Thread: Better Upgrades

Folks,

While chatting with Bruce about how to make something better than
pg_upgrade, we (and by "we," I mean mostly Bruce) came up with the
following.

What needs improvement:

- pg_upgrade forces a down time event, no matter how cleverly it's done.
- pg_upgrade is very much a blocker for on-disk format changes.

The proposal:

- Add a new script--possibly Perl or Bash, which would:
    - Initdb a new cluster with the new version of PostgreSQL and a
      different port.
    - Start logical replication from the old version to the new
      version.
    - Poll until a pre-determined default amount of replication lag was observed, then:
      * Issue an ALTER SYSTEM on the new server to change its port to the old server's
      * Issue a pg_ctl stop -w to the old server
      * Issue a pg_ctl restart on the new server
      * Happiness!

Assumptions underlying it:

- Disk and similar resources are cheap enough for most users that
  doubling up during the upgrade is feasible.
- The default upgrade path should require exactly one step.
- Errors do not, by and large, have the capacity to violate an SLA.

The proposal has blockers: 

- We don't actually have logical decoding for DDL, although I'm given
  to understand that Álvaro Herrera has done some yeoman follow-up
  work on Dimitri Fontaine's PoC patches.
- We don't have logical decoding for DCL (GRANT/REVOKE)

We also came up with and, we believe, addressed an important issue,
namely how to ensure continuity.  When we issue a `pg_ctl stop -w`,
that's short for "Cancel current commands and stop cleanly."  At this
point, the new server will not have WAL to replay, so a pg_ctl restart
will load the new configuration and come up pretty much immediately,
and the next try will find a brand new server without a down time
event.

Does this seem worth coding up in its current form?

Best,
David.
-- 
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

On 2/5/18 19:09, David Fetter wrote:
> - Add a new script--possibly Perl or Bash, which would:
>     - Initdb a new cluster with the new version of PostgreSQL and a
>       different port.

This will need integration with the packaging system.  You'll want to
carry over settings from the old instance.  You might want to put the
new instance on a different host.

>     - Start logical replication from the old version to the new
>       version.

There is a step missing that does the DDL sync.  And various features
are not handled by logical replication.  So you'll need a pre-check mode
like pg_upgrade.

Also, you need to do this for each database, so you'll need to decide
whether you'll do it all in parallel or sequentially, where you will
continue when it fails part way through, etc.

>     - Poll until a pre-determined default amount of replication lag was observed, then:

Probably the replication lag should be zero, or perhaps you'll even want
to switch to synchronous replication.  Or perhaps you'll switch the
writing node while replication is still catching up.  A lot of that
depends on the application.

>       * Issue an ALTER SYSTEM on the new server to change its port to the old server's

Or you use a connection proxy and have that handle redirecting the
traffic, so you don't need to restart anything.

>       * Issue a pg_ctl stop -w to the old server
>       * Issue a pg_ctl restart on the new server

You can't use pg_ctl when using systemd.

> Does this seem worth coding up in its current form?

Logically, this should be a ten line script.  But I fear making it
actually work in a variety of practical scenarios will probably require
dozens of options and end up very complicated.

At this point, it might be worth more to actually try this procedure by
hand first and work out the details, e.g., how do you do the DDL sync,
how to you convert the configuration files, etc.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

On 02/05/2018 04:09 PM, David Fetter wrote:
> Does this seem worth coding up in its current form?

No. The pg_upgrade utility is awesome and I have commended Bruce on 
multiple occasions about his work with it. That being said, the
"solution" is to support in-place upgrades and our work should be toward 
that. The idea that we can support and upgrade to the catalog plus 
backward and forward support for changes to the page files (upgrade the 
page files as they are accessed/written to) is a much longer, more 
mature and reasonable approach to this problem[1].

JD

1. Props to Theo for bringing this up about a decade ago.


> Best,
> David.


-- 
Command Prompt, Inc. || http://the.postgres.company/ || @cmdpromptinc

PostgreSQL centered full stack support, consulting and development.
Advocate: @amplifypostgres || Learn: https://postgresconf.org
*****     Unless otherwise stated, opinions are my own.   *****

Folks,

While chatting with Bruce about how to make something better than
pg_upgrade, we (and by "we," I mean mostly Bruce) came up with the
following.

What needs improvement:

- pg_upgrade forces a down time event, no matter how cleverly it's done.
- pg_upgrade is very much a blocker for on-disk format changes.

