
do this across a geography, ugh.

--
fdr

* Daniel Farina:

> The idea of canceling a COMMIT statement causing a COMMIT seems pretty
> strange to me.

Canceling commits is inherently racy, so I'm not sure if this behavior
so strange after all.

On Fri, Nov 2, 2012 at 1:46 PM, Daniel Farina <daniel@heroku.com> wrote:
> On Fri, Nov 2, 2012 at 1:06 PM, Jeff Janes <jeff.janes@gmail.com> wrote:
>>> I see why it is implemented this way, but it's also still pretty
>>> unsatisfying because it means that with cancellation requests clients
>>> are in theory able to commit an unlimited number of transactions,
>>> synchronous commit or no.
>>
>> What evil does this allow the client to perpetrate?
>
> The client can commit against my will by accident in an automated
> system whose behavior is at least moderately complex and hard to
> understand completely for all involved, and then the client's author
> subsequently writes me a desperate or angry support request asking why
> data was lost.

If people don't know when or if they are committing, then I would
think you will get such issues no matter what!


> This is not the best time for me to ask "did you setup
> a scheduled task to cancel hanging queries automatically? Because
> yeah...there's this...thing."

OK, I see your point here.  If an outside task cancels the commit, the
process that issued the commit does get a success response with
seemingly no indication that something may be amiss.  In DBD::Pg under
PrintError=>1, you do get the WARNING and DETAIL message on stderr,
but seemingly no sane way for the program to intercept that warning.

But I don't see any alternative, other than refusing to deliver any
response at all to the client.  The commit neither unambiguously
failed, nor unambiguously succeeded.

Cheers,

Jeff

On Sat, Nov 3, 2012 at 5:44 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
> * Daniel Farina:
>> The idea of canceling a COMMIT statement causing a COMMIT seems pretty
>> strange to me.
>
> Canceling commits is inherently racy, so I'm not sure if this behavior
> so strange after all.

Yeah.  You can't make the local fsync() and the remote fsync() happen
at exactly the same moment in time.  No implementation can do that,
anywhere, ever.  Our implementation happens to require the local
fsync() to always be done first.  With sufficient smarts, that could
possibly be relaxed to allow them to run concurrently (if after a
crash the master tried to fetch remotely committed WAL from its
slave), but you still have the possibility that one fsync gets done
and the other does not, and that would actually allow more weird edge
cases than we have now - the main argument for it is performance.  And
because of the way our WAL stream works, once the commit record is
fsync'd, it's too late to get cold feet.  I daresay that will be true
in any system, too.  Once the local commit record hits the disk, the
absolute best you could do, even theoretically, is *try* to take it
back.  And you had better be prepared for that to fail, because the
system might crash or the take-back write might itself fail.

Atomicity in a distributed system is not an easy problem.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On 10/31/12 9:39 PM, Peter van Hardenberg wrote:
> This was rather surprising - my synchronous commit was... not cancelled.
> Is this expected behaviour?
> 
> d5r5fdj6u5ieml=> begin;
> BEGIN
> d5r5fdj6u5ieml=> set synchronous_commit = 'on';
> SET
> d5r5fdj6u5ieml=> insert into data values ('baz');
> INSERT 0 1
> d5r5fdj6u5ieml=> commit;
> ^CCancel request sent
> WARNING:  canceling wait for synchronous replication due to user request
> DETAIL:  The transaction has already committed locally, but might not
> have been replicated to the standby.
> COMMIT
> d5r5fdj6u5ieml=> select * from data;
>  foo 
> -----
>  bar
>  baz
> (2 rows)

Did the inserted row also arrive at the standby?

On Fri, Nov 2, 2012 at 10:31 AM, Simon Riggs <simon@2ndquadrant.com> wrote:
> On 2 November 2012 16:27, Jeff Janes <jeff.janes@gmail.com> wrote:
>> It would be.  But you are not cancelling the commit, you are
>> *attempting* to cancel the commit.  The message you receive explains
>> to what extend your attempt succeeded.
>
> That is correct.
>
> It is possible to cancel the COMMIT, but only until it happens.
>
> If people want full two phase commit, that option exists also.

I see why it is implemented this way, but it's also still pretty
unsatisfying because it means that with cancellation requests clients
are in theory able to commit an unlimited number of transactions,
synchronous commit or no.

It's probably close enough for most purposes, but what would you think
about a "2PC-ish" mode at the physical (rather than logical/PREPARE
TRANSACTION) level, whereby the master would insist that its standbys
have more data written (or at least received...or at least sent) than
it has guaranteed flushed to its own xlog at any point?

This would be a nice invariant to have when dealing with a large
number of systems, allowing for the catching of some tricky bugs, that
standbys are always greater-than-or-equal-to the master's XLogPos.

--
fdr

On Fri, Nov 2, 2012 at 11:41 AM, Daniel Farina <daniel@heroku.com> wrote:
> On Fri, Nov 2, 2012 at 10:31 AM, Simon Riggs <simon@2ndquadrant.com> wrote:
>> On 2 November 2012 16:27, Jeff Janes <jeff.janes@gmail.com> wrote:
>>> It would be.  But you are not cancelling the commit, you are
>>> *attempting* to cancel the commit.  The message you receive explains
>>> to what extend your attempt succeeded.
>>
>> That is correct.
>>
>> It is possible to cancel the COMMIT, but only until it happens.
>>
>> If people want full two phase commit, that option exists also.
>
> I see why it is implemented this way, but it's also still pretty
> unsatisfying because it means that with cancellation requests clients
> are in theory able to commit an unlimited number of transactions,
> synchronous commit or no.

What evil does this allow the client to perpetrate?

> It's probably close enough for most purposes, but what would you think
> about a "2PC-ish" mode at the physical (rather than logical/PREPARE
> TRANSACTION) level, whereby the master would insist that its standbys
> have more data written (or at least received...or at least sent) than
> it has guaranteed flushed to its own xlog at any point?

Then if they interrupt the commit, the remote has it permanently but
the local does not.  That would be corruption.

What the "DETAIL" doesn't make clear about the current system is that
the commit *will* be replicated to the standby *eventually*, unless
the master burns down first.  In particular, if any commit after this
one makes it to the standby, then the interrupted one is guaranteed to
have made it as well.

> This would be a nice invariant to have when dealing with a large
> number of systems, allowing for the catching of some tricky bugs, that
> standbys are always greater-than-or-equal-to the master's XLogPos.

Could you elaborate on that?

Cheers,

Jeff

On Sun, Nov 4, 2012 at 6:00 PM, Robert Haas <robertmhaas@gmail.com> wrote:
> On Sat, Nov 3, 2012 at 5:44 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
>> * Daniel Farina:
>>> The idea of canceling a COMMIT statement causing a COMMIT seems pretty
>>> strange to me.
>>
>> Canceling commits is inherently racy, so I'm not sure if this behavior
>> so strange after all.
>
> Yeah.  You can't make the local fsync() and the remote fsync() happen
> at exactly the same moment in time.  No implementation can do that,
> anywhere, ever.  Our implementation happens to require the local
> fsync() to always be done first.

I don't think there is a (unachievable) requirement of simultaneous
flush, only that two machines have flushed (or met whatever durability
criteria) strictly more than the position of the commit in question.
This mean some changes are written to some place once, but
acknowledging commit requires proof of two-safety.

I can see how in some corner cases this might cause orphaning of
synchronous standbys that write, but cannot acknowledge.

If the point of synchronous commit is to reach exact two-safety by
waiting a while for other agents to process data, it would seem that
the current model could use some less-invasive tweaking, as-is one can
succeed in an unbounded number of commits in a degenerate case.

--
fdr

On Mon, Nov 5, 2012 at 2:59 PM, Daniel Farina <daniel@heroku.com> wrote:
> On Sun, Nov 4, 2012 at 6:00 PM, Robert Haas <robertmhaas@gmail.com> wrote:
>> On Sat, Nov 3, 2012 at 5:44 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
>>> * Daniel Farina:
>>>> The idea of canceling a COMMIT statement causing a COMMIT seems pretty
>>>> strange to me.
>>>
>>> Canceling commits is inherently racy, so I'm not sure if this behavior
>>> so strange after all.
>>
>> Yeah.  You can't make the local fsync() and the remote fsync() happen
>> at exactly the same moment in time.  No implementation can do that,
>> anywhere, ever.  Our implementation happens to require the local
>> fsync() to always be done first.
>
> I don't think there is a (unachievable) requirement of simultaneous
> flush, only that two machines have flushed (or met whatever durability
> criteria) strictly more than the position of the commit in question.
> This mean some changes are written to some place once, but
> acknowledging commit requires proof of two-safety.

Right, but what you're complaining about is that you can't cancel the
transaction after beginning to make it 2-safe.

> I can see how in some corner cases this might cause orphaning of
> synchronous standbys that write, but cannot acknowledge.
>
> If the point of synchronous commit is to reach exact two-safety by
> waiting a while for other agents to process data, it would seem that
> the current model could use some less-invasive tweaking, as-is one can
> succeed in an unbounded number of commits in a degenerate case.

Well, feel free to make a suggestion.  We could have a mode where a
commit, once initiated, is not user-cancellable, but that doesn't seem
like a usability improvement to me.  That just forces somebody to
bounce the server in a situation where it isn't necessary.  The
warning is not unclear about what has happened.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On Mon, Nov 5, 2012 at 1:19 PM, Robert Haas <robertmhaas@gmail.com> wrote:
> Well, feel free to make a suggestion.  We could have a mode where a
> commit, once initiated, is not user-cancellable, but that doesn't seem
> like a usability improvement to me.  That just forces somebody to
> bounce the server in a situation where it isn't necessary.  The
> warning is not unclear about what has happened.

Yeah, I'm not quite so far as thinking about the best way (much less
any way) of solving the problem, only so far as "it's definitely
possible to successfully commit as much as you want, in violation of
2-safety, syncrep setting or no," and that seems like an interesting
violation of an invariant one might presume.

The warning is there, but it does render the feature a more fragile
for exposing through the very thin channel one has when dealing with
database users at arm's length, as I must.  Only so many caveats and
fine print can be shoved to the user -- this is why, for example,
support of pooling has been a heady proposition for me.

I think this is still in the realm of brain-food, since there is no
obvious model to fix this in sight.

--
fdr