Sync Rep: First Thoughts on Code

Hi, Simon.

Thanks for taking many hours to review the code!!

On Mon, Dec 1, 2008 at 8:42 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

Can you confirm that all the docs on the Wiki page are up to date? There
are a few minor discrepancies that make me think it isn't.

Documentation is ongoing. Sorry for my slow progress.

BTW, I'm going to add and change the sgml files listed on wiki.
http://wiki.postgresql.org/wiki/NTT%27s_Development_Projects#Documentation_Plan

Examples: "For example, to make a single multi-statement transaction
replication asynchronously when the default is the opposite, issue SET
LOCAL synchronous_commit TO OFF within the transaction."
Do we mean synchronous_replication in this sentence? I think you've
copied the text and not changed all of the necessary parts - please
re-read the whole section (probably the whole Wiki, actually).

Oops! It's just typo. Sorry for the confusion.
I will revise this section.

"wal_writer_delay" - do we mean wal_sender_delay?

Yes. I will fix it.

Is there some ability
to measure the amount of data to be sent and avoid the delay altogether,
when the server is sufficiently busy?

Why is the former ability required?

The latter is possible, I think. We can guarantee that the WAL is sent (in
more detail, called send(2)) once at least per wal_sender_delay. Of course,
it's dependent on the scheduler of a kernel.

The reaction to replication_timeout may need to be configurable. I might
not want to keep on processing if the information didn't reach the
standby.

OK. I will add new GUC variable (PGC_SIGHUP) to specify the reaction for
the timeout.

I would prefer in many cases that the transactions that were
waiting for walsender would abort, but the walsender kept processing.

Is it dangerous to abort the transaction with replication continued when
the timeout occurs? I think that the WAL consistency between two servers
might be broken. Because the WAL writing and sending are done concurrently,
and the backend might already write the WAL to disk on the primary when
waiting for walsender.

How can we restart the walsender if it shuts down?

Only restart the standby (with walreceiver). The standby connects to
the postmaster on the primary, then the postmaster forks new walsender.

Do we want a maximum
wait for a transaction and a maximum wait for the server?

ISTM that these feature are too much.

Do we report
stats on how long the replication has been taking? If the average rep
time is close to rep timeout then we will be fragile, so we need some
way to notice this and produce warnings. Or at least provide info to an
external monitoring system.

Sounds good. How about log_min_duration_replication? If the rep time
is greater than it, we produce warning (or log) like log_min_duration_xx.

How do we specify the user we use to connect to primary?

Yes, I need to add new option to specify the user name into
recovery.conf. Thanks for reminding me!

Definitely need more explanatory comments/README-style docs.

Completely agreed ;-)
I will write README together with other documents.

For example, 03_libpq seems simple and self-contained. I'm not sure why
we have a state called PGASYNC_REPLICATION; I was hoping that would be
dynamic, but I'm not sure where to look for that. It would be useful to
have a very long comment within the code to explain how the replication
messages work, and note on each function who the intended client and
server is.

OK. I will re-consider whether PGASYNC_REPLICATION is removable, and
write the comment about it.

02_pqcomm: What does HAVE_POLL mean?

It identifies whether poll(2) is available or not on the platform. We
use poll(2)
if it's defined, otherwise select(2). There is similar code at pqSocketPoll() in
fe-misc.c.

Do we need to worry about periodic
renegotiation of keys in be-secure.c?

What is "keys" you mean?

Not sure I understand why so many
new functions in there.

It's because walsender waits for the reply from the standby and the
request from the backend concurrently. So, we need poll(2) or select(2)
to make walsender wait for them, and some functions for non-blocking
receiving.

04_recovery_conf is a change I agree with, though I think it may not
work with EXEC_BACKEND for Windows.

OK. I will examine and fix it.

05... I need dome commentary to explain this better.

06 and 07 are large and will take substantial review time. So we must
get the overall architecture done first and then check the code that
implements that.

08 - I think I get this, but some docs will help to confirm.

Yes. I need more documentation.

09 pg_standby changes: so more changes are coming there? OK. Can we
refer to those two options as failover and switchover?

You mean failover trigger and switchover one? ISTM that those names
and features might not suit.

Naming always bother me, and the current name "commit/abort trigger"
might tend to cause confusion. Is there any other suitable name?

There's no need
to change definitions that many Postgres people already use. This change
can be done without making any change to server behaviour, so this
change can have benefit to 8.2 and 8,3 people also.

Agreed.

01_signal_handling: I've looked at the LWlock acquires and releases in
the patch and am fairly happy, except for the ProcArrayLock acquire
during this sub-patch. Do we really need to do things this way? Is the
actual state important? Could we just do this with a counter which
cycles? So callers increment counter atomically and the reader just
polls to see if anybody has incremented? Or could we protect that part
of the proc with a different lock? Touching ProcArrayLock is bad news.

Agreed. I will add new lock for proc.signalFlags.

Anyway, feeling very positive about this. Hope we can get this reviewed
and committed in next 3-4 weeks.

I have many clues as to how to structure my own work also. Thanks.

Thanks again!

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

On Tue, 2008-12-02 at 21:37 +0900, Fujii Masao wrote:

Thanks for taking many hours to review the code!!

On Mon, Dec 1, 2008 at 8:42 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

Can you confirm that all the docs on the Wiki page are up to date? There
are a few minor discrepancies that make me think it isn't.

Documentation is ongoing. Sorry for my slow progress.

BTW, I'm going to add and change the sgml files listed on wiki.
http://wiki.postgresql.org/wiki/NTT%27s_Development_Projects#Documentation_Plan

I'm patient, I know it takes time. Happy to spend hours on the review,
but I want to do that knowing I agree with the higher level features and
architecture first.

This was just a first review, I expect to spend more time on it yet.

The reaction to replication_timeout may need to be configurable. I might
not want to keep on processing if the information didn't reach the
standby.

OK. I will add new GUC variable (PGC_SIGHUP) to specify the reaction for
the timeout.

I would prefer in many cases that the transactions that were
waiting for walsender would abort, but the walsender kept processing.

Is it dangerous to abort the transaction with replication continued when
the timeout occurs? I think that the WAL consistency between two servers
might be broken. Because the WAL writing and sending are done concurrently,
and the backend might already write the WAL to disk on the primary when
waiting for walsender.

The issue I see is that we might want to keep wal_sender_delay small so
that transaction times are not increased. But we also want
wal_sender_delay high so that replication never breaks. It seems better
to have the action on wal_sender_delay configurable if we have an
unsteady network (like the internet). Marcus made some comments on line
dropping that seem relevant here; we should listen to his experience.

Hmmm, dangerous? Well assuming we're linking commits with replication
sends then it sounds it. We might end up committing to disk and then
deciding to abort instead. But remember we don't remove the xid from
procarray or mark the result in clog until the flush is over, so it is
possible. But I think we should discuss this in more detail when the
main patch is committed.

Do we report
stats on how long the replication has been taking? If the average rep
time is close to rep timeout then we will be fragile, so we need some
way to notice this and produce warnings. Or at least provide info to an
external monitoring system.

Sounds good. How about log_min_duration_replication? If the rep time
is greater than it, we produce warning (or log) like log_min_duration_xx.

Maybe, lets put in something that logs if >50% (?) of timeout. Make that
configurable with a #define and see if we need that to be configurable
with a GUC later.

Do we need to worry about periodic
renegotiation of keys in be-secure.c?

What is "keys" you mean?

See the notes in that file for explanation.

I wondered whether it might be a perf problem for us?

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

On Tue, 2008-12-02 at 13:09 +0000, Simon Riggs wrote:

Is it dangerous to abort the transaction with replication continued when
the timeout occurs? I think that the WAL consistency between two servers
might be broken. Because the WAL writing and sending are done concurrently,
and the backend might already write the WAL to disk on the primary when
waiting for walsender.

The issue I see is that we might want to keep wal_sender_delay small so
that transaction times are not increased. But we also want
wal_sender_delay high so that replication never breaks. It seems better
to have the action on wal_sender_delay configurable if we have an
unsteady network (like the internet). Marcus made some comments on line
dropping that seem relevant here; we should listen to his experience.

Hmmm, dangerous? Well assuming we're linking commits with replication
sends then it sounds it. We might end up committing to disk and then
deciding to abort instead. But remember we don't remove the xid from
procarray or mark the result in clog until the flush is over, so it is
possible. But I think we should discuss this in more detail when the
main patch is committed.

What is the "it" in "it is possible"? It seems like there's still a
problem window in there.

Even if that could be made safe, in the event of a real network failure,
you'd just wait the full timeout every transaction, because it still
thinks it's replicating.

If the timeout is exceeded, it seems more reasonable to abandon the
slave until you could re-sync it and continue processing as normal. As
you pointed out, that's not necessarily an expensive operation because
you can use something like rsync. The process of re-syncing might be
made easier (or perhaps less costly), of course.

If we want to still allow processing to happen after a timeout, it seems
reasonable to have a configurable option to allow/disallow non-read-only
transactions when out of sync.

Regards,
Jeff Davis

On Tue, 2008-12-02 at 11:08 -0800, Jeff Davis wrote:

On Tue, 2008-12-02 at 13:09 +0000, Simon Riggs wrote:

Is it dangerous to abort the transaction with replication continued when
the timeout occurs? I think that the WAL consistency between two servers
might be broken. Because the WAL writing and sending are done concurrently,
and the backend might already write the WAL to disk on the primary when
waiting for walsender.

The issue I see is that we might want to keep wal_sender_delay small so
that transaction times are not increased. But we also want
wal_sender_delay high so that replication never breaks. It seems better
to have the action on wal_sender_delay configurable if we have an
unsteady network (like the internet). Marcus made some comments on line
dropping that seem relevant here; we should listen to his experience.

Hmmm, dangerous? Well assuming we're linking commits with replication
sends then it sounds it. We might end up committing to disk and then
deciding to abort instead. But remember we don't remove the xid from
procarray or mark the result in clog until the flush is over, so it is
possible. But I think we should discuss this in more detail when the
main patch is committed.

What is the "it" in "it is possible"? It seems like there's still a
problem window in there.

Marking a transaction aborted after we have written a commit record, but
before we have removed it from proc array and marked in clog. We'd need
a special kind of WAL record to do that.

Even if that could be made safe, in the event of a real network failure,
you'd just wait the full timeout every transaction, because it still
thinks it's replicating.

True, but I did suggest having two timeouts.

There is considerable reason to reduce the timeout as well as reason to
increase it - at the same time.

Anyway, lets wait for some user experience following commit.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Breaking down of patch into sections works very well for review. Should
allow us to get different reviewers on different parts of the code -
review wranglers please take note: Dave, Josh.

Fujii-san, could you break the patch up into several parts? We have quite
a few junior reviewers who are idle right now.

--
--Josh

Josh Berkus
PostgreSQL
San Francisco

Jeff,

Even if that could be made safe, in the event of a real network failure,
you'd just wait the full timeout every transaction, because it still
thinks it's replicating.

Hmmm. I'd suggest that if we get timeouts for more than 10xTimeout value
in a row, that replication stops. Unfortunatley, we should probably make
that *another* configuration setting.

--
--Josh

Josh Berkus
PostgreSQL
San Francisco

Hi,

On Wed, Dec 3, 2008 at 6:03 AM, Josh Berkus <josh@agliodbs.com> wrote:

Breaking down of patch into sections works very well for review. Should
allow us to get different reviewers on different parts of the code -
review wranglers please take note: Dave, Josh.

Fujii-san, could you break the patch up into several parts? We have quite
a few junior reviewers who are idle right now.

Yes, I divided the patch into 9 pieces. Do I need to divide it further?

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Fujii-san,

Yes, I divided the patch into 9 pieces. Do I need to divide it further?

That's plenty. Where do reviews find the 9 pieces?

--
Josh Berkus
PostgreSQL
San Francisco

Hi,

On Wed, Dec 3, 2008 at 3:21 PM, Josh Berkus <josh@agliodbs.com> wrote:

Fujii-san,

Yes, I divided the patch into 9 pieces. Do I need to divide it further?

That's plenty. Where do reviews find the 9 pieces?

The latest patch set (v4) is on wiki.
http://wiki.postgresql.org/wiki/NTT%27s_Development_Projects#Patch_set

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Hello,

On Tue, Dec 2, 2008 at 10:09 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

The reaction to replication_timeout may need to be configurable. I might
not want to keep on processing if the information didn't reach the
standby.

OK. I will add new GUC variable (PGC_SIGHUP) to specify the reaction for
the timeout.

I would prefer in many cases that the transactions that were
waiting for walsender would abort, but the walsender kept processing.

Is it dangerous to abort the transaction with replication continued when
the timeout occurs? I think that the WAL consistency between two servers
might be broken. Because the WAL writing and sending are done concurrently,
and the backend might already write the WAL to disk on the primary when
waiting for walsender.

The issue I see is that we might want to keep wal_sender_delay small so
that transaction times are not increased. But we also want
wal_sender_delay high so that replication never breaks.

Are you assuming only asynch case? In synch case, since walsender is
awoken by the signal from the backend, we don't need to keep the delay
so small. And, wal_sender_delay has no relation with the mis-termination
of replication.

It seems better
to have the action on wal_sender_delay configurable if we have an
unsteady network (like the internet). Marcus made some comments on line
dropping that seem relevant here; we should listen to his experience.

OK, I would look for his comments. Please let me know which thread has
the comments if you know.

Hmmm, dangerous? Well assuming we're linking commits with replication
sends then it sounds it. We might end up committing to disk and then
deciding to abort instead. But remember we don't remove the xid from
procarray or mark the result in clog until the flush is over, so it is
possible. But I think we should discuss this in more detail when the
main patch is committed.

If the transaction is aborted while the backend is waiting for replication,
the transaction commit command returns "false" indication to the client.
But the transaction commit record might be written in the primary and
standby. As you say, it may not be dangerous as long as the primary is
alive. But, when we recover the failed primary, clog of the transaction
is marked with "success" because of the commit record. Is it safe?

And, in that case, the transaction is treated as "sucess" on the standby,
and visible for the read-only query. On the other hand, it's invisible on
the primary. Isn't it dangerous?

Do we need to worry about periodic
renegotiation of keys in be-secure.c?

What is "keys" you mean?

See the notes in that file for explanation.

Thanks! I would check it.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Hi,

On Wed, Dec 3, 2008 at 4:08 AM, Jeff Davis <pgsql@j-davis.com> wrote:

Even if that could be made safe, in the event of a real network failure,
you'd just wait the full timeout every transaction, because it still
thinks it's replicating.

If walsender detects a real network failure, the transaction doesn't need to
wait for the timeout. Configuring keepalive options would help walsender to
detect it. Of course, though keepalive on linux might not work as expected.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Hi,

On Tue, Dec 2, 2008 at 10:09 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

On Tue, 2008-12-02 at 21:37 +0900, Fujii Masao wrote:

Thanks for taking many hours to review the code!!

On Mon, Dec 1, 2008 at 8:42 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

Can you confirm that all the docs on the Wiki page are up to date? There
are a few minor discrepancies that make me think it isn't.

Documentation is ongoing. Sorry for my slow progress.

BTW, I'm going to add and change the sgml files listed on wiki.
http://wiki.postgresql.org/wiki/NTT%27s_Development_Projects#Documentation_Plan

I'm patient, I know it takes time. Happy to spend hours on the review,
but I want to do that knowing I agree with the higher level features and
architecture first.

Since I thought that the figure was more intelligible for some people
than my poor English, I illustrated the architecture first.
http://wiki.postgresql.org/wiki/NTT%27s_Development_Projects#Detailed_Design

Are there any other parts which should be illustrated for review?

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

On Wed, 2008-12-03 at 21:37 +0900, Fujii Masao wrote:

Since I thought that the figure was more intelligible for some people
than my poor English, I illustrated the architecture first.
http://wiki.postgresql.org/wiki/NTT%27s_Development_Projects#Detailed_Design

Are there any other parts which should be illustrated for review?

Those are very useful, thanks.

Some questions to check my understanding (expected answers in brackets)

* Diagram on p.2 has two Archives. We have just one (yes)

* We send data continuously, whether or not we are in sync/async? (yes)
So the only difference between sync/async is whether we wait when we
flush the commit? (yes)

* If we have synchronous_commit = off do we ignore
synchronous_replication = on (yes)

* If two transactions commit almost simultaneously and one is sync and
the other async then only the sync backend will wait? (Yes)

Do we definitely need the archiver to move the files written by
walreceiver to archive and then move them back out again? Seems like we
can streamline that part in many (all?) cases.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Hi,

On Wed, Dec 3, 2008 at 11:33 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

I'm patient, I know it takes time. Happy to spend hours on the review,
but I want to do that knowing I agree with the higher level features and
architecture first.

I wrote the features and restrictions of Synch Rep. Please also check
it together with the figures of architecture.
http://wiki.postgresql.org/wiki/NTT%27s_Development_Projects#User_Overview

Some questions to check my understanding (expected answers in brackets)

* Diagram on p.2 has two Archives. We have just one (yes)

No, we need archive in both the primary and standby. The primary needs
archive because a base backup is required when starting the standby.
Meanwhile, the standby needs archive for cooperating with pg_standby.

If the directory where pg_standby checks is the same as the directory
where walreceiver writes the WAL, the halfway WAL file might be
restored by pg_standby, and continuous recovery would fail. So, we have
to separate the directories, and I assigned pg_xlog and archive to them.

Another idea; walreceiver writes the WAL to the file with temporary name,
and rename it to the formal name when it fills. So, pg_standby doesn't
restore a halfway WAL file. But it's more difficult to perform the failover
because the unrenamed WAL file remains.

Do you have any other good idea?

* We send data continuously, whether or not we are in sync/async? (yes)

Yes.

So the only difference between sync/async is whether we wait when we
flush the commit? (yes)

Yes.
And, in asynch case, the backend basically doesn't send the wakeup-signal
to walsender.

* If we have synchronous_commit = off do we ignore
synchronous_replication = on (yes)

No, we can configure them independently. synchronous_commit covers
only local writing of the WAL. If synch_*commit* should cover both local
writing and replication, I'd like to add new GUC which covers only local
writing (synchronous_local_write?).

* If two transactions commit almost simultaneously and one is sync and
the other async then only the sync backend will wait? (Yes)

Yes.

Do we definitely need the archiver to move the files written by
walreceiver to archive and then move them back out again?

Yes, it's because of cooperating with pg_standby.

Seems like we
can streamline that part in many (all?) cases.

Agreed. But I thought that such streaming was TODO of next time.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Hi,

On Wed, Dec 3, 2008 at 3:38 PM, Fujii Masao <masao.fujii@gmail.com> wrote:

Do we need to worry about periodic
renegotiation of keys in be-secure.c?

What is "keys" you mean?

See the notes in that file for explanation.

Thanks! I would check it.

The key is used only when we use SSL for the connection of
replication. As far as I examined, secure_write() renegotiates
the key if needed. Since walsender calls secure_write() when
sending the WAL to the standby, the key is renegotiated
periodically. So, I think that we don't need to worry about the
obsolescence of the key. Am I missing something?

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

On Thu, 2008-12-04 at 17:57 +0900, Fujii Masao wrote:

On Wed, Dec 3, 2008 at 3:38 PM, Fujii Masao <masao.fujii@gmail.com> wrote:

Do we need to worry about periodic
renegotiation of keys in be-secure.c?

What is "keys" you mean?

See the notes in that file for explanation.

Thanks! I would check it.

The key is used only when we use SSL for the connection of
replication. As far as I examined, secure_write() renegotiates
the key if needed. Since walsender calls secure_write() when
sending the WAL to the standby, the key is renegotiated
periodically. So, I think that we don't need to worry about the
obsolescence of the key.

Understood. Is the periodic renegotiation of keys something that would
interfere with the performance or robustness of replication? Is the
delay likely to effect sync rep? I'm just checking we've thought about
it.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

On Thu, 2008-12-04 at 16:10 +0900, Fujii Masao wrote:

* Diagram on p.2 has two Archives. We have just one (yes)

No, we need archive in both the primary and standby. The primary needs
archive because a base backup is required when starting the standby.
Meanwhile, the standby needs archive for cooperating with pg_standby.

If the directory where pg_standby checks is the same as the directory
where walreceiver writes the WAL, the halfway WAL file might be
restored by pg_standby, and continuous recovery would fail. So, we have
to separate the directories, and I assigned pg_xlog and archive to them.

Another idea; walreceiver writes the WAL to the file with temporary name,
and rename it to the formal name when it fills. So, pg_standby doesn't
restore a halfway WAL file. But it's more difficult to perform the failover
because the unrenamed WAL file remains.

WAL sending is either via archiver or via streaming. We must switch
cleanly from one mode to the other and not half-way through a WAL file.

When WAL sending is about to begin, issue xlog switch. Then tell
archiver to shutdown once it has got to the last file. All files after
that point are streamed. So there need be no conflict in filename.

We must avoid having two archives, because people will configure this
incorrectly.

* If we have synchronous_commit = off do we ignore
synchronous_replication = on (yes)

No, we can configure them independently. synchronous_commit covers
only local writing of the WAL. If synch_*commit* should cover both local
writing and replication, I'd like to add new GUC which covers only local
writing (synchronous_local_write?).

The only sensible settings are
synchronous_commit = on, synchronous_replication = on
synchronous_commit = on, synchronous_replication = off
synchronous_commit = off, synchronous_replication = off

This doesn't make any sense: (does it??)
synchronous_commit = off, synchronous_replication = on

Do we definitely need the archiver to move the files written by
walreceiver to archive and then move them back out again?

Yes, it's because of cooperating with pg_standby.

It seems very easy to make this happen the way we want. We could make
pg_standby look into pg_xlog also, for example.

I was expecting you to have walreceiver and startup share an end of WAL
address via shared memory, so that startup never tries to read past end.
That way we would be able to begin reading a WAL file *before* it was
filled. Waiting until a file fills means we still have to have
archive_timeout set to ensure we switch regularly.

We need the existing mechanisms for the start of replication (base
backup etc..) but we don't need them after that point.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Simon Riggs wrote:

On Thu, 2008-12-04 at 17:57 +0900, Fujii Masao wrote:

On Wed, Dec 3, 2008 at 3:38 PM, Fujii Masao <masao.fujii@gmail.com> wrote:

Do we need to worry about periodic
renegotiation of keys in be-secure.c?

What is "keys" you mean?

See the notes in that file for explanation.

Thanks! I would check it.

The key is used only when we use SSL for the connection of
replication. As far as I examined, secure_write() renegotiates
the key if needed. Since walsender calls secure_write() when
sending the WAL to the standby, the key is renegotiated
periodically. So, I think that we don't need to worry about the
obsolescence of the key.

Understood. Is the periodic renegotiation of keys something that would
interfere with the performance or robustness of replication? Is the
delay likely to effect sync rep? I'm just checking we've thought about
it.

It will certainly add an extra piece of delay. But if you are worried
about performance for it, you are likely not running SSL. Plus, if you
don't renegotiate the key, you gamble with security.

If it does have a negative effect on the robustness of the replication,
we should just recommend against using it - or refuse to use - not
disable renegotiation.

/Magnus

On Thu, 2008-12-04 at 12:41 +0100, Magnus Hagander wrote:

Understood. Is the periodic renegotiation of keys something that would
interfere with the performance or robustness of replication? Is the
delay likely to effect sync rep? I'm just checking we've thought about
it.

It will certainly add an extra piece of delay. But if you are worried
about performance for it, you are likely not running SSL. Plus, if you
don't renegotiate the key, you gamble with security.

If it does have a negative effect on the robustness of the replication,
we should just recommend against using it - or refuse to use - not
disable renegotiation.

I didn't mean to imply renegotiation might optional. I just wanted to
check whether there is anything to worry about as a result of it, there
may not be. *If* it took a long time, I would not want sync commits to
wait for it.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Hi,

On Thu, Dec 4, 2008 at 6:29 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

The only sensible settings are
synchronous_commit = on, synchronous_replication = on
synchronous_commit = on, synchronous_replication = off
synchronous_commit = off, synchronous_replication = off

This doesn't make any sense: (does it??)
synchronous_commit = off, synchronous_replication = on

If the standby replies before writing the WAL, that strategy can improve
the performance with moderate reliability, and sounds sensible.
IIRC, MySQL Cluster might use that strategy.

I was expecting you to have walreceiver and startup share an end of WAL
address via shared memory, so that startup never tries to read past end.
That way we would be able to begin reading a WAL file *before* it was
filled. Waiting until a file fills means we still have to have
archive_timeout set to ensure we switch regularly.

You mean that not pg_standby but startup process waits for the next
WAL available? If so, I agree with you in the future. That is, I just think
that this is next TODO because there are many problems which we
should resolve carefully to achieve it. But, if it's essential for 8.4, I will
tackle it. What is your opinion? I'd like to clear up the goal for 8.4.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Hello,

On Fri, Dec 5, 2008 at 12:09 PM, Fujii Masao <masao.fujii@gmail.com> wrote:

I was expecting you to have walreceiver and startup share an end of WAL
address via shared memory, so that startup never tries to read past end.
That way we would be able to begin reading a WAL file *before* it was
filled. Waiting until a file fills means we still have to have
archive_timeout set to ensure we switch regularly.

You mean that not pg_standby but startup process waits for the next
WAL available? If so, I agree with you in the future. That is, I just think
that this is next TODO because there are many problems which we
should resolve carefully to achieve it. But, if it's essential for 8.4, I will
tackle it. What is your opinion? I'd like to clear up the goal for 8.4.

Umm.. on second thought, this feature (continuous recovery without
pg_standby) seems to be essential for 8.4. So, I will try it.

Development plan:
- Share the end of WAL address via shared memory <--- Done!
- Change ReadRecord() to wait for the next WAL *record* available.
- Change ReadRecord() to restore the WAL from archive by using
pg_standby before reaching the replication starting position, then
read the half-streaming WAL from pg_xlog.
- Add new trigger for promoting the standby to the primary. As the
trigger, when fast shudown (SIGINT) is requested during recovery,
the standby would recover the WAL up to end and become the
primary.

What system call does walreceiver have to call against the WAL
before startup process reads it? Probably we need to call write(2),
and don't need fsync(2) in Linux. How about other platform?

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Hi, sorry for my consecutive posting.

On Fri, Dec 5, 2008 at 4:00 PM, Fujii Masao <masao.fujii@gmail.com> wrote:

Hello,

On Fri, Dec 5, 2008 at 12:09 PM, Fujii Masao <masao.fujii@gmail.com> wrote:

I was expecting you to have walreceiver and startup share an end of WAL
address via shared memory, so that startup never tries to read past end.
That way we would be able to begin reading a WAL file *before* it was
filled. Waiting until a file fills means we still have to have
archive_timeout set to ensure we switch regularly.

You mean that not pg_standby but startup process waits for the next
WAL available? If so, I agree with you in the future. That is, I just think
that this is next TODO because there are many problems which we
should resolve carefully to achieve it. But, if it's essential for 8.4, I will
tackle it. What is your opinion? I'd like to clear up the goal for 8.4.

Umm.. on second thought, this feature (continuous recovery without
pg_standby) seems to be essential for 8.4. So, I will try it.

Development plan:
- Share the end of WAL address via shared memory <--- Done!
- Change ReadRecord() to wait for the next WAL *record* available.
- Change ReadRecord() to restore the WAL from archive by using
pg_standby before reaching the replication starting position, then
read the half-streaming WAL from pg_xlog.
- Add new trigger for promoting the standby to the primary. As the
trigger, when fast shudown (SIGINT) is requested during recovery,
the standby would recover the WAL up to end and become the
primary.

What system call does walreceiver have to call against the WAL
before startup process reads it? Probably we need to call write(2),
and don't need fsync(2) in Linux. How about other platform?

I added the figures about the latest architecture into PDF file.
Please check P6, 7. Is this architecture close to your imege?
http://wiki.postgresql.org/wiki/NTT%27s_Development_Projects#Detailed_Design

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

On Fri, 2008-12-05 at 16:00 +0900, Fujii Masao wrote:

On Fri, Dec 5, 2008 at 12:09 PM, Fujii Masao <masao.fujii@gmail.com> wrote:

I was expecting you to have walreceiver and startup share an end of WAL
address via shared memory, so that startup never tries to read past end.
That way we would be able to begin reading a WAL file *before* it was
filled. Waiting until a file fills means we still have to have
archive_timeout set to ensure we switch regularly.

You mean that not pg_standby but startup process waits for the next
WAL available? If so, I agree with you in the future. That is, I just think
that this is next TODO because there are many problems which we
should resolve carefully to achieve it. But, if it's essential for 8.4, I will
tackle it. What is your opinion? I'd like to clear up the goal for 8.4.

Umm.. on second thought, this feature (continuous recovery without
pg_standby) seems to be essential for 8.4. So, I will try it.

Sounds good. Perhaps you can share what changed your mind in those 4
hours...

Could we start with pictures and some descriptions first, so we know
we're on the right track? I foresee no coding issues.

My understanding is that we start with a normal log shipping
architecture, then we switch into continuous recovery mode. So we do use
pg_standby at beginning, but then it gets turned off.

Let's look at all of the corner cases also:
* standby keeps pace with primary (desired state)
* standby falls behind primary
* standby restarts to change shmmem settings
etc

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

On Fri, 2008-12-05 at 12:09 +0900, Fujii Masao wrote:

On Thu, Dec 4, 2008 at 6:29 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

The only sensible settings are
synchronous_commit = on, synchronous_replication = on
synchronous_commit = on, synchronous_replication = off
synchronous_commit = off, synchronous_replication = off

This doesn't make any sense: (does it??)
synchronous_commit = off, synchronous_replication = on

If the standby replies before writing the WAL, that strategy can improve
the performance with moderate reliability, and sounds sensible.

Do you think it likely that your replication time is consistently and
noticeably less than your time-to-disk? If not, you'll wait just as long
but be less robust. I guess its possible.

On a related thought: presumably we force a sync rep if forceSyncCommit
is set?

IIRC, MySQL Cluster might use that strategy.

Not the most convincing argument I've heard.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Hi,

On Fri, Dec 5, 2008 at 7:09 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

On Fri, 2008-12-05 at 12:09 +0900, Fujii Masao wrote:

On Thu, Dec 4, 2008 at 6:29 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

The only sensible settings are
synchronous_commit = on, synchronous_replication = on
synchronous_commit = on, synchronous_replication = off
synchronous_commit = off, synchronous_replication = off

This doesn't make any sense: (does it??)
synchronous_commit = off, synchronous_replication = on

If the standby replies before writing the WAL, that strategy can improve
the performance with moderate reliability, and sounds sensible.

Do you think it likely that your replication time is consistently and
noticeably less than your time-to-disk?

It depends on a system environment.
- How many miles two servers? same rack? separate continent?
- Does system have high-end storage? cheap one?
... etc

On a related thought: presumably we force a sync rep if forceSyncCommit
is set?

Yes!
Please see RecordTransactionCommit() in xact.c (in my patch).

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Greetings!

On Fri, Dec 5, 2008 at 6:59 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

On Fri, 2008-12-05 at 16:00 +0900, Fujii Masao wrote:

On Fri, Dec 5, 2008 at 12:09 PM, Fujii Masao <masao.fujii@gmail.com> wrote:

I was expecting you to have walreceiver and startup share an end of WAL
address via shared memory, so that startup never tries to read past end.
That way we would be able to begin reading a WAL file *before* it was
filled. Waiting until a file fills means we still have to have
archive_timeout set to ensure we switch regularly.

You mean that not pg_standby but startup process waits for the next
WAL available? If so, I agree with you in the future. That is, I just think
that this is next TODO because there are many problems which we
should resolve carefully to achieve it. But, if it's essential for 8.4, I will
tackle it. What is your opinion? I'd like to clear up the goal for 8.4.

Umm.. on second thought, this feature (continuous recovery without
pg_standby) seems to be essential for 8.4. So, I will try it.

Sounds good. Perhaps you can share what changed your mind in those 4
hours...

Yeah, it's my imagination about the real situation after 8.4 release,
especially I considered about the future conjugal life of Synch Rep and
Hot Standby ;) Waiting to redo until the file fills might lead to marital
breakdown.

Could we start with pictures and some descriptions first, so we know
we're on the right track? I foresee no coding issues.

My understanding is that we start with a normal log shipping
architecture, then we switch into continuous recovery mode. So we do use
pg_standby at beginning, but then it gets turned off.

Yes, I also understand so. Updated sequence pictures are on wiki
as per usual. Please see P3, 4.
http://wiki.postgresql.org/wiki/NTT%27s_Development_Projects#Detailed_Design

Let's look at all of the corner cases also:
* standby keeps pace with primary (desired state)
* standby falls behind primary
* standby restarts to change shmmem settings
etc

Yes, I will examine such cases!

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

On Sat, 2008-12-06 at 17:55 +0900, Fujii Masao wrote:

Yeah, it's my imagination about the real situation after 8.4 release,
especially I considered about the future conjugal life of Synch Rep and
Hot Standby ;) Waiting to redo until the file fills might lead to marital
breakdown.

You're obviously working with some comedians now. ;-)

Could we start with pictures and some descriptions first, so we know
we're on the right track? I foresee no coding issues.

My understanding is that we start with a normal log shipping
architecture, then we switch into continuous recovery mode. So we do use
pg_standby at beginning, but then it gets turned off.

Yes, I also understand so. Updated sequence pictures are on wiki
as per usual. Please see P3, 4.
http://wiki.postgresql.org/wiki/NTT%27s_Development_Projects#Detailed_Design

p.6 looks good.

But what is p.7? It's even more complex than the original. Forgive me,
but I don't understand that. Can you explain?

What is the procedure if the standby shuts down, for example if we wish
to restart server to change a parameter? Or to reboot the system it is
on. Does the primary switch back to writing files to archive?

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Hi, thanks for the comment!

On Mon, Dec 8, 2008 at 11:04 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

Could we start with pictures and some descriptions first, so we know
we're on the right track? I foresee no coding issues.

My understanding is that we start with a normal log shipping
architecture, then we switch into continuous recovery mode. So we do use
pg_standby at beginning, but then it gets turned off.

Yes, I also understand so. Updated sequence pictures are on wiki
as per usual. Please see P3, 4.
http://wiki.postgresql.org/wiki/NTT%27s_Development_Projects#Detailed_Design

p.6 looks good.

But what is p.7? It's even more complex than the original. Forgive me,
but I don't understand that. Can you explain?

p.7 shows one of the system configuration examples. Some people don't
want to share an archive between two servers would probably choose
this configuration, I think.

If archive is not shared, some WAL files before replication starts would not
be copied automatically from the primary to standby. So, we have to copy
them by hand or using clusterware ..etc. This is what p.7 shows. If archive
is shared, archiver on the primary would copy them automatically (p.6).

What is the procedure if the standby shuts down, for example if we wish
to restart server to change a parameter?

Stop postgres by using immediate shutdown, and start postgres from an
existing database cluster directory. When restarting postgres, if there are
one or more archives, we also need to copy the WAL files after stopping
replication before restarting replication.

Or to reboot the system it is
on. Does the primary switch back to writing files to archive?

I assume that the primary always writes files to archive, that is, basically
the primary doesn't switch to non-archiving mode. Of course, if archiving
is disabled on the primary in any reason when restarting standby, the
primary need to switch back.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

On Tue, 2008-12-09 at 17:15 +0900, Fujii Masao wrote:

But what is p.7? It's even more complex than the original. Forgive me,
but I don't understand that. Can you explain?

p.7 shows one of the system configuration examples. Some people don't
want to share an archive between two servers would probably choose
this configuration, I think.

If archive is not shared, some WAL files before replication starts would not
be copied automatically from the primary to standby. So, we have to copy
them by hand or using clusterware ..etc. This is what p.7 shows. If archive
is shared, archiver on the primary would copy them automatically (p.6).

I agree that is the way to do it *if* the archive is not shared. But why
would you want to *not* share the archive??

What is the procedure if the standby shuts down, for example if we wish
to restart server to change a parameter?

Stop postgres by using immediate shutdown, and start postgres from an
existing database cluster directory. When restarting postgres, if there are
one or more archives, we also need to copy the WAL files after stopping
replication before restarting replication.

Or to reboot the system it is
on. Does the primary switch back to writing files to archive?

I assume that the primary always writes files to archive, that is, basically
the primary doesn't switch to non-archiving mode.

OK, I think that clears up what I was seeing in the code. i.e. I didn't
understand the modes of operation.

I really like most of what you've done, though you must forgive me for
saying I still don't like this. I really am with you on how tiresome
that sounds.

For clarity: I don't think its acceptable to have the archiver send
files to the archive at the same time as we're streaming data. In normal
running we should not duplicate the data paths - its just too much data
volume and/or bandwidth.

The cleanest way I can see is to have two modes of operation:
* First mode is file-based log shipping (FLS) (i.e. "warm standby")
* Second mode is streaming log shipping (SLS) (wal sender to wal
receiver)

When we start we are in FLS mode, then we catch up to the cross-over
point and we switch to SLS mode. If streaming stops, we just switch back
to FLS mode. If they reconnect, we follow same procedure again. So the
two modes are compatible, but are never simultaneously active except for
a short period when we switch modes.

If SLS mode is active then the archiver doesn't send files. If FLS mode
is active, we send files. All of the places in code that currently are
not optimised when XLogArchivingActive() must remain unoptimised for
either FLS or SLS mode, so we need a new name for that.

This makes least number of changes to existing architecture. People
currently use FLS mode and understand it (!), they just add
understanding of SLS mode. It's also a very straightforward
architecture, which means fewer code paths and less weird bugs. (There's
been enough already, as you know).

So just for clarity, let me rephrase it:

We set up FLS mode as we do currently. Then we initiate SLS mode. At the
end of the next WAL file on primary we archive it, then turn off
archiving on primary. (So for up to one WAL file we operate two modes
together).

If SLS mode ends, we send next WAL file via archiver. Some part of that
file has already been streamed across, but that doesn't matter. (If SLS
mode ends because primary is down, we obviously do nothing. If we have a
split brain situation then we rely on clusterware to kill us (STONITH).

So AFAICS p.6 of the architecture is all we really need. Nice, simple.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Simon Riggs wrote:

For clarity: I don't think its acceptable to have the archiver send
files to the archive at the same time as we're streaming data. In normal
running we should not duplicate the data paths - its just too much data
volume and/or bandwidth.

What if you want to run archiving for backup purposes, and also have a
standby server?

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

On Tue, 2008-12-09 at 14:42 +0200, Heikki Linnakangas wrote:

Simon Riggs wrote:

For clarity: I don't think its acceptable to have the archiver send
files to the archive at the same time as we're streaming data. In normal
running we should not duplicate the data paths - its just too much data
volume and/or bandwidth.

What if you want to run archiving for backup purposes, and also have a
standby server?

If we want to include that as an option, yes. If it is "always on" then
no, not everybody wants that.

The best way to implement that is to archive from the standby, not to
send the data twice. By definition the archive is more closely
associated with the standby node than the primary.

Maybe I misunderstood the diagrams? The additional flows to the archive
are actually all optional?

Anyway, I enclose a slightly simplified version of p.6 to allow us to
see the progression of file mode through to streaming mode. This is an
in-my-understanding version.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

%PDF-1.4
%��������
2 0 obj
<</Length 3 0 R/Filter/FlateDecode>>
stream
x��YKo7������7"��������@EO��A�n�\��K~�feo;m�$��YrF�H��>����_��3��Fv�%����~���������/�������?����I��t0������0����gWK�AE�K��W��Rf�����������jy%5�
ddpsmW]#�[��'?\G��O���^�"*�/�l���(�V�gt����Y8�q/L���k�d�����?��s\_�{�3>�������U8�G��z9������;7�vSP��rI ����������,������%P�E��e�k����1&�&��KbM����7t�����/����,(\	��I�VB����wE�V	�:2���@�.��k�l,��R�W��Y�-������a��1%�,�(Iup��>�$�SXuF�g�4�j���_M������[��R��h�8�;Kl�r	>J���=l=x��9�!�<�N��['FM��F�o���N�Q�����:8&��8�bZ��,w�f��dT�����e��Pk�������i�������z�MXY8�o�<����{������~�L�c�r:M�gR��n���e�$��V��qd�:�C�
P�jL���L����m��!�"�X������;���p��A��Z
����4����5z]�hO
�-�U����������VM��7�����������2��/����rn�17���q�ZH�~�_��}A��9wrPx����|,l���<��w�1Z���
^/Z�r�"i
r'l���k������s�B��\�3�J�K��AKi��HFe��z�j\;g�6N�0i��������g�cu��3&����N��5���|�9 �h�^��$�;���p�s������!p�������1{�%:�P;�y'���Y5�����A��q�{Z��� ��W�F]��#{b�������-�s��j�U@jA��?����)H_'��s��7!��h������d�ak%����7��!�&Q\k��.��RP7��0���U����F�$^M� q��"��p��<Vl=52��g�)J��mOL�w���0SJ�W�!Q~e�������I����_���J]Pf'67cV�5�t5�T''E#�I�Oa�^s�fGu�D��[����g�ETPN�l3&��(=Jm;�V!���&Q��e*�8�:Ga�j�+�"�z�����0�	�E�0Z4��bs6�����Y�NVF-�����h�W�
?R�MjZ@o~��0���_�����<�@���T��=�q����%��V�!������0������3��D3��D��x�!�S�����a�#�A��P����$&7�d�@���D����{�6��B��s��W������)�j�Z��Vz�������=J�S�"~�%������'9m����u@�����������d�Z�z�V�
���7\�����+�1(�-J^&;����8T����I�����m@Cq��T�A��%N8��6�P��Y�#�P��Q�������a��������8��Y_�`��,v�&��f�p�L�Q��R���:k�
�2���6K�L��
��
��:�mX����������GT
�MR��uC�W2�;�d�(�\1�7
���v���7�H��c��a���(���~���V�z��L�<&�u�g�.�cX�@����?�P8f�+�7�]�_
endstream
endobj

3 0 obj
1722
endobj

4 0 obj
<</Type/XObject/Subtype/Image/Width 55 /Height 55 /BitsPerComponent 8 /Length 5 0 R
/Filter/FlateDecode/ColorSpace[ /Indexed/DeviceRGB 255 <
0F0E0E 181717 252424 192076 2E2D2D 3D3C3B 41468D 4E4D4D 626161 6C6EA6 7E7D7D 9393A9 B3B2B2 BABAD4 C7C7DC DBDAE8
E4E3EA F1F0F6 F3F3F2 F5F4F7 F7F6F7 F9F9FA FCFBFC FFFFFF FFFFFF FFFFFF FFFFFF FFFFFF FFFFFF FFFFFF FFFFFF FFFFFF
000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000
000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000
000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000
000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000
000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000
000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000
000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000
000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000
000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000
000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000
000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000
000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000
000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000
000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 FFFFFF
> ]
>>
stream
x����� Ee82�����)�H�EJ��Oy��S j�O�(���V�r�x4e*>PY��6��m���X��v6��5T��-��l^E����m�f[�(6����2�'I:��-;�������y~�j^�2����5��d���Z�iH����^�b��.�mzk���
�9�Q��D��cu���{������l�������X�h�;r�>���
endstream
endobj

5 0 obj
207
endobj

7 0 obj
<</Length 8 0 R/Filter/FlateDecode>>
stream
x��YKo7������7"����)�[==M���Es��/�Q��]���E��g��H��D}����_��3��Fv�%�>��~���1����O���Y���w?��t��IZ�t��;L����a0���S�A���%w��{�RF�����������zz-5�
d�ssmW]#��o�g?�Dw��{}��������e�����_�����>��������?��F����qF���� ���������W���2��e�"d����.b%�Z�1]�v�����hPN<��K�����C������|?�����.�L�*+���s�����e�c�w<�qp��7��k^�b�2��/8��ua��&y�}�W�.gk�9g	f:�V����U��M�=�6�����*QI�����(��8��S��B�2sG>i��6r}9��(�l��]
�`�W���c$��d�� �d>�(n��u�e]�QB$D�a���MV�&
������6�Q��_��=p\y��.I���y7���4�t#ty���k=OAz��\�����viP�:���V;���A�G~����C�v�S������������S����n/�IMY7�%V��2M�v���ub����K@a�c�6���Fx��f�b-b�e�
��L�c�j�����0��I��.��^��)���R��h�?�����8,F�t�jc�|d}_�������f.Sl�r:���.!�Vc�>�������+��/���N
�8�8��T��^�'"0��3F�$;��I^�\$�AA����Sr���dv��HU�ks�W�yJ�P#hI-�	
fL�V��V�s�l����&m��V��#?y�<U�<cb�0[q����F`���OB� �
7S`����t�Ni�<�\hvtv.�pH�1���p.p�Z�B�D�a�0�a�d|�6�6��G�?*}<-wog��_���U�Q�z��Z�R���0eS��\z �k�\����S`�	��G
R�I��B��1$\3�&IjlX���U0l�$k��}��=�R$�k
!UQ���\
���xF����U��	1h�KB��E$�RCD�pn�-����E���M8�C������z�(^�3%�{�b�Wf�	�j�5�O��$D��zfx,��etbs#1F�]��&����h$5I�� ���a�����WK$Z��-��ey�ZD���6b2�|��Uj�9'��
/�Di�
��:����%���8� �uuv�����-�]�h�4���qX8�n�j�b����3r����]I���Jm���nR�z��Z����,������yT��O��P��	z�	�_��H[5�$�k��H�>w&����G,��2��{��O�fx���Q�$Q��C�j����D`��9o�~$�~"�>��4)��=r�0�QYV�}eZ+K��J�>Z\���F)~S����B��(9-�INKy"�U1��Mm�AFi��MP2e�,5I+�]
��\�����3��(��H�2��t���0p�������L
6,�M�h(�b�
3��7��	GXX��
h��u���#5\]��_<�+���FU�mk�nGd���]�����������J�$.��R���:k�
�2���K�L����Zu��0���y�Y-�9�����H}�
-��1����U�wh��C;�h^��M	����s�~���q#e�be//*^7<���^���z����MZ��H_�e���������1c��Sd�	S&�bpv�m�����P*7M���cA���-�U�k9����8+(?�����K�C/������_/�#���~?Eau����u�m
endstream
endobj

8 0 obj
1812
endobj

10 0 obj
<</Length 11 0 R/Filter/FlateDecode>>
stream
x��ZK��
�����
���7�@���M�>9M��l�����#��f�������Yr��"Y����	{Z~��g	����KK���������,�����~��.q�wu���'�����%��3�&������`2�':?��j��(�}^���|{+������w?�n�v�D��}���K��%��}9�����}Z���|��K\Ee��������U�9��+��rEtxGW�^?�{���	��1��]#�A|�
M��^�v��0v�B���lV��ZAWl�0t}�i�*�x|EJ>���&�����n������	�����d)�EJ��p�}��-��i
�J����s���s>�L�i�q���y=�����.��5��<��N��Y�*O9��W�h�KmZ�|��Q�����tR�;Y���X��=���g������e�X�,�i�����&9���3��H���)���D�a��I<���1�*EY�n
Js�����:I��(6^���&
Q���s��(%�bK�����{�tY�Z�_��c2/�#}\��|��AwQFU�NKl������4(h=��NN�.�\#����ae��}���K�V]�<R���`3��w�����A2_�����F�.h�>�e�Tp~x��	a	(N9&��c&��eX_�R ���"�;WH�n�A�ep�"�����I����^���"Z��J�F��AU,�s���r��n�d���z����������9��s9��.!�Vs�>��Bb���.�����N���8�8��T��n)�����M����N^q.���(����S�����e:GH�*��/�W��.KBM�%�PG$�1�[��j<:g��VN�0i���}<���g�[u��3&���]n��k�+:y�E9 �h��E�1	.�NW��W*�1�b�����!���-�s�c�(�%��H��a�����&mVM���U�x[�>����
 ��7�F�	���=1KMb����-�����^������
����oB�(u��_�C�-h�������a+%����7���K�(�u�TE
cp���j�	ECV��7)WS�H�����<J,������������E����pJ������Iy�(^.fJ�Jw� �_Y5&��m��?k�$&��2A���[D0F�13f�]��PS;�����wM�:?8�5r��,5���UD���D
<�#
b;�B�S��mR���z�Y�Q�r ���-A����Q�H&1(�Bf����9s��A�����r�J"����)��a���J�B
��-[�Y���R���OU�����=
d.Z�s5�f���Gu�>%��x�69�Y���IbMP�%U^s���q�(t�p��zxPh8�!4	�N�#/�d�0Z4��ds�V�����Zz�������v�������}���������,�����W�<��#�:����>�U���	��$�4c������c$l?:S,%9��B-�j��$ _��)k	����	��h))�(��M�[^RU ����,r���/�4L�*=l��_FV�Ud�<W
�����z���Z�l�`
S%X�Z
0e%�e`�k(�w1����$���&(��^�������?�/���`���3��(�-T2��t���*��8T���2��
�l�<���0��v�dg��J�w��+]L��Mn��)����D��4m3Q����P4I
��S���*��\�x3x��~wn��p�B)�"�@��hEB�
)Z�<
%G}���yI������
P3�3�[���(g�69�(6
.Qd�q!�I��p����nGb���%�-f7�������N����;���E'U����w��$�#I&9����R-��{-Z�4�|��
#�'/�:^��)V�z/fk�#jVVLR�����H�"�X���j����3��0w�������-��k�7��t{����3<y���W����W�pqn����p�KY�%�d~��#iS����s��2����u0'��b3�[UY]����r�0���bH���lC�y��,4��tR���_�k�t�\#������y\��g���5��'�3�a]�A[��8��^�pS���K5��m5a�VJ+�0)�T����g5iRf�i]���/�^o��`���wE�����]}��W�vb�3?�m���/p�Pq$��R��98�w���4y�Q4n��8��I����=�f�G����>���E[�m����c�����>z�}~LtyU�I1�c��l�p�O�z8����Lv=X��I�	��y8!&+�+B�Tn�0��R��XA����!�r��q9��/	4�haA��	��wX�%r���
��p�@mB��6{&��2F��6n���	���
��(�9��	�x� M2!'���/��lXI��xgn6@c�\P*rha��X;�C;>,;2^e\���)���w�3������[0?F�Y�C�����?w����O�
�'�-
endstream
endobj

11 0 obj
2505
endobj

13 0 obj
<</Length 14 0 R/Filter/FlateDecode>>
stream
x��X�n7��W�l@cw��%������:q�'A|�����=����#�������H�#�y��yw�w��\���_��/��9�������u�u�l�9L�wK����	��2}������:_�L�E%�������w���������fz�VvUd0���k.��������Cr�����R�P�}�U\JP�������s��rN�?�s��OA��;�o^����,�3���^�U
D/�?��Y����q`F;b��`}�|�j����B��U���5�/xxN�[�t����g��A2?N��.�PDH
�@��	�J���r��)gOt,�����y�c(����}�QS��b�?�g�g��|������h����hi��Fe^:��Zf���R���G(<L!��-.P�b�$�nq�3��� g�:��F:�Z��O-�N�_W��
>Fd)"]��p���N�ba��������!�0L6~h��R����-��.�����_i8����^*G�L�
~1�B�S��j��bcR.�f�B��YiYo1��09��4
=�����I�v�S/_L�su��

���b�^�n�w����������b������uR��pF��8`L�G�����m���p�3F�$`�E"�Ey�x�+����!W�(��^���J<�#�G&at�0N�Y6���Z5�;�Xo�y?�</w�\���V:����o���&�7�tD-U����K����M*U�Hk�1@c��Oq�� ~
�8�#��NZAQ!�"��ME�:�
��r�p�KHYTR&���$��$Y|=J���"G�2�!7�a4���$n���MT��Q��*��8.c��������Jm=�-0��BaZ��J����P����	mR��Aw�V�N����)
�P����5����U�m�,������N~
���U��9s���7?tD-������I�����@����i 56�(��6wS��!�un���gcJ�0�[z-��U����u,'�\��"(D�������,�"b��r�~d��L<}��
��P�nw+m��M�Q���Eh|��,�����GE{��nkr�����#;�:_�{2��t�29�Q��g�������e��r�
����Y��r����r��D�Y�Sk��^s�4�D��bm�4]g1��W)�K�)=����}>.?X����tF�{.��7��(�\�q����c��@8�
����y� 5-��#�����z�^���G�8N*�k�H�j�QU"-��,+B�'><�t����(Ep�c?\>|���M�F)��PHr�����^IBV��m�.oP����V]zg���v�{�����P%�lp,][�M��/$�O
��p8��#$yg	^�^���)��/����99P���$3�%c�:���e���G���po��A�E�q�j�<�p�m�Y��K����e�)���+G9��$>�J�H�B[�Lv5��0�l����T��x�Ru�2z:���O�G�rZlE��Bk�i�A���>��}��^����?���K�Xwo�_);�X
endstream
endobj

14 0 obj
1546
endobj

16 0 obj
<</Length 17 0 R/Filter/FlateDecode>>
stream
x��ZKo7����soD�,�c�hni�P��m��%��GjF����I� ���H��O��nC������'n���Zb�������?'����?���������X���g��oG�b�����&����j*5���6i��m~}�������������jz�5o
dxp������l��zz��u�������K�����&�b?���������R��-����t*OwJg�������NBQv��
H���
X�|����n�hGrU3�2��~��D����?�h���W�������%���>n�r	�����~��o9���@qg_<�^s��9�`bn�<�)9�1g�t����[6��b��a�f���(9�d<�W�>wk��{�g���@K��5�4Qv�4��J�f��UR�lh�^O>��fO�'9r�3�$�:7�YM�����F�oj��oM������%g)p>�(���RSYJ:r���6�k�t
����aX���Z�Q
���Q 8_�F�.��N����s��K�H���S�oL3��xT1�0�*8�\���AA�^i�w0Z�09�gA�������!~����;S�R]���|�UL�a��t�����,�sT��0�h,��P'f�!�3�%���1aD�����,��C��&q=���DXEi�d�;���$!W��oT/hNS!y�o�G&atC
�y����Z5��?��*�aHyY��L�}U:+�T�W�CL��#}�������;K�7s���&0*V{�1@�`���x����
��18���	hyE_2`Q�
_�]�#-��.�k
!QEH.�a#s�$I�
�u�25!�t�������tD����ET�RP��+j�8�w�	�Y��7*��7���_
Eh-�u���z��ee�I����d�t��EcoP&�4k�%�s�����X��~�z�;yp=����)I�����F-L����w�����'�����@jl��� ���&�xqWe�1��MZ2%a���\��HK��Y��)�Y����yF0��� 
:?!�"���\E`����~b��B<}���$�P�vw��g�fT�JY��W�dj�������������Ok�p�q}�`�����sM��-�{�;�2l
^j����3H�FqGi����)���������Mw�����sd-kB��	�s&��D��m�4��`���Rj�jSzd��j����h�wdlL${�`Oz�?u�"�������^�Y�Yl�_*��R���	6@����U�GQ�G�$N*��h�H�l�
"���6�
����*�����G\�������/]��(����?
�o���'<>
r����a����wv
��K�Vtx@K��1'���U_��|���w�@���k8|�=�wz�2��V�����B'������7"3���l�rf�@3�2Jb�Gr��Ho��AeD��
��n�g�p��"����5�FvX�
md��*w��z*��c�\s��1Fn�i�Q?�hG,��U����;�rC�7�E.���*�I��_M�N=4�T9�i�'��u?�7���������T[��>Tm����O��$aY.k@4��y��c@�����a�G�s��M��"q�������c8�^O9����	�����^���
WG�J~�Q�J��\���V��T
j�9��!mV
�����)�e�{�������������Y[�L����o��#G��}���}���%9�4�z��xE'@�;��h�����Y�uW��{�9�O���P���M��w �y��K<��|��QN��N�-*�6������<�
{��?��E��n��������+��J��b�jv��In)%���8�;�8�LD�D�"c���=
Z�A���L�R��u����]3�]G��e�mD��C_fg����'�5+����:�[��Q<������&qG�4�F�����d��cc��ke�#����
K���*cZn`"�i�zN���������\��h�w'�~�������7��
endstream
endobj

17 0 obj
2002
endobj

19 0 obj
<</Length 20 0 R/Filter/FlateDecode/Length1 28572>>
stream
x���y|T��0~��wf����d2[&��L2	IHB	��1�L�H�d �'aq
UDm���V��a1�-T��[�_�
�X�m*m)�����9�&�}�������cn�9�9�9�����3����02�
��`KG�����z!�B����O��7}�|!m�����<�kEH���V�o\�6�fA�t�	���C��f\���0��6h������
P�l���0hy�P
����ZB��"4��u�6t��o��N���PGx��o��]�������r�^I��{��?�x���!��6�1��u���N���l���${���r{R��i>9=�����9���<���� B�O!}F�x$���%� �	�]�iAO�C�|
F=�����D��>t%�
���h�������`wb/*D�,=���K��� r`W�st
���
FmF&��f�����/N����8-*C�N��
�[�'A?B�W#��<��7��O�7h"��������}(��Q/��k�qbu�_��t����z�&>L�`�0�����,���D,q���	��{�A<�&��������
kl�Y�F�h?<C�'�}l��J<�8��(����E�������x%4Pi*��.�S�2:���g�Kc�k���o#;����n����� W�s
�_����@��(��������<��L ]�~�	��$xZQ�}������������jS�'f�H��~�~�MpRG���;�wdYA�%��~�?��R�S_�:���I�l�S�|)n�W�-�6|7~���d1YK�����'�Lx�Q�Z��������G�o���(N\��<l�������@G�{�G��l�fxd����+��������x/�r�����������t�
�������>r�c�O�K��epy�d��k��`W[�����>�=�Q>
t.�������<�yAsJk�}O@�_=<�;�Q�o�����&>F��CP��*a�!x��w��=�~��@;�����@�x
������{������*����=������L&3�<x.#a�C����^������K�r��\�����.���}���;�}O���>>��y�l~������Y�y]��V���^���E7E7]7_�@���U�_�����"������������[H	�&� �y^�Z�z�Jv��Ux/��l�N#��\t��_";�2���uxZC&)�i��PT�/�a�y8�/`�
Z#��|�5�A�H9��s����^G�s���}������� ?��kP:w�1���B�H
X���6����	��q1�'�@�RT��]����A���7�;q+���J���S�(h�M�6W��_%~+I�{�����L�i��:����������Q^�>����%?���S���
4�*t=�IlB5
�/�j���(�?
��J��O���*�����>v`W-.���A.�������N� A��K�����.&Ch����� ��_��%Ew'V����h"��-�+a�]�t+��7��@�(
4�#|�����&&���=���8��@�,�B����M�<�����E�*�-�k����w���"tN�gX�B�0*��%��\7��8Z�x,��z��hG����G:
���3f��_P9��|j�����IE���r'�d�2���/-���q���d{��*Y�&�A/
:���F�5��f9h��
��N�uB��c24������|>f0W}
3�`�0�$W����r�_��Y�����
�\�o�c��g�v�NO�
r���Z��f�&V��mkMs5L�������O�G��
������93�8k*v$�`S1���&��W�����Pkl�����������1<���2��3c�<��f�eb�Y1[F����������n����<c��5��!����<X�:�����\&��j�2�7��Z�����u�9�������4ol�9`,��m�ZKo"�-�a5���!�7��2=	=�r�����4��c���m��f`�gk-��>��$N O��uq�?=V��oU{w��������������%�B��f�
M���X�:���Q����@��v���3M�Yx*��2�����X+p$g5o�*h;�dI~y��H��O����m��wDA*'c���p,//��KED7x
{����'��"~�$C
�C������B z:e�MCA�*��
J]F+SQ�0�1F�i�����%�g`�glx�$y/s~�cB`��"9�j�*b����J�"��e
r��f��u���)�S��T(�4��K!*DR8�B�|�V�1>~�L�[�tH%k�rmLj�P���������):������U��_�v^����r�a��/��U^������G���Y1�43~�������fQ�?�I��������C�sb~-��[k�r��������J�,�� /��v�4�
�P��M)��m�@�6\1��O
oV�f�%��V7D�&!
�Cz#����$��p���� W�t�r�r�t��~�U
,}���tk�52W�W2w����E2.W��?1�	��K�����vR'��/�.��c��lFNW�`m
�#{0�z\&� ~M�i���Ml���3�����m+/d��&�TbM/v��d;IO�<eri ;�O��L������?�_����x����']�Qs�l��x.>2���]���d��A����S��-6���x��V	>�6������S{2�K����]*��E-�����~������d�/�^$/2,�vx{�
�����,w��Y>3j��F�l���V��bm��zz-��&��%�����t��F3��b1i
�}�&9�;s ���p���O����5Q�IMg�']@�J	���\Y^hs�c��|�� Os�t�5o�5�N�B�Rn�*��
hk�=�x�=�rk������KvH>H�����=���:���L�s��g�����?H�y���~U�������t^21��c���s�|8^�98��������9�?��']�m�A7����m��v=��A�	x�����D4�,{�^P���R��X��9������iJ���2Xh�Je�v�3��A[nE��!t�a�)������{����'dpa����[92F?P��IE%���4�U{�<d�U���k�v�"����_1r�q�q����g���
���:���` ��4�<��q���Po�i��E��v�v���tZ
U*��FC��T��-q"�W��l�� �f�����]��'
jdaO
���^�1`�A���
z�6EF��[��Y���i�h8����:
�!1s�<
{��0�����&��er7�x���-���-W�R����"T3,������	2&�"!�"�w�N����bF��������n���214%���^n�O/7

XVn..c����:Q�����&��������2�n�[!���
��E�d�4���>o�<���.�/���j���N�O����%F�F4�t@��`K�T$���f�n����%�a��d4�����1�o����fy#o��x��7���V�3,@�	&��vh  o��b�.M�i�HwPD��� �;9�
 c���(���[8���<�����A�|�a�q#�����.YtGu������oy�]���M=nH��V�3���W�v�/�

�(��V^n-/�"9b>rd�F)�D�c�^��	���S%�9�qh��%���sI�\ [��H�[���'G�}�=���k3�%T���j��8����@7�@�Z�����
��&%>�cs�
P��n�8������i��k
�s ��	B������6m��#-Q�t�V+j9Q��z�
h+r2�vB��h�b� l"�����
+b"��h�z����&�
H�-�Gn%4c� �����/�7���;S	4�F������?]i�V�V�� O�j(})��RU��.�zz)=�h�&N#.q3��r��RK,�`iH�P���n*��c�:�
Dg�]��d������kf^���y�tp���+��n��|�g���n.O|��Q�+T����Z�>���|V�d��;����8��W�Y���k�-O�$��$s�)�I2���)�RuVM�2y�IV�a�i�y�=��h��t��*�?3�u=��p�i��fis��Y��vXv$�ee�MM�75-B@��8+3���������?�@%,���:w��X��p,�51-��i�&�)
�EbM�<��
���=��R���?	�=�r��i�����!M'!��l����5��7�$����:�df�K�L)�k����d���;�-��gd�?kZ��U]O,��|Z�}Ad�����_^�9hy�����S�{
�_��/��v7~W���������~g(���p��Z#ol2�t��K�������o]��h��p�"��23/h��4 b��8D�{dE�����r�xf�=�����J���FN6���Z�_bn����t+I���[�)��O��oT
�����"��n�������Kj�t�%��8NyBD��s�V�i�
X6�74�
�A���#�0�9�i���GE08�!�5VUR�S��(f��\����L���\+`q�����wX��������_�3�!%����I�*`*�����1O�.������X����2G��U��&�0�g�U��bA���`@��Y�,�a��fA�3 �X��R%��J;��B>�\d���6�p):A+h^��n��E��Qo�s�d������)�3����/�Qzk:b����MXqs�����k&�,p��������'�]���{�mon������hRM���s����9��z����#��������2���G���4����i�s��M��<_�_�_��������_�-F
�j�5h�"���Ms��b�--7w������fE�+�]�0z�S�T���w��(����z� ��V���2�z���9�+��cB_�t��;H`���U�7�z�������/�4�������w\���b�����7_�hI���w7O�Z���tM8���8um������*lf:P�C$���N�8^�Mt��D6�1��z6==��{��������_%u���������OHld�������GV����e�k�vi�
-��8�����h�Rf(�j0+�Yj
U��9���AvJ��4���%4<�z�e15�31u��L.���apZ	��:
Q�\~�|����<���I��?�[�v/�V	�N|�g��!~s���l:��8[{��T�(��F�T��U8&�j�:[����\�\\(5��]��U��u8Z]�q����.�k�/5�saMX�n�;����5��:������"p�t�N�q�I�Sp
mw��K�6g� ��Pln���L12�RO^��&����Po�]��4�����"�y�TV)V%�%,X_���?�;���M����\?�g��A���oY�x��?~�a������_M�T���Fv��e���=��z��+�����K/������/����$m���ix�k
��,�$���u^!��
G���
y�R4YW!L3Ws��A]�Pg�e�m��v�e�m��UXm���\�'�����]{V�1XsP�)��c�����2�z�z�.�N�cx�ex����4����}O���������_���A�����`4�%�<�u{4�&%�W�-f�E�N�uV�-O���Bg��Y&��	�j���p��!��."Xg���h6��z����FA����e���_o?#�p���4`�LC���^���]�k��E��yV�e��J��f�4���:���}�L��UL������\#M=��q����(w4�`!.�<�7����������tDg�*i�0Mu1����&�(��'�dN���,2��'������X�"�K�����"����+a���8�['+�6���������
���A]�qM%���&�d���{�2/#�K�j\��~[9��Q��$�$*��"�t\�Nb���������s��K?�s�����}��	����{OZ_#�#w��&Yu�}r������'
��ot�=�4��-�Bw�;��v�k����I��rL1�a7��������
&�h��q2��'���w��=���Y<���X1]�T����J��Z�����(��zDl��C-U��7��8�p�g�Uk��ZQ��D+��d�ZR0����6�<0�p�O�XF=<���{�\��������v���S�/�>z��g[����Kl?��6�����n�t��["�-X=
�l
W9�b-�Mq�A��sl�]
�k���t�p��~���� h��`��l��I6�Z�+y(Q	���ii�Yi\���&Y�&�F��]��d��(�i�6mV��"KV�$Ym�Qp%k,V���&���\��"���F\6�ng����f�x
�F��!�/�/�c�{��[}c�q��@?���[��v���4��+��zTyd�A<i
���T�����%����\&����T���e�1�	*R��DZ	|�lL�!��a'����x�x�g�;���y~�����|.�z��i���9�U��w�1��h����n�����mrx����_@��\������\�	�
'��:����v����&��Q^��'�x�����=
�����\���9����
��ppn�����rHb�E�ux9�E�@�d�2��N�k�u��o����t1�a�1�Vw��
���{�r��>	�<����Jz'2Zn-)�^U��e9��H�j���J5����H��+W��_w��}���r��)M?DZ�a]{��m#�����w��o�� ����-�I�u�<�L����)�e)�sr�LM�kL�������'������)�Q�9����q��e��9B���>W^~ni9_�?��0����J���3n1�j���e�����y�0��Y�nw���5�L������w�f�N�3�/������C����u������l}1rBH
����!riP����E�g���r�u2����q�3��Q�yH{TK|�*0&��R���X����#�|BI{�jx���z}=�=P����F������)��3�4��]�t��LGr����8��L��[H\e��5�<?;z������%57\�15��<v�
O��Dg��^��#]��;"mR�]R��������&Of��s��=�������
6�:��������S_xa���.X����p���
N+L���|)?�_����x�hDA4%YE�l��F��s�X���p��*.g0�dJ�)�����i�}DE�1OJM�{�\5le��]�Hzu����k��
NI�9���&[7?4=Ru�e�g��v�=�<�sa�c����{G��x�h%��u��`�<q������S��>�[w�M'������c:�p����8���kuY����c�a��=���	�e��x~�0�/+�2�6x��Qe��I�\������w�^��G��M�g����~4v�7�IN�DvIC���O�Nqg��<u'L�%|�t�u��p��`7�6���0�Mf�9�'~
s]��/�Rs�r�n������wq�$��2��
�8UfT��Td�'o��!�dl
{�.P��*��bS)`��S�EoK����������,Ux�~k����������/�����0���������F�������1�<�mf|
��ID�������o��_l��k�Twj�!`�����/2����m����l.��gO�O��8{{���)�S&T��j�k&,N_<!�kIo���?��~�g���mu:��Cd��o�S� ��5�n4�ath�\���z-���Q�H.�*�g�\��Xr���
'����,���<d9j9nIXx���2��Y�y�}�� ysO7��W?��~9C�.�
M'i�>��AM=N�3
������<�`��G%��1�������}p�����������w?z�����|�������ee��p��wa����������'���z���^TdPz��K������,�$R���������L���])��q�4�6�2��~�[������"Y�C���[�u7�sem��n
�)�g�coG B��y�����!�aO��Q��B�|��=�4����^D�7P�z	�9�����h?)`7ZS����
�&�� o�T���x
�T,~t��;}W�v�{���w�`oC���*��sW�l8����l���w<2r'��a�=����Y���;��y'�����,S�����l����,�/�/��&����bo�����u���O�>�������������y*��:O�o�OW@2M�
2�TGjL��9�K�KM�M�h?u��6K8�3$J�tV�O��U�Q���%I��X����
+o��e���%t�OW����;�
!��@����'��O{�2v!�OV�~&{'.<N����#������6�(�3"?���G�������o;��N�m]0���UKlo��������|�4��d��G�V�&�%\��I\bsk5]b� HH���������G7�V����a����.�-w/��l��w�vC�r�%!������fG��sx-��$"I|�WO������H��g�D-���[3a��G��@)-���V�a��D��3sK���L!YH�\����<�	3��U��5�HO�8*o�pO/v��V	�#�]�N��)8=��t����>�y�l������~ps��������7^�8^�|x/�aqN��������6|�������|��a����-��;+i�sQ�"gsR��^r/w����Q0��kH�[��7� b|q�~���0^o���+,]�k�F1�7��}~I-�����b��2z-��i�H�~�!���s���Gu���&���w�0d��W%@�
��p���^���F��JMp��}�>J6U�F��S�q��S������~~����=��f�
O<r��[�f��Gq*�?���gLY�����y�{��J��lG� p����6����x��`��]��F���`d���n��Dv�������* Nz�:N9H��
G��p�b��^M��/����;M�Q���l�5k��,����M�e�x����6vu�g��^}x�������3�4#�����FV��\����F��=x��������G�����kp��\g�T�J�a�X-���11-��@���bFV)r@����r
J���8
��
}9�����/�KI�� ���HD���z��l6���[�r=w��a��Ct�x��)���'�Y�n���������B���E���z����C���2�<�����Q�	�-���8K��EQ����G��L�juz�CXSh��!�GG�!��/��
@AQ&A�a��/)g��K��&�k�d���g,z���S��<��y�~�X4	a$�q���'� 4���x'�nu��u����]�
�Z��^�g�3*��������+�[��2Mz2��$:=.gQ]�;NM
YB�T�����rq�~�a�q�i��F\�_cXc\c���m��BeN���L�hh
�����22����x{���w=���p�#9{?8R�����	�YF=����� �C���sW���W��quk-n���}��������9�,6�^�D�% �c� ,a���;�����,OmO%��d�-0�<���&�J�O
�2s
�Yo��\��)��`�������bR,�-�Dr�%�8��= �=i�����4�;������SMI��<�7{��w�+��^���'���}X%��$q�����]
�L�,��t�?e�MFa�>�d�zm��|R*U�<*J�>"�����jju��������.omJ�7>��~���oU����r�����t��Sso[t�O�Yc�h��5Ga�u��\y������k{���]Y�s6���1��w��]�/,�{S���%3�\�l�%O�HgK<������g>��Q�(] �I|���O�`��'��L����B��"�"�E)�������)k������\�rX���C���_����L;!'d������'�R-��L������d����e
��k6 �;��K���Y?���}8�����:��v���S���*<�6�ov�+��O9��G��5�b
��^��4��9����0����F�<Rq{�
����b���G�mx�����xD���lK��p��MW���y����~��wA3-`+��R������%�]��Z��]�����!�m��rXsX{X��E��.IL6y�����	�b
m����FC��N|��.��d����5�������LH��m6���	���Z�~��`�Hf�	[,&���HL�(��b�K/��D"e!�����K��d9����Ep��V2��F��g��9���zKH+^���{6���`_	�4���$ct��J�F>��=0{�'��a���+;j��T��t�tQ�h�l��7%�����*�7�{���r��5����,� ��`z��^�&����r1�����g�
�����I�h@~.[�u��?~��������m�����Nrp���E3K���#��5�����$>�|�y�Q
�&���`�d��8SRx^���!�������s:])DN
Z�%�s=
��i�uE�2�
�R�%)79�&�;��li19 ���3��S-
��
o��9^�0�������h�����$��b�~���32I����N��o�S^��O���?t4~p�+8��p���o�E�]���?|!����?���������R�����}5y�Om���+,�R����~��;����H|�nP�F�{56N7=>�:�%���)W��4K��������>���,M�@��r�w����t?�w@}~]�GQ5�i��i@J�������L(/"O���w�[ ��yiY��Gh>kG��J�-�r�{��n�|�����5�/4���Z�v�����{HL��~��O
�F�1l|�4���y�%�rTZ)���#��I�������f��e��$T�f�3k��@��Zn.Bj���g5��2cA�9tv�0>V�
k�_��Z����:t?��
�6�Vr�
��8�
�J��*lD��J6i�
��-�,��5�A6J�T� �4E�9T(]��<�������U*�C+��TX@I��UXD5��*�'!�t6�II;��B�$��
��evN�����;�<���y�5�#�;�e��1X���0X`��)���Ra���-�>Pa���s�g�0���@��G��
���Ux�����#OH��G�?�0����
�d�
��~eO`���+{3�
�,��1���d�����=K�
'
l�~��v�����<�0�����`7���Bqr���R��}�cp&�/cp.�k<�jF�"
l�*���YAa������,9��b��0Z�B��a����1�u�NH}*�V��L��G�-�0��j��8S���d�z�Q�N��@��7	��S�&�P1k�
#��\cV�����0_R/Zy+`�B0i�jX�j���m�8L�k�h)�1:v�����(f��>{�'
i�8a�\�n�9�z�����E)�Zad[-�����i-C+=Qv��vDi#C�����.
>�h>/�[��y��*F���qa��Ry=Ig+��=)���u���
w���
3��x���V��Q�v"�KZ��z.�ic���������D��.����Z��"M���N��G��{�
+���"IF�V&YT�:�Z���E�+��FGv����`�6�B}��:��kQ����]GU~���q��Q��[�`��&�$O9�(�B����j2[a��F9OiC����m����v����G�j��iQ%5�
�>�3���R��Em�g��uN�����2����t������Z��u��������Qa��v��]#*u���D~?���j�Ii;������M�����u����Am�Zu�!��-�������������*���ET�1��Ve�r���Tj+3���!�+E:dF�����v���tO��N6R9�x���I��
*g:�n�l�SuK�;�c��`�s�����(�����k�d3�3J��'�a�����g�V��	W1���l`��2���'
���}�S���MQU��YO���q$�.g��]�y[X�9ISVoe��fZ�q��kw2�I�C���T�*����;����P���{+`w^�U�]Z����a����:uF��v�:�d
�Z�`2�p�`����3�Qp��V��~1����f��Qx�����Y{
�,����l�	j��g���	"�3i�~���c���(�Vi~NF��[�gF-�(�W�����?�f��mS���}4�Z*���U�7��������,�1�H��Q]�j�:������5��eFm��1�V5.<&���~����J��o���R����rN���^�zR	\�,����*g:����C��T�SJ�����o�<j��14������6���M��Z������EX�2��\���u3�FTO������b�8�6�.�$����q�H�89�w������3���:���r�u�|���2n��CG��9�.�U<�~Fq:��y�}�����*�W��[��s��|�O':'s�����Q���9a�CSN��{-���_�A���}n�(�V�G���C��o���������W��"j��m^�7��P���������r,�5Z��?��9*s�����wV��>�{Fg����D9����2��d�'Am"D����}K����E���)�G��P	$:j
��Mt�������f�+���������B-a�qyq[X������&yVWowWo�/��)w����������N&/�j��-QyN'��T^^4��yF{��0���/*/G�����3z#����������i+X���V,
�F��S����HKoW�kU��5��5�/f�.yqo�5��]+w�����{��#��po�U�t�}��d�<?�'�����U�
�Pg�n����
Z��Lp�����������ruoh}�s5
�N�v����FZ���C�|:{o�%���;[�@�����:��to��h(D���[�����|Y�K`�"�������;B��}��-�j�c@%��s�:e��H�
�w�
�-�h���
���-mrD����3,����12ttu����m��FZ����������H�[���X 3Jw�����}��P_t�
-���(]�r/�������@�WX���t��G��Q�}���)A%5JW	�vD:Fo�Z�6�o����FB��h��6���n��t��#����|Hnr�a�]g��C��a cgKQ������0���2�-
��N����3���JU�k�+�rD�Q3��O7��B�/���#��p��>*'p��0��D��1��jGhu��H'L�k�W��[#����F��^�u��������)zwoWG���������p������tu��u�v����#�"D^@��
����fC��[<�v������+���/�3�f��y���55�5s��&��6 �(�(�)O`�p�>F�oQ1v*���+7�����*m@g�G�X�p0���uzhuo8L%�@n�am!���T�`d�y������S���
��
�W
�����ku��0����������a�]�Q����)�Si�����C+A�BQ�����%�Lf7����Z.����D��|��2P��Ijm�P���e9�6�2�2�����#z X�����]U���#k�Z�e{$�F���rw�����U�eExU
�����U�G�WO8��
����TO����!G����[A��E��s���S<�d,@�97vF�3�-}�xLRw����e[���:����K��K gji��l���E�EE����&M*-����L.�2�|r�I�o��?*#���cz�j��SNC����p>gn�h�"�� �:m��=�n�'�!H���S������>����w���{���+��^��J��W��������w���{���+��^�����y��98��������	��N���7s�3	W���I|?�����V�6���2���=���p?�!��~���c��E�l��2|�g�Y8'�R�|�B�i�[!���ex���5�A:�z��s����7�b���bV
)��M����F��_���s�
mR��\0S)�����U<@K�����@�8���n�19�,#z�KF1H���-A��'3P���#�M}��4Y�g�I�|�l�G�L��2��l-�9�"�[��C�8�[x>&�k�	�W�WA�	�������%'�9�G�#��B����NH� }
IG>�\"���f9�� ��%�
��-�}��'���~5XV^|�
y�*��R
g�
��C���_N�
�����|�("o�$��
���dH�!5C������A��CzR���c��1�Az�;�R�|H96���������2rQ�$���
�+_'?g��P�A�yi0��f��	J	�B��������3����y!�*H� ��t+$-9D2[}6��9���s}��G�C
���@�d�*.����	v�
U�n� �����o�f��u�,�� ����f�y�
�l���lf��l�Z,����@��@��@���'����������������8�����Cx �����@%���
/H�A<��
�����U��.<�xD�@d��L< ���I�S��V��A�
��[`��@�t�tP�C���`�  �
�;��{r��zAEq����0�E`���8$�"���0	�v��*H+ ���$-`g��oe��BHU�V@����l;_@"�K��3lc�����y�?����`������[������%�Hr��N�Y�6������0!q�Hn!��T`�v��u��T��k0��oF2��� u�p�SQ��'#�@�R�%OBY<�]
�,��|�Al��������}�"~�}���<��A���������7�^-��������Px���~��n��{}W�b��*�l�Z/�+�E�����.����+}�(���W���W�`M�c���`y
����e�����K��p[0_�C������+����u>]�.Egl�$���A+��`�$�G�����h��i�3X"4'���,t�%qu�n�L\;���V��3��CX�`YL���c�:T�xflj^��.�0V�W����a7��4Bk��0����!��M�S��pal�|s
-s6����\�uU�*�tkym��d�j>�V]����u�bO�6��)�Hm��}��?
�_�����/�hl8�M��YH������uCx)�C2�������	iH�xH��{�,x��<QDY/K�)��hfM���L�����D��x���'+��8�k�5���Mg(^/��y
� /C�bCYz�PE�q�F����x��Q�	���o�3����i�-���q���	Cj�����X)��[���"�������p�����������K�r�=�_�-�Y��{y0\=8-8���n�3{~i�yk�8�V��o�l>����5��[��h�l�V]���5;8������o�-�����+�b���6��7�tH����NKw]�r�]���3�g�L�h��g�.�)�e�������zZz�A�K�������������U�V~��M}���J��w?�W���}��r���,k���Ak3=R�b��`�JV���6r�"m��m��"~���j����
��L��5r����L�b��8����p�(����9����7������_�T:���2
�DG�1�c�T�/����
endstream
endobj

20 0 obj
15949
endobj

21 0 obj
<</Type/FontDescriptor/FontName/DAAAAA+ArialMT
/Flags 4
/FontBBox[-664 -324 2027 1037]/ItalicAngle 0
/Ascent 905
/Descent -211
/CapHeight 1037
/StemV 80
/FontFile2 19 0 R>>
endobj

22 0 obj
<</Length 378/Filter/FlateDecode>>
stream
x�]�Mn�0F����t��`	!�$H,�����C�T�e���������c?����\�~�_���Y��`�N
���7L�j^G����F��m�i��6���Q�����-ls�����ip����G��qs��03K��`:��Sk��
�P������e�K���&����5L�U�Zs�(O���UUD`���]J%�N}��G��&I���@�����g���#K��LF�C>����� ����G��WI,���e�|!����Y��'�:s��X�W��Y�qN����_�?'�8�K<'����eX��%�N�2�I�2E^��?�������� �3��3<� ��b��K\o����M��;�[$4e�
����o���bUx�
dR� 
endstream
endobj

23 0 obj
<</Type/Font/Subtype/TrueType/BaseFont/DAAAAA+ArialMT
/FirstChar 0
/LastChar 35
/Widths[750 666 722 277 833 666 666 666 610 722 722 666 610 222 556 722
277 277 943 556 277 556 333 222 556 556 833 556 556 500 556 500
500 556 500 777 ]
/FontDescriptor 21 0 R
/ToUnicode 22 0 R
>>
endobj

24 0 obj
<</Length 25 0 R/Filter/FlateDecode/Length1 24080>>
stream
x��|y\[U��9���f�M$ainPJ�P�,K(�EJ�Vh�%��@h��Q�Z��u�qtZ��ujZ������quf�y��w\��.3Zu��,�=�������~�?��+�=�9�<���<���F��
�C����_���-B��6���3>��wR,�����������=��{����}:������������3"�s/�Q���o���khgu�D������������6/W�Dhf��{|[�N)�f���b��'���'NB�	�</��"�;�c���d�/�3m���?@Hy�a���J�fXN��Uj�V�7�9���bE���(�!;}��T.�����H=������&���O@>$?����8��F�^��G�P;B7��Y�'4�@���(���=?��a��:�$+�C?CE��x=�.�z�Df�z
�E�M�����Q-
������O|��^��4T�V�������c.T����@j�s���6�dT���h��0��<�=�U�N�����V��C�� z���~f��b��=���B9h

V
�{��a
N����Yw�����'��JQ
�G�p����z�
����Y��q
�s"e� �����E�iDkP+��8v��<��?9�W�F>@u9��_�z
���g��x^��x7����J�*f�WV�����}�=���}��3����}��N�N4LtMl��5q|�=����%��t	����U�tH�^���v���a4���c�W����p1�W�����}�>�_��dZ���b���{8��q����q4^1�c|��/&&^��db���gGP
������a����(�c���?��sj����8������r����8���������cx��)~��?�_g����12&��g
�Bf)��lgv2O0������k�������?3gM�>�l��������-�{�8���]���\.���{�{�{�����B��Eq��n�����H)(/T.Wv)�P�*��Y~��_�_�_�V!�K�:��N:�����G��?Eo����y/g�wbkC���7
�F����F&���(�}�Ag�a�c~����x7z,i����������r��X���|J�QZ��a�
po=x@������W�= ���9�c���	r��0�������}�a���R��1��"�����1:��1��Q���Ux�Y���O��=
�����J�����
�
�52���N����/Ut��!�]v1��$1O����D�^CK���}���7Z���}�3��� ���v
�[_��aqZ4d���G��`7z���{���c-�K�^n�_Q��O�<��!���1���|�ev�x'����]~�7���a���1�"@�`����&�oS��/��]�����T�s�R&mbjxQi��7!��[=����VV��)-)�]�),�w���������t���i�v�5%��d6	F�^���U�R
B�(����U�������E���A�oJGkL���qbb+E�cz
���^	�����X��
��z�{��%��u+�����,�NS���\m���t����U'�p�X[0�5\�Z���jj]�
MA>����(fu����y���~�~��@U,�UW���	16���[����.��l.���Z��-�\�cF7EA�t���6��m� 9�I��bx����Z��vW�oCS��5�=Ln��.f�z�6�����M���������H�������MSG��ln�5`.���ux
l��p��
B��(���z��z�S�����/m�����!���T���wQj�8�����U���}u��-hx����+�����L7��2��O�1
Qt5�L��\�A
b�_J�\p�
R*��������X;�!S��sI?�Sd.q�Kbw��dz�O�Qf_"�H(�������#z��� ��y�=� `�)s�	"T�>��	�5����N"��F��
�m+������ ���cZ����H�2�->�����=H3���*'��(�$�w����1��V�V�k��[e�6�����+c2K�mb�b�X:
��!�LM��
��T��Gy�"�������H*�5N�w�4:�9�E��i2�����������f�`.�iX�nxX3ml
����.q�p��otb[�K\�G�������[��8vSZl��f8D�[@�$��>
xt�~?�!C���H�����,��8��]�T�q��vD���6��U�X�R�LU�X�X�'���&�)
�8�O�=�O�}�D�����Y�o*N���o���w��Y�������m��uW']g��z���,�?�|�dH�81��,%��V+��#7���k
p��Zl��T+��J
���R��IV��d�j�~��a�2���XR��T�I:��#8��n����L��Q�e�GNh�fa�p�(��@�(~��6b��i7����
�67~��a���q�W�1���@��F��O���*�tUu�����JS��\�]0\~��I���7��E��n��Z�lIRR����<���Pa�3S�cl�+Jb�y�c��TL��S����t.������w������'����z��O�~�;&4��M�����M|��q� ������X_��5�Z�.;.�+=�J���N'W����<�9z���g�r�l�^S���v�k��F����b��$G*��)v�Zk�1����ygxDeN�Q���W��qM�����h�0#4���4��(	3?hq7~�rZ8
Z�,=��OWW�k9��P�6\.�D�<��J��l��������T�2s�����������qe*��ee%�$���2�bu�$)���I�������%���\q��B��������m�#9�|��~Az���9w����A������h����W�u���fWgZ�?r���5}��bY�%����6�/�\���1��e�����h���U��)�)�P�*�Px�O*�+&<��.�-�Z�7�\J�f�^�6��a�r���
�
b�j�]d���v���vWa�V�s����N���������:�y�eK-Cz9�,�P�]�k�Y.��y��	�3�^�S���#5d�e�vO�i��=-@��!
U����]Q���l��H����Bq��xo<�
��I���e�IU ;���P�>@������9�d��x��������.n&!���#U4�Jg��s.��O6=j:jR�2y���&�M�HVnub�lI�L����,V�HbF��v�������6�Q�����{�������HO���:�f�$5LQ'%��2�]]��I�2��Z�%�#��R�s`GK����=�0~����Jc�AX#}������������dQwL�|;q�-����v7Y�����~&��S�6�)�j��^�������\q����y=�j��]Wml�S>Kql�����}��vm���/���7�rN��w����
x=����oW��wh��5&�o��*��Z���;�;4���*U35��
~@������#T���dH����%�+T^	!����\
�EU$T�UX��K�=E��*s�Fk�i��)v�B�6��8�5����X�/�o����}��|$M���G��:�H��P���\�z�
Fa�*��TM�� ���^
\7�>sZ8��*7��n�8�������*�b�.�S0|;6�y�g68�W��B�F9��p����2����x��������Co?|��7w�>����x�j/�bm�0~���
O[ ��*~�R�s�N�s�,m%�N�;�
����,
�%�����H���X��`JIq!x�ATc��&���*S@q��6*0�1G���))MH�E�mxH5�XZ��@�������SS��������d�4L	c���q�k�^�BU�g��%I����y�W��_����g�x�a+����qn�7��b{9��g�{v����&���9���vk�4���e�G�s�]�Z0�:D(RF����V�f�d�����S�?ogs�|�`��T\���X363P�	/������U\Zj�i�y��
v�oupZ�(�}o�ET��2D��*�"�`�3�c����r���")�"�y�\�i!9�X��S$�������"�����J���E��w����e�Q��c9��=3�|������e��������Y�j|���q4_�I����w}������m�[�u7��DY���eDg��������nSsJ}�~�����?Xe��U�2f�7b�`dX-c4���F�gnOi���������I�����##
1�������$7����q��U(v�h��,��(B,,N9��-�)R)����9z��
��T	����qH��F���%I%<
�T�X����+�[Y��"O��+�q9o]60���_��_Kb�R�/����8��3�f�N�fj�(��;��:��d���;�w�8-�%"��@�$Xu\��d������C��l�.�����q�N�fd�2���5+ee��xV�#�W8fi3D���(�'���M"���W( ��*e�L��)�c��Y�(EHa�W�l��g%=��n<�2v����S�����
yJ;e�B��� ���j"-��-)D�H�5��%	�;�<H�R�'�B���9k]�v������rk�^<����~n[�%]3.�l�����W]�7i��.h����]f�Zt���w�Z������+]5������#f�c�����&�D��f�;�r��%o2*�&�q�s�����l���N.���

�D���t��f�<d�����T�m9�
�w
]6����&���2&����`����0hM���SQ��Trv�7��m����I	�%.Q��\��(S��<9T��
����Ld4[�1�h�����Pm��L����R!@>��bI_��e3�l�H1rP\������w���{����-�M�p��'�j��*�������;������g�,��l�}�m������l��r�@]W
�g�qkf_&�T�%[f���u�kg�u��[�Z�
��R��8�*�ovh�Fy<�(�i/�}<�G2s�R_������I�I��r������7�)/���~��/O|�������+���
��';n�]�c�|;.���_=2��#�>w��?��^���~����N�72�)�}�#(������a0n7�m�a���X�����4c�����7��v�y?7���B�|��$&m�����2i�Q��L8�4�c�f������Y�(s�HZ�������:vEJ����W�h$^(���B�
~I�,	y��������[�z�����������Y���n��iNn��
&�+.�b����1�7g�b�Z�_&*�GQ��f�G�����j�����f8[�zMN g�E��h�m�N�FU.%%9�j�h���\����X�Ff�Y������[��8,�-r,�^�tdm6����<H��+��a�X�Y_�r��ge��]������x�;�r�5���4�*h��RM��)�*�
�����[��c����A��=�=�FI�%�:����MB�v��TR�%�4�U	�����r)3�@P^�)���U���G����K�,���o�u�[�r�������~��mG��<#T���m���m*o5��gJYSy|������?����'}�k��+�������c��5?Zx���^~���������
Z:��Rr6"�5 �J�M&fCZP��zH��J���Xf�kq���eX��YE��$��������&anH��t���2*�X`#Id���[��@"��& ���/���P������?���p������45���Iz��w_���?��.] <<���7�p��mp�]��-������C��3j��Z��.f��~a�;����p�zJ��I�i9c�Zk�1��O< ���^H��5�C��VC�^}+DIA��W�������2�F}H�����{R�������o\��j�=8s�u-��n��O��I��1��&�_g��)9H<����x����O�������O������������������@ o#\�^k[sS������kvd���ya�L�BH���{�������_����K<�����o�Y�����~R}\=�V"�aX�0��������'�U*�|.G�;������
����6Xp��p^����WAJ�������������XX��_$p�E'����'�Zr�0����"�N�H�UF%/8�b������|����wU�����5��)w�f\^�c���z�A�x�����N����I\\�@��;���m0�dE��W�\w#�z��!�Wsk�
�&����@
P����R)�.�bJ��j���3���6!��b����51�b?�l�
�;�=���,���}I�Tz�Go��)�D�`�A��l-��f������%/�[oL)]����vs9cGZ���}�Jr���4�y������hbf�������Ii"�^\pA�R���� ��!N
��V�4�3�Z-�VkF���Vb���y�e�H�p�%J�_���%��G*?��DJF;B��W�-�>�_Gf���e�)�m��#���R*����Sur��:i��j������ \"[7}9r�&�:�5�8:�����R��Fa�:�Z��������Z�?������������sq���c���f��O2i���K}�����������e?W	���>�.�������R�1Tk��u��j��1�qpo��^2�+�)Y�j%�
{��>�h��	����X�AQ�\�U���I\�z9�k�;pzx��=�\�a;`m���G���[k�tq	ZO��"o5������]]���)�_:���,����4~��������g��c��nO�~�����7�U����i����c�3��y���/�f}7����{�=reH���������*
\��
�F��
|���1�w%/4\lPZ����������b..�T%7������6�Q��Z�:��P�F���`��W
M�W�Fc��n��8��S9b�Q�M_ �!A�+����'�P�#���OdO�!��tL�J���~��]/��l��[�������K/����k�k6�s��_?�kvg.���Lh��m����[����q��
�r�P���JL)�zu����Z��C����V��*�Zo0�'�$�b��P�,<o�4���UF�A�Q+UVL��`����iR�c��Q2��0�S�������uU��7��lJzwC{����:S��IQ�&C�m��������,�����[�v��z��1��\����p�.���ca�;��"��O��=�}���K�]E����s���V0���
e��W�#j�w��<~��RT���'���6�
\R��vq������������D-P_�<m������n���s���u0�B�����<��#$W�=������rf����
�
E�2K�[~?����W?�	j��^�K�=�O�'����28�uH�=��Y�� n����VD�9#?��d�<
m�t��d�E�$/�0�6V|�+Q:��0�N�WeX�r��2�F��a�p��^��6#�:��j�a����e6�
�+����;��2� �p���Lh�a��{dX
�^VB�z@�y�&��aJ2e��������������N�}��K,:���,�2l@��%�#\7X_�a�Z���
�����1
+	�mV�CjJ`��_ ��!�U����MV����a���*|�M2���%�07��a�oj��|SKd���L�A�iI2�M��a�o��d�+^'� _�C�:e�K��XCx��"���\�,Z���^'�s%������a���Da��r��a���0�hfa��g)�D�g�0�/����j�
���hK���2L�%>����d��?Na;]�y&��I�4��G&��p��3�0��eP�A���0���pY'�Y�a��N
����d���J��	��a.�(�0�?Baz��7e���C`���w�~7Oa*�S�A.��h5B}(�:�������F]n������%��
�0���A�b���
�
�������<	�D�
F�Q'}������*�S�
d������n�W��N�!Jg���"�������q`.�4wC��s��Ikt5��SJ&g��%�G�!�T@)�\X���a$O��5m��+}�:����y���}������N�t��]��2���=tE)}��"�	NT^u
�KD��|����\{wP������D�t&Y��4Iz�}��wa���mX
�o�R���7(kw
�`��T/�#]T�|@M~��0	RM^e?�Z���uD���(�r�oa�E,�����)������{M��_^�Gi#3{����.����(q_�T��~~Y��:"��G�(�J�?([C�,��M�j�t���|2��t7��0����	oH{���5En��%�����9��55r^�P������=���D�&u:D-;L9�M�J�<{�Y��t���kP>�d�
j�q.tPk��{'����O����5)���nJ��u"�{#�������&� ~c�L�O���zEQ��8������W�O,,(����]��#!(�E���V��>*+I;D�C�|� �Z7����'ic/�)�d�v�E,�,�J
��
��$�������&�7��������mt�~���i�@��?�Y����	;�n�T�P�F��E�D�:�]����5$k��Z6�=��*�J�KT�u�ttR����)����%N����L2����{������W��:�C�f��B�06b��%�B�5��R��]���
�
��J(@[����$�������H��)�,O�b�xjA��zIX��_=��$��"A=|i�j���yVSm��C��D�d'G�d�O��w�b���{��������'��'|�����h���<����7(���l��t�@�'km�w#�= ���D4������}�`�;d�$t:L�GT��Y�������2i�g��.G@��m�3JT�����W>��f�SM��������w��6��|4W����2�#����	��@���:K
9���sI��G)���
���w��(�b����x�v����(��K�'��S�v2v�kN�z��q�
M[o�����<4�'1C�+e����d���y$��jw��Q%�KV�'������C��D������l��s/sr�&�F���T����A���\9B�U����qh��F�hjv�_K?�^X������\Y��r��5�����g�q\b�o����E�$���az��NQ@�b�{�+��I
�n�����r���P��V
�$K�)B���� c��l)��rT�U���]�<d��^���G�����K���C}��? >*��
����P���P�/�E��^���_(������CW���IOD\��fWV@Q\(�tw�+��]���2	��5���{q����W�K��������k������X�m���H�#:KB������y������:�k�����P��<�t#�@8�.{�(��Y%.�E�qu�����P������H`��
+
B�a__�����X�
{;�� ��@\j����]�n_$����>q�������(�
�F=�����
W�q��=	v���������`O(��{|�@�����}~84�����+��9����H�#�����.1(/E����.���P���&0�B���H�/:�����?<T(RN�a�?��=0D&��A"d3"�@������
 ���	�&����H�5�L����%�	�R�ph,������$����3D����bW��8;�
�@��'v;����7�t___����&���Yb`�'�=$��"�;�d��`7eoT6����f�����f`s?!��O�/v����"*%zG@�QP
SXF��=�N��`/,���%����`���7D� �{��>_�(�@b4!��p�'DW+��F��z<����=���C=��hO��'J�����#/$��q�`�zt��e�/X\[�z����������KW��5W��7�/]���5����q���p�(��9L��(29s��8�'3�D�����$���:
���t_g8 �X(6��.�A�����N#�h� Q�.@8�� ���$]D���E�"N������Gai 35�@3#q�@��HL&�&���}m�a�h������^��C�S��d���#}
���'���T��\_{{��he�z�|������
���=Ar ���
���"��R}���Ap��m��H������
�����DIyeM���cq���������m����^�a�n��
�w��

���:��$�>��g��c�G'eL����8���������`_t.AX���@nEi�,�|vEAQiQ�Z��
:�f�.-����\,/�S9�R������HZ�<j�p���_����.�G6��Vt�,��#���:K�o��)��n�)�	v�=����3���W���8���� �q�+��_A��
��W���8���� �q�+��_A�?��w~+1�MB�J����($�'o��V��+�����N�����7i��4N���D�s���|��"	x�j����r��d���:ab�K�j9/W�UpSo�����o}�3}�;�����4gZ�r�>�z�A���^�_��O��7}����w��k���g���'��3����ScFW2{�����3x8T�2x6��"/����%�Q�6�jd���m�^�XL��ER��K�z�T��=#�[H{�H�\��7[jge_Y#0{��Ii��O5<W����{F�3�ij���HjZ��8� `<��$>����y�r�|VS�?&�-���FZV��CK�<�'�;-���IZzhYM�e��������>��O�O^3�����|,8�7{�(Vc��R�m�X�-/u���bxJ���|��\���Q�3��Q���<� ���4�lRyG�G�������zW�[��Q���G�+��x�ya�Oa�H����_����p���
����&9��8����)����/�=�8
X�p�:F9���7�<�5:nr��N9�8��"�vB��:�0i]�:G�8JvY*�]:`���z���������QR@�����aG��n�/m7K�-�T�3a�L�K�c�^�W���~�#�����+��5����e��9��"~�����wf�;3x���T�N�Q�TJ�bTHe!��&�aQ
�Rr��(,0�d���a��A�X��4���b'���M�}��5�5+����8fn@
���b��Q~be������o���-��cn�hu�(�������y�j���4RO\wss3J��U���*���h��)Ij��S5,:
Rn���\�����4m�;V5��h�`"��!v�*qC�Q�?Q_w��T�MG�|��~%�g����@4�~��G*�S�U<T��
������x�v^��\��"N���B��Hx�w��7������\�u�]��Z�(�1i�XEq8���(`*���EY0�R �&P
�N,��qH8z1��';���O`��]$���i�
�o�� �)B�<*w�}�Ci��/���������������F��,�.��.�}��vE�1�G(����PAMA
�%C����C�+.p����Ct�`�)tF����l��������/�Q��[��^��i?�����u��W��j�G'NH���YE:Y6���S�eD���e�x��	���M�`4��7E�G
endstream
endobj

25 0 obj
11942
endobj

26 0 obj
<</Type/FontDescriptor/FontName/EAAAAA+Arial-ItalicMT
/Flags 68
/FontBBox[-517 -324 1080 1024]/ItalicAngle -30
/Ascent 905
/Descent -211
/CapHeight 1024
/StemV 80
/FontFile2 24 0 R>>
endobj

27 0 obj
<</Length 325/Filter/FlateDecode>>
stream
x�]�Mn�0�����taH���R$�Qi��"c������V��y�=�i�aQ]*����U
��z�L��)-�zD��������� ��z�f*��Y�o�7�n��[x�����&6E�����/��By.4t����>7���V���y�z���}� b:GE�&�(p��A�I���,�����wli;��8/��T�4�=��I��c.�������9a�
9�z�|d���5�?3���%r�z����=�����dFo$����?9!s�3D�?%
�O��k~�?Z��������N����Y�Pw��J��.p���wbG�.��
w.��
endstream
endobj

28 0 obj
<</Type/Font/Subtype/TrueType/BaseFont/EAAAAA+Arial-ItalicMT
/FirstChar 0
/LastChar 23
/Widths[750 722 556 222 556 556 556 277 556 333 500 556 556 277 556 500
556 222 500 500 556 556 500 277 ]
/FontDescriptor 26 0 R
/ToUnicode 27 0 R
>>
endobj

29 0 obj
<</Length 30 0 R/Filter/FlateDecode/Length1 23472>>
stream
x��||T��������c�Iy��	!d�" ��)�&%�d��$�03
�VPk�Q+�X�b[�>[m�LP���)=}��k[m�
*=j����Z���Z{��T�������.�]k}{�o}��[{��
7E�.������O1(�@������7�W>Jd6w�w�����N��w�+�z;������b����nW�W�����4�����&��}fwo����H��{k�������B��F1��+�g����Y�W�\���g��������~�?p�2�D�^���>w��cY��o��'0�p�O4@#��d�@��$�a�hs�oQQ�M�ch��_>e�J����G�+Sk�g>}�2�]��������L�,��Ia��B+�zf�$2�H�&;�S#������B��"���k�|ZK��ZC�TI�D{�����Zz�y�Q�~�9i
�f+�G�bj?D��i�!V"�=�(��Fz�~Ga�Hw��J#����S��^b�e�9��������g��S�V*�6�1K`��u�Gh����'�?
&+���$�R����������*��G��'�u��J�j����LW��r6d\I7A���U�q9&��YB�����+���nx��Q�J��~%�t�����>���&�w�"��j&�������cX�'�~�bY:[����`o�}����t�>��f�����*��E��
?AY��	��R���Xs����;��i��������/
$#�:�!���L��_u���N�F1|=|�-�nh�5z���If`,��b*+fK��Ul��)���R��&?n�%<���+�������t=E��-z���T�,��
��ne���J��K�M���S�SyT��r�g���K�GauN��pm�N���u���d�����
v(ma��j�����g�'���a�;��"%K�H��H�*��s��F�W~AIW�����:=w������#\��N���q��9��
�FtmE=���;����>z�~��;"�c�|�WfD4�@�fgX.���5�l���`?co�c��DR���+GZ,]$m���>�N���]�����-�Z�L4�z����#�1�|���9��8�{���'\�X4"��s%T���^��m�|��v�FW���A�<N!:@�@�>��5z]��������4�3	�403.M�Bx�������v]��c7��p������}_b�f/�#�mv:��'UJB�F�2i3�-R�t�t������I�IoI��V9N���Z�K��<$�}�o��*YJ��R���\y	��4�2l1�n6�g�����������7��5E��MM��L?00�n
� � ��ie�vv�R �faiz?'�����Q	� Am�F�g��^�[~K~L��H��+P�^�g����l���s)�>D=����������b���T�A�y�tD2I��}xcm`)�g�:
�2��u��Q�g�E��W�
��M{���@�z�>�b�e�=���I��::%�Rp�J�0&K����������������o��5�3��%l
+���mx������q%�^B��G� j�����)�����_.���Q����/�k
�z��T	w&����Wc���P�x���	�""���Y������n����4_~P�%��_(*�3�W��WQ���P�%�P��1�(\NKi)kc�++i^��?�Z�o
�mh18�Wl5�M��z%��w"��s��5Z�n���������"D�q�v�n�
��^4.�+�����o��85T�[��>E�W!{r�?��b%���E~��Y*��f�nW��I?�\G� ���+��Y�&z�^E�$!����:��
^��C�����t�<���>c1l�?^g�D��L���r��\��V����<��a15�a�?�HXC5��G���Z�}�Z14��o3�r����J�Y���0Q���}�)b��i���R���T�3v5t:��+�_��l������E��y�������g�3�U���s�RS��g�J�����X��"#�&�A�%F����V5��T��+W��{��i�ASu3q�j�@Sgb:��y�S�tNb2��������v5�b�]e/n|k��E
p��w�8=����5�Z��`�����������W�#�ri82
`�`���%�3
HI���%2[ T0�^SL��p	���ZWG������������ �n���^�u�l����I�Q=\�Y��e�Jm���{�kSsPv�pq��	&]y,y�����o���&�&{T~;4t��{q���t�����J��Z�����~�
n�
-�AvX�\�����^�gZ/W��*{����pM�P��
��RS���G)�Vjj��+��-��9��hh��H�SM����;l��;�����{rM@�C��&-��D�U����B�f;tZ�;�Rj_
4|Zv;�O0��u������A�|�]:I���f����|�I� ���P��t8�99<DL��)d,��y��G�{��V�G����eY
����|����p�uq�v�R[Z�������W�&Vfo�+�&V&������;���9k��XkbBm�� K��e��^��^��f�v�U�m}��;m}������4I��4Y�"(7M"�����2�EPw����J1�����u���D���M����.1Lm��.s���`�����d�dI�M��"g���

������!�hxW�]�����ie�Pm��GG�O�����Jt�eyx�����\f��};h4��fg��2E����R�F�AI~�UR�K(�a�d���k�/o8��*[O�[T��7#�N���)���J�2��fo�vC7N�����#VJf���[L^��*-b������D� ��OQ�K)Q��1�f2�M������#�����Xo����5���$�<�w}��3J���!�1H�y�����\������O���������JL,.��^Z\�xqi\IV�=��`�tOb]�����K/J�_���g�e����_���??�n���W
���c\�"h�h4��uf~C����,/��C�"�"����&�K��H�)2�<g��>_�L��FYF���G�c#Q�����/����Q��3�V�dx=���9��9lN��X��g���}O����������l�������������L0;-fgR��Xt�2>-0��S#�3���b����������������2�Z	�m�����_Z"l�xqqQ"NX�����K���So1�w����
���������c�{*s22�,���=�����W�p���'��������!��A��6SlRl�c�q���I�#��%>��7�b�4��F����.��U�Z���.�@Y��(��P�W"�?���'�1�T�����"�fwPK}r�f�Q9����i�u���3.6�%����c��	�K���N��6��p|���7[?>WV��z|9%WT�w8���Y���l>_�����K��5{���MF��JK0��(,ZV�kvn��m��7�n}j�eW��8>����*G�\��
]>&=bO/X�~��,?������������+e���1�{6��S����I���\a��.�I�L��%���5�69��f�Q�L�(S�;��)Y��ff0G[�l5K�r�X�3�@�P�X��HJj,qQJ�����������r�q(�,G��@�/�1��|�����X�6	�8�x�%#}Iz\���+��z���l�;������f���$DHm���WSkt��YDdJd6e�����i���K���O�(KM���������TE�5-3�eF|l�+^bQA�����Qv��xU~^���1���:��8#cl	R���iT��{�L$#e�\v���47���esj����2X�AF�]���_�1�q�1��H�����B��s���H1��|�y��<WE��o�� j���I��I*F��14+Zlq���79�ep��h'���f8������p-7�0>��'qw$!>i�f�������&�?)�DT&&�q���a�+�U��*f-O�����=��W:4�V�������8m�a�����{�?�����.uT�59��+���k�cJ/}����c[b��4���{���.��zK���������2�)}��453�#���p�Q:�����xc}_j�;�����I�G�(���������g�(W?
�g\���7O��b����a�z���V(uA�
��Fu��a6�m���Q�~���u�3�4\"���(�������R�-�}?���dm���N�s:�(6n�K����a��5��B����������FJ�{H�M����)!>[�#�:�����F���l���o��gO�f�7��C�c(?�$a
�zL�\V(?�!`�#SZtX���v
1oL�U��J�]�&����:_�������NyO��M9)����t��l::i+t�M��a�L�a�7��:������s��0�;g��;7M������0������v����C:��\/�Hn��#:[�p��i:�P�#O��\����.
���w���
:��U�9�����N�6�M�a�<7E���<�:yr<��r��a�Jr5^���s���"��:�<�W���u1�w���ry���a��w��m�a����2y�������w��������O�f�<^	��uX������0�����^�;u��������0�����_�?�a�7LM4H���NrQ;F�~��D�n /��t,��q��{�=C�L������R��d*��J
L��1��O��-�2\���CEb�;z0���.�����������P��Si
���9�W	���}�9���;��%��R;.�R�*e��:���G���_����;�_�=��v���S�9x�Xx���k|�G[1�%���U����k@�������t� �
��~����k��S��K���A�/d�����E&-����e�����r��x;�T]�|=z����z03���'��Ts1s���y�V�qK�	�x�u�]�]&���6AY��n*?�>a=U��W]g�q�������{\��j!o���>aI?h�]���S�a���=�3.A�C����'���9�q�u?2�M�j �=�vm�kq�r��c����!d��'�����T��e��:q�3�j��/��8���MXD�Z���K����{���E�*��!�
a5������BA�}ZF�	�/�->����l��K�79�+���~�^=�t���>�����G�C�F�\��;aU-�����}2'��}:o����N�����������]��-����kq���O��3-��\�������
����Q���wM�+���%�{�|���f�F
�z����G��n�G�����;��_x~`F�piy�M���AQ�����.j]���{�:���#��5�V��C�tj^\Z�l�}��=��/^��0��hz=i{���j��B�R��H�^+x�kg@@_����"�fxq��K�t�4j�~��'�30;��|��~��}���Q�+_T����W������p������Z�i��7yF�O��?�q���DM���Y����C��3��b�gO��|�3�����q���j�Md��DN;w>�L�wO����'+��;e�|������D��:��k�}�S��*;!��O���0��-��t�.!�[��Z��8o��������6Q�=�����[��xN����<�<�j��*�eR�-g��W��[�=��N����u���'2`�b����~v�����v�|>*>�����
������S�K�nQ����[�~Fjg���|��i�3�V	]B�~aY�^E���U='�x�4��vtKk��v����/�Nb�����s�[�GT
�5}���y��7�T0Q��0�������9��I}4��Gw�^%5�kY����T5�C_��T|���sg��d����v��������������g��,����D�2������[?Og���>�G�Z�
�,?[Ox�u��;�.i���y���[�~7]"�~p�LP��O����d�������RE�wyx[.A+$�
���1��+%:��K���T�7
�8��������kgXo�<l�ww������n�����0�V{}�^�+�����=��j�+�:R
'�������������+�W+{z�u����_]���}��M�^�_]����������=�������e��}~��(i����i�y������!O��X������3v=�6�\�^�o����B]U�����}������a���
�YjS����3_u�u���{G7��')�J�.���{p��[���vx���^�����z������{�r�K<�
�O]��u��0mqQS��Y�������g������~�K�������)W{�:�Q�{����������������z��_�p�=]}��|U]P�1�h���
@��A�����u��>7��
��������^�how���=B4���6���uy�\=j���_�
c��p�:�����i���s�G�
�i8`R?M`H��}�y����}E����lwCI7�*�~���
m��l����a��+��[n�_��,�*���r��%d�C����rj;�=�����lt����
����W_�?{43#"U�������.�{A-�i��m�\�~N1�U���+��==\��h������ ����.��	Y�����RO���kq���n��z]]�+=}n�>72 �����
ME����{Z������&;��}
�5�;�_VP�c���^������@oOAo������-
�:���gd>_��w�{x$�-k�6��[U]��j�um��zUu����j���jkj�4Y"-�"w&���"
�:X�|��Zy�2���o�;�w�{��R��,�?��s�=0V�]]>��,_m��n��m�`axo�0���@��n��@-���N�eJ.X;��rkA�=;�N�<���zvN`](d��)&7v��]=����~w`��|u2�28�t�+!����������5WaE�]b���������B.��	��Zr�P=�^�����?��dyb��z������|@K3w/B��U������f2�X�9��B;�`��iw��t
|�����@����=8Px|^}�O���z.r�I!��S>���t�;�NV�<�����=A|\�ea��J*�KK�,T�,Z�WXRX��������_R�D]�������7��������<_�k�i�a�\_�����`��s�����s�(��Xu�O���:��
�Y�����������?�����D� :������@t���?�����D� :������@t���� ��N�C�78�j�Z{���9�~�������s�����[��xs��vg&������e9O��D@���a�Uq��N��{fb7�O�	U����p�=��vn}g`+6�\�@�V+K��B�W��E�o�����Ma�})�iX��rlf��?�Y�?co�V�����-���s����Gr���?���������p:��|���y����9���/�P��"�J�S��"Kw���	JL+�����K5`$'��He�BtMRHa��b�Hv~�G��������O�Xg��|z$6��Yi��B�h�aC��+���h��-����G"c���?A*�.��e�^�L�;�8����DN��Pl��w$TX�
#�����Y��������N6�-��0��\�?��3����H��h�����A86�A�J*���|
�	���b4>�e�UF��W��
'�M�����l�
�
H��?����}��.zV~O�J��uXI��g�>*@����DX�vWF��Psf�AFF���)�:B��y%b��|-���C���l��
�S��	�~����0b�)��������gX�����#YK��2K��
�$�m@o�?��?�!��!\�!\�!�������X9��
��_��h�V@r0�@fv�~�������l�0{�HD���P|�@�z$:���Y�Z�&A�WG�����o
Uv�$��
�	ED�tWi���+���w��	K\+,|��b�����Ht\�Nx�	�^���F;���	:4�4��#1�E���b��PL��Yy%T_)��24;C�|���������P�
^�f��fd�����������M�RP����z$2������9FL;���sFf%����J���d<������x��5!�!	���m/ZM�#��^G�Q1+/�N�)�&����#4	����6������l+���BphE�M��[�;�Z�v��EC��D��<��5T�~Z����v�+�B����J��D6�)��\�v�N�S�)�TvvZw�����s����.�w����F�G���#���5B����}��cp�����O
�5��Kvw��C��8���@������;��F�P�������#
'�Coy�����#y'�dgC���%[���d�1��
X[��-�W�)�&+6�@�@,(�Q�Q����(gTc�l�R���Q{��QcQ��A�������#����j�7�2�6�5m�S��iT>���^�Q���I��n
Y�����~��oE�/���dG_�!4;h�
x���F�x��������Q���~���$���9���L���fJ��>�d�3�fJ���Li�r�����UH����U�|U�~t
��!�+���"�^
��6���_@N����/���J��$�2E������L�+���.�
M��A����,�-�5*�	e�b���y�0G#)�E[*c�= �d�B{@hH�.<&����w�Vh���#�e8.�8w��h�E��
�W�q�;yDT@���N��" �gC���H{p�
(V��W:�$JL�qg���y�m���P���6��P� ����}(���^�K���>�e���n�W��a��2R��21��������L�����eZ���|?�r��MXHw�fX��a�_��2,?����a��a�8��:������E��{���q&��S��M�������>���Z��@g��ia���E_�T��Vb�[byZ�m�e�X�8 I�2�����r��!)=�0��PC%��P�:����P����)�
���&��a3�C9�b9J����`0�r�l�l<�c���P�\��:�a�$�Y��$�a�E����u~���(��e�P��(��PC�����}T��c:DN.{,���#��l�r21<�
��rl�u�c�^��v�
u��'�����M���]�%F�!
��B
�B���7�P�ak��E�P�1���
3D7��!�+����-�"�)[,o�RA��P7I'Ria��"5��?��*6,�8C9�@+�daX�Yny���ai(6fKB�����r�<�2!'d�<
$[�s!�y��Zi|'�J���S�*.���������NA1����'m�A��������3����l�fcx��AC����Q<����4~�I���Q�e{=����������f�eN��`��m4��m�a�m�;�l�w

?�������Q�a������r�og�r��7r tC�����km�@�M6�\[�Wl�gsFI6O�:[7��wg���s���TH���m�K���B�U�bae�:[$�B_� .��5�������m�<#�4f��|�|���kLm�&S�����t�<�,s��j�1G�#�f����%3�I�5>�t����e�����^�U�����
3Kt�z�~}Up��~�^\���/kf��-�>8�N�mj����Qy����^����T�T�����QFM��,�w����M���X�
������[[Z(q{ErE|y\Y]�Y�V���qL}��ws�w��o�pnK����-�������/�H���������y?��zj��y�]���K[�F
|����9�7MCc���./����a���Y+�6jH�����Y�@��oH���@0t�
h��s=-��
ge�RgG.��pV�X�xj9[[����#�<���zi�&m6e	YR6p�?����&6�b{_3���Z��n����������Tu�o���e���w���n��k�}�uxE�Y����
{�05�657;�5���vWM���k�n����I^K�=�k9�����mgY����p^�8�m�����~]�ol6SUK�&m��"�-�i�-U���r�:�'_���B��r���UA_�����KHi���M;})�����f��KVL���(�\���~|�
|`c�_�u��p��u ���y��Y}=@S�C�%���y���6�S���M���h����1t8<��x�O�Q����6���d�<&���O�cx�?�vO�������G�����
G����7��!���;�'/�%��Z$���
>�`B[�7n���<a�9�,�
>������^����m�?����0I��
endstream
endobj

30 0 obj
10555
endobj

31 0 obj
<</Type/FontDescriptor/FontName/BAAAAA+TimesNewRomanPS-BoldMT
/Flags 4
/FontBBox[-558 -306 2032 1025]/ItalicAngle 0
/Ascent 891
/Descent -216
/CapHeight 1025
/StemV 80
/FontFile2 29 0 R>>
endobj

32 0 obj
<</Length 243/Filter/FlateDecode>>
stream
x�]�Mj�0��:�,�E�l�;#()
/���=�,�A-	Y^���O�B�0��<�^����@�����QW�y�0��
�jPZ�G��Gh��p��d�����[�������GB_�B������as�4
�N��&��X�f��W���~������!���Ji�NH���H:�8t�+'h��^[�$����*N2�T<r]�N�n�������pI[�~��������r�V�=��.����3v�
endstream
endobj

33 0 obj
<</Type/Font/Subtype/TrueType/BaseFont/BAAAAA+TimesNewRomanPS-BoldMT
/FirstChar 0
/LastChar 5
/Widths[777 500 500 500 500 500 ]
/FontDescriptor 31 0 R
/ToUnicode 32 0 R
>>
endobj

34 0 obj
<</Length 35 0 R/Filter/FlateDecode/Length1 1164>>
stream
x��SKkQ�f�IS�h|.�D+��$}��� �b��(���
�3iPl���]�:!�����.�\�t���m�ER���I���0�~�w�=��9w\���6��J5.����������!\�������$�_���w��	@���2����#���e�]�#�$�����1M(>�1��j7=���l*�v���!�3�W-����>���u/��y1����[
"@�)����L,���%!t7D�)�~����V/��4�������3��gN�q�"Z����[�^s��k��;�V����5��^�����q����=������'"e�
��|��F���C.��K���pp5<cA{~��g�~��~L��x<�"�0������X����ez
�Q�����^���M�C��&�`	��-���&�)9�J����)/UT�r�����h����f��F��W�RMW��0@y�v*�)����@�����/�A��Q5���P��
�|]h08�X���$?�J���:W
���B��:��1L�S��B���f�4�������G���S	�\
endstream
endobj

35 0 obj
577
endobj

36 0 obj
<</Type/FontDescriptor/FontName/FAAAAA+OpenSymbol
/Flags 4
/FontBBox[-179 -312 1082 916]/ItalicAngle 0
/Ascent 799
/Descent -200
/CapHeight 916
/StemV 80
/FontFile2 34 0 R>>
endobj

37 0 obj
<</Length 222/Filter/FlateDecode>>
stream
x�]��n� D�|��C��CN���U$�Vq�
�R��5>���m�@f�"���%�7;�a���a�������(`������2��:�Z\U	y��x���q=�	���������[�����u
�x�Y�O5����5��a�G��Y=�!��QE;��WY���*����H����~�W�1Y�dqlrv;MT��
��96���
�qK��=��D�u��m�
endstream
endobj

38 0 obj
<</Type/Font/Subtype/TrueType/BaseFont/FAAAAA+OpenSymbol
/FirstChar 0
/LastChar 1
/Widths[500 1000 ]
/FontDescriptor 36 0 R
/ToUnicode 37 0 R
>>
endobj

39 0 obj
<</Length 40 0 R/Filter/FlateDecode/Length1 30340>>
stream
x���{|���8>3�������s�g��n��=B �'�"�p5��dI6d%7r!b���(XE��UK�
xi]�������W���m_y[,j�RK�V��;3����~�������c��93s���s��3�<�2�?F:�
qHj��=q�!��!ln�<(~|��L�O ������{�j@H�@H�xC�������
!C+B~Eg8���v�
��NcN'4��SB}�����W~���z�����z�B�z�uPWC}Iw���_�~��:�{B��f��=P?�Pay_����Qn��9�������p/B����0|��@��J�Z���
FS�9�b��NWJjZ�[�dx����#(���(���T��'�R,?I�hI>a�%��3��@���XDc����a'.F��>kyM����Fwc3�D6�-�<��-�������"tz(�4�.����^F�����1*G�
���wQs�;H�v -��Vb
�7�v����D?�����Y-�:�U�����Q.���-W?�nG�`E�-A�(�$����w�5���'��>�/B�����N�e��B����FxfZ���4�v�����7
��3�o�O!JF��S����R���/���.G�'�^�9�_��.�U������i��������k���C� �e0�zt=z
��}L����Eh��c��E���I��r
�:*����Ch/��F��g�s ����]l�)x	^�o�i'�r�q��_����EY �A�:���U,��E�_�{��>A��C�)����?�'_�D���������%�*�d�=4���Do���_�'����N� ���C�&d9�#w�G���e���|������[�Q��)c���};���k������`|��^V�z����~�~O����/�_�Y�M�N�}�c��V��'��'�0k/�9]G�M���_��1�6���'p�n� ���c�y���b~9���������E��]��xOy�r��?&s'�+�b��hllW�tH���!��C����D�8>���\����w��
x)�
��ux�������
`
D	�H5YEB$L���[�|����7�qr8�s^.�s������X� w
�${;��*�:w�{�;
Z����/��?��&\"t��!�y���������(\�TE��
�
���
�e��f���U��T�����q�L'�����4�##�<zX�������^�x�'�L)�A�*�?F[�O��@��������[�����?#�8x���Y�^��J����!�.>��{���7�
�8>����q9��~El�*�U�"<V�����|;���������.���	�i�
}��E��B�C�nx�x�[��o@����>�
��	�K�*:D#��\���
�AG�G���'=�����/����]����D��y��9����`�k�����nD��vt5x���������[����@�����G`G�E%�	|nCo�]�/��E�X;:�>���K`?�6����C��_(�A���}`��k��
��k��)V�n�(����{�"��s��P��l�����(���������3�'��~��c����6�_�4���
�>���xZ��k��?��
x.��$�n�ZG����?�����<��x-��)���sP#>�����S-C����3�	-��a�k�j@i�B�&(/�,>�D�� ���}�W
�o.���Id��QYl%��$�j�E���U�-/����rs����Lo�Gt��������jI6'���N�Q��
��Fyu��V1�k��>��E���
AChVCkT����q�b+C������RS���&�U���u^1��Z�8�/[���j��b�4��2x7��{<@ �9:k�(n����;w����p��oMX���j�j
���}�}
f���;H�JLE]�����[K9�rYu��h�������9?/�k������0j0T���*j�J6���A���yGw�2nB�[�vo{�kMQ.�L�H
���Q�U'3U�\��cvo
���iu��b�������77�@K��[w�����V�0���)�o�)E�������:��z�U{z;w^�
�q����[<�.�4?�\u���M^O�*���M=hA;WnsJ����������`�2�����}b�jX9-YL9�.���m"p���5��Yx.��6���U�4��kZw���vJ�L^q��X��������E��o���N�M
���h ���&��
��X�,?o�8���3�P��P#�6�<����P���z�D��hJ�E�>eI���(i�=G�z�kh����i�V/X�!v�FU��F�-��s^��Ew8��������&�ng�,������s��d(�\���")����42�4��|�S0�n�r`��
��QS��D���x�)��R5�h<~�R�b�L�2:/p~}�y�������_�GV_�s����zp@;w�{����;C��m�����s��'�w���N)t<~dWJ���fXD'��G*m
>a�h�!�c
�8������8�Q�1��*�#�����p�t G��I�d�2�������
`���y�<IY�a������%
}�D�(���]��w5���T�����H���_���"*��,����U��pDZ�
��%j��D��E��Ep�'��4��
`��r����	P
~(G����MPr��8+M�X=,��NO�'���G��97y;�
�2?
�Q9O u��T������j�MUUS���V�V�4�B	B��K�D2��8p��5D���8���dy����1����k�;���?��������Sp;�����-�}��
���p�`����(�mB������-�
[�h�P �|Mq����8��.M�+�G=H�:�����.o����zm������6�k�Q?�w�T��\���,O?�?�8�zE������s�O��Tc�UJIZ%CR�h}�����+c��*V�P�oI:���hh5������3%�K����41����D�O��TVJF�18B��	�^g6���1^kv@)ej������lp��K�M����=*Io��i���4��f��������4�i����-U)�Y�	�����4WMB�2�a��+
���S�g[6�2�t�+(��vZD����Z��
 �2�d�ha�$���Nj��$b�VN��@%N*��lB-
,(^��+3���yl���9�>�7C���`����������~��w]h�e~���_���xe�w|�����2{%�����������][�w�
c*�<EX�#c9�'rE��
&D�$��H�����?����-�E���I6\����>�
�u'X�����I������S�y�b�f�m��9�S�������\�R�7���R�T����0;r�rG���8Y�5"���r���tS��q�H:����|�����7U.==Y��e�M�,=M-�4|�����R�$i;�[�#�*�4�L���SZ�G������;�jY����\7�b,69q�A�\������7
G&��;�{�L�����'��,������k_k/�]�E%x���t�R�4�kI����Y�1������w^��pn������m�>�D�+����
���p���k�s��H�)�R���=|�D�2K�����R� �)edC�L�f~�I2���6)�mrQFi��h������<\�$h5"7���CM�CM�#9\A��)^��k��aC_�l���<*}��M/��r���f�n���u8��:�`�\��8�
tk��4���������u�^;gw����eS?l�M�[�$j'�w:
��s�m	�d=p���M88���B-����f�r�������!2|e�9s���'t�
��j
%B��2�~����
\JV��I�-z������w��/i�mX��>������K�JMZ������|����[n�$��������o5�f��+���~i.q�+��-��g���)]�@���G��"I�U��Iv�=�{,{�w����z1?��0��y�{N�I�"G�F����c��1�SV{��Z���v�����g��}u�z��rc�ga�2#��+��y�2��e�J�FHR{z�.##������tWZ�X7���d����]��2y���m�[��>��Sd��>��*O�P?1��I�'��������R
�xNF}�=�;3~����'C��yueO��F����������X=#+HK)��S?���V�
����b#�Yy��lL��>��u�����Z�C�J��k�`P�TV�S��KY9���F��o_��22�Fnt�]�U���{l���I�������a[����u[��i�,�l�A�1���<���)2aS)���cTW�P!U����r����`�����7�>	l�5���l �Sf?'�z��y��d�W�q"�0�M�����Ff���Zk�2fC����Bg�UPpTW
�������
�Yr��YxY6
l
�v!���xz)�����=m��Y����_���o�*;�i����"1��_hn:��[��0�rMvj�h�$5,X{��go�U�`���M��v,i���_F������}��onV4k��	~8�sju_��t2���Y��%\�n���y�Zma]K��d�*
p���c��0��F#r�F��BvS�C#��O>=q����\QD4s��+Z�]FJ2�KK�p>����P�����=�,���u�9i.��*t��
�;����!.��Nb����Kzy�������G����"�����Dx.K@*^p)	7���(��}P���@���B�����&'�|��S)V�,��C��h���=|J�i��V���@�N��&����km��=��=�=�q��7�o�o�N	���M�U?'��xI��NR��������5Z;��WZ*������b� ���z�`i�L���M Qu��
��8xL�#nI������1��e��������c?�����;�xwO�]w���M2n����W>�K�����=p`���zW�V��,2��u8mG1��}�7���"�/W�KI)'�R�5�-�Yks��q�\������R�����}��!�6��n���"�V�����~��n������X�T
�14�����D	>����DYL5����	T�n��M>���t8�9Z��AMV�t�\��b0�qI�J3=fg�������t�4yr�02y��E`�D�
��*S�,M�#��%��!�#)TPe��}*�����A{�'�b ^�@�,�l������=�Y��k��y�z����6�\���m������n��3|}��5�c+�~��'���
�����������r�V�����##�H����,���pT�h"i<�p��y�2Yi�'���@Xg*��f��{��k��1��h�v�:�<��
y�i7������,������lVd�����������{m������o�"���gfdz+�Ao���Q��B�n�_�q�~g�>�~���d�F�Wd(�N�So�x���yl_���b���{{�q��Q
�W��p���|��H��%q���#p�=
������0����U;>���]J��
J��U�����&bj�%%��3���%�aU�A$�m����a��
����b��D��,8��
�HI[�8&�M�~�P�)�)�vL2�+���B�����'t����8hJ���i��r���?��#S���0l4`�^-��k���n������[wl��Ql�ve�x��W_��0o.��:tK=� �&�]��7mY\�b.��v��^���g�Mme������v]�������K�!v���0b7�����/L�/�w�V
6!�4%u&	�dK�9��l�[/�S�5�UcCH������|R��j������Q`�c�A�g�#v ��fe�G���3Vlu���1�^~�@��\c1��U�aO���S��7�BzMH'V��A*4���������<-vJ\qQ}Oi�\�������&o'��/+�����a�`%�b]��&����
�&/J&� W��H��r����kS����7�������)*��oC6��d4L���r��dbAT���������J��/�������7�Y1�${�����+
�3^eV����	Lb�O4��<v
�n�X��mn�}�7���+6�$�V�������������S���mh��P&��/Su��qUAS�����IP0E')
z�N���
�>b�F8��3Ek�>�
�?�������g 2��o����r����s��<�,���������da��-�Y�&�O��6n��a��j:��Z���
�	^���%C�q?GTj��&dV=�3�a��S�����O����;N�Kzd#}��rz��ih��Tibz�^)3%�)/%�j1�m$���#mk��y�Ee���S�������^�]���c�����V���G�e�"�y�H�����2>�+I�$�Z����j���j2m�l7)}(W7����Kt=|�jCR�u����G��a���G]������=Z4�z:�>�|c���~~H{�?���j
gq�\ �m�����������m�`_��T2��SSfS6�f�0���l�=Nn�Lf�;We,� t���R�������Flt�8�s�Y�m���_�u?�$?��8��LIS��M�>}��F����4w��������,�����,/�n{���N]�z�����r��'�-ol]�lE�k������
a�^�`��o��p����g���X����_�+V}����Z'/������M=��N�]�d%sa����9�
�Af�$�Zz�=����O]0*�=�}�a���)�a�D���W����\���������������RU
�����E|���Y�Re:2��.�����79�O�?����RKS��1�8ms����io������L#&�1�>"�K	X��)���#Xg�k%�[W�#:�E��dA}�f����v����3}J}	�U��
A3��dU�$(�t��J��RZ��hR�a��
�`��U�
A�eR�t��-
+��������;wn3(��g����.�Ys2e�+x���}�7�|����psS�*���^~���KKc�\l�B��;��7�.]����H}�g��ml}��Fh">?E����\)
6�b��p����O�%p}~�k�0.;��BA�j������sx���������P�.���S@�9�5��[�o�j����+����[sG�����s�l����fmO�y�z�N3�3%���MO�zl�D2���I2UI��
����L�H����}~}Tw�����ou����~���[p�P_��3]
�q�0>���_�~-�����H3Z=Mw_;�&����h����r��R8��V�~�w�����_q�p��9
��+�/���&S�_����^�fO���|%�|���g{�����E.]����w����w���@��7�;�.��<��<�b��'~��A���'J������D}6B���>���p��zk�5�[��<y��N^��	Wj3���[U;/������_��Dl����3�g�(.�u,��k���>��5��h%�C�8x��-�dz0v��A�Mo*i���`�6B��v�

��&��|2\L98h)�[M�4����Z�����Dk������{F��S�95=h��]|'9������_RV��.��q�R��s��G#	X:���9&���k�l�_j:���-�U�TxJ���S�4��
}�
?-
Q������5��&t$~�����	��;�ms�n�IU��d'dfG�0?3Z�B=1Vs�'9�������Q�
b��7vsMV��[W,s.,[�u'��4��?'-�/�H��~��J
����l�D�-�h26��m���9b���������lz��k�������O~�zN�<7y�u�y������������r7,w7ov0��M����$5%H������TO[��AV���#�O?(���HT$
*��1>
��K�+1m�T���>��#E���w���7gO`��m9@A����=.����x@:�\���5����dh[�z���+�������������KV�����������/b��g��g������y�9��
�b���+�W�S�7�x��5
�BcW�4s��z#�s�pa�-�9�9���C�-��5�+�W:7�����yc�Bm��uF�*��a��N���A��,p�3��z�-+�d����X���/�������Gz8�_��GQ�Q�1��;��X�y��c���&��m��
���k�T8���:����g��k��H����S�=���7)	��py�w��?����Z��b,��7�W���7o\Q�|Q�!�1,��u��:u����~��o�L��-�lZ��r�@����.<��)GD"�jr��K�F��������d����;8�R��9��U#����v���v�>��QP-}}���� ���BM!B�x&x)�����5�*�^��������r�r�" ��"Z�,<��#S��������V�@������K�{b����$r��POR�_j�v��z�,�9��>����$oYiYV������_�X��K�������x������)o����+��z���c7�{e���7�J�(�(�I B9������1xq�(��LJ�<+����c^[U�������[�����'�
{�L�Z���:kS^��������������(�iK��
��������jAo-�S�9j�:�+�Y�n����7�a�~�>�S��t��c9'r(�0�:��y'G�C�pWA}��^�J��gzJ��FJ����$Jj���
wo4��I�ee�I�7	'��z��J���B[o*n�6����+�(B~�17-�9��P�R5�JH���_�wQ�����?g��������"�������R���A�Y}Gl��'p����L�����������
�>����fg�u ������5s
�s��v�]T�������v���������9����S���GW�Y�z��j��l&��[P�h��1B���,�~������|`'f'�Rn����I/1+1#�R� n��g�����
�������}L2�HXX
}�	��R0X��N�.>�������y�`s!����R1�b
R�RP� I�����N�$�t�Px�\�b�Hqw����������y�Wk5�.�x�`Q;5V����y������u��\X��G���E���at%?,�+��v���8T��[�-�
�
�[�7t����I����������������D�q�uI�2/�� S���f5
�����)X��(�z�d/jyA�/Sh�P^"�pH'j�C�:N�h�h�P)�����`�N�Q����Pe 8������	�FZHp���C"v�4�]����t����t9'��
������fJ�kv��9J�W�/(�
��I
cE�>qH+�+`=�F���s��ZIG[���h-�Y���NL��aG������A<pk�Eq�+Oc���ck����O�c�"2N�go��'�����z9{t@��#`�
�:�!�+47:
}f^�6��:r�.�#U��p'�R�R���&�M�"u��W������:�V���cf�lB>z�����l�#���IU8M�$�~�I�s)u��	l������M�!j�^^���dn3�FO��J�/��}R�������/�������X[�����b��J��y��4�d)��%uyEP�
��]����
	2��=~��,���B��P7��Jw�����S�A�g\����
v�+�b��GJ���EAa�J#��h�ZWZP�E8N������P�<�T:068
�$��_��
a��5���E�mj�>B2���������mS�o'x:p��w����4��
v��q��v8h�����Gp��
Q-5��J.U��#�����
~�\�r��-�����	��~�m�����d>�����xilL8��N"N�k����2�8Z�g�*d�
�J�)h�����1(��N���wx���*�F��k
1s.�K�����hup�?#e�����9�Y(WD��;�Z�4�$O�.��
z����A���/�Kz^�5i�4�5�f�IZ�Thy�9�)�s�6��+C t	D���;��]*KO��e�8���Y�;�\
�	v_��_�I��c�/�a���c���'��
��g��L���:[~>I��m�+����_���76�3V�M�T���~���q���P�wB�������u-�-C53����_��T@���T�o���j���/�T�j��x@ZI��Z��; ��t;�l�U���">	�Rh���i��
��nHw(��5P�H������
�A��XK��\r�{B����5J��F���Z}X���W��j�������f�7�c�5>j���t�O���g���W��J��J�g�j�qKM]�F��:�*����9F�a5�Q��J�9����#��a
9�7eX
��2�D?�O��
�H���Nr�k�9Q��h���2�C�Z�+��a�����z�j<"�	�
&�7-�a���0��L=2, ��JV�]��h�i��P��cV��$A�5$��D���8�����+M�����,F6�{8�<����G�y��?�`
�5��e�G6�O��v������.��T/�Oeta�3X�:G����p3XM��(�a���L�ag��~��0���+��_���~�?�a���2�u��a���2�M�T�A��S�A��7d�+���~�w1XCe�������5j�����a�g��k�^,���
��g�e�G��C6�qn�a:���Le������_a������?��l�vK�a�9V�(~N�~N
���E�)�&�P��]��r�cp�'��?9O3���*��ugR�y_��r���\*�\��|r|�SO��#���b�����\f?*���2L��QX���"��}��^r�a:��h5���Pu�j�RD�BZ�:���H�2���L��G�-]@_P-k�_�T8���VAO�����P&�+F�)B�2T�Z�����@�
xdT+a�
H�h3�����!�\��h���f���X��Z6��4�t����(��o��3�����(�l���Y|����&Y*�v��~���l�{���iE��A���u�3(���!�FF/"�o)��a�&��S�0�J�=�(�h�)��^�����[�)V���f\m��7"[o>�r/Z/s���t2)����i��YO�Y�*���	�$�����q2��<%�~�E��l�	��0��3�6������6y���Rv�)��071!}�qb����H�P�d}��t[�����O�`��f�YcbuS
����D6�l��4OeC��l��Y�@q{�X������%�&[����a�0�J���mr��4����e;��I���SN�>�e����fy�����~�#�H�0�h���Fd���+�0�!V�����.���mb��L���u��f���b��mH��z��K�d�����Z�t�Edv�}�'�H/�tGo���a������!2����0�u1�>�����(+�m��i��;�JY3��j������;]�|t����~!"
|a}m���CL����fm��)�R�n�^a�m����L�����IB����~��Fb7
�V6�=��L#!t�OpM�mc�3�����I����-�������L�b�����{(!�AF?����}�����������A��1�����5��0��
�l/u
�
P�P���:f	�Lc��;�0��nx�,������_�,�����F�z�/a�u��
rj�C$���R����6E�jfM�5q�=�O��e>c��^����G���z������l��m	{��G��e�s�������>s@���(�i�Hwk�<���e_�~:%���������),����M�3�1(���/$��]H%�5��.��|�r���y���e���#_HC~���%���_��/�<�����hf���= ��67��h���[����|��}�Jx����I6"�t����-���mS�RO��$�E�g������g��L������u�����������72m�>�N���^�M�P��������I�5���e���bW���1�y������X���e�M��h�	�'��j��6���/�����y��V���?�6���0�}��?kj�~����<:�}Y�	i��X���_��S}A��#ng�������s�O��{�F���j��	d�>����%B^�|�)!!�td
j�1���z�2\�J!Q�9��4���g����
� ��x�zK_�#�Ww����=���$�������#�=b_W[�X��
�`����!�2 .�
�����|�J
���.qedC����2<��n������v�O�9����i��p���`n���4���;��1�3�2�����V3����?���o{;�%�bxCd`0�n#=� ��Y%6�E��z�����@�������p'�L�k������2�),����#=(m��/��]C/��u�v�������HH\�i�����������)o�[��H����
=ybb�m��@gwoX����b[g�?���J�m���o]����za:���?��)F�����z��pd��������RS�F�@�Sm�����H����R 2I�n��@�����`7tQ��!�����1��X�����
�w��$�����A����-]�����:@g	�wGzF�F6��
�D	�GBzi�p'�\�w��Dz�
��a���>$v�8��0��'�����0���-�$����W�b��][DX��N�;���;(o�
y�6�X����4���(�CmT�bG/,F�E
R;����A��`��
3O�v�6��������������=2���B���=����P�(���`d�L���{�{�h���}�
����e�-h��.���*���3W�=�.D^@�M��p�������/��^�x�2qy�x����e�����W��-�[�Z��kVw�X��FELu��
�D/���b�!�5��"n���m��@�l%����(��_��6�����f ������(�c�Z�05�0(.L%�n=w�g��*��f(L��t����C�04��;j���SL�!O�b��Z��9�5Z�M] ��a6�ej�&�s�y����p[���W.�{��Q�P{{��Xe?��y�������/0�����$o���@�H�=���ap�C��"�t+!�n0T�T��EL�,��'b�X�1�8��6
��4�����=�
�e��@g�PW;�����p�]}i�4�>����l1��68�c����u���e,O��^�	
��kVUC��,���������5
�XT\B^^Z.��)�(��k��������
e��>��jX>$�����,���!���������v��s�rK���cv�����=���{�����k����W�
�zm��k��^|�����_�6����W�
�zm��k��^|������~m0�� �����D�%P&������������8k����������p~�������#���e�l�D�"V���w��~O�}�����������-��*�^��/���5�~./��
|�l���������/�'��@k�pf���6�g��_�xV;NB���`%�����]��7e�o����J�}y��_��<�}1�����=c&K�4��;fL.��M�]�AQn):
��^�v�
������	
�i%&���DH� qhr��$��k,�F��~�����1ZLc&GIc���a.�� /rs�@�e�iP����OP>�1��d�W�U������l��Z��R���!1��hvnI���������9�-q��pp*q7������FM����8%��6�����qT��d��Z_��Z���e���9���{Y.q=�0�W��"�m����z.}��>��m�v�[0�*����Pr�Z����r���oe����-A�>.A" ��m��*��h'�i'�f'�f'p�)@�7C���S�]���a��^�y�:
�`@fv��� 	�3 ;��1��r�5'34���PR�7��C"�����Q������7�H�}�j��������R�t&�4&�h��97��g��y��A�K�sV�\.!���(�G��1�E'�����TB�ga��!��� ����d�rA�"�
��Po�r�R(��z~�'�cP����mt����@���d��"f[Iuy���Ra�_C�	��(���yB��M��A�(�"eh>����G�Yj��ir"����(�Q%-�U���(Qk,t?K~@G.@������|�n�30&����4��ZC�M�, ����Df��h9d����{��&�%G��%�K�������}��%����>��DnE6,�9Dg�I����<��G�'aMt]m�|�A���1An��=��*rZ���@�
i�k�U��
����f-��� 
����>���>F�}@�}����>�R�E+P�E+�h�V�h�VFA�m�VF��@����(��(E#P4E#���B
	($F!
�PH�B
	($FQE@QE��(���(�EP
E��B
(DF!�"P��B
(DFa
P����(L@a
P����g�8
'��P�`'��P����P��d� w���@rH�
�1FrH�
�1 9�H�
�1 9&/}�	���\i+�m�(�Q�=
�G��(�=��k��E(�@eQ��E(��"
Q��2��
��a#@1#@1�(F��A��s����\��T\�6�����CV^����jt���D�X�
t+�B��F>V�x�Dnu��m��CZ��^HOBz��A�BzR��I�Q�\�W���y�������{O*�WO*N(�X�B����kA��|+�A� y��H�
��-�O�����G���\�|.~2������b�3O�|��&I�[�>���_��������9�q�l���P~� �}���T�R>�,Hn���MR�<�����<�D:���lcNRID����X���������Q����P<=�_��V���O�A�)���P>9�>	��OO�������;E�����G��pW����)�j�\����Q�Z@[1���"0��Q�\�(zsp:	e�L����;��E����b���*+P>cO�DKn�h7�X��O��������xK��x5�~+���l�w
��=Z����e��O��e�����Y�����������[���l�Q�u�8y\Jvos��O��K�!�JwK�����~����qy���\��u_�5�X�woqKn��B|���M�[��,�*I������6��|'I��3��������^e�2]�����*�����4*�J��UD�T�uF
�����
��<�M��$�w��Z���\iX�7D�����b��U�q�YqYT�.�QsjX�0:7�0����������b|k3�F�M��n�q�tC
�ibt��R&��������U�*������d�r>��4�����
�����5GK(Okn�^K���	b$���	b�Es��G�u+i;�W�h'X�
�����Z�D��d!E%�|@xZ�F�|���3<S���������p�:�p�g�Y8`1@[{��cX^7Q,��c9l �P���mn6�����3(Y2J�4J���38��%{
��
8������+��%�
�z���Z��6w:������k���!��������pt���^���t���hw��� z�nu����p�h�T\�
�6�UU6U�7���s5U^`�J:X����������UM���sUIUl�������*��~+��V6���i^h3�-�=1���&���
�
4Gu��Q=$��_�_M�`��.����.�5�=)G�
���I����h�(�����g�eM�T�R��:�?����"����,�g6&�����~���h6�;rC4wUCt�
��j�m����6�cm�����Q�x�NG����+i���$#�%�W��1WZI�s��B�{-d�e2<��E�/�c�e����uyJ�W��)-�����������G�F�G������}4�����```J6�����|�����G(4��/�z�kK3��G`�N)$�>��������L�:�	��u,��
endstream
endobj

40 0 obj
16516
endobj

41 0 obj
<</Type/FontDescriptor/FontName/CAAAAA+Arial-BoldMT
/Flags 4
/FontBBox[-627 -376 2032 1047]/ItalicAngle 0
/Ascent 905
/Descent -211
/CapHeight 1047
/StemV 80
/FontFile2 39 0 R>>
endobj

42 0 obj
<</Length 381/Filter/FlateDecode>>
stream
x�]��n�0��<E������UBH--��h��&�C
z����&�������a��/������8���� .p�m �0�^�#���������y����XA������b�7����p����Gu���m��`��((Ka��u���� ��mc�r��[����N �%����<�\k�QT���������r��g�|���Q�d�gE���c�
9aN�SbuD�x^!����8��w<� �97B>��T������#��S�S���gq}�#�?;!�������_Q���,�_����c�K���{����F1��R�������2�gxW��Sdu��3*����b��P���#�_����M��9�[���z�������8a}����/
endstream
endobj

43 0 obj
<</Type/Font/Subtype/TrueType/BaseFont/CAAAAA+Arial-BoldMT
/FirstChar 0
/LastChar 35
/Widths[750 610 277 277 556 333 610 556 556 610 277 610 610 610 666 610
610 610 333 556 277 556 277 556 333 556 556 722 333 333 889 333
777 389 722 556 ]
/FontDescriptor 41 0 R
/ToUnicode 42 0 R
>>
endobj

44 0 obj
<</F1 33 0 R/F2 43 0 R/F3 23 0 R/F4 28 0 R/F5 38 0 R
>>
endobj

45 0 obj
<</Font 44 0 R
/XObject<</Im4 4 0 R>>
/ProcSet[/PDF/Text/ImageC/ImageI/ImageB]
>>
endobj

1 0 obj
<</Type/Page/Parent 18 0 R/Resources 45 0 R/MediaBox[0 0 842 595]/Group<</S/Transparency/CS/DeviceRGB/I true>>/Contents 2 0 R>>
endobj

6 0 obj
<</Type/Page/Parent 18 0 R/Resources 45 0 R/MediaBox[0 0 842 595]/Group<</S/Transparency/CS/DeviceRGB/I true>>/Contents 7 0 R>>
endobj

9 0 obj
<</Type/Page/Parent 18 0 R/Resources 45 0 R/MediaBox[0 0 842 595]/Group<</S/Transparency/CS/DeviceRGB/I true>>/Contents 10 0 R>>
endobj

12 0 obj
<</Type/Page/Parent 18 0 R/Resources 45 0 R/MediaBox[0 0 842 595]/Group<</S/Transparency/CS/DeviceRGB/I true>>/Contents 13 0 R>>
endobj

15 0 obj
<</Type/Page/Parent 18 0 R/Resources 45 0 R/MediaBox[0 0 842 595]/Group<</S/Transparency/CS/DeviceRGB/I true>>/Contents 16 0 R>>
endobj

18 0 obj
<</Type/Pages
/Resources 45 0 R
/MediaBox[ 0 0 595 842 ]
/Kids[ 1 0 R 6 0 R 9 0 R 12 0 R 15 0 R ]
/Count 5>>
endobj

46 0 obj
<</Type/Catalog/Pages 18 0 R
/OpenAction[1 0 R /XYZ null null 0]
>>
endobj

47 0 obj
<</Author<FEFF00530069006D006F006E002000520069006700670073>
/Creator<FEFF0049006D00700072006500730073>
/Producer<FEFF004F00700065006E004F00660066006900630065002E006F0072006700200032002E0033>
/CreationDate(D:20081209133510Z')>>
endobj

xref
0 48
0000000000 65535 f 
0000072614 00000 n 
0000000019 00000 n 
0000001812 00000 n 
0000001833 00000 n 
0000004014 00000 n 
0000072758 00000 n 
0000004034 00000 n 
0000005917 00000 n 
0000072902 00000 n 
0000005938 00000 n 
0000008516 00000 n 
0000073047 00000 n 
0000008538 00000 n 
0000010157 00000 n 
0000073193 00000 n 
0000010179 00000 n 
0000012254 00000 n 
0000073339 00000 n 
0000012276 00000 n 
0000028312 00000 n 
0000028335 00000 n 
0000028525 00000 n 
0000028973 00000 n 
0000029268 00000 n 
0000041297 00000 n 
0000041320 00000 n 
0000041520 00000 n 
0000041915 00000 n 
0000042169 00000 n 
0000052811 00000 n 
0000052834 00000 n 
0000053039 00000 n 
0000053352 00000 n 
0000053541 00000 n 
0000054204 00000 n 
0000054225 00000 n 
0000054416 00000 n 
0000054708 00000 n 
0000054870 00000 n 
0000071473 00000 n 
0000071496 00000 n 
0000071691 00000 n 
0000072142 00000 n 
0000072442 00000 n 
0000072515 00000 n 
0000073465 00000 n 
0000073550 00000 n 
trailer
<</Size 48/Root 46 0 R
/Info 47 0 R
/ID [ <C4B47CF1C62ED46F939E826619662936>
<C4B47CF1C62ED46F939E826619662936> ]
/DocChecksum /6C5AA538634AA8ED700453539D3CDA00
>>
startxref
73794
%%EOF

Hi,

Thanks for explaining the architecture in detail!

If we want to include that as an option, yes. If it is "always on" then
no, not everybody wants that.

Yes. I also think that archiving should be optional on each servers.

The best way to implement that is to archive from the standby, not to
send the data twice. By definition the archive is more closely
associated with the standby node than the primary.

Maybe I misunderstood the diagrams? The additional flows to the archive
are actually all optional?

Anyway, I enclose a slightly simplified version of p.6 to allow us to
see the progression of file mode through to streaming mode. This is an
in-my-understanding version.

Yes, I basically agree with you! The only difference between us is
whether the primary also has to switch two modes (FLS <-> SLS).
I think that the primary don't need to stop archiving forcibly when
replication starts, which should be optional for the user. The user
who doesn't want to archive can disable archiving by using existing
mechanism (change archive_command & pg_ctl reload). It's more
complicated to switch the modes on each servers.

For clarity: the user can choose the strategy of archiving from the
following.

1) each primary and standby archives
2) only primary archives
3) only standby archives
4) no server archives

The user who don't want to share an archive would choose 1).
The user who want to share an archive and cannot accept any
increase of bandwidth would choose 4). On the other hand,
the user who can accept it would choose 2) or 3). I prefer 2) to
3), for multiple standby in the future. And, if 3) is adopted,
I wonder if we can get a base backup. Can we get it from the
standby during recovery?

I agree that is the way to do it *if* the archive is not shared. But why
would you want to *not* share the archive??

First of all, I'd not like to buy a machine only for an archive other than
the primary and standby. Meanwhile, if an archive is located on either
the primary or standby (which should we locate it on?), post-failure
processing is complicated.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

On Wed, 2008-12-10 at 14:51 +0900, Fujii Masao wrote:

Yes, I basically agree with you! The only difference between us is
whether the primary also has to switch two modes (FLS <-> SLS).
I think that the primary don't need to stop archiving forcibly when
replication starts, which should be optional for the user. The user
who doesn't want to archive can disable archiving by using existing
mechanism (change archive_command & pg_ctl reload). It's more
complicated to switch the modes on each servers.

Yes, I see that a manual change of parameter is possible. But it is
difficult to get the timing of the manual change correct and yet
important not to get that wrong. I don't want to spend the next year
answering questions on list about how that works and agreeing that it
isn't ideal.

We should have an optional mechanism that will turn archiving on the
primary off *automatically* when the mode changes. Maybe a third mode on
archive_mode to cater for this, but other ways possible also.

For clarity: the user can choose the strategy of archiving from the
following.

1) each primary and standby archives
2) only primary archives
3) only standby archives
4) no server archives

Those are all possible, but they aren't all equally usable as it stands.

In my experience most people do things very simply, so (4) is the common
use case. So it needs to Just Work.

We need to cater for a range of use cases, from simple implementations
through to complex multi-node cases. I don't think its right to assume
that everybody is implementing a complex use case and so we mostly cater
for that.

The user who don't want to share an archive would choose 1).

If we include a feature you need to explain why its there. Asking the
question doesn't mean that I'm opposed, just that I'm checking why you
think its important to have that option.

So, why would you want to run with multiple archives?

The user who want to share an archive and cannot accept any
increase of bandwidth would choose 4). On the other hand,
the user who can accept it would choose 2) or 3). I prefer 2) to
3), for multiple standby in the future. And, if 3) is adopted,

I wonder if we can get a base backup. Can we get it from the
standby during recovery?

That's an important feature, so we should make it "yes". (Can't
understand why you've built this with the archiver active on standby
node if this isn't possible).

People I talk to consider "low impact on primary" to be an important
aspect of this feature. Though if you forced me to prioritise I would
say making (4) automatic is more important than (3).

I agree that is the way to do it *if* the archive is not shared. But why
would you want to *not* share the archive??

First of all, I'd not like to buy a machine only for an archive other than
the primary and standby. Meanwhile, if an archive is located on either
the primary or standby (which should we locate it on?), post-failure
processing is complicated.

Are you saying that putting the archive on the primary is an option?

What is complicated about having the archive on the standby server?

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Simon Riggs wrote:

On Wed, 2008-12-10 at 14:51 +0900, Fujii Masao wrote:

For clarity: the user can choose the strategy of archiving from the
following.

1) each primary and standby archives
2) only primary archives
3) only standby archives
4) no server archives

Those are all possible, but they aren't all equally usable as it stands.

In my experience most people do things very simply, so (4) is the common
use case. So it needs to Just Work.

Agreed. All this talk about archiving and streaming working at the same
time is very confusing.

AFAICS, the patch as submitted doesn't work if archiving is disabled in
the primary. Which means that strategies (2) and (4) in your list are
not possible. The standby relies on the archiving and file-based log
shipping to work correctly. The streaming is just an extra thing,
shortcutting the normal file-based log shipping path to keep the latest
WAL segment up-to-date in the standby.

In the current form, is there any reason why walreceiver needs to be an
integrated server process? Couldn't it just be a stand-alone program
that connects to the primary and writes the received records to the
right WAL file? The only reason I can see is to reliably kill it when
the standby server is promoted to primary.

For a solution that doesn't depend on the file-based log shipping, I
think we'll need a way for the standby to request a certain starting
point for the streaming when it connects. When the standby starts, it
would first recover all the log segments it can obtain using
recovery_command, and then connect to the primary and request to start
streaming from where recovery_command stopped.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

On Wed, 2008-12-10 at 14:39 +0200, Heikki Linnakangas wrote:

For a solution that doesn't depend on the file-based log shipping, I
think we'll need a way for the standby to request a certain starting
point for the streaming when it connects. When the standby starts, it
would first recover all the log segments it can obtain using
recovery_command, and then connect to the primary and request to
start
streaming from where recovery_command stopped.

That was already suggested and rejected because it introduces a
potentially unacceptable delay in the start of synch replication - for
large databases this could be hours. (I should add it was suggested by
me and I now accept that it should be rejected.)

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

On Wed, 2008-12-10 at 14:39 +0200, Heikki Linnakangas wrote:

In the current form, is there any reason why walreceiver needs to be
an integrated server process? Couldn't it just be a stand-alone
program that connects to the primary and writes the received records
to the right WAL file? The only reason I can see is to reliably kill
it when the standby server is promoted to primary.

Reasons:

* integration: we have one service we stop and start, not two. We want
one log, one set of commands, one set of parameters etc

* cooperation: if wal receiver is a server process we can reasonably
communicate the current WAL limit via shared memory. That gives us
smooth flow of WAL between receiver and replay (startup process) rather
than a burst of activity each time a file arrives. That helps smooth
performance and minimises failover time. Without this we would need to
retain the concept of archive_timeout on the primary even when
streaming, which is fairly strange.

* code management

Other than that there isn't that much in it...

We've all read the stuff about how other RDBMS come with integrated
replication. We *can* make this integrated, robust and very very easy to
use, yet with flexibility for a variety of purposes.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Simon Riggs wrote:

On Wed, 2008-12-10 at 14:39 +0200, Heikki Linnakangas wrote:

For a solution that doesn't depend on the file-based log shipping, I
think we'll need a way for the standby to request a certain starting
point for the streaming when it connects. When the standby starts, it
would first recover all the log segments it can obtain using
recovery_command, and then connect to the primary and request to
start
streaming from where recovery_command stopped.

That was already suggested and rejected because it introduces a
potentially unacceptable delay in the start of synch replication - for
large databases this could be hours. (I should add it was suggested by
me and I now accept that it should be rejected.)

I don't understand that argument. If the standby is missing say 100 log
files, it's not up-to-date with the primary until it has somehow
obtained and replayed all those log file. It doesn't make any difference
whether it obtains them over the wire via walreceiver, or via an
archive. Until it has obtained and replayed all those files, it's not
up-to-date, and a failover would lead to data loss.

Or did I misunderstand what "start of synch replication" means? Got a
pointer to the previous discussion?

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

Simon Riggs wrote:

* cooperation: if wal receiver is a server process we can reasonably
communicate the current WAL limit via shared memory. That gives us
smooth flow of WAL between receiver and replay (startup process) rather
than a burst of activity each time a file arrives. That helps smooth
performance and minimises failover time. Without this we would need to
retain the concept of archive_timeout on the primary even when
streaming, which is fairly strange.

Does it actually do that? I can see comments suggesting that in
walreceiver, but I can't find the place in xlog.c where the startup
process does the waiting.

* code management

Other than that there isn't that much in it...

Ok, just making sure I wasn't missing something crucial. I agree it
should be integrated. What I'm actually worried about is that this
system isn't integrated enough, and having to set up the archiving,
pg_standby, and the synchronous repliation itself, correctly, makes it
too complex to be practical.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

On Wed, 2008-12-10 at 09:48 +0000, Simon Riggs wrote:

What is complicated about having the archive on the standby server?

If the storage on the standby fails, you would lose the archive, right?

I think there's a use case for having two identical servers, and just
setting them up to replicate synchronously. Many of these use-cases
might not even care much about write performance or the duplicity of
maintaining two copies of the archive. They might care a lot about PITR
though, and that would be impossible if you lose the archive.

Do you see a cost to allowing all of the options listed by Fujii Masao?

Regards,
Jeff Davis

On Wed, 2008-12-10 at 20:52 +0200, Heikki Linnakangas wrote:

Simon Riggs wrote:

On Wed, 2008-12-10 at 14:39 +0200, Heikki Linnakangas wrote:

For a solution that doesn't depend on the file-based log shipping, I
think we'll need a way for the standby to request a certain starting
point for the streaming when it connects. When the standby starts, it
would first recover all the log segments it can obtain using
recovery_command, and then connect to the primary and request to
start
streaming from where recovery_command stopped.

That was already suggested and rejected because it introduces a
potentially unacceptable delay in the start of synch replication - for
large databases this could be hours. (I should add it was suggested by
me and I now accept that it should be rejected.)

I don't understand that argument. If the standby is missing say 100 log
files, it's not up-to-date with the primary until it has somehow
obtained and replayed all those log file. It doesn't make any difference
whether it obtains them over the wire via walreceiver, or via an
archive. Until it has obtained and replayed all those files, it's not
up-to-date, and a failover would lead to data loss.

Or did I misunderstand what "start of synch replication" means? Got a
pointer to the previous discussion?

I think you just went down the same path I did before. (That's a good
sign).

When the WAL starts streaming the *primary* can immediately perform
synchronous replication, i.e. commit waits for transfer. The *standby*
has an initial lag before it catches up, whatever we do (as you say).

I suggested that way initially because it simplifies the mode change.
The mode change isn't really that complex, so I agreed we should change
it.

The two ways of doing this are/were:

1. (Initial suggestion)
* allow standby to catchup
* then connect and allow sync rep

2. Preferred Choice
* connect to primary and allow sync rep
* catch up

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

On Wed, 2008-12-10 at 11:52 -0800, Jeff Davis wrote:

On Wed, 2008-12-10 at 09:48 +0000, Simon Riggs wrote:

What is complicated about having the archive on the standby server?

If the storage on the standby fails, you would lose the archive, right?

As well as the standby itself presumably. Either way you need to restart
from a base backup.

I think there's a use case for having two identical servers, and just
setting them up to replicate synchronously. Many of these use-cases
might not even care much about write performance or the duplicity of
maintaining two copies of the archive.

Yes, that's what I've said also.

They might care a lot about PITR
though, and that would be impossible if you lose the archive.

Agreed, yes we need it as an option.

Do you see a cost to allowing all of the options listed by Fujii Masao?

I haven't argued in favour of removing any options, so not sure what you
mean. I have asked for an explanation of why certain features are needed
so we can judge whether there is a simpler way of providing everything
required. It may not exist.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

* Simon Riggs <simon@2ndQuadrant.com> [081210 14:58]:

I think you just went down the same path I did before. (That's a good
sign).

When the WAL starts streaming the *primary* can immediately perform
synchronous replication, i.e. commit waits for transfer. The *standby*
has an initial lag before it catches up, whatever we do (as you say).

I suggested that way initially because it simplifies the mode change.
The mode change isn't really that complex, so I agreed we should change
it.

The two ways of doing this are/were:

1. (Initial suggestion)
* allow standby to catchup
* then connect and allow sync rep

2. Preferred Choice
* connect to primary and allow sync rep
* catch up

Call me think, but I'm confused... In sync rep, there *can't be* any
catchign up do do... i.e. if the "slave" isn't accepting the WAL the
master "stops" doing *anything*...

--
Aidan Van Dyk Create like a god,
aidan@highrise.ca command like a king,
http://www.highrise.ca/ work like a slave.

On Wed, 2008-12-10 at 21:02 +0200, Heikki Linnakangas wrote:

Simon Riggs wrote:

* cooperation: if wal receiver is a server process we can reasonably
communicate the current WAL limit via shared memory. That gives us
smooth flow of WAL between receiver and replay (startup process) rather
than a burst of activity each time a file arrives. That helps smooth
performance and minimises failover time. Without this we would need to
retain the concept of archive_timeout on the primary even when
streaming, which is fairly strange.

Does it actually do that? I can see comments suggesting that in
walreceiver, but I can't find the place in xlog.c where the startup
process does the waiting.

Not yet... we agreed it would do that a few days ago. This thread, Fri 5
Dec.

* code management

Other than that there isn't that much in it...

Ok, just making sure I wasn't missing something crucial. I agree it
should be integrated. What I'm actually worried about is that this
system isn't integrated enough, and having to set up the archiving,
pg_standby, and the synchronous replication itself, correctly, makes it
too complex to be practical.

I'm worried about the complexity also. If we didn't use the existing
archiving mechanism we'd need to invent something that looks just like
it.

If I could get rid of pg_standby as well, I would. I've got no qualms
about chopping stuff I wrote, as long as we do it for a good reason.
Keeping the parts of the old model that make sense means less code and
less process change for existing users.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

On Wed, 2008-12-10 at 20:04 +0000, Simon Riggs wrote:

They might care a lot about PITR
though, and that would be impossible if you lose the archive.

Agreed, yes we need it as an option.

Do you see a cost to allowing all of the options listed by Fujii Masao?

I haven't argued in favour of removing any options, so not sure what you
mean. I have asked for an explanation of why certain features are needed
so we can judge whether there is a simpler way of providing everything
required. It may not exist.

I was trying to provide a use-case for maintaining the archive on both
primary and standby, i.e. option (1). My understanding was that you were
asking for such a use case with this question:

"So, why would you want to run with multiple archives?"

Regards,
Jeff Davis

Simon Riggs wrote:

When the WAL starts streaming the *primary* can immediately perform
synchronous replication, i.e. commit waits for transfer.

Until the standby has obtained all the missing log files, it's not
up-to-date, and there's no guarantee that it can finish the replay. For
example, imagine that your archive_command is an scp from the primary to
the standby. If a lightning strikes the primary before some WAL file has
been copied over to the archive directory in the standby, the standby
can't catch up. In the primary then, what's the point for a commit to
wait for transfer, if the reply from the standby doesn't guarantee that
the transaction is safe in the standby?

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

On Thu, 2008-12-11 at 09:44 +0200, Heikki Linnakangas wrote:

Simon Riggs wrote:

When the WAL starts streaming the *primary* can immediately perform
synchronous replication, i.e. commit waits for transfer.

Until the standby has obtained all the missing log files, it's not
up-to-date, and there's no guarantee that it can finish the replay. For
example, imagine that your archive_command is an scp from the primary to
the standby. If a lightning strikes the primary before some WAL file has
been copied over to the archive directory in the standby, the standby
can't catch up. In the primary then, what's the point for a commit to
wait for transfer, if the reply from the standby doesn't guarantee that
the transaction is safe in the standby?

The WAL files will have already left the primary.

Timeline is this in my understanding
1 [Primary] Set up continuous archiving
2 [Primary] Take base backup
3 [Standby] Connect to primary to initiate streaming
4 [Primary] Log switch and, optionally, turn off archiving
5 [Standby] Begin replaying files, initially from archive
6 [Standby] Switch to replaying WAL records immediately after streaming

So sync rep would turn on after step 4, so that all intermediate WAL
files have been sent to the archive. If we lose the Primary after this
point then all transactions are accessible to standby. If we lose the
Standby or Archive, then we need to replace them and re-run the above.

The above was outlined on thread "Synchronous Log Shipping Replication"
and pretty much all agreed on 18 Sep.

Recent changes I have requested in the architecture are:
* making archiving optional on primary, so we don't need to send WAL
data *twice*.
* allowing streaming/startup process to work together via shared memory,
to reduce average replication delay and improve performance
* skip archiving/de-archiving step on standby because it's superfluous
(all on this thread)

All of those are fairly minor code changes, but reduce complexity of
solution and significantly reduce the amount of copying of WAL files (3
copy actions to/from archive removed without loss of robustness). I
would have made the suggestions earlier but it wasn't until I saw the
architecture diagrams that I understood the intention of the code.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Simon Riggs wrote:

On Thu, 2008-12-11 at 09:44 +0200, Heikki Linnakangas wrote:

Simon Riggs wrote:

When the WAL starts streaming the *primary* can immediately perform
synchronous replication, i.e. commit waits for transfer.

Until the standby has obtained all the missing log files, it's not
up-to-date, and there's no guarantee that it can finish the replay. For
example, imagine that your archive_command is an scp from the primary to
the standby. If a lightning strikes the primary before some WAL file has
been copied over to the archive directory in the standby, the standby
can't catch up. In the primary then, what's the point for a commit to
wait for transfer, if the reply from the standby doesn't guarantee that
the transaction is safe in the standby?

The WAL files will have already left the primary.

Timeline is this in my understanding
1 [Primary] Set up continuous archiving
2 [Primary] Take base backup
3 [Standby] Connect to primary to initiate streaming
4 [Primary] Log switch and, optionally, turn off archiving
5 [Standby] Begin replaying files, initially from archive
6 [Standby] Switch to replaying WAL records immediately after streaming

So sync rep would turn on after step 4, so that all intermediate WAL
files have been sent to the archive. If we lose the Primary after this
point then all transactions are accessible to standby. If we lose the
Standby or Archive, then we need to replace them and re-run the above.

Between steps 4 and 5, there's no guarantee that all WAL files generated
after step 3 and the start of streaming have already been archived.
There's a delay between writing a WAL file and when the file has been
safely archived. If you lose the primary during that window, the standby
will have old WAL files in the archive, the most recent ones in received
by walreceiver, but it's missing the WAL files generated just before the
switch to streaming mode.

Recent changes I have requested in the architecture are:
* making archiving optional on primary, so we don't need to send WAL
data *twice*.

Agreed. I'm not so much worried about the bandwidth, but it's a lot of
extra work from administration point of view. It's very hard to get it
right, so that you eliminate windows like the above.

As the patch stands, if you turn off archiving in the primary, and the
standby ever disconnects, even for only a few seconds, the standby will
miss any WAL generated until it reconnects, and without archiving
there's no way for the standby to get hold of the missed WAL.

* allowing streaming/startup process to work together via shared memory,
to reduce average replication delay and improve performance
* skip archiving/de-archiving step on standby because it's superfluous
(all on this thread)

All of those are fairly minor code changes, but reduce complexity of
solution and significantly reduce the amount of copying of WAL files (3
copy actions to/from archive removed without loss of robustness). I
would have made the suggestions earlier but it wasn't until I saw the
architecture diagrams that I understood the intention of the code.

To make archiving optional in the primary, I don't see any other choice
than adding the capability for the standby to request arbitrary WAL
files from the primary, over the wire. That seems like a pretty
significant change to walsender: it needs to be able to read WAL not
only from wal_buffers, but from files. That would be a good idea for
performance reasons, too: currently if there's a network glitch and the
primary doesn't get acknowledgements from the standby for a short while,
XLogInserts in the primary will block waiting for the standby after
wal_buffers fills up. That's not a big deal for synchronous replication,
but in asynchronous mode you don't want network glitches like that to
stall the primary.

And of course it means changes in the startup code as well. And we'll
need bookkeeping in the primary of what WAL the standby has already
received, so that it doesn't recycle the WAL segments until they've been
sent to the standby. Or alternatively, the primary needs to be able to
retrieve segments from the archive, but then we're dependent on
archiving again.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

On Thu, 2008-12-11 at 11:29 +0200, Heikki Linnakangas wrote:

Simon Riggs wrote:

On Thu, 2008-12-11 at 09:44 +0200, Heikki Linnakangas wrote:

Simon Riggs wrote:

When the WAL starts streaming the *primary* can immediately perform
synchronous replication, i.e. commit waits for transfer.

Until the standby has obtained all the missing log files, it's not
up-to-date, and there's no guarantee that it can finish the replay. For
example, imagine that your archive_command is an scp from the primary to
the standby. If a lightning strikes the primary before some WAL file has
been copied over to the archive directory in the standby, the standby
can't catch up. In the primary then, what's the point for a commit to
wait for transfer, if the reply from the standby doesn't guarantee that
the transaction is safe in the standby?

The WAL files will have already left the primary.

Timeline is this in my understanding
1 [Primary] Set up continuous archiving
2 [Primary] Take base backup
3 [Standby] Connect to primary to initiate streaming
4 [Primary] Log switch and, optionally, turn off archiving
5 [Standby] Begin replaying files, initially from archive
6 [Standby] Switch to replaying WAL records immediately after streaming

So sync rep would turn on after step 4, so that all intermediate WAL
files have been sent to the archive. If we lose the Primary after this
point then all transactions are accessible to standby. If we lose the
Standby or Archive, then we need to replace them and re-run the above.

Between steps 4 and 5, there's no guarantee that all WAL files generated
after step 3 and the start of streaming have already been archived.
There's a delay between writing a WAL file and when the file has been
safely archived. If you lose the primary during that window, the standby
will have old WAL files in the archive, the most recent ones in received
by walreceiver, but it's missing the WAL files generated just before the
switch to streaming mode.

I was presuming that the synchronisation was clear, but I'm sorry it
wasn't. Sync rep would begin only *after* the last WAL file was
archived.

Recent changes I have requested in the architecture are:
* making archiving optional on primary, so we don't need to send WAL
data *twice*.

Agreed. I'm not so much worried about the bandwidth, but it's a lot of
extra work from administration point of view. It's very hard to get it
right, so that you eliminate windows like the above.

As the patch stands, if you turn off archiving in the primary, and the
standby ever disconnects, even for only a few seconds, the standby will
miss any WAL generated until it reconnects, and without archiving
there's no way for the standby to get hold of the missed WAL.

I described earlier that archiving would turn back on again if the
replication ever failed (with correct synchronisation).

All I've asked for is the ability to turn on and turn back on archiving,
yes, with synchronisation so its safe.

Personally, I think people will laugh if we tell them we decided to ship
all the data twice and couldn't see another way. That's the kind of
thing people give presentations at PGcon about...

* allowing streaming/startup process to work together via shared memory,
to reduce average replication delay and improve performance
* skip archiving/de-archiving step on standby because it's superfluous
(all on this thread)

All of those are fairly minor code changes, but reduce complexity of
solution and significantly reduce the amount of copying of WAL files (3
copy actions to/from archive removed without loss of robustness). I
would have made the suggestions earlier but it wasn't until I saw the
architecture diagrams that I understood the intention of the code.

To make archiving optional in the primary, I don't see any other choice
than adding the capability for the standby to request arbitrary WAL
files from the primary, over the wire.

I don't think that's the only or even a desirable way. We cannot allow a
build up of WAL files to occur on the primary.

Making archiving optional isn't the big deal you're saying it is.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Hi,

On Thu, Dec 11, 2008 at 7:09 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

Recent changes I have requested in the architecture are:
* making archiving optional on primary, so we don't need to send WAL
data *twice*.

Agreed. I'm not so much worried about the bandwidth, but it's a lot of
extra work from administration point of view. It's very hard to get it
right, so that you eliminate windows like the above.

As the patch stands, if you turn off archiving in the primary, and the
standby ever disconnects, even for only a few seconds, the standby will
miss any WAL generated until it reconnects, and without archiving
there's no way for the standby to get hold of the missed WAL.

I described earlier that archiving would turn back on again if the
replication ever failed (with correct synchronisation).

All I've asked for is the ability to turn on and turn back on archiving,
yes, with synchronisation so its safe.

Personally, I think people will laugh if we tell them we decided to ship
all the data twice and couldn't see another way. That's the kind of
thing people give presentations at PGcon about...

OK, I will add such archiving feature. My new design of archiving is as follows.

Primary
----------
I extend archive_mode as follows and make the user be able to choose the
archiving strategy on the primary.

- always
The primary always archives the WAL. This is compatible with current (<=8.3)
archive_mode = on.

- none
The primary always doesn't archive the WAL. This is compatible with current
archive_mode = off.

- standalone
The primary doesn't archive the WAL only during replication. If replication is
not in progress, the primary archives the WAL. That is, the primary switches
the modes whenever replication starts / ends.

[FLS->SLS]
When replication starts, the primary disable archiving *after* the switched
WAL file is archived. WAL streaming doesn't need to wait for disablement
of archiving, so the processing on the primary isn't blocked by starting of
replication. But, both WAL streaming and archiving would be in progress
for a while (until the switched WAL file is archived) after
replication starts.

[SLS->FLS]
When replication starts, the primary restarts archiving immediately. This
also doesn't block the processing on the primary. But, this might cause
loss of some files from an archive if archiving is slow on the standby.
The primary should look for the last archived file (by the standby) from
an archive and restart archiving from the subsequent file? Of course,
the primary cannot archive it if it's already removed on the primary.

Standby
-----------
I would add new option for achiving during recovery into recovery.conf
(recovery_archive_mode). Though this option is similar to archive_mode,
merging them would confuse the user more, I think. Or, I should merge?
And, do you want to configure the archive command only for recovery?
If so, I would add new option to specify the archive command during
recovery (recovery_archive_command).

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Hi,

On Thu, Dec 11, 2008 at 7:09 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

On Thu, 2008-12-11 at 11:29 +0200, Heikki Linnakangas wrote:

Simon Riggs wrote:

On Thu, 2008-12-11 at 09:44 +0200, Heikki Linnakangas wrote:

Simon Riggs wrote:

When the WAL starts streaming the *primary* can immediately perform
synchronous replication, i.e. commit waits for transfer.

Until the standby has obtained all the missing log files, it's not
up-to-date, and there's no guarantee that it can finish the replay. For
example, imagine that your archive_command is an scp from the primary to
the standby. If a lightning strikes the primary before some WAL file has
been copied over to the archive directory in the standby, the standby
can't catch up. In the primary then, what's the point for a commit to
wait for transfer, if the reply from the standby doesn't guarantee that
the transaction is safe in the standby?

The WAL files will have already left the primary.

Timeline is this in my understanding
1 [Primary] Set up continuous archiving
2 [Primary] Take base backup
3 [Standby] Connect to primary to initiate streaming
4 [Primary] Log switch and, optionally, turn off archiving
5 [Standby] Begin replaying files, initially from archive
6 [Standby] Switch to replaying WAL records immediately after streaming

So sync rep would turn on after step 4, so that all intermediate WAL
files have been sent to the archive. If we lose the Primary after this
point then all transactions are accessible to standby. If we lose the
Standby or Archive, then we need to replace them and re-run the above.

Between steps 4 and 5, there's no guarantee that all WAL files generated
after step 3 and the start of streaming have already been archived.
There's a delay between writing a WAL file and when the file has been
safely archived. If you lose the primary during that window, the standby
will have old WAL files in the archive, the most recent ones in received
by walreceiver, but it's missing the WAL files generated just before the
switch to streaming mode.

Yes, since such standby is unsafe, the user must not promote it to the primary.
Then, the user has to stop the standby (don't complete recovery), restart the
primary and restart the standby.

I was presuming that the synchronisation was clear, but I'm sorry it
wasn't. Sync rep would begin only *after* the last WAL file was
archived.

Agreed. In order for the user to confirm whether replication began or
not, we might need to log the name of the switched WAL file.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

On Wed, 2008-12-10 at 15:06 -0500, Aidan Van Dyk wrote:

Call me think, but I'm confused... In sync rep, there *can't be* any
catchign up do do... i.e. if the "slave" isn't accepting the WAL the
master "stops" doing *anything*...

In normal/steady state, yes, you are correct. But there is more...

The simplest way to configure standby would be to freeze the primary
while we setup the standby and then go straight into normal/steady
state. That could mean hours of downtime for large databases, which is
unacceptable in a feature aimed at increasing availability. So we need
to allow the primary to continue working while the standby is setup.
That then creates a log gap between the LSN of the primary and the LSN
of the standby, which must be resolved.

So the catchup occurs during the transient initial phase when standby is
catching up with primary before they continue together in normal/steady
state.

Most of the architectural discussion over last few months has been about
the need for the initial state and how to handle it. Most of the code
complexity also.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

On Thu, 2008-12-11 at 19:19 +0900, Fujii Masao wrote:

All I've asked for is the ability to turn on and turn back on archiving,
yes, with synchronisation so its safe.
(snip)

OK, I will add such archiving feature. My new design of archiving is as follows.

Primary
----------
I extend archive_mode as follows and make the user be able to choose the
archiving strategy on the primary.

- always
The primary always archives the WAL. This is compatible with current (<=8.3)
archive_mode = on.

- none
The primary always doesn't archive the WAL. This is compatible with current
archive_mode = off.

- standalone
The primary doesn't archive the WAL only during replication. If replication is
not in progress, the primary archives the WAL. That is, the primary switches
the modes whenever replication starts / ends.

[FLS->SLS]
When replication starts, the primary disable archiving *after* the switched
WAL file is archived. WAL streaming doesn't need to wait for disablement
of archiving, so the processing on the primary isn't blocked by starting of
replication. But, both WAL streaming and archiving would be in progress
for a while (until the switched WAL file is archived) after
replication starts.

I'm OK with that, but that is slightly different from what Heikki had
said in relation to the point at which sync rep begins on primary, so he
may have a different view.

synchronous_replication means "if we a standby server has connected to
us we will wait for all WAL associated with a transaction to be
transferred prior to commit". So there is never a 100% guarantee that
the transaction is safe, just an "if possible, 100%".

So this implements the equivalent of DRBD Protocol A and B. Do we have
an option to allow the WALreceiver to fsync the WAL file after a commit
is received, which would make it equivalent to Protocol C? If we don't,
I'm OK with that since it reduces performance so much it isn't a
practical option in many cases.
http://www.drbd.org/users-guide/s-replication-protocols.html

[SLS->FLS]
When replication starts, the primary restarts archiving immediately. This
also doesn't block the processing on the primary. But, this might cause
loss of some files from an archive if archiving is slow on the standby.
The primary should look for the last archived file (by the standby) from
an archive and restart archiving from the subsequent file? Of course,
the primary cannot archive it if it's already removed on the primary.

Standby will always have kept enough files to allow it to restart from
the last restartpoint, so a gap in the file sequence is unlikely. As
long as we archive the WAL file that contains the last LSN we
transferred before streaming failed. That conceivably might mean we need
to write a .ready message after a WAL file filled, which might mean we
have problems if the replication timeout is longer than the checkpoint
timeout, but that seems an unlikely configuration. And if anybody has a
problem with that we just recommend they use the "always" mode.

Standby
-----------
I would add new option for achiving during recovery into recovery.conf
(recovery_archive_mode). Though this option is similar to archive_mode,
merging them would confuse the user more, I think. Or, I should merge?
And, do you want to configure the archive command only for recovery?
If so, I would add new option to specify the archive command during
recovery (recovery_archive_command).

I think if you really want two archives or archiving during recovery
then this is desirable to avoid confusion.

Explaining all this in the docs will be fun. :-)

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

* Simon Riggs <simon@2ndQuadrant.com> [081211 05:45]:

On Wed, 2008-12-10 at 15:06 -0500, Aidan Van Dyk wrote:

Call me think, but I'm confused... In sync rep, there *can't be* any
catchign up do do... i.e. if the "slave" isn't accepting the WAL the
master "stops" doing *anything*...

In normal/steady state, yes, you are correct. But there is more...

The simplest way to configure standby would be to freeze the primary
while we setup the standby and then go straight into normal/steady
state. That could mean hours of downtime for large databases, which is
unacceptable in a feature aimed at increasing availability. So we need
to allow the primary to continue working while the standby is setup.
That then creates a log gap between the LSN of the primary and the LSN
of the standby, which must be resolved.

So the catchup occurs during the transient initial phase when standby is
catching up with primary before they continue together in normal/steady
state.

But "catchup" *has* to be *done* before PostgreSQL can enter "sync rep".

So, if I start PostgreSQL in sync rep mode, without any capable clients
to rep with.... But I'ld rather be buggered there then find out tonight
at 3am that it was in sync rep mode but wasn't really doing sync rep,
becus I'ld messed up something somewhere (firewall, config, password,
anything) and ther ewas not "caught up" client at the time, and I've
just lost a days' worth of my $$$$$ transactions...

Most of the architectural discussion over last few months has been about
the need for the initial state and how to handle it. Most of the code
complexity also.

Well, for me, I'm quite happy with a "restart/stop&start" being a
necessary "downtime" to move to synchronous replication. This way, I
could see a "setup" routing that looks like:
1) Current "production" DB does normal backups/PITR/WAL archiving
2) I setup new "slave", which involves
- restore from backup + wal recover (pg_standby type)
- Could take days+++
- Oh well....
3) Stop production
4) so, now slave is caught up...
5) Start "production" now in sync rep mode as master
6) start slave in sync-rep mode as slave...

So downtime would be limited to the time from the old postmaster
shutdown to the time the slave has replayed the last WAL and connected
to the restarted postmaster as a sync rep slave...

Or am I way too naive to think that a small downtime to "switch" from
non-sync-rep to sync-rep is acceptable...

a.
--
Aidan Van Dyk Create like a god,
aidan@highrise.ca command like a king,
http://www.highrise.ca/ work like a slave.

* Fujii Masao <masao.fujii@gmail.com> [081211 05:25]:

- standalone
The primary doesn't archive the WAL only during replication. If replication is
not in progress, the primary archives the WAL. That is, the primary switches
the modes whenever replication starts / ends.

That scares the hebegebies out of me... I'm doing sync-rep because I
*really* *want* *my* *data* .... *always* ...

I want sync-rep because I'm going to get even *stonger* guarentees on my
data (and, if hot-standby works out, load balancing too, but thats not
*my* primary desire for sync-rep)...

But I'm sure as hell *not* going to throw all my eggs into that slave's
basket and do away with my WAL archive... Would anyone actually use
that "standby" mode, and if not, why compilcate the code for it?

a.

--
Aidan Van Dyk Create like a god,
aidan@highrise.ca command like a king,
http://www.highrise.ca/ work like a slave.

On Thu, 2008-12-11 at 09:27 -0500, Aidan Van Dyk wrote:

But "catchup" *has* to be *done* before PostgreSQL can enter "sync rep".

Not true. Please reread the thread where Heikki questions that and I
reply. This was Fujii-san's idea, which I now agree with.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

On Thu, 2008-12-11 at 09:37 -0500, Aidan Van Dyk wrote:

* Fujii Masao <masao.fujii@gmail.com> [081211 05:25]:

- standalone
The primary doesn't archive the WAL only during replication. If

replication is

not in progress, the primary archives the WAL. That is, the

primary switches

the modes whenever replication starts / ends.

But I'm sure as hell *not* going to throw all my eggs into that
slave's
basket and do away with my WAL archive... Would anyone actually use
that "standby" mode, and if not, why compilcate the code for it?

Sending data twice is not a requirement I ever heard expressed, nor has
the lack of ability to send it twice been voiced as a criticism for any
form of replication I'm familiar with. Ask the DRBD guys if sending data
twice is necessary or required to make replication work.

If multiple people think its a good idea then I respect your choice of
option.

But I also think that many or perhaps most people will choose not to
send data twice and I respect that choice of option also.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Simon Riggs wrote:

On Thu, 2008-12-11 at 09:27 -0500, Aidan Van Dyk wrote:

But "catchup" *has* to be *done* before PostgreSQL can enter "sync rep".

Not true. Please reread the thread where Heikki questions that and I
reply. This was Fujii-san's idea, which I now agree with.

I think the confusion here is about what exactly "sync rep" means in
this situation. It's true that you can start streaming the WAL before
the standby has fully caught up. But from the client's point of view,
there's not much point in streaming the log *synchronously* and making
the client to wait for the acknowledment from the standby, if the
acknowledgment from the standby that WAL has be streamed up to point X,
doesn't actually guarantee that the slave can recover all the way to
that point.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

* Simon Riggs <simon@2ndQuadrant.com> [081211 10:03]:

Sending data twice is not a requirement I ever heard expressed, nor has
the lack of ability to send it twice been voiced as a criticism for any
form of replication I'm familiar with. Ask the DRBD guys if sending data
twice is necessary or required to make replication work.

If multiple people think its a good idea then I respect your choice of
option.

But I also think that many or perhaps most people will choose not to
send data twice and I respect that choice of option also.

Well, PostgreSQL has WAL, so we've already accepted the notion of "send
data twice" being useful sometimes...

But I would note that the "archive" and "streaming" are both sending the
data *different* places... or at least, in my case would be...

And, also, I know WAL archiving isn't necessary for replication to work.
but it's necessary for me to sleep comfortably at night ;-)

I'm just suprised that people are willing to throw away their
backup/PITR archiving once they have a singl "live slave" up.

a.

--
Aidan Van Dyk Create like a god,
aidan@highrise.ca command like a king,
http://www.highrise.ca/ work like a slave.

* Heikki Linnakangas <heikki.linnakangas@enterprisedb.com> [081211 10:09]:

Simon Riggs wrote:

On Thu, 2008-12-11 at 09:27 -0500, Aidan Van Dyk wrote:

But "catchup" *has* to be *done* before PostgreSQL can enter "sync rep".

Not true. Please reread the thread where Heikki questions that and I
reply. This was Fujii-san's idea, which I now agree with.

I think the confusion here is about what exactly "sync rep" means in
this situation. It's true that you can start streaming the WAL before
the standby has fully caught up. But from the client's point of view,
there's not much point in streaming the log *synchronously* and making
the client to wait for the acknowledment from the standby, if the
acknowledgment from the standby that WAL has be streamed up to point X,
doesn't actually guarantee that the slave can recover all the way to
that point.

Quite possibly a terminology problem.. I my case I said "sync rep"
meaning the mode such that the transaction doesn't commit successfully
for my PG client until the xlog record has been "streamed" to the
client... and I understand that at his presentation at PGcon, Fujii-san
there could be possible variants on when the "streamed" is considered
done based on network, slave ram, disk, application, etc.

a.

--
Aidan Van Dyk Create like a god,
aidan@highrise.ca command like a king,
http://www.highrise.ca/ work like a slave.

On Thu, 2008-12-11 at 17:07 +0200, Heikki Linnakangas wrote:

Simon Riggs wrote:

On Thu, 2008-12-11 at 09:27 -0500, Aidan Van Dyk wrote:

But "catchup" *has* to be *done* before PostgreSQL can enter "sync rep".

Not true. Please reread the thread where Heikki questions that and I
reply. This was Fujii-san's idea, which I now agree with.

I think the confusion here is about what exactly "sync rep" means in
this situation. It's true that you can start streaming the WAL before
the standby has fully caught up.

Yep.

But from the client's point of view,
there's not much point in streaming the log *synchronously* and making
the client to wait for the acknowledment from the standby, if the
acknowledgment from the standby that WAL has be streamed up to point X,
doesn't actually guarantee that the slave can recover all the way to
that point.

I disagree. This morning I showed it was possible, given the
synchronisation I outlined.

There is a slight relaxation of that in the current proposal, so you
need to take that up if you see any problem there.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

On Thu, 2008-12-11 at 19:19 +0900, Fujii Masao wrote:

My new design of archiving is as follows.

So far I haven't asked about running multiple standby servers and don't
recall having seen this mentioned anywhere. Forgive me if this was
already mentioned.

The idea is that we would be able to have multiple standby servers
connecting to one primary, yes? It would be useful to have sync
replication work that it must get an acknowledgement from at least one
standby before it continues.

Or do you think we would stream to just one standby, then use the
archiver (primary or standby) to keep sending files to allow multiple
additional standby nodes?

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Hi,

On Fri, Dec 12, 2008 at 12:15 AM, Aidan Van Dyk <aidan@highrise.ca> wrote:

* Heikki Linnakangas <heikki.linnakangas@enterprisedb.com> [081211 10:09]:

Simon Riggs wrote:

On Thu, 2008-12-11 at 09:27 -0500, Aidan Van Dyk wrote:

But "catchup" *has* to be *done* before PostgreSQL can enter "sync rep".

Not true. Please reread the thread where Heikki questions that and I
reply. This was Fujii-san's idea, which I now agree with.

I think the confusion here is about what exactly "sync rep" means in
this situation. It's true that you can start streaming the WAL before
the standby has fully caught up. But from the client's point of view,
there's not much point in streaming the log *synchronously* and making
the client to wait for the acknowledment from the standby, if the
acknowledgment from the standby that WAL has be streamed up to point X,
doesn't actually guarantee that the slave can recover all the way to
that point.

Quite possibly a terminology problem.. I my case I said "sync rep"
meaning the mode such that the transaction doesn't commit successfully
for my PG client until the xlog record has been "streamed" to the
client... and I understand that at his presentation at PGcon, Fujii-san
there could be possible variants on when the "streamed" is considered
done based on network, slave ram, disk, application, etc.

I'd like to define the meaning of "synch rep" again. "synch rep" means:

(1) Transaction commit waits for WAL records to be replicated to the standby
before the command returns a "success" indication to the client.

(2) The standby has (can read) all WAL files indispensable for recovery.

If both are true, your system is in "synch rep"; you can perform failover safely
without any transaction loss whenever the primary falls down. On the other
hand, if either is false, your system is in not "synch rep" but "standalone";
the failure of the primary might cause a certain transaction loss. Starting the
standby doesn't mean "synch rep" directly. We have to wait for (1) *and* (2)
after starting the standby. (1) is reported as a server log message, so we can
wait for (1). (2) is somewhat complicated; if an archive is shared, the server
log message for achiving indicates (2). otherwise, The copy operation (copy
indispensable WAL files from the primary to the standby) by the user or
clusterware indicates (2). But, as Simon pointed out, since many people share
an archive, they should monitor only the server log messages. Or, should I
create the feature for the user to confirm whether it's in "synch rep" via SQL?

Since there is a little delay between (1) and (2), we can do WAL streaming
asynchronously only in the delay, as Heikki pointed out. But I'm not sure if
it's worth trying it.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Hi,

The idea is that we would be able to have multiple standby servers
connecting to one primary, yes? It would be useful to have sync
replication work that it must get an acknowledgement from at least one
standby before it continues.

No, in my current patch, only one standby can perform WAL streaming.
Of course, Yes in the future (8.5?).

Or do you think we would stream to just one standby, then use the
archiver (primary or standby) to keep sending files to allow multiple
additional standby nodes?

Interesting! and Yes, we can.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

* Fujii Masao <masao.fujii@gmail.com> [081211 23:00]:

Hi,

Or, should I
create the feature for the user to confirm whether it's in "synch rep" via SQL?

I don't need a way to check via SQL, but I'ld love a postgresql.conf
option that when set would make sure that all connections pretty much
just hang until a slave has connected and everything is setup for "sync
rep". I think I saw that youre using "normal" connection setup to start
the wal streaming to the slave, so you have to allow connections, but
I'ld really not want any of my pg-clients able to do anything if
sync-rep isn't happenning...

a.

--
Aidan Van Dyk Create like a god,
aidan@highrise.ca command like a king,
http://www.highrise.ca/ work like a slave.

Hi,

On Fri, Dec 12, 2008 at 1:34 PM, Aidan Van Dyk <aidan@highrise.ca> wrote:

* Fujii Masao <masao.fujii@gmail.com> [081211 23:00]:

Hi,

Or, should I
create the feature for the user to confirm whether it's in "synch rep" via SQL?

I don't need a way to check via SQL, but I'ld love a postgresql.conf
option that when set would make sure that all connections pretty much
just hang until a slave has connected and everything is setup for "sync
rep". I think I saw that youre using "normal" connection setup to start
the wal streaming to the slave, so you have to allow connections, but
I'ld really not want any of my pg-clients able to do anything if
sync-rep isn't happenning...

How about stopping the request / connection from a client in front of
postgres (e.g. connection pooling software)? Or, we should develop
the feature like OFFLINE of Oracle apart from Synch Rep at first.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

On Fri, 2008-12-12 at 12:53 +0900, Fujii Masao wrote:

Quite possibly a terminology problem.. I my case I said "sync rep"
meaning the mode such that the transaction doesn't commit successfully
for my PG client until the xlog record has been "streamed" to the
client... and I understand that at his presentation at PGcon, Fujii-san
there could be possible variants on when the "streamed" is considered
done based on network, slave ram, disk, application, etc.

I'd like to define the meaning of "synch rep" again. "synch rep" means:

(1) Transaction commit waits for WAL records to be replicated to the standby
before the command returns a "success" indication to the client.

(2) The standby has (can read) all WAL files indispensable for recovery.

I would change "can read" in (2) to "has access to". "Can read" implies
we have read all files and checked CRCs of individual records.

The crux of this is what we mean by "synchronous_replication = on".
There are two possible meanings:

1. Commit will wait only if streaming is available and has waited for
all necessary startup conditions.
This provides "Highest Availability"

2. Commit will wait *until* full sync rep is available. So we don't
allow it until standby fails and also don't allow it if standby goes
down.
This provides "Highest Transaction Durability", though is fairly
fragile. Other systems recommend use of multiple standby nodes if this
option is selected.

Perhaps we should add this as a third option to synchronous_replication,
so we have either off, on, only

So far I realise I've been talking exclusively about (1). In that mode
synchronous_replication = on would wait for streaming to complete even
if last WAL file not fully transferred.

For (2) we need a full interlock. Given that we don't currently support
multiple streamed standby servers, it seems not much point in
implementing the interlock (2) would require. Should we leave that part
for 8.5, or do it now?

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

* Simon Riggs <simon@2ndQuadrant.com> [081212 08:20]:

2. Commit will wait *until* full sync rep is available. So we don't
allow it until standby fails and also don't allow it if standby goes
down.
This provides "Highest Transaction Durability", though is fairly
fragile. Other systems recommend use of multiple standby nodes if this
option is selected.

yes please!

Perhaps we should add this as a third option to synchronous_replication,
so we have either off, on, only

So far I realise I've been talking exclusively about (1). In that mode
synchronous_replication = on would wait for streaming to complete even
if last WAL file not fully transferred.

Seems reasonable...

For (2) we need a full interlock. Given that we don't currently support
multiple streamed standby servers, it seems not much point in
implementing the interlock (2) would require. Should we leave that part
for 8.5, or do it now?

Ugh... If all sync-rep is gong to give is "if it's working, the commit
made it the slaves, but it might not be working [anymore|yet], but you
(the app using pg) have no way of knowing...", that sort of defeats the
point ;-)

I'ld love multiple slaves, but I understand that's not in the current
work, and I understand that it might be hard with the accept & become
wall-sender approach. It should be very easy to make a walsender handle
"multiple" slaves, and voting of quorum/etc as "successfully on slave",
except that we need to get the multiple connections to the walsender
backend...

a.

--
Aidan Van Dyk Create like a god,
aidan@highrise.ca command like a king,
http://www.highrise.ca/ work like a slave.

On Fri, 2008-12-12 at 12:53 +0900, Fujii Masao wrote:

Or, should I create the feature for the user to confirm whether it's in
"synch rep" via SQL?

I think this would be useful.

Regards,
Jeff Davis

On Fri, 2008-12-12 at 08:57 -0500, Aidan Van Dyk wrote:

For (2) we need a full interlock. Given that we don't currently support
multiple streamed standby servers, it seems not much point in
implementing the interlock (2) would require. Should we leave that part
for 8.5, or do it now?

Ugh... If all sync-rep is gong to give is "if it's working, the commit
made it the slaves, but it might not be working [anymore|yet], but you
(the app using pg) have no way of knowing...", that sort of defeats the
point ;-)

http://archives.postgresql.org/pgsql-hackers/2008-12/msg00865.php

Fujii Masao offers to provide a SQL function that will tell you
definitively whether you are in full sync rep, or some degraded mode. I
assume that there will also be server log messages to identify whether
you ever left sync rep mode.

Regards,
Jeff Davis

* Jeff Davis <pgsql@j-davis.com> [081212 13:41]:

On Fri, 2008-12-12 at 08:57 -0500, Aidan Van Dyk wrote:

For (2) we need a full interlock. Given that we don't currently support
multiple streamed standby servers, it seems not much point in
implementing the interlock (2) would require. Should we leave that part
for 8.5, or do it now?

Ugh... If all sync-rep is gong to give is "if it's working, the commit
made it the slaves, but it might not be working [anymore|yet], but you
(the app using pg) have no way of knowing...", that sort of defeats the
point ;-)

http://archives.postgresql.org/pgsql-hackers/2008-12/msg00865.php

Fujii Masao offers to provide a SQL function that will tell you
definitively whether you are in full sync rep, or some degraded mode. I
assume that there will also be server log messages to identify whether
you ever left sync rep mode.

So when would I have to call that function? Before begin, after begin,
before commit, or all, to guarentee that know that my application is
suppose to "delay" calling commit until when sync-mode is actualyl
synchronous? And then afterwards, I have to call it again t omake sure
it didn't fall "out of" mode between my previous call and the commit
actually working?

Bugger it, then I'll have to to patch every single app/query that writes
transactions to the database to be "sync rep" aware... And if I miss
one...

Some might say that if the data's that important, that audit/patching to
be "sync rep" aware is worth it, but then I guess they say that then you
might as well do application level replication as well ;-)

a.

--
Aidan Van Dyk Create like a god,
aidan@highrise.ca command like a king,
http://www.highrise.ca/ work like a slave.

On Fri, 2008-12-12 at 14:23 -0500, Aidan Van Dyk wrote:

So when would I have to call that function? Before begin, after begin,
before commit, or all, to guarentee that know that my application is
suppose to "delay" calling commit until when sync-mode is actualyl
synchronous? And then afterwards, I have to call it again t omake sure
it didn't fall "out of" mode between my previous call and the commit
actually working?

I'm not suggesting that applications call the function. It's a way for a
monitoring system to know that you're in a degraded state and notify
you.

I'm not sure I entirely understand the use case you're advocating:

Let's say the standby has a major failure. Now you have a single point
of failure (the primary), so _all_ of your transactions are in jeopardy
anyway -- at least until you get back into sync rep. Rejecting new
transactions won't save your old ones.

The only time it helps is when the failure is temporary, i.e. you didn't
really lose the storage on the standby. But you would need to rely on
some guarantee that the storage is still intact on the standby system
even though the standby is unresponsive.

Is that the use case?

Regards,
Jeff Davis

Hi,

Fujii Masao wrote:

I'd like to define the meaning of "synch rep" again. "synch rep" means:

(1) Transaction commit waits for WAL records to be replicated to the standby
before the command returns a "success" indication to the client.

(2) The standby has (can read) all WAL files indispensable for recovery.

Let me point out that - very much like the original Postgres-R algorithm
- this guarantees committed transactions to be durable and consistent
(no late aborts of conflicting transactions), but it does not guarantee
that a transaction committed on one node is immediately visible on the
other node. In that sense, it is not synchronous as commonly understood,
because it does not "operate with all their parts in synchrony" [1]Wikipedia on Synchronization http://en.wikipedia.org/wiki/Synchronization, as
implied by the term "synchronous". This might (and often has in the
past) lead to confusion.

It's certainly enough of a reason for me to rather use the term "eager
replication". See [2]Postgres-R general mailing list, by Markus Wanner, subject: terms for database replication: synchronous vs eager http://lists.pgfoundry.org/pipermail/postgres-r-general/2008-September/000014.html for a more in-depth explanation. I might also
point out, that Jan Wieck called this very same approch "an asynchronous
replication system by all means" [3]Postgres General mailing list, by Jan Wieck, subject: terms for database replication: synchronous vs eager http://archives.postgresql.org/pgsql-hackers/2007-09/msg00631.php.

Regards

Markus Wanner

[1]: Wikipedia on Synchronization http://en.wikipedia.org/wiki/Synchronization
http://en.wikipedia.org/wiki/Synchronization

[2]: Postgres-R general mailing list, by Markus Wanner, subject: terms for database replication: synchronous vs eager http://lists.pgfoundry.org/pipermail/postgres-r-general/2008-September/000014.html
terms for database replication: synchronous vs eager
http://lists.pgfoundry.org/pipermail/postgres-r-general/2008-September/000014.html

[3]: Postgres General mailing list, by Jan Wieck, subject: terms for database replication: synchronous vs eager http://archives.postgresql.org/pgsql-hackers/2007-09/msg00631.php
terms for database replication: synchronous vs eager
http://archives.postgresql.org/pgsql-hackers/2007-09/msg00631.php

On Sat, 2008-12-13 at 00:00 +0100, Markus Wanner wrote:

Hi,

Fujii Masao wrote:

I'd like to define the meaning of "synch rep" again. "synch rep" means:

(1) Transaction commit waits for WAL records to be replicated to the standby
before the command returns a "success" indication to the client.

(2) The standby has (can read) all WAL files indispensable for recovery.

Let me point out that - very much like the original Postgres-R algorithm
- this guarantees committed transactions to be durable and consistent
(no late aborts of conflicting transactions), but it does not guarantee
that a transaction committed on one node is immediately visible on the
other node. In that sense, it is not synchronous as commonly understood,
because it does not "operate with all their parts in synchrony" [1], as
implied by the term "synchronous". This might (and often has in the
past) lead to confusion.

You're right that neither the data transfer nor data availability is
entirely synchronous, but data transfer is synchronous at time of
*commit*: it is recorded on multiple nodes at the same time.

The term "synchronous replication" is already well used in the industry
to mean synchronous commit, so I don't think we should change the name
now. The project here is also known to everybody as "synch rep".

* Oracle Data Guard calls it "synchronous redo transport"
* MS Exchange calls it "synchronous replication"
* MS SQL Server has "Database Mirroring", "Log Shipping" and
"Replication". "Database Mirroring" provides synchronous mechanism, with
"Replication" meaning data transfer to other databases,
publish&subscribe.
* DB2 HADR provides "synchronous replication"
* MySQL call it "synchronous replication"

What is confusing is that "replication" itself is a much abused term and
is used to describe technologies for HA, DR and data movement.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Hi,

Simon Riggs wrote:

You're right that neither the data transfer nor data availability is
entirely synchronous, but data transfer is synchronous at time of
*commit*: it is recorded on multiple nodes at the same time.

I'm unsure what you mean by a "data transfer being synchronous". To what
other process or state should the data transfer be synchronous to?

The term "synchronous replication" is already well used in the industry
to mean synchronous commit, so I don't think we should change the name
now. The project here is also known to everybody as "synch rep".

I understand very well, that you don't want to change the name. I've
been hesitant to "relabel" Postgres-R from synchronous to asynchronous
to eager.

However, that is a marketing decision [1]Some people like the term "virtually synchronous" for marketing purposes. That's at least half-ways technically correct., which should not be mixed
with the technical discussion here. Speaking of a "synchronous commit"
is utterly misleading, because the commit itself is exactly the thing
that's *not* synchronous.

It *is* an optimization to fully synchronous replication to defer commit
on the "slave" and only make sure that the transaction *can* be applied
at some time in the future.

However, this *does* have the drawback of transactions not being
immediately visible on the slave. Often enough, this is acceptable. But
it certainly matters to some applications developers.

What is confusing is that "replication" itself is a much abused term and
is used to describe technologies for HA, DR and data movement.

I absolutely agree to that. And I'm thus recommending to at least be
consistent and honest with the term "synchronous" and point out that WAL
writing is synchronous for the log shipping approach here (AFAIK). But
that the commit is asynchronous for performance reasons. In other words:
this approach is certainly (and hopefully, for performance reasons)
different from a fully synchronous approach. Even for marketing reasons,
it might make sense to point out that difference (.. "no, we are faster
than fully sync rep.").

Regards

Markus Wanner

[1]: Some people like the term "virtually synchronous" for marketing purposes. That's at least half-ways technically correct.
purposes. That's at least half-ways technically correct.

On 2008-12-13, at 13:07, Markus Wanner wrote:

However, that is a marketing decision [1], which should not be mixed
with the technical discussion here. Speaking of a "synchronous commit"
is utterly misleading, because the commit itself is exactly the thing
that's *not* synchronous.

[1]: Some people like the term "virtually synchronous" for marketing
purposes. That's at least half-ways technically correct.

Marketing people are virtually trustworthy, from my life experience.
If you ask me, this is just preposterous.

On Sat, 2008-12-13 at 14:07 +0100, Markus Wanner wrote:

Speaking of a "synchronous commit"
is utterly misleading, because the commit itself is exactly the thing
that's *not* synchronous.

Not really sure where you're going here. "synchronous replication" is
used exactly as described in the Wikipedia entry here:
http://en.wikipedia.org/wiki/Database_replication

No two word phrase is going to accurately sum up the complexity and
potential for data loss in these situations. DRBD saw that too and just
called them A, B and C and then describe them more accurately.

But I don't think we should say "PostgreSQL just implemented algorithm
B" which is just unhelpful. I don't think its "marketing" to refer to it
by the phrase most commonly used for the technology we are building.
Nobody suggested we call it "wizrep" or suchlike...

The docs can contain the exact description of data loss and timing
windows.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Hi,

Simon Riggs wrote:

On Sat, 2008-12-13 at 14:07 +0100, Markus Wanner wrote:

Speaking of a "synchronous commit"
is utterly misleading, because the commit itself is exactly the thing
that's *not* synchronous.

Not really sure where you're going here.

I'm pointing to a potential misunderstanding, trying to help to prevent
you from running into the same issues and discussions as I did.

I've learned the hard way, that the Postgres-R algorithm is not fully
synchronous (in the strict sense). This caused confusion for people who
take the word "synchronous" by its original meaning. The algorithm
proposed here seems similar enough to potentially cause the same confusion.

As I see it now, I think it's well worth to point out the difference,
from both, the technical as well as from the marketing perspective. The
former for better understanding, the later to prevent users from
thinking it must be slow per definition. Arguing that your approach is
not fully synchronous definitely helps defending that concern.

However, I'm just now realizing, that the difference is only relevant as
soon as you begin to allow read-only access on the slave. AFAIK that's
among the goals of this effort, no?

"synchronous replication" is
used exactly as described in the Wikipedia entry here:
http://en.wikipedia.org/wiki/Database_replication

That article describes pretty much all variants of replication, what
exactly are you referring to?

Under "Database Replication > Multi-Master replication" it describes
eager vs lazy variants, which is IMO a more appropriate and useful
distinction than sync vs async. (But that's admittedly a sentence I've
contributed myself, IIRC).

Under "Storage Replication > Synchronous Replication" one can read:
"Write is not considered complete until acknowledgement by both local
and remote storage." For the proposed approach this might hold true for
WAL writing. However, the user certainly doesn't care how synchronous
the log is shipped nor written, is as long as she doesn't see the
changes on the slave.

That's the difference between fully synchronous and eager (or virtually
or approximately synchronous) algorithms. You seem to refer to both as
"synchronous". Phrases like "synchronous commit" or "synchronous data
transfer" do not help me to understand what exactly you are talking about.

Explaining that the slave commits (and therefore makes the transactions
visible) asynchronously would help. And it would prevent disappointment
for users who expect changes to be immediately visible on the slave.

No two word phrase is going to accurately sum up the complexity and
potential for data loss in these situations. DRBD saw that too and just
called them A, B and C and then describe them more accurately.

Agreed. I've chosen lazy, eager and sync, so far. I'm open for better
terms, and I leave it up to you to call your variants whatever you like.
But to understand what you are talking about, I'd prefer to get to know
these distinctions crisp and clear.

But I don't think we should say "PostgreSQL just implemented algorithm
B" which is just unhelpful. I don't think its "marketing" to refer to it
by the phrase most commonly used for the technology we are building.

I certainly agree to using such terms. Unfortunately, in my experience,
synchronous replication is commonly used to mean that transactions are
guaranteed to be immediately visible on remote nodes after the client
got commit acknowledgment. That's the cause for confusion I'm envisioning.

I'm hoping to be somewhat helpful to this effort of getting a log
shipping replication variant into Postgres. It can only be beneficial
for Postgres-R in that we gain field experience with ..uhm.. this
special kind of replication, however we name it.

I'm already on xmas vacation, so I won't bother you any further on this
issue. Have fun coding and make sure to enjoy this time of the year.

All the best.

Markus Wanner

I certainly agree to using such terms. Unfortunately, in my experience,
synchronous replication is commonly used to mean that transactions are
guaranteed to be immediately visible on remote nodes after the client
got commit acknowledgment. That's the cause for confusion I'm envisioning.

I think that's a very important point. It's very possible that 8.4
may support both this feature and Hot Standby (although the latter
seems to have stalled a bit...). That makes me think "oh, great, I
can offload any subset of my read-only queries to the standby". Not
so fast.

I think we need to reserve the term "synchronous replication" for a
system where transactions that begin at the same time on the primary
and standby see the same tuples. Clearly that is "more" synchronous
than what is being proposed here; if we call this "synchronous
replication", what will we call that? "Really Synchronous, Honest, No
Kidding"? Admittedly, we may never implement that feature, but that
seems irrelevant.

It would be useful to have names for all the different possibilities.
Random ideas:

Log Shipping. After each log switch, the previous WAL log is copied
to the standby in its entirety.

WAL Streaming - Asynchronous. The WAL log is streamed from master to
standby as it is written, but transactions on the master never wait.

WAL Streaming - Synchronous Receive. The WAL log is streamed from
master to standby as it is written, and transactions on the master
wait until the standby acknowledges receipt of the WAL.

WAL Streaming - Synchronous Write. The WAL log is streamed from
master to standby as it is written, and transactions on the master
wait until the standby acknowledges that the WAL has been written to
disk.

WAL Streaming - Synchronous Apply. The WAL log is streamed from
master to standby as it is written, and transactions on the master
wait until the standby acknowledges that WAL has been written to disk
and applied.

...Robert

"Robert Haas" <robertmhaas@gmail.com> writes:

I think we need to reserve the term "synchronous replication" for a
system where transactions that begin at the same time on the primary
and standby see the same tuples. Clearly that is "more" synchronous
than what is being proposed here; if we call this "synchronous
replication", what will we call that? "Really Synchronous, Honest, No
Kidding"? Admittedly, we may never implement that feature, but that
seems irrelevant.

We won't call it anything, because we never will or can implement that.
See the theory of relativity: the notion of exactly simultaneous events
at distinct locations isn't even well-defined, because observers at yet
other locations will disagree about what is "simultaneous". And I'm
not just making a joke here --- speed-of-light delays in a WAN are
meaningful compared to current computer speeds. In practice, the
slave and the master will never commit at exactly the same time.

I agree with the point made upthread that we should use the term
"synchronous replication" the way it's commonly used in the industry.
Inventing our own terminology might be fun but it's not really going
to result in less confusion.

regards, tom lane

Synchronous replication, "sync rep" is *not* intersted in the "slave's
visiblity of the commit", because PostgreSQL doesn't "serve" requests
when in recovery (wal receiving) mode *now*.

This sync rep patch/proposal/discution is *strictly* (at this point yet,
hot standby may eventually or hopefully soon change that) the means to
get the data "safely in 2 seperate places", before the COMMIT returns,
by means of wal streaming. That "safely in 2 places" can have various
implementation options (like received, on disk, or applied), and
Fujii-san explained some of the options as to what to consider "safe"
and their trade-offs at his presentation at last year.

Once both sync-rep (the wal-streaming get changes in two places) and
hot-standby (run queries while WAL is being applied) are available in
PostgreSQL, at that point we might need to start "other client
visibility", but even then, we still don't need to worry about
multi-master options...

a.

* Markus Wanner <markus@bluegap.ch> [081213 12:17]:

Hi,

Simon Riggs wrote:

On Sat, 2008-12-13 at 14:07 +0100, Markus Wanner wrote:

Speaking of a "synchronous commit"
is utterly misleading, because the commit itself is exactly the thing
that's *not* synchronous.

Not really sure where you're going here.

I'm pointing to a potential misunderstanding, trying to help to prevent
you from running into the same issues and discussions as I did.

I've learned the hard way, that the Postgres-R algorithm is not fully
synchronous (in the strict sense). This caused confusion for people who
take the word "synchronous" by its original meaning. The algorithm
proposed here seems similar enough to potentially cause the same confusion.

As I see it now, I think it's well worth to point out the difference,
from both, the technical as well as from the marketing perspective. The
former for better understanding, the later to prevent users from
thinking it must be slow per definition. Arguing that your approach is
not fully synchronous definitely helps defending that concern.

However, I'm just now realizing, that the difference is only relevant as
soon as you begin to allow read-only access on the slave. AFAIK that's
among the goals of this effort, no?

"synchronous replication" is
used exactly as described in the Wikipedia entry here:
http://en.wikipedia.org/wiki/Database_replication

That article describes pretty much all variants of replication, what
exactly are you referring to?

Under "Database Replication > Multi-Master replication" it describes
eager vs lazy variants, which is IMO a more appropriate and useful
distinction than sync vs async. (But that's admittedly a sentence I've
contributed myself, IIRC).

Under "Storage Replication > Synchronous Replication" one can read:
"Write is not considered complete until acknowledgement by both local
and remote storage." For the proposed approach this might hold true for
WAL writing. However, the user certainly doesn't care how synchronous
the log is shipped nor written, is as long as she doesn't see the
changes on the slave.

That's the difference between fully synchronous and eager (or virtually
or approximately synchronous) algorithms. You seem to refer to both as
"synchronous". Phrases like "synchronous commit" or "synchronous data
transfer" do not help me to understand what exactly you are talking about.

Explaining that the slave commits (and therefore makes the transactions
visible) asynchronously would help. And it would prevent disappointment
for users who expect changes to be immediately visible on the slave.

No two word phrase is going to accurately sum up the complexity and
potential for data loss in these situations. DRBD saw that too and just
called them A, B and C and then describe them more accurately.

Agreed. I've chosen lazy, eager and sync, so far. I'm open for better
terms, and I leave it up to you to call your variants whatever you like.
But to understand what you are talking about, I'd prefer to get to know
these distinctions crisp and clear.

But I don't think we should say "PostgreSQL just implemented algorithm
B" which is just unhelpful. I don't think its "marketing" to refer to it
by the phrase most commonly used for the technology we are building.

I certainly agree to using such terms. Unfortunately, in my experience,
synchronous replication is commonly used to mean that transactions are
guaranteed to be immediately visible on remote nodes after the client
got commit acknowledgment. That's the cause for confusion I'm envisioning.

I'm hoping to be somewhat helpful to this effort of getting a log
shipping replication variant into Postgres. It can only be beneficial
for Postgres-R in that we gain field experience with ..uhm.. this
special kind of replication, however we name it.

I'm already on xmas vacation, so I won't bother you any further on this
issue. Have fun coding and make sure to enjoy this time of the year.

All the best.

Markus Wanner

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

--
Aidan Van Dyk Create like a god,
aidan@highrise.ca command like a king,
http://www.highrise.ca/ work like a slave.

On Sat, 2008-12-13 at 13:05 -0500, Robert Haas wrote:

Hot Standby (although the latter
seems to have stalled a bit...)

It's just being worked on asynchronously. ;-)

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

On Sat, 2008-12-13 at 13:05 -0500, Robert Haas wrote:

I certainly agree to using such terms. Unfortunately, in my experience,
synchronous replication is commonly used to mean that transactions are
guaranteed to be immediately visible on remote nodes after the client
got commit acknowledgment. That's the cause for confusion I'm envisioning.

I think that's a very important point. It's very possible that 8.4
may support both this feature and Hot Standby (although the latter
seems to have stalled a bit...). That makes me think "oh, great, I
can offload any subset of my read-only queries to the standby". Not
so fast.

I think we need to reserve the term "synchronous replication" for a
system where transactions that begin at the same time on the primary
and standby see the same tuples.

Define "same time".

You can have a variantof sync rep + hot standby where the master does
not return committed before the slave has both synced the data and
replied the transaction so that it is visible on slave but in that case
you may have a usecase, where it is actually visible on slave _before_
it is visible on master.

actually you can't have that "same time" guarantee even on single
system, that is, if you start two transactions connections "at the same
time", you still cant be sure there is not third transaction which has
committed between those two and which makes the visible data on those
two different.

Clearly that is "more" synchronous
than what is being proposed here; if we call this "synchronous
replication", what will we call that? "Really Synchronous, Honest, No
Kidding"? Admittedly, we may never implement that feature, but that
seems irrelevant.

It would be useful to have names for all the different possibilities.
Random ideas:

Log Shipping. After each log switch, the previous WAL log is copied
to the standby in its entirety.

WAL Streaming - Asynchronous. The WAL log is streamed from master to
standby as it is written, but transactions on the master never wait.

WAL Streaming - Synchronous Receive. The WAL log is streamed from
master to standby as it is written, and transactions on the master
wait until the standby acknowledges receipt of the WAL.

WAL Streaming - Synchronous Write. The WAL log is streamed from
master to standby as it is written, and transactions on the master
wait until the standby acknowledges that the WAL has been written to
disk.

WAL Streaming - Synchronous Apply. The WAL log is streamed from
master to standby as it is written, and transactions on the master
wait until the standby acknowledges that WAL has been written to disk
and applied.

We still could call Sync Rep as a feature "synchronous replication" on
basis that "WAL Streaming - Synchronous Write" is the highest security
level achievable using the feature.

And maybe have Sync Hot Standby as a feature on top of that which
provides "WAL Streaming - Synchronous Apply"

------------------------------------------
Hannu Krosing http://www.2ndQuadrant.com
PostgreSQL Scalability and Availability
Services, Consulting and Training

On Sat, 2008-12-13 at 21:35 +0200, Hannu Krosing wrote:

We still could call Sync Rep as a feature "synchronous replication" on
basis that "WAL Streaming - Synchronous Write" is the highest security
level achievable using the feature.

And maybe have Sync Hot Standby as a feature on top of that which
provides "WAL Streaming - Synchronous Apply"

Or maybe better call it Serializable Hot Standby, as the actual
guarantee that can be achieved is that when one client does something on
master and after committing on master starts another transaction on
slave, then the effects of query on master are visible on slave.

--
------------------------------------------
Hannu Krosing http://www.2ndQuadrant.com
PostgreSQL Scalability and Availability
Services, Consulting and Training

Hi,

Tom Lane wrote:

We won't call it anything, because we never will or can implement that.
See the theory of relativity: the notion of exactly simultaneous events
at distinct locations isn't even well-defined

That has never been the point of the discussion. It's rather about the
question if changes from transactions are guaranteed to be visible on
remote nodes immediately after commit acknowledgment. Whether or not
this is guaranteed, in both cases the term "synchronous replication" is
commonly used, which is causing confusion.

Regards

Markus Wanner

Hi,

Simon Riggs wrote:

Hot Standby (although the latter
seems to have stalled a bit...)

It's just being worked on asynchronously. ;-)

LOL, thanks for bringing humor into this discussion :-)

Regards

Markus Wanner

Hi,

Hannu Krosing wrote:

You can have a variantof sync rep + hot standby where the master does
not return committed before the slave has both synced the data and
replied the transaction so that it is visible on slave but in that case
you may have a usecase, where it is actually visible on slave _before_
it is visible on master.

As long as it's not visible *before* the client requests a COMMIT, that
certainly doesn't matter (because the application cannot check that).

What matters is, that an application might expect a node to show the
changes of a transaction which has previously (seen from the application
itself) been committed and acknowledged by another node.

AFAICT the common understanding of synchronous replication is, that all
nodes confirm to have committed the changes of a transaction *before*
acknowledging COMMIT to the application (and obviously only *after* the
application requested to COMMIT the transaction, so the guarantee is
that all nodes commit *sometime* within that time frame, which is
certainly possible to guarantee, see 2PC approaches).

This guarantee is not provided by the Postgres-R algorithm, nor by the
approach presented. Both only guarantee, that the transaction *will* get
committed (and thus get visible) on all nodes *sometime* *after* the
application requested to commit it (even in case of various failures,
that is) [1]of course these approaches also guarantee that the transaction is committed on the local node *before* acknowledging commit, so that subsequent (seen from the application) queries are guaranteed to see the changes. But that guarantee only holds true for the local node.. As cited before, that has been enough of a reason for Jan
Wieck to call Postgres-R asynchronous, and I certainly see his point.

Note that the amount of time that passes between the commit
acknowledgment and the actual commit on remote nodes may theoretically
be infinitely long. And in practice certainly long enough for an
application to notice the difference. However, it still is a practical
optimization, because most applications should cope with it just fine.
But not all...

Do you consider the proposed log shipping approach to be synchronous?
How about the Postgres-R algorithm?

Regards

Markus Wanner

[1]: of course these approaches also guarantee that the transaction is committed on the local node *before* acknowledging commit, so that subsequent (seen from the application) queries are guaranteed to see the changes. But that guarantee only holds true for the local node.
committed on the local node *before* acknowledging commit, so that
subsequent (seen from the application) queries are guaranteed to see the
changes. But that guarantee only holds true for the local node.

* Markus Wanner <markus@bluegap.ch> [081213 16:33]:

Hi,

Hannu Krosing wrote:

You can have a variantof sync rep + hot standby where the master does
not return committed before the slave has both synced the data and
replied the transaction so that it is visible on slave but in that case
you may have a usecase, where it is actually visible on slave _before_
it is visible on master.

As long as it's not visible *before* the client requests a COMMIT, that
certainly doesn't matter (because the application cannot check that).

Well, I think the PG MVCC (which wal-streaming just ships across
somewhere else) will save that. So with hot-standby you could have
another client could see the result *after* the COMMIT has been
requested, but *before* the COMMIT returns... But we have this
situation in a single current PG instance anyways, so it's nothing
new....

But with hot-standby, I could also see that it could be done such that
the wal-stream is fsynced to disk (i.e. xlog) and acknowledged, but
because of a current running query, application of it is delayed... But
this is hot-standby's problem of describing itself, not sync-rep.

IMHO, sync-rep is about getting the change "durrably to a slave" before
acknoledging the COMMIT. That slave could be any number of things:
- A "WAL archive" type system having the ability to be used for
recover
- A PG with special "recovery mode" that reads the stream and applies it
- A full hot-standby recovery

I could see any and all of those (and probably other) being usefull and
used.

But in the current patch, it focusses on the streaming (sending), and
and a receiver "recovery" mode that can accept/apply them, again,
without worrying about acutally running queries (yet) ...

a.

--
Aidan Van Dyk Create like a god,
aidan@highrise.ca command like a king,
http://www.highrise.ca/ work like a slave.

Markus Wanner wrote:

Tom Lane wrote:

We won't call it anything, because we never will or can implement that.
See the theory of relativity: the notion of exactly simultaneous events
at distinct locations isn't even well-defined

That has never been the point of the discussion. It's rather about the
question if changes from transactions are guaranteed to be visible on
remote nodes immediately after commit acknowledgment. Whether or not
this is guaranteed, in both cases the term "synchronous replication" is
commonly used, which is causing confusion.

Might it not be true that anybody unfamiliar would be confused and that
this is a bit of a straw man?

I don't think synchronous replication guarantees that it will be
immediately visible. Even if it did push the change to the other
machine, and the other machine had committed it, that doesn't guarantee
that any reader sees it any more than if I commit to the same machine
(no replication), I am guaranteed to see the change from another
session. Synchronous replication only means that I can be assured that
my change has been saved permanently by the time my commit completes. It
doesn't mean anybody else can see my change or is guaranteed to see my
change if the query from another session.

If my application assumes that it can commit to one server, and then
read back the commit from another server, and my application breaks as a
result, it's because I didn't understand the problem. Even if PostgreSQL
didn't use the word "synchronous replication", I could still be
confused. I need to understand the problem no matter what words are used.

Cheers,
mark

--
Mark Mielke <mark@mielke.cc>

Hi,

Aidan Van Dyk wrote:

Well, I think the PG MVCC (which wal-streaming just ships across
somewhere else) will save that. So with hot-standby you could have
another client could see the result *after* the COMMIT has been
requested, but *before* the COMMIT returns... But we have this
situation in a single current PG instance anyways, so it's nothing
new....

AFAIU the proposed algorithm only waits until WAL is written on the
slave before acknowledging COMMIT. Application of the changes may be
deferred, so it's not necessarily immediately visible on the slave.

But with hot-standby, I could also see that it could be done such that
the wal-stream is fsynced to disk (i.e. xlog) and acknowledged, but
because of a current running query, application of it is delayed... But
this is hot-standby's problem of describing itself, not sync-rep.

I'm thinking of the overall system and don't care much if it's
hot-standby's or sync-rep's problem. But it's certainly the master which
needs to await certain acknowledgments of the slaves. That has so far
been discussed within this sync-rep thread.

IMHO, sync-rep is about getting the change "durrably to a slave" before
acknoledging the COMMIT. That slave could be any number of things:
- A "WAL archive" type system having the ability to be used for
recover
- A PG with special "recovery mode" that reads the stream and applies it
- A full hot-standby recovery

I could see any and all of those (and probably other) being usefull and
used.

I certainly agree to that.

Regards

Markus Wanner

Hi,

Mark Mielke wrote:

Might it not be true that anybody unfamiliar would be confused and that
this is a bit of a straw man?

Might be. I've neglected the issue myself for a while.

I don't think synchronous replication guarantees that it will be
immediately visible. Even if it did push the change to the other
machine, and the other machine had committed it, that doesn't guarantee
that any reader sees it any more than if I commit to the same machine
(no replication), I am guaranteed to see the change from another
session.

AFAIK every snapshot taken after a transaction has acknowledged its
commit is guaranteed to see changes from that transaction. Isn't that a
pretty frequent and obvious user expectation?

Synchronous replication only means that I can be assured that
my change has been saved permanently by the time my commit completes. It
doesn't mean anybody else can see my change or is guaranteed to see my
change if the query from another session.

So you wouldn't be surprised if a transaction from two hours ago isn't
visible on another node, just because that node happens to be rather
busy with lots of other readers and maintenance tasks?

If my application assumes that it can commit to one server, and then
read back the commit from another server, and my application breaks as a
result, it's because I didn't understand the problem.

Well, yeah, depends on user expectations. I'm surprised to hear that you
have that understanding of synchronous replication.

Even if PostgreSQL
didn't use the word "synchronous replication", I could still be
confused. I need to understand the problem no matter what words are used.

As said, it depends on what the common understanding of "synchronous
replication" is. I've so far been under the impression, that these
potential lags are unexpected and confusing. Several people pointed me
at that problem and I've thus "relabeled" Postgres-R as not being
synchronous. I'm at least surprised to suddenly get pushed into the
other direction. :-)

However, I absolutely agree that it's not that important how we name it.
What is important, is that users and developers understand the difference.

Regards

Markus Wanner

Markus Wanner wrote:

I don't think synchronous replication guarantees that it will be
immediately visible. Even if it did push the change to the other
machine, and the other machine had committed it, that doesn't guarantee
that any reader sees it any more than if I commit to the same machine
(no replication), I am guaranteed to see the change from another
session.

AFAIK every snapshot taken after a transaction has acknowledged its
commit is guaranteed to see changes from that transaction. Isn't that a
pretty frequent and obvious user expectation?

Yes - but that's only really true while the session continues. From
another session? I've never assumed that I could reconnect and be
guaranteed to get the latest snapshot that includes absolutely
everything that has been committed.

Any system that guaranteed this even when involving multiple machines
would be guaranteed to be inefficient and difficult to scale in my
opinion. How could any system promise to have reasonable commit times
while also guaranteeing that once a commit completes, any session to any
other server will be able to see the commit? I think this forces some
sort of serialization between multiple machines and defeats the purpose
of having multiple machines. Where before it was indeterminate to know
when the commit would take effect at each replica, it's not
indeterminate when my commit will succeed. That is, my commit cannot
succeed until every single server acknowledge that it is has fully
received and committed my transaction. What happens if there are network
problems, or what happens if I am replicating over a slower link? What
if I am committing to 100 servers? Is it reasonable to expect 100 server
negotiations to complete in full before my own commit will return?

Synchronous replication only means that I can be assured that
my change has been saved permanently by the time my commit completes. It
doesn't mean anybody else can see my change or is guaranteed to see my
change if the query from another session.

So you wouldn't be surprised if a transaction from two hours ago isn't
visible on another node, just because that node happens to be rather
busy with lots of other readers and maintenance tasks?

Any system that is two hours behind should fall out of the pool used to
satisfy reads from. So, if there was a surprise, it would be this. I
don't believe ACID requires that a commit on one server is immediately
visible on another server. Any work I do on the "behind" server would
still be safe from a transaction and referential integrity perspective.
However, if I executed 'commit' on this "behind" server, I would expect
the commit to wait until it catches up, or in the case of a 2 hour
behind, I would expect the commit to fail. Look at the alternative - all
commits to any server in the pool would be locked up waiting for this
one machine to catch up on 2 hours of transaction. This emphasizes that
the problem is that a server two hours of date is still in the pool,
rather than the problem being keeping things up-to-date.

If my application assumes that it can commit to one server, and then
read back the commit from another server, and my application breaks as a
result, it's because I didn't understand the problem.

Well, yeah, depends on user expectations. I'm surprised to hear that you
have that understanding of synchronous replication.

I've seen people face it in the past. Most recently we had a
presentation from the developer of digg.com, and he described how he had
this problem with MySQL and that he had to work around it.

On a smaller scale and slightly unrelated, I had this problem frequently
between memcache and PostgreSQL. That is, memcache would always be
latest, but PostgreSQL might not be latest, because the commit had not
occurred.

It seems like a standard enough problem to me. I don't expect Postgres-R
to do the impossible. As with my previous paragraph, I don't expect
Postgres-R to wait 2-hours to commit just because one server is falling
behind.

Even if PostgreSQL
didn't use the word "synchronous replication", I could still be
confused. I need to understand the problem no matter what words are used.

As said, it depends on what the common understanding of "synchronous
replication" is. I've so far been under the impression, that these
potential lags are unexpected and confusing. Several people pointed me
at that problem and I've thus "relabeled" Postgres-R as not being
synchronous. I'm at least surprised to suddenly get pushed into the
other direction. :-)

However, I absolutely agree that it's not that important how we name it.
What is important, is that users and developers understand the difference

I agree they are unexpected and confusing. I don't agree that they are
unexpected or confusing to those knowledgeable in the domain. So, the
question becomes - whose expectation is wrong? Should the user learn
more? Or should we push for a change in terminology? Does it make sense
for Postgres-R (which looks excellent to me BTW, at least in principle)
be marketed differently, because a few users tie "synchronous
replication" to "serialized access"?

Because that's really what we're talking about - we're talking about
transactions in all sessions being serialized between machines to
provide less surprise to users who don't understand the complexity of
having multiple replicas.

Forget replication - even for the exact same server - I don't expect
that if I commit from one session, I will be able to see the change
immediately from my other session or a new session that I just opened.
Perhaps this is often stable to rely on this, and it is useful for the
database server to minimize the window during which the commit becomes
visible to others, but I think it's a false expectation from the start
that it absolutely will be immediately visible to another session. I'm
thinking of situations where some part of the table is in cache. The
only way the commit can communicate that the new transaction is
available is by during communication between the processes or threads,
or between the multiple CPUs on the machine. Do I want every commit to
force each session to become fully in alignment before my commit
completes? Does PostgreSQL make this guarantee today? I bet it doesn't
if you look far enough into the guts. It might be very fast - I don't
think it is infinitely fast.

Cheers,
mark

--
Mark Mielke <mark@mielke.cc>

On Sat, Dec 13, 2008 at 1:29 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

"Robert Haas" <robertmhaas@gmail.com> writes:

I think we need to reserve the term "synchronous replication" for a
system where transactions that begin at the same time on the primary
and standby see the same tuples. Clearly that is "more" synchronous

We won't call it anything, because we never will or can implement that.
See the theory of relativity: the notion of exactly simultaneous events

OK, fine. I'll be more precise. I think we need to reserve the term
"synchronous replication" for a system where transactions that begin
on the standby after the transactions has committed on the master see
the effects of the committed transaction.

at distinct locations isn't even well-defined, because observers at yet
other locations will disagree about what is "simultaneous". And I'm
not just making a joke here --- speed-of-light delays in a WAN are
meaningful compared to current computer speeds. In practice, the
slave and the master will never commit at exactly the same time.

I agree with the point made upthread that we should use the term
"synchronous replication" the way it's commonly used in the industry.
Inventing our own terminology might be fun but it's not really going
to result in less confusion.

I just googled "synchronous replication" and read through the first
page of hits. Most of them do not address the question of whether
synchronous replication can be said to have be completed when WAL has
been received by the standby not but yet applied. One of the ones
that does is:

http://code.google.com/p/google-mysql-tools/wiki/SemiSyncReplicationDesign

...which refers to what we're proposing to call "Synchronous
Replication" as "Semi-Synchronous Replication" (or 2-safe replication)
specifically to distinguish it. The other is:

http://www.cnds.jhu.edu/pub/papers/cnds-2002-4.pdf

...which doesn't specifically examine the issue but seems to take the
opposite position, namely that the server on which the transaction is
executed needs to wait only for one server to apply the changes to the
database (the others need only to know that they need to commit it;
they don't actually need to have done it). However, that same paper
refers to two-phase commit as a synchronous replication algorithm, and
Wikipedia's discussion of two-phase commit:

http://en.wikipedia.org/wiki/Two-phase_commit_protocol

...clearly implies that the transaction must be applied everywhere
before it can be said to have committed.

The second page of Google results is mostly a further discussion of
the MySQL solution, which is mostly described as "semi-synchronous
replication".

Simon Riggs said upthread that Oracle called this "synchronous redo
transport". That is obviously much closer to what we are doing than
"synchronous replication".

...Robert

On Sat, 2008-12-13 at 21:35 -0500, Robert Haas wrote:

On Sat, Dec 13, 2008 at 1:29 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

"Robert Haas" <robertmhaas@gmail.com> writes:

I think we need to reserve the term "synchronous replication" for a
system where transactions that begin at the same time on the primary
and standby see the same tuples. Clearly that is "more" synchronous

We won't call it anything, because we never will or can implement that.
See the theory of relativity: the notion of exactly simultaneous events

OK, fine. I'll be more precise. I think we need to reserve the term
"synchronous replication" for a system where transactions that begin
on the standby after the transactions has committed on the master see
the effects of the committed transaction.

If it's guaranteed to be visible on the standby after it's committed on
the master, and you don't have any way to make it actually simultaneous,
then that implies that it's visible on the slave for some brief period
of time before it's committed on the master.

That situation is still asymmetric, so why is that a better use of the
term "synchronous"?

Regards,
Jeff Davis

If it's guaranteed to be visible on the standby after it's committed on
the master, and you don't have any way to make it actually simultaneous,
then that implies that it's visible on the slave for some brief period
of time before it's committed on the master.

That situation is still asymmetric, so why is that a better use of the
term "synchronous"?

Because that happens anyway. If I request a commit on a single,
unreplicated server, the server makes the commit visible to new
transactions and then sends me a message informing me that the commit
has completed. Since the message takes some finite time to reach me,
there is a window of time after the commit has completed and before I
know that the commit has been completed.

Suppose for the sake of argument that the single, unreplicated server
did these two tasks in the opposite order - namely, first, it sent a
message to the process requesting the commit stating that the commit
had completed, and only then made the transaction visible. This would
create a race condition: the process requesting the commit might
receive the commit and begin a new transaction before the previous
transaction had been made visible, and would therefore not be able to
see the results of its own previous actions. I think it's fair to say
that this behavior would be judged totally intolerable.

Therefore, there can't possibly be any applications out there which
are depending on the fact that commits don't become visible until they
are acknowledged, but there very well could be some applications which
depend on the fact that one commits are acknowledged, they are
visible. If replication is synchronous in this sense, then I can open
a connection to the master, write some data, close the connection,
open a new connection to the master or the slave (not caring which),
and read back the data that I just wrote (assuming no one else has
modified it in the mean time). If it isn't, then I can't. Some
people will not care about this, but some will.

The point here is that synchronous replication, at least to some
people, is going to imply that the user-visible states of the two
copies are consistent. To other people, it is going to imply that
committed transactions will never be lost even in the event of a
catastropic loss of the primary 1 picosecond after the commit is
acknowledged. We need to choose some word that implies that we are
guaranteeing the latter of these two things but not the former.
Otherwise, we will have confused users, and terminological confusion
when and if we ever implement the former as well.

...Robert

Might it not be true that anybody unfamiliar would be confused and that this
is a bit of a straw man?

[...]

If my application assumes that it can commit to one server, and then read
back the commit from another server, and my application breaks as a result,
it's because I didn't understand the problem. Even if PostgreSQL didn't use
the word "synchronous replication", I could still be confused. I need to
understand the problem no matter what words are used.

That is certainly true. But there is value in choosing words which
elucidate the situation as much as possible.

...Robert

On Sat, 2008-12-13 at 22:23 -0500, Robert Haas wrote:

If it's guaranteed to be visible on the standby after it's committed on
the master, and you don't have any way to make it actually simultaneous,
then that implies that it's visible on the slave for some brief period
of time before it's committed on the master.

That situation is still asymmetric, so why is that a better use of the
term "synchronous"?

Because that happens anyway. If I request a commit on a single,
unreplicated server, the server makes the commit visible to new
transactions and then sends me a message informing me that the commit
has completed. Since the message takes some finite time to reach me,
there is a window of time after the commit has completed and before I
know that the commit has been completed.

Oh, I see the distinction now.

Thanks for the detailed reply.

Regards,
Jeff Davis

The point here is that synchronous replication, at least to some
people, is going to imply that the user-visible states of the two
copies are consistent. To other people, it is going to imply that
committed transactions will never be lost even in the event of a
catastropic loss of the primary 1 picosecond after the commit is
acknowledged. We need to choose some word that implies that we are
guaranteeing the latter of these two things but not the former.
Otherwise, we will have confused users, and terminological confusion
when and if we ever implement the former as well.

Right. Before watching this thread, I had thought that the log
shipping sync replication behaves former (and I had told so to people
in Japan who are interested in 8.4 development. Of course this is my
fault, though).

Now I understand the log shipping sync replication does not behave
same as other "sync replications" such as pgpool and PGCluster (there
maybe more, but I don't know)
--
Tatsuo Ishii
SRA OSS, Inc. Japan

The point here is that synchronous replication, at least to some
people, is going to imply that the user-visible states of the two
copies are consistent. To other people, it is going to imply that
committed transactions will never be lost even in the event of a
catastropic loss of the primary 1 picosecond after the commit is
acknowledged. We need to choose some word that implies that we are
guaranteeing the latter of these two things but not the former.
Otherwise, we will have confused users, and terminological confusion
when and if we ever implement the former as well.

With apologies for replying to my own post:

It's also important to understand that these two invariants are
completely separate and it is possible to guarantee either without the
other. If you want (1), the standby needs to apply the WAL before
sending an acknowledgment to the primary but does not necessarily need
to write it to disk (of course, it will have to be written to disk
before the modified buffers are written to disk, but that's a separate
issue). If you want (2), the standby needs to write the WAL to disk
before sending the acknowledgment but does not necessarily need to
apply it. If you want both, then, you need to wait for both (and it's
worth noting that your performance will probably be nothing to write
home about).

I also did some research on terminology that has been used in the
literature. As Jim Gray describes it:

1-safe replication. Transaction is committed when it has been locally
WAL-logged to durable storage.
Group-safe replication. Transaction is committed when WAL has been
received by all remote servers, but not necessarily written to durable
storage.
Group-safe & 1-safe replication. Transaction is committed when it has
been locally WAL-logged to durable storage and WAL has been received
by all remote servers.
2-safe replication. Transaction is committed when it has been written
to durable storage on both local and remote servers.
Very safe replication. As 2-safe, but fails any read-write
transaction if the secondary is down.

(Actually, it appears that "Transaction Processing" Jim Gray and
Andreas Reuter, 1993 uses 2-safe to refer to either 2-safe or
group-safe; the distinction between the two is a subsequent
development. See e.g. Advances in Database Technology-EDBT 2004
by Elisa Bertino)

The term of art for making sure that transactions committed on the
primary are visible on the secondary seems to be "one-copy
serializability" (see, for example, a Google Books search on that
term).

...Robert

Robert Haas wrote:

On Sat, Dec 13, 2008 at 1:29 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

We won't call it anything, because we never will or can implement that.
See the theory of relativity: the notion of exactly simultaneous events

OK, fine. I'll be more precise. I think we need to reserve the term
"synchronous replication" for a system where transactions that begin
on the standby after the transactions has committed on the master see
the effects of the committed transaction.

Wouldn't this be serialized transactions?

I'd like to see proof of some sort that PostgreSQL guarantees that the
instant a 'commit' returns, any transactions already open with the
appropriate transaction isolation level, or any new sessions *will* see
the results of the commit.

I know that most of the time this happens - but what process
synchronization steps occur to *guarantee* that this happens?

I just googled "synchronous replication" and read through the first
page of hits. Most of them do not address the question of whether
synchronous replication can be said to have be completed when WAL has
been received by the standby not but yet applied. One of the ones
that does is:

http://code.google.com/p/google-mysql-tools/wiki/SemiSyncReplicationDesign

...which refers to what we're proposing to call "Synchronous
Replication" as "Semi-Synchronous Replication" (or 2-safe replication)
specifically to distinguish it. The other is:

http://www.cnds.jhu.edu/pub/papers/cnds-2002-4.pdf

...which doesn't specifically examine the issue but seems to take the
opposite position, namely that the server on which the transaction is
executed needs to wait only for one server to apply the changes to the
database (the others need only to know that they need to commit it;
they don't actually need to have done it). However, that same paper
refers to two-phase commit as a synchronous replication algorithm, and
Wikipedia's discussion of two-phase commit:

http://en.wikipedia.org/wiki/Two-phase_commit_protocol

...clearly implies that the transaction must be applied everywhere
before it can be said to have committed.

The second page of Google results is mostly a further discussion of
the MySQL solution, which is mostly described as "semi-synchronous
replication".

Simon Riggs said upthread that Oracle called this "synchronous redo
transport". That is obviously much closer to what we are doing than
"synchronous replication".

Two phase commit doesn't imply that the transaction is guaranteed to be
immediately visible. See my previous paragraph. Unless transactions are
locked from starting until they are able to prove that they have the
latest commit (a feat which I'm going to theorize as impossible -
because the moment you wait for a commit, and you begin again, you
really have no guarantee that another commit has not occurred in the
mean time), I think it's clear that two phase commit guarantees that the
commit has taken place, but does *not* guarantee anything about visibility.

It might be a good bet - but guarantee? There is no such guarantee.

Cheers,
mark

--
Mark Mielke <mark@mielke.cc>

Hi all,

I just wanted to point out a detail that I have not seen mentioned in
this thread (but I might have skipped some messages and I apologize in
advance if this is a duplicate).

What the application is going to see is a failure when the postmaster it
is connected to is going down. If this happen at commit time, I think
that there is no guarantee for the application to know what happened:
1. failure occurred before the request reached postmaster: no instance
committed
2. failure occurred during commit: might be committed on either nodes
3. failure occurred while sending back ack of commit to client: both
instances have committed
But for the client, it will all look the same: an error on commit.

This is just to point out that despite all your efforts, the client
might think that some transactions have failed (error on commit) but
they are actually committed. If you don't put some state in the driver
that is able to check at failover time if the commit operation succeeded
or not, it does not really matter what happens for in-flight
transactions (or in-commit transactions) at failure time. In all cases,
a manual inspection of the database logs will be required.
Actually, if there was a way to query the database about the status of a
particular transaction by providing a cluster-wide unique id, that would
help a lot. I wrote a paper on the issues with database replication at
Sigmod earlier this year (http://infoscience.epfl.ch/record/129042).
Even though it was targeted at middleware replication, I think that some
of it is still relevant for the problem at hand.

Regarding the wording, if experts can't agree, you can be sure that
users won't either. Most of them don't have a clue about the different
flavors of replication. So as long as you state clearly how it behaves
and define all the terms you use that should be fine.

manu

--
Emmanuel Cecchet
FTO @ Frog Thinker
Open Source Development & Consulting
--
Web: http://www.frogthinker.org
email: manu@frogthinker.org
Skype: emmanuel_cecchet

Robert Haas wrote:

The term of art for making sure that transactions committed on the
primary are visible on the secondary seems to be "one-copy
serializability" (see, for example, a Google Books search on that
term).

Not exactly. 1-copy-serializability which is the standard for
multi-master solutions, guarantees that transactions are executed in the
same serializable order at each replica (which means that transactions
can be executed in different order and committed at different times on
different replica as long as a consistent serializable view is presented
to the client).
There are a number of optimizations in that area but in a multi-master
case, replicas rarely commit at the same time. There are interesting
papers on the subject (like Tashkent & Tashkent+ based on Postgres) for
those who want to understand these problems more thoroughly.

Hope this helps,
manu

--
Emmanuel Cecchet
FTO @ Frog Thinker
Open Source Development & Consulting
--
Web: http://www.frogthinker.org
email: manu@frogthinker.org
Skype: emmanuel_cecchet

On Sun, 2008-12-14 at 13:31 +0900, Tatsuo Ishii wrote:

The point here is that synchronous replication, at least to some
people, is going to imply that the user-visible states of the two
copies are consistent. To other people, it is going to imply that
committed transactions will never be lost even in the event of a
catastropic loss of the primary 1 picosecond after the commit is
acknowledged. We need to choose some word that implies that we are
guaranteeing the latter of these two things but not the former.
Otherwise, we will have confused users, and terminological confusion
when and if we ever implement the former as well.

Right. Before watching this thread, I had thought that the log
shipping sync replication behaves former (and I had told so to people
in Japan who are interested in 8.4 development. Of course this is my
fault, though).

Now I understand the log shipping sync replication does not behave
same as other "sync replications" such as pgpool and PGCluster (there
maybe more, but I don't know)

GENERAL COMMENTS, not to anybody in particular:

'Tis but thy name that is my enemy.
...
What's in a name? That which we call a rose
By any other name would smell as sweet.
...

Juliet, from "Romeo and Juliet"

I am truly lost to understand why the *name* "synchronous replication"
causes so much discussion, yet nobody has discussed what they would
actually like the software to *do* (this being a software discussion
list...). AFAICS we can make the software behave like *any* of the
definitions discussed so far.

It is certainly far too early to say what the final exact behaviour will
be and there is no reason at all to pre-suppose that it need only be a
single behaviour. I'm in favour of options, generally, but I would say
that the distinction between some of these options is mostly very fine
and strongly doubt whether people would use them if they existed. *But*
I think we can add them at a later stage of development if requirements
genuinely exist once all the benefits *and* costs are understood.

I would also point out that the distinction made between various
meanings of synchronous is *only* important if Hot Standby is included
as well. And that is closely linked to the replication feature, which we
really need to complete first. We have much to do yet.

So let's please end the name debate there and think about software.

...

We can make the reply to a commit message when any of the following
events have occurred

1. We sent the message to standby
2. We received the message on standby
3. We wrote the WAL to the WAL file
4. We fsync'd the WAL file
5. We CRC checked the WAL commit record
6. We applied the WAL commit record

Now you might think from what people have said that having synchronised
contents on both primary and standby is the only way to achieve exactly
the same results to queries on both nodes. Another way is to utilise a
snapshot taken on the primary and simply wait until the standby catches
up with that snapshot's LSN. So there is more than one way of achieving
a particular result and it is not dependent upon the exact
synchronisation we employ at commit time.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Simon Riggs wrote:

I am truly lost to understand why the *name* "synchronous replication"
causes so much discussion, yet nobody has discussed what they would
actually like the software to *do* (this being a software discussion
list...). AFAICS we can make the software behave like *any* of the
definitions discussed so far.

I think people have talked about 'like' in the context of user
expectations. That is, there seems to exist a set of people (probably
those who've never worked with a multi-replica solution before) who
expect that once commit completes on one server, they can query any
other master or slave and be guaranteed visibility of the transaction
they just committed. These people may theoretically change their
decision to not use Postgres-R, or at least change their approach to how
they work with Postgres-R, if the name was in some way more intuitive to
them in terms of what is actually being provided.

"Synchronous replication" itself says only details about replication, it
does not say anything about visibility, so to some degree, people are
focusing on the wrong term as the problem. Even if it says "asynchronous
replication" - not sure that I care either way - this doesn't improve
the understanding for the casual user of what is happening behind the
scenes. Neither synchronous nor asynchronous guarantees that the change
will be immediately visible from other nodes after I type 'commit;'.
Asynchronous might err on the side of not immediately visible, where
synchronous might (incorrectly) imply immediate visibility, but it's not
an accurate guarantee to provide.

Synchronous does not guarantee visibility immediately after. Some
indefinite but usually short time must normally pass from when my
'commit;' completes until when the shared memory visible to my process
"sees" the transaction. Multiple replicas with network latency or
reliability issues increases the theoretical minimum size of this window
to something that would be normally encountered as opposed to something
that is normally not encountered.

The only way to guarantee visibility is to ensure that the new
transaction is guaranteed to be visible from a shared memory perspective
on every machine in the pool, and every active backend process. If my
'commit;' is going to wait for this to occur, first, I think this forces
every commit to have numerous network round trips to each machine in the
pool, it forces each machine in the pool to be network accessible and
responsive, it forces all commits to be serialized in the sense of "the
slowest machine in the pool determines the time for my commit to
complete", and I think it implies some sort of inter-process signalling,
or at the very least CPU level signalling about shared memory (in the
case of multiple CPUs).

People such as myself think that a visibility guarantee is unreasonable
and certain to cause scalability or reliability problems. So, my 'like'
is an efficient multi-master solution where if I put 10 machines in the
pool, I expect my normal query/commit loads to approach 10X as fast. My
like prefers scalability over guarantees that may be difficult to
provide, and probably are not provided today even in a single server
scenario.

It is certainly far too early to say what the final exact behaviour will
be and there is no reason at all to pre-suppose that it need only be a
single behaviour. I'm in favour of options, generally, but I would say
that the distinction between some of these options is mostly very fine
and strongly doubt whether people would use them if they existed. *But*
I think we can add them at a later stage of development if requirements
genuinely exist once all the benefits *and* costs are understood.

The above 'commit;' behaviour difference - whether it completes when the
commit is permanent (it definitely will be applied for certain to all
replicas - it just may take time to apply to all replicas), or when the
commit has actually taken effect (two-phase commit on all replicas - and
both phases have completed on all replicas - what happens if second
phase commit fails on one or more servers?), or when the commit is
guaranteed to be visible from all existing and new sessionss (two-phase
commit plus additional signalling required?) might be such an option.

I'm doubtful, though - as the difference in implementation between the
first and second is pretty significant.

I'm curious about your suggestion to direct queries that need the latest
snapshot to the 'primary'. I might have misunderstood it - but it seems
that the expectation from some is that *all* sessions see the latest
snapshot, so would this not imply that all sessions would be redirect to
the 'primary'? I don't think it is reasonable myself, but I might be
misunderstanding something...

Cheers,
mark

--
Mark Mielke <mark@mielke.cc>

We can make the reply to a commit message when any of the following
events have occurred

1. We sent the message to standby
2. We received the message on standby
3. We wrote the WAL to the WAL file
4. We fsync'd the WAL file
5. We CRC checked the WAL commit record
6. We applied the WAL commit record

Also

0. The same time we would have done so if replication had not been
configured at all.

I think the basic problem here is that we can talk about "asynchronous
replication" and "synchronous replication" but there are n>2
possible/useful behaviors (I would guess principally 0, 2, 4, and 6,
but YMMV). So we're going to need some way to clarify what we mean.

BTW, in case my previous emails on this topic might have given someone
the contrary impression, I'm not really that worked up about this
either. Interesting? Yes. Have opinions? Yes. Lie awake nights
worrying about it? Nope. :-)

...Robert

Mark Mielke wrote:

Forget replication - even for the exact same server - I don't expect
that if I commit from one session, I will be able to see the change
immediately from my other session or a new session that I just opened.
Perhaps this is often stable to rely on this, and it is useful for the
database server to minimize the window during which the commit becomes
visible to others, but I think it's a false expectation from the start
that it absolutely will be immediately visible to another session. I'm
thinking of situations where some part of the table is in cache. The
only way the commit can communicate that the new transaction is
available is by during communication between the processes or threads,
or between the multiple CPUs on the machine. Do I want every commit to
force each session to become fully in alignment before my commit
completes? Does PostgreSQL make this guarantee today? I bet it doesn't
if you look far enough into the guts. It might be very fast - I don't
think it is infinitely fast.

FYI: I haven't been able to prove this. Multiple sessions running on my
dual-core CPU seem to be able to see the latest commits before they
begin executing. Am I wrong about this? Does PostgreSQL provide a
intentional guarantee that a commit from one session that completes
immediately followed by a query from another session will always find
the commit effect visible (provide the transaction isolation level
doesn't get in the way)? Or is the machine and algorithms just fast
enough that by the time it executes the query (up to 1 ms later) the
commit is always visible in practice?

Cheers,
mark

--
Mark Mielke <mark@mielke.cc>

Mark Mielke wrote:

Mark Mielke wrote:

Forget replication - even for the exact same server - I don't expect
that if I commit from one session, I will be able to see the change
immediately from my other session or a new session that I just opened.
Perhaps this is often stable to rely on this, and it is useful for the
database server to minimize the window during which the commit becomes
visible to others, but I think it's a false expectation from the start
that it absolutely will be immediately visible to another session. I'm
thinking of situations where some part of the table is in cache. The
only way the commit can communicate that the new transaction is
available is by during communication between the processes or threads,
or between the multiple CPUs on the machine. Do I want every commit to
force each session to become fully in alignment before my commit
completes? Does PostgreSQL make this guarantee today? I bet it doesn't
if you look far enough into the guts. It might be very fast - I don't
think it is infinitely fast.

FYI: I haven't been able to prove this. Multiple sessions running on my
dual-core CPU seem to be able to see the latest commits before they
begin executing. Am I wrong about this? Does PostgreSQL provide a
intentional guarantee that a commit from one session that completes
immediately followed by a query from another session will always find
the commit effect visible (provide the transaction isolation level
doesn't get in the way)?

Yes. PostgreSQL does guarantee that, and I would expect any other DBMS
to do the same.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Le 14 déc. 08 à 16:48, Simon Riggs a écrit :

I am truly lost to understand why the *name* "synchronous replication"
causes so much discussion, yet nobody has discussed what they would
actually like the software to *do* (this being a software discussion
list...). AFAICS we can make the software behave like *any* of the
definitions discussed so far.

It seems that the easy parts are the one the more people will
participate into. Maybe that's that simple.

We can make the reply to a commit message when any of the following
events have occurred

1. We sent the message to standby
2. We received the message on standby
3. We wrote the WAL to the WAL file
4. We fsync'd the WAL file
5. We CRC checked the WAL commit record
6. We applied the WAL commit record

Ok, so let's talk about this easy part: my understanding of
"synchronous replication" is that it gives to its users the strong
guarantee that at commit time the transaction is secured to the
slave(s). That means you get the D of ACID on more than one server.

Why synchronous? Because you know the durability is ensured exactly
when you receive the COMMIT ack.

So I'm with Simon on this, the term Synchronous Replication does
describe accurately what's being implemented here, and on the other
hand, as so many of us are saying, it's true that it tells very little
about it. Those 6 options are all in the scope of the infamous naming,
just different guarantees level, from almost strong to very strong,
with some "almost, but not quite, entirely unlike the strong I want".
Pick your naming here too.

At least, that's how I'm understanding this, the bottom line of why
care sending this email is that maybe it'll help some people to
recover from sleep deprivation ;)

My 2¢,
- --
dim

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAklFcEsACgkQlBXRlnbh1bk0YwCfa+zGBKTK5EoH/Nmu0x+R6vKI
buAAniyL6Z+3MdT4rim5/xZQvdr4QOIQ
=iHnY
-----END PGP SIGNATURE-----

Robert Haas wrote:

We can make the reply to a commit message when any of the following
events have occurred

1. We sent the message to standby
2. We received the message on standby
3. We wrote the WAL to the WAL file
4. We fsync'd the WAL file
5. We CRC checked the WAL commit record
6. We applied the WAL commit record

Perhaps it'd be useful if the failure modes these are trying to
protect against were described too.

If I understand right.

1. Protects all the transactions from the failure of the
master; so long as neither the network nor the slave
machine die soon?

2. Protects all the transactions from the failure of the
master and the network between the slave and master,
so long as the slave doesn't die soon?

3. Same as #2?

4. Protects against the failure of the master, the network,
and parts of the slave; so long as the slave's disk
survives the failure?

5. Protects against all of the above, and bit-errors in the
memories of the slave machine (except the slave's disk
controller?)? Or are we reading-back the CRC from the
slave's disk and comparing to the CRC computed on the
master where it might protect from even more?

6. Same as 4?

If this is right, #2, #3, #4, and #6 feel similar except
that they're protecting against failures of different (but
still all incomplete) subsets of the hardware on the slave, right?

Heikki Linnakangas wrote:

Mark Mielke wrote:

FYI: I haven't been able to prove this. Multiple sessions running on
my dual-core CPU seem to be able to see the latest commits before
they begin executing. Am I wrong about this? Does PostgreSQL provide
a intentional guarantee that a commit from one session that completes
immediately followed by a query from another session will always find
the commit effect visible (provide the transaction isolation level
doesn't get in the way)?

Yes. PostgreSQL does guarantee that, and I would expect any other DBMS
to do the same.

Where does the expectation come from? I don't recall ever reading it in
the documentation, and unless the session processes are contending over
the integers (using some sort of synchronization primitive) in memory
that represent the "latest visible commit" on every single select, I'm
wondering how it is accomplished? If they are contending over these
integers, doesn't that represent a scaling limitation, in the sense that
on a 32-core machine, they're going to be fighting with each other to
get the latest version of these shared integers into the CPU for
processing? Maybe it's such a small penalty that we don't care? :-)

I was never instilled with the logic that 'commit in one session
guarantees visibility of the effects in another session'. But, as I say
above, I wasn't able to make PostgreSQL "fail" in this regard. So maybe
I have no clue what I am talking about? :-)

If you happen to know where the code or documentation makes this
promise, feel free to point it out. I'd like to review the code. If you
don't know - don't worry about it, I'll find it later...

Cheers,
mark

--
Mark Mielke <mark@mielke.cc>

When the database says the data is committed it has to mean the data
is really committed. Imagine if you looked at a bank account balance
after withdrawing all the money and saw a balance which didn't reflect
the withdrawal and allowed you to withdraw more money again...

--
Greg

On 14 Dec 2008, at 14:44, Mark Mielke <mark@mark.mielke.cc> wrote:

Show quoted text

Mark Mielke wrote:

Forget replication - even for the exact same server - I don't
expect that if I commit from one session, I will be able to see the
change immediately from my other session or a new session that I
just opened. Perhaps this is often stable to rely on this, and it
is useful for the database server to minimize the window during
which the commit becomes visible to others, but I think it's a
false expectation from the start that it absolutely will be
immediately visible to another session. I'm thinking of situations
where some part of the table is in cache. The only way the commit
can communicate that the new transaction is available is by during
communication between the processes or threads, or between the
multiple CPUs on the machine. Do I want every commit to force each
session to become fully in alignment before my commit completes?
Does PostgreSQL make this guarantee today? I bet it doesn't if you
look far enough into the guts. It might be very fast - I don't
think it is infinitely fast.

FYI: I haven't been able to prove this. Multiple sessions running on
my dual-core CPU seem to be able to see the latest commits before
they begin executing. Am I wrong about this? Does PostgreSQL provide
a intentional guarantee that a commit from one session that
completes immediately followed by a query from another session will
always find the commit effect visible (provide the transaction
isolation level doesn't get in the way)? Or is the machine and
algorithms just fast enough that by the time it executes the query
(up to 1 ms later) the commit is always visible in practice?

Cheers,
mark

--
Mark Mielke <mark@mielke.cc>

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

If this is right, #2, #3, #4, and #6 feel similar except
that they're protecting against failures of different (but
still all incomplete) subsets of the hardware on the slave, right?

Right. Actually, the biggest difference with #6 has nothing to do
with protecting against failures. It has rather to do with the ease
of writing applications in the context of hot standby. You can close
your connection, open a connection to a different server, and know
that your transactions will be reflected there. On the other hand,
I'd be surprised if it didn't come with a substantial performance
penalty, so it may not be too practical in real life even if it sounds
good on paper.

#1 , #3, and #5 don't feel that useful to me. In the case of #1,
sending your WAL over the network and then not checking that it got
there is sort of silly: the likelihood of packet loss on the network
has got to be several orders of magnitude more likely than a failure
on the master. #3 and #5 just don't seem to provide any real benefits
over their immediate predecessors.

Honestly, I think the most useful thing is probably going to be
asynchronous replication: in other words, when a commit is requested
on the master, we write WAL and return success. In the background, we
stream the WAL to a secondary, which writes it and applies it. This
will give us a secondary which is mostly up to date (and can run
queries, with hot standby) without killing performance. The other
options are going to be for environments where losing a transaction is
really, really bad, or (in the case of #6) read-mostly environments
where it's useful to spread the query load out across several servers,
but the overhead associated with waiting for the rare write
transactions to apply everywhere is tolerable.

...Robert

Greg Stark wrote:

When the database says the data is committed it has to mean the data
is really committed. Imagine if you looked at a bank account balance
after withdrawing all the money and saw a balance which didn't reflect
the withdrawal and allowed you to withdraw more money again...

Within the same session - sure. From different sessions? PostgeSQL MVCC
let's you see an older snapshot, although it does prefer to have the
latest snapshot with each command.

For allowing to withdraw more money again, I would expect some sort of
locking "SELECT ... FOR UPDATE;" to be used. This lock then forces the
two transactions to become serialized and the second will either wait
for the first to complete or fail. Any banking program that assumed that
it could SELECT to confirm a balance and then UPDATE to withdraw the
money as separate instructions would be a bad banking program. To
exploit it, I would just have to start both operations at the same time
- they both SELECT, they both see I have money, they both give me the
money and UPDATE, and I get double the money (although my balance would
show a big negative value - but I'm already gone...). Database 101.

When I asked for "does PostgreSQL guarantee this?" I didn't mean hand
waving examples or hand waving expectations. I meant a pointer into the
code that has some comment that says "we want to guarantee that a commit
in one session will be immediately visible to other sessions, and that a
later select issued in the other sessions will ALWAYS see the commit
whether 1 nanosecond later or 200 seconds later" Robert's expectation
and yours seem like taking this "guarantee" for granted rather than
being justified with design intent and proof thus far. :-) Given my
experiment to try and force it to fail, I can see why this would be
taken for granted. Is this a real promise, though? Or just a unlikely
scenario that never seems to be hit?

To me, the question is relevant in terms of the expectations of a
multi-replica solution. We know people have the expectation. We know it
can be convenient. Is the expectation valid in the first place?

I've probably drawn this question out too long and should do my own
research and report back... Sorry... :-)

Cheers,
mark

--
Mark Mielke <mark@mielke.cc>

Mark Mielke wrote:

When I asked for "does PostgreSQL guarantee this?" I didn't mean hand
waving examples or hand waving expectations. I meant a pointer into the
code that has some comment that says "we want to guarantee that a commit
in one session will be immediately visible to other sessions, and that a
later select issued in the other sessions will ALWAYS see the commit
whether 1 nanosecond later or 200 seconds later" Robert's expectation
and yours seem like taking this "guarantee" for granted rather than
being justified with design intent and proof thus far. :-) Given my
experiment to try and force it to fail, I can see why this would be
taken for granted. Is this a real promise, though?

Yes.

In a nutshell, commit works like this:

1. Write and flush WAL record about the commit
2. Mark the transaction as committed in clog
3. Remove the xid from the shared memory ProcArray.
4. Release locks and other resources
5. Reply to client that the transaction has been committed.

After step 3, any backend taking a snapshot will see the transaction as
committed. Since we only reply to the client at step 5, it is guaranteed
that a transaction beginning after step 5, as well as an already open
transaction taking a new snapshot (ie. running a new command in read
committed mode) after that will see the transaction as committed.

The relevant code is in CommitTransaction() in xact.c.

To me, the question is relevant in terms of the expectations of a
multi-replica solution. We know people have the expectation.

Yeah, I think Robert is right. We should reserve the term "synchronous
replication" for the mode where that guarantee holds for the slave as well.

In fact, waiting for reply from standby server before acknowledging a
commit to the client is a bit pointless otherwise. It puts you in a
strange situation, where you're waiting for the commits in normal
operation, but if there's a network glitch or the standby goes down,
you're willing to go ahead without it. You get a high guarantee that
your data is up-to-date in the standby, except when it isn't. Which
isn't much of a guarantee.

But with hot standby, it makes a lot of sense. The guarantee is that if
the standby is accepting queries, it's up-to-date with the primary.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

Mark Mielke wrote:

Where does the expectation come from? I don't recall ever reading it in
the documentation, and unless the session processes are contending over
the integers (using some sort of synchronization primitive) in memory
that represent the "latest visible commit" on every single select, I'm
wondering how it is accomplished?

The "integers" you're imagining are the ProcArray. Every backend has an
entry there, and among other things it contains the current XID the
backend is running. When a backend takes a new snapshot (on every single
select in read committed mode), it locks the ProcArray, scans all the
entries and collects all the XIDs listed there in the snapshot. Those
are the set of transactions that were running when the snapshot was
taken, and is used in the visibility checks.

If they are contending over these
integers, doesn't that represent a scaling limitation, in the sense that
on a 32-core machine, they're going to be fighting with each other to
get the latest version of these shared integers into the CPU for
processing? Maybe it's such a small penalty that we don't care? :-)

The ProcArrayLock is indeed quite busy on systems with a lot of CPUs.
It's held for such short times that it's not a problem usually, but it
can become a bottleneck with a machine like that with all backends
running small transactions.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

On Sun, 2008-12-14 at 12:57 -0500, Mark Mielke wrote:

I'm curious about your suggestion to direct queries that need the
latest
snapshot to the 'primary'. I might have misunderstood it - but it
seems
that the expectation from some is that *all* sessions see the latest
snapshot, so would this not imply that all sessions would be redirect
to
the 'primary'? I don't think it is reasonable myself, but I might be
misunderstanding something...

I said "a snapshot taken on the primary", but the query would run on the
standby.

Synchronising primary and standby so that they are identical from the
perspective of a query requires some synchronisation delay. I'm pointing
out that the synchronisation delay can occur

* at the time we apply WAL - which will slow down commits (i.e. #6 on my
previous list of options)
* at the time we run a query that needs to see primary and standby
synchronised

So the same effect can be achieved in various ways.

The first way would require *all* transactions to be applied on standby,
i.e. option #6 for all transactions. That is a performance disaster and
I would not force that onto everybody.

The second way can be done by taking a snapshot on the primary, with an
associated LSN, then using that snapshot on the standby. That is
somewhat complex, but possible. I see the requirement for getting the
same answer on multiple nodes as a further extension of "transaction
isolation mode" and think that not all people will want this, so we
should allow that as an option.

I'm not going to worry about this at the moment. Hot standby will be
useful without this and so I regard this as a secondary objective. Rome
wasn't built in a single release, or something like that.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

On Sun, 2008-12-14 at 21:41 -0500, Robert Haas wrote:

If this is right, #2, #3, #4, and #6 feel similar except
that they're protecting against failures of different (but
still all incomplete) subsets of the hardware on the slave, right?

Right. Actually, the biggest difference with #6 has nothing to do
with protecting against failures. It has rather to do with the ease
of writing applications in the context of hot standby. You can close
your connection, open a connection to a different server, and know
that your transactions will be reflected there. On the other hand,
I'd be surprised if it didn't come with a substantial performance
penalty, so it may not be too practical in real life even if it sounds
good on paper.

#1 , #3, and #5 don't feel that useful to me.

Yes, looks that way for me also.

Good analysis Ron. I agree with Robert that #6 is there for other
reasons.

#2 corresponds to DRBD algorithm B

#4 corresponds to DRBD algorithm C

Fujii-san, please can we incorporate those two options, rather than just
one choice "synchronous_replication = on". They look like two commonly
requested options.

#6 is an additional synchronization step in Hot Standby. I would say
that people won't want that when they see how it performs (they probably
won't want #4 either for that same reason, but that is for robustness).

Also, I would point out that the class of synch_rep is selected by the
user on the primary and can vary from transaction to transaction. That
is a very good thing, as far as I am concerned. We would need to enforce
#6 for all transactions (if we implemented synchronisation in this way).

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

Simon Riggs wrote:

I am truly lost to understand why the *name* "synchronous replication"
causes so much discussion, yet nobody has discussed what they would
actually like the software to *do*

It's the color of the bikeshed ...

We can make the reply to a commit message when any of the following
events have occurred

1. We sent the message to standby
2. We received the message on standby
3. We wrote the WAL to the WAL file
4. We fsync'd the WAL file
5. We CRC checked the WAL commit record
6. We applied the WAL commit record

In DRBD tradition, I suggest you implement all of them, or at least
factor the code so that each of them can be a one line change. (We can
probably later drop one or two options.)

In fact, waiting for reply from standby server before acknowledging a commit
to the client is a bit pointless otherwise. It puts you in a strange
situation, where you're waiting for the commits in normal operation, but if
there's a network glitch or the standby goes down, you're willing to go
ahead without it. You get a high guarantee that your data is up-to-date in
the standby, except when it isn't. Which isn't much of a guarantee.

It protects you against a catastrophic loss of the primary, which is a
non-trivial consideration. At the risk of being ghoulish, imagine
that you are a large financial company headquartered in the world
trade center.

...Robert

It's a real promise. The reason you're getting hand-wavy answers is
because it's such a basic requirement that I'm trying to point out
just how fundamental a requirement it is.

If you want to see the actual code which guarantees this take a look
around the code for procarray - in particular the code for taking a
snapshot. There are comments there about what locks are needed when
committing and when taking a snapshot and why. But it's quite technical.

--
Greg

On 15 Dec 2008, at 02:03, Mark Mielke <mark@mark.mielke.cc> wrote:

Show quoted text

Greg Stark wrote:

When the database says the data is committed it has to mean the
data is really committed. Imagine if you looked at a bank account
balance after withdrawing all the money and saw a balance which
didn't reflect the withdrawal and allowed you to withdraw more
money again...

Within the same session - sure. From different sessions? PostgeSQL
MVCC let's you see an older snapshot, although it does prefer to
have the latest snapshot with each command.

For allowing to withdraw more money again, I would expect some sort
of locking "SELECT ... FOR UPDATE;" to be used. This lock then
forces the two transactions to become serialized and the second will
either wait for the first to complete or fail. Any banking program
that assumed that it could SELECT to confirm a balance and then
UPDATE to withdraw the money as separate instructions would be a bad
banking program. To exploit it, I would just have to start both
operations at the same time - they both SELECT, they both see I have
money, they both give me the money and UPDATE, and I get double the
money (although my balance would show a big negative value - but I'm
already gone...). Database 101.

When I asked for "does PostgreSQL guarantee this?" I didn't mean
hand waving examples or hand waving expectations. I meant a pointer
into the code that has some comment that says "we want to guarantee
that a commit in one session will be immediately visible to other
sessions, and that a later select issued in the other sessions will
ALWAYS see the commit whether 1 nanosecond later or 200 seconds
later" Robert's expectation and yours seem like taking this
"guarantee" for granted rather than being justified with design
intent and proof thus far. :-) Given my experiment to try and force
it to fail, I can see why this would be taken for granted. Is this a
real promise, though? Or just a unlikely scenario that never seems
to be hit?

To me, the question is relevant in terms of the expectations of a
multi-replica solution. We know people have the expectation. We know
it can be convenient. Is the expectation valid in the first place?

I've probably drawn this question out too long and should do my own
research and report back... Sorry... :-)

Cheers,
mark

--
Mark Mielke <mark@mielke.cc>

Robert Haas wrote:

In fact, waiting for reply from standby server before acknowledging a commit
to the client is a bit pointless otherwise. It puts you in a strange
situation, where you're waiting for the commits in normal operation, but if
there's a network glitch or the standby goes down, you're willing to go
ahead without it. You get a high guarantee that your data is up-to-date in
the standby, except when it isn't. Which isn't much of a guarantee.

It protects you against a catastrophic loss of the primary, which is a
non-trivial consideration. At the risk of being ghoulish, imagine
that you are a large financial company headquartered in the world
trade center.

So you'd want all commits to wait until the transaction is safely
replicated in the standby. But if there's a network glitch, or the
standby is restarted, you're happy to reply to the client that it's
committed if it's only safely committed in the primary. Essentially, you
wait for the reply as long the standby responds within X seconds, but if
it takes more then Y seconds, you don't wait. I know that people do
that, but it seems counterintuitive to me. In that case, when the
primary acks the transaction as committed, you only know that it's
safely committed in the primary; it doesn't give any hard guarantee
about the state in the standby.

But when you consider the possibility to use the standby for queries,
the synchronous mode makes sense too.

I'm not opposed to providing all the options, but the synchronous mode
where we can guarantee that if you query the standby, you will see the
effects of all transactions committed in the primary, makes the
synchronous mode much more interesting. If you don't need that property,
you're most likely more happy with asynchronous mode anyway.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

* Robert Haas <robertmhaas@gmail.com> [081215 07:32]:

In fact, waiting for reply from standby server before acknowledging a commit
to the client is a bit pointless otherwise. It puts you in a strange
situation, where you're waiting for the commits in normal operation, but if
there's a network glitch or the standby goes down, you're willing to go
ahead without it. You get a high guarantee that your data is up-to-date in
the standby, except when it isn't. Which isn't much of a guarantee.

It protects you against a catastrophic loss of the primary, which is a
non-trivial consideration. At the risk of being ghoulish, imagine
that you are a large financial company headquartered in the world
trade center.

This was exacty my original point - I want the transaction durably on
the slave before the commit is acknowledged (to build as much local
redunancy as I can), but I certatily *don't* want to loose the ability
to use WAL archiving, because I ship my WAL off-site too...

The ability to have an extra local copy is good. But I'm certainly not
going to want to give up my off-site backup/WAL for it...

a.

--
Aidan Van Dyk Create like a god,
aidan@highrise.ca command like a king,
http://www.highrise.ca/ work like a slave.

So you'd want all commits to wait until the transaction is safely replicated
in the standby. But if there's a network glitch, or the standby is
restarted, you're happy to reply to the client that it's committed if it's
only safely committed in the primary. Essentially, you wait for the reply as
long the standby responds within X seconds, but if it takes more then Y
seconds, you don't wait. I know that people do that, but it seems
counterintuitive to me. In that case, when the primary acks the transaction
as committed, you only know that it's safely committed in the primary; it
doesn't give any hard guarantee about the state in the standby.

I understand you're point, but I think there's still a use case. The
idea is that declaring the secondary dead is a rare event, and there's
some mechanism by which you're enabled to page your network staff, and
they hightail it into the office to fix the problem. It might not be
the way that you want to run your system, but I don't think it's
unreasonable for someone else to want it.

But when you consider the possibility to use the standby for queries, the
synchronous mode makes sense too.
I'm not opposed to providing all the options, but the synchronous mode where
we can guarantee that if you query the standby, you will see the effects of
all transactions committed in the primary, makes the synchronous mode much
more interesting. If you don't need that property, you're most likely more
happy with asynchronous mode anyway.

I agree that asynchronous mode will be the right solution for a very
large subset of our users.

...Robert

Fujii-san,

Just repeating this in case you lost this comment:

On Mon, 2008-12-15 at 09:40 +0000, Simon Riggs wrote:

Fujii-san, please can we incorporate those two options, rather than just
one choice "synchronous_replication = on". They look like two commonly
requested options.

I see the comment in line 230+ of walreceiver.c, so understand that you
have implemented option #3 from the following list.

So from my previous list

1. We sent the message to standby (A)
2. We received the message on standby
3. We wrote the WAL to the WAL file (B)
4. We fsync'd the WAL file (C)
5. We CRC checked the WAL commit record
6. We applied the WAL commit record

Please could you also add an option #4, i.e. add the *option* to fsync
the WAL to disk at commit time also. That requires us to add a third
option to synchronous_replication parameter.

That then means we will have robustness options that map directly to
DRBD algorithms A, B and C (shown in brackets in the above list). I
believe these map also to Data Guard options Maximum Performance and
Maximum Availability.

AFAICS if we implement the additional items I've requested over the last
few days, then the architecture is now at a good point for 8.4 and we
can begin to look at low level implementation details. Or put another
way, I'm not expecting to come up with more architecture changes.

#6 is an additional synchronization step in Hot Standby. I would say
that people won't want that when they see how it performs (they probably
won't want #4 either for that same reason, but that is for robustness).

We can jointly add option #6 once we have both sync rep and hot standby
committed, or at a late stage of hot standby development. There's not
much point looking at it before then.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support

On Mon, 2008-12-15 at 09:19 -0500, Robert Haas wrote:

I understand you're point, but I think there's still a use case. The
idea is that declaring the secondary dead is a rare event, and there's
some mechanism by which you're enabled to page your network staff, and
they hightail it into the office to fix the problem. It might not be
the way that you want to run your system, but I don't think it's
unreasonable for someone else to want it.

Agreed: there's an analogy to RAID here. When a disk goes out, it still
allows writes, but moves to a degraded state. Hopefully your monitoring
system notifies you, and you fix it.

Also, let's say that the standby suffers catastrophic storage failure.
Now you only have your data on one server anyway (the primary).
Rejecting new transactions from committing doesn't save all the old
transactions in the event of a subsequent storage failure on the
primary.

I'm not advocating this option in particular, other than saying that it
seems like a reasonable option to me.

Regards,
Jeff Davis

Peter Eisentraut wrote:

Simon Riggs wrote:

I am truly lost to understand why the *name* "synchronous replication"
causes so much discussion, yet nobody has discussed what they would
actually like the software to *do*

It's the color of the bikeshed ...

Hmmm. I thought this was pretty clear. There's three levels of synch
which are useful features:

1) "synchronus" standby which is really asynchronous, but only has a gap
of < 100ms.

2) Synchronous standby which guarentees that all committed transactions
are on the failover node and that no data will be lost for failover, but
the failover node is still in standby mode.

3) Synchronous replication where the standby node has identical
transactions to the master node, and is queryable read-only.

Any of these levels would be useful and allow a certain number of our
users to deploy PostgreSQL in an environment where it wasn't used
before. So if we can only do (2) for 8.4, that's still very useful for
telecoms and banks.

--Josh

Josh Berkus wrote:

Hmmm. I thought this was pretty clear. There's three levels of synch
which are useful features:

1) "synchronus" standby which is really asynchronous, but only has a gap
of < 100ms.

2) Synchronous standby which guarentees that all committed transactions
are on the failover node and that no data will be lost for failover, but
the failover node is still in standby mode.

3) Synchronous replication where the standby node has identical
transactions to the master node, and is queryable read-only.

Any of these levels would be useful....

Isn't the "queryable read-only" feature totally orthogonal with
how synchronous the replication is?

For one reporting system I have, where new data is continually
being added every second; I'd love to have a read-only-slave
even if that system has the "100ms" gap you mentioned in #1.

Heck I don't care if the queries it runs even have a 100 *minute*
gap; but I sure would like it to be synchronous in the sense
that all the transactions to survive a failure of the primary.

Isn't the "queryable read-only" feature totally orthogonal with
how synchronous the replication is?

Yes. However, it introduces specific difficult issues which an
unreadable synchronous slave does not have.

--Josh

On Mon, 2008-12-15 at 13:43 -0800, Josh Berkus wrote:

Isn't the "queryable read-only" feature totally orthogonal with
how synchronous the replication is?

Yes. However, it introduces specific difficult issues which an
unreadable synchronous slave does not have.

Don't think it's hugely difficult, but there are multiple ways of doing
this. But it is irrelevant until we have the basic ability to run
queries.

I've explained this twice now on different parts of this thread. Could I
politely direct your attention to those posts?

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support