The proposal:

- Add a new script--possibly Perl or Bash, which would:
    - Initdb a new cluster with the new version of PostgreSQL and a
      different port.
    - Start logical replication from the old version to the new
      version.
    - Poll until a pre-determined default amount of replication lag was observed, then:
      * Issue an ALTER SYSTEM on the new server to change its port to the old server's
      * Issue a pg_ctl stop -w to the old server
      * Issue a pg_ctl restart on the new server
      * Happiness!

Assumptions underlying it:

- Disk and similar resources are cheap enough for most users that
  doubling up during the upgrade is feasible.
- The default upgrade path should require exactly one step.
- Errors do not, by and large, have the capacity to violate an SLA.

The proposal has blockers:

- We don't actually have logical decoding for DDL, although I'm given
  to understand that Álvaro Herrera has done some yeoman follow-up
  work on Dimitri Fontaine's PoC patches.
- We don't have logical decoding for DCL (GRANT/REVOKE)

> On 06 Feb 2018, at 01:09, David Fetter <david@fetter.org> wrote:

> - pg_upgrade is very much a blocker for on-disk format changes.

I wouldn’t call it a blocker, but pg_upgrade across an on-disk format change
would be a very different experience from what we have today since it would
need to read and rewrite data rather than hardlink/copy.  Definitely not a
trivial change though, that I completely agree with.

> The proposal:
>
> - Add a new script--possibly Perl or Bash, which would:
>    - Initdb a new cluster with the new version of PostgreSQL and a
>      different port.
>    - Start logical replication from the old version to the new
>      version.
>    - Poll until a pre-determined default amount of replication lag was observed, then:
>      * Issue an ALTER SYSTEM on the new server to change its port to the old server's
>      * Issue a pg_ctl stop -w to the old server
>      * Issue a pg_ctl restart on the new server
>      * Happiness!

Considering how many that will want to build frontends for upgrade tools, or
include them in automation frameworks, I think it would be wise to make any new
upgrade tool capable of emitting machine parseable status information (or any
equivalent means of “what is it doing right now” interrogation).  Thats not
specific for this tool of course, more a general observation regarding upgrade
tools and their usage.

cheers ./daniel

On Tue, Feb  6, 2018 at 01:51:09PM +0100, Daniel Gustafsson wrote:
> > On 06 Feb 2018, at 01:09, David Fetter <david@fetter.org> wrote:
> 
> > - pg_upgrade is very much a blocker for on-disk format changes.
> 
> I wouldn’t call it a blocker, but pg_upgrade across an on-disk format change
> would be a very different experience from what we have today since it would
> need to read and rewrite data rather than hardlink/copy.  Definitely not a
> trivial change though, that I completely agree with.

Uh, not necessarily.  To allow for on-disk format changes, pg_upgrade
_could_ rewrite the data files as it copies them (not link), or we could
modify the backend to be able to read the old format.  We have already
done that for some changes to data and index types.

If we did add more backward-read capability to the backend, I think we
would need to add some housekeeping so we could know when the
read-old-format code could be removed.

I have to admit that the number of hurdles needed to use logical
replication to reduce downtime made me feel like it is cleaner to just
take the multi-minute downtime using link mode and have it be reliable. 
Even if you can get logical replication to work, the drain/switch over
time could be significant.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +

On 6 February 2018 at 03:13, Craig Ringer <craig@2ndquadrant.com> wrote:
> On 6 February 2018 at 09:51, Joshua D. Drake <jd@commandprompt.com> wrote:
>>
>> On 02/05/2018 04:09 PM, David Fetter wrote:
>>
>>> Does this seem worth coding up in its current form?
>>
>> No. The pg_upgrade utility is awesome and I have commended Bruce on
>> multiple occasions about his work with it. That being said, the
>> "solution" is to support in-place upgrades and our work should be toward
>> that.
>
> Yeah. Streaming upgrade is useful, but IMO it's a workaround for upgrade
> issues more than a solution in its self. Useful for people who want a
> conservative upgrade, but not that big a win. Sure you'd like to be able to
> downgrade again if it doesn't go right, but that requires a two-way sync,
> which introduces its own problems and failure modes.

My feeling is that worrying about in-place binary upgrades today is
wasted effort. Already the window for installations where this is
useful is narrow -- you have to be big enough that the resources for
deploying a second instance is significant but not so big that the
downtime and risk is untenable. I have the feeling that in-place
binary upgrades are going to end up sapping developer time and imposes
awkward constraints on the system for a legacy feature users are
recommended to never use anyways.

Running distributed systems with replication used to be a niche "HA"
solution. Today it's the norm to have configuration management systems
that automatically provision and deploy however many replicas you want
and set up repmgr/consul/whatever to do automatic failovers. In that
environment creating a couple new logical replicas using the new
version and doing a failover becomes an easy choice.


-- 
greg

> On 02 Mar 2018, at 12:59, Greg Stark <stark@mit.edu> wrote:

> My feeling is that worrying about in-place binary upgrades today is
> wasted effort. Already the window for installations where this is
> useful is narrow -- you have to be big enough that the resources for
> deploying a second instance is significant but not so big that the
> downtime and risk is untenable.

I might be colorblind from $dayjob, but I don’t think that these installations
(data warehouses et.al) are that uncommon.  They are also installations that
risk staying on an old version due to upgrades being non-trivial (not saying
that in-place is trivial, just that there are places where it may make sense).

> I have the feeling that in-place
> binary upgrades are going to end up sapping developer time

Having worked on supporting the 8.2->8.3 on-disk format change in pg_upgrade
for GPDB, I am not arguing against that.  Not at all.

cheers ./daniel

> On 02 Mar 2018, at 01:03, Bruce Momjian <bruce@momjian.us> wrote:
>
> On Tue, Feb  6, 2018 at 01:51:09PM +0100, Daniel Gustafsson wrote:
>>> On 06 Feb 2018, at 01:09, David Fetter <david@fetter.org> wrote:
>>
>>> - pg_upgrade is very much a blocker for on-disk format changes.
>>
>> I wouldn’t call it a blocker, but pg_upgrade across an on-disk format change
>> would be a very different experience from what we have today since it would
>> need to read and rewrite data rather than hardlink/copy.  Definitely not a
>> trivial change though, that I completely agree with.
>
> Uh, not necessarily.  To allow for on-disk format changes, pg_upgrade
> _could_ rewrite the data files as it copies them (not link), or we could
> modify the backend to be able to read the old format.  We have already
> done that for some changes to data and index types.

Right, that is another option.  I guess we’ll have to wait and see what the
impact will be for the available options when we get there, until there is an
actual on-disk change to reason around it’s a fairly academic discussion.

cheers ./daniel

On Mon, Mar 05, 2018 at 11:18:20AM +0100, Daniel Gustafsson wrote:
> > On 02 Mar 2018, at 12:59, Greg Stark <stark@mit.edu> wrote:
> 
> > My feeling is that worrying about in-place binary upgrades today
> > is wasted effort. Already the window for installations where this
> > is useful is narrow -- you have to be big enough that the
> > resources for deploying a second instance is significant but not
> > so big that the downtime and risk is untenable.
> 
> I might be colorblind from $dayjob,

I agree.

> but I don’t think that these installations (data warehouses et.al)
> are that uncommon.

Data warehouses are by no means rare. They also need backups, just as
any other system does, and that means at the very least duplicate
storage on at least one separate node, even if that node can't
actually bring the warehouse back up in the case of a catastrophic
failure of the original warehouse.

> They are also installations that risk staying on an old version due
> to upgrades being non-trivial (not saying that in-place is trivial,
> just that there are places where it may make sense).

I see in-place upgrades as the riskiest of the possible options, and
that's not just in the case of PostgreSQL.  Every other system with
that feature has had catastrophic failures that were impossible to
predict in advance.  That reality turns on the fundamentals of
constructing such systems, to wit:

- They take enormous amounts of deep knowledge to get right.
- The people who have that knowledge are not inclined to doing what
  amounts to an invisible feature.
- They are perforce done as the last thing before a release, often
  blocking other features and holding up the release process as a
  consequence.
- They can never really be tested for corner cases--see above for one
  of the reasons.
- There can be no realistic back-out plan when something goes wrong.

> > I have the feeling that in-place binary upgrades are going to end
> > up sapping developer time
> 
> Having worked on supporting the 8.2->8.3 on-disk format change in
> pg_upgrade for GPDB, I am not arguing against that.  Not at all.

Your experience reflects one of the fundamental problems with those
systems. It wasn't a one-off.

Best,
David.
-- 
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate