Remaining Streaming Replication Open Items

On Tue, Apr 6, 2010 at 4:09 PM, Heikki Linnakangas
<heikki.linnakangas@enterprisedb.com> wrote:

I triaged the list of open items on the Streaming Replication wiki page.
I propose that we drop the ones I've marked as Drop below, and move the
remaining items to the main Open Items page for better visibility. And
of course try to resolve them as quickly as possible.

Thanks so much!!

    *  Walsender and dblink are not interruptible on win32. - related thread

I'd actually be happy to just leave it for 9.0, but it seems like
consensus has been reached on how to fix it, and Fujii is working on a
patch, so let's follow that through.

Yeah, I'm reworking the patch, but I'd like to take aim at only walreceiver
because the change for dblink might become too big at this point. Since no
one has complained about the long-term problem of dblink, I'm no sure it
really should be fixed right now.

    * Add the GUC parameter to specify the maximum number of log file segments held in pg_xlog directory to send to the standby server. Which is useful to avoid disk full in the primary.

Not only to avoid disk full in primary but also to make it feasible to
use streaming replication without archiving. It's a small change, we
should do it.

Yep.

    * pg_xlogfile_name(pg_last_xlog_receive/replay_location()) might report the wrong name. Because a backend cannot know the actual timeline which is related to the location.

Drop. It's not clear which timeline those functions should return in
boundary cases, when replaying records from a log file where the
timeline-switch occurs.

OK, but we need to add the note about that confusing behavior.
How about?:

diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml
index 57163da..da3253f 100644
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -13206,6 +13206,8 @@ postgres=# SELECT * FROM
pg_xlogfile_name_offset(pg_stop_backup());
     This is usually the desired behavior for managing transaction log archiving
     behavior, since the preceding file is the last one that currently
     needs to be archived.
+    Note that <function>pg_xlogfile_name</> and
<function>pg_xlogfile_name_offset</>
+    always return an inaccurate result during recovery.
    </para>

<para>
@@ -13279,6 +13281,11 @@ postgres=# SELECT * FROM
pg_xlogfile_name_offset(pg_stop_backup());
</table>

    <para>
+    Note that <function>pg_xlogfile_name</> and
<function>pg_xlogfile_name_offset</>
+    always return an inaccurate result from any of the above locations.
+   </para>
+
+   <para>
     The functions shown in <xref linkend="functions-admin-dbsize"> calculate
     the disk space usage of database objects.
    </para>

    * The documentation needs to be improved.

I've done as much as I can on my own, what we need now is feedback on
what needs to be improved. So I'd like to drop this, but let's add new
more specific items about what needs to be improved, as people speak up.

Yep.

    * Redefine smart shutdown in standby mode?

Drop. Too big a change at this point.

I don't think that it's too big, but OK. And, ISTM we need to add the note
about the longstanding confusing behavior if it's dropped. How about?:

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 594bd7d..f8899e4 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1339,6 +1339,7 @@ echo -17 > /proc/self/oom_adj
        active, new connections will still be allowed, but only to superusers
        (this exception allows a superuser to connect to terminate
        online backup mode).
+       If the server is in recovery, it additionally waits for recovery to end.
       </para>
      </listitem>
     </varlistentry>

    * Quotes can't be escaped in recovery.conf

Under discussion. Not specific to streaming replication, and it's a
pre-existing issue, but should be fixed IMHO.

Yep.

    * Change the "standby mode" name.

Bikeshedding without consensus. I like the "standby mode" the best as
discussed on that thread, better than any of the proposed alternatives.
Drop this item.

Yep.

    * Fix things so that any such variables inherited from the server environment are intentionally *NOT* used for making SR connections.

Drop. Besides, we have the same problem with dblink, and I don't recall
anyone complaining.

Yep, but I don't think that dblink has the same issue because it's often
used to connect to another database on the same postgres instance, which
seems proper method. The problem is that walreceiver might wrongly connect
to *its* server and get stuck because no WAL records arrive for ever.
Since currently we don't allow the standby to accept the replication
connection, the problem will not happen in 9.0, and ISTM we don't need
to address it right now. So I agree to drop.

    * If standby_mode is enabled, and neither primary_conninfo nor restore_command are set, the standby would get stuck.

It's not really stuck, it will replay any WAL files you drop into
pg_xlog. I concur with Robert Haas though that it shouldn't print the
message to the log every few seconds. It should print a message the
first time it hits the end of WAL, but subsequent messages should be
suppressed until some progress has been made.

Yep, but it seems difficult to implement that. So I'd drop the suppression.

    * Remove the unnecessary section about HS from recovery.conf.sample

Yeah, let's do it.

Yep.

    * The replication connections consume superuser_reserved_connections slots.

I'd still like to change this slightly, per my suggestion on that
thread, but I don't feel strongly about it. It doesn't seem like a very
big change to me, but Tom felt otherwise.

I feel the same.

    * Add missing description about WAL-logging.

Small documentation change. Needs to be done I guess.

Yep.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

I wrote my previous email before reading this.

On Tue, Apr 6, 2010 at 3:09 AM, Heikki Linnakangas
<heikki.linnakangas@enterprisedb.com> wrote:

I triaged the list of open items on the Streaming Replication wiki page.
I propose that we drop the ones I've marked as Drop below, and move the
remaining items to the main Open Items page for better visibility. And
of course try to resolve them as quickly as possible.

    *  Walsender and dblink are not interruptible on win32. - related thread

I'd actually be happy to just leave it for 9.0, but it seems like
consensus has been reached on how to fix it, and Fujii is working on a
patch, so let's follow that through.

Agree.

    * Add the GUC parameter to specify the maximum number of log file segments held in pg_xlog directory to send to the standby server. Which is useful to avoid disk full in the primary.

Not only to avoid disk full in primary but also to make it feasible to
use streaming replication without archiving. It's a small change, we
should do it.

Do we have a working patch?

    * pg_xlogfile_name(pg_last_xlog_receive/replay_location()) might report the wrong name. Because a backend cannot know the actual timeline which is related to the location.

Drop. It's not clear which timeline those functions should return in
boundary cases, when replaying records from a log file where the
timeline-switch occurs.

Agree.

    * The documentation needs to be improved.

I've done as much as I can on my own, what we need now is feedback on
what needs to be improved. So I'd like to drop this, but let's add new
more specific items about what needs to be improved, as people speak up.

Agree. It's hard to think of this as a beta-blocker without more
specific feedback.

    * Redefine smart shutdown in standby mode?

Drop. Too big a change at this point.

We have a working patch for this - I want to commit it. I don't think
it's a big change, and the current behavior is extremely pathological.

    * Quotes can't be escaped in recovery.conf

Under discussion. Not specific to streaming replication, and it's a
pre-existing issue, but should be fixed IMHO.

Fine with me.

    * Change the "standby mode" name.

Bikeshedding without consensus. I like the "standby mode" the best as
discussed on that thread, better than any of the proposed alternatives.
Drop this item.

OK.

    * Fix things so that any such variables inherited from the server environment are intentionally *NOT* used for making SR connections.

Drop. Besides, we have the same problem with dblink, and I don't recall
anyone complaining.

Agree. I think that whole issue is bikeshedding.

    * If standby_mode is enabled, and neither primary_conninfo nor restore_command are set, the standby would get stuck.

It's not really stuck, it will replay any WAL files you drop into
pg_xlog. I concur with Robert Haas though that it shouldn't print the
message to the log every few seconds. It should print a message the
first time it hits the end of WAL, but subsequent messages should be
suppressed until some progress has been made.

Any idea how to implement this?

    * Remove the unnecessary section about HS from recovery.conf.sample

Yeah, let's do it.

Don't care.

    * The replication connections consume superuser_reserved_connections slots.

I'd still like to change this slightly, per my suggestion on that
thread, but I don't feel strongly about it. It doesn't seem like a very
big change to me, but Tom felt otherwise.

Agree, we should fix it.

    * Add missing description about WAL-logging.

Small documentation change. Needs to be done I guess.

No strong feelings.

...Robert

Robert Haas wrote:

On Tue, Apr 6, 2010 at 3:09 AM, Heikki Linnakangas
<heikki.linnakangas@enterprisedb.com> wrote:

* Add the GUC parameter to specify the maximum number of log file segments held in pg_xlog directory to send to the standby server. Which is useful to avoid disk full in the primary.

Not only to avoid disk full in primary but also to make it feasible to
use streaming replication without archiving. It's a small change, we
should do it.

Do we have a working patch?

No.

* Redefine smart shutdown in standby mode?

Drop. Too big a change at this point.

We have a working patch for this - I want to commit it. I don't think
it's a big change, and the current behavior is extremely pathological.

Oh, ok. I didn't look at the latest patch, if it looks good to you, fine
with me.

* If standby_mode is enabled, and neither primary_conninfo nor restore_command are set, the standby would get stuck.

It's not really stuck, it will replay any WAL files you drop into
pg_xlog. I concur with Robert Haas though that it shouldn't print the
message to the log every few seconds. It should print a message the
first time it hits the end of WAL, but subsequent messages should be
suppressed until some progress has been made.

Any idea how to implement this?

I'll take a look. It shouldn't be too hard.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

On Tue, Apr 6, 2010 at 10:36 AM, Heikki Linnakangas
<heikki.linnakangas@enterprisedb.com> wrote:

Robert Haas wrote:

On Tue, Apr 6, 2010 at 3:09 AM, Heikki Linnakangas
<heikki.linnakangas@enterprisedb.com> wrote:

    * Add the GUC parameter to specify the maximum number of log file segments held in pg_xlog directory to send to the standby server. Which is useful to avoid disk full in the primary.

Not only to avoid disk full in primary but also to make it feasible to
use streaming replication without archiving. It's a small change, we
should do it.

Do we have a working patch?

No.

:-(

    * Redefine smart shutdown in standby mode?

Drop. Too big a change at this point.

We have a working patch for this - I want to commit it.  I don't think
it's a big change, and the current behavior is extremely pathological.

Oh, ok. I didn't look at the latest patch, if it looks good to you, fine
with me.

I'll commit it tonight.

    * If standby_mode is enabled, and neither primary_conninfo nor restore_command are set, the standby would get stuck.

It's not really stuck, it will replay any WAL files you drop into
pg_xlog. I concur with Robert Haas though that it shouldn't print the
message to the log every few seconds. It should print a message the
first time it hits the end of WAL, but subsequent messages should be
suppressed until some progress has been made.

Any idea how to implement this?

I'll take a look. It shouldn't be too hard.

The tricky part, I believe, is that there's more than one message that
can potentially be emitted, and you don't want ANY of them to repeat
every 2 s, so some thought needs to be given to where to hook in the
logic.

...Robert

Heikki Linnakangas <heikki.linnakangas@enterprisedb.com> writes:

I triaged the list of open items on the Streaming Replication wiki page.
I propose that we drop the ones I've marked as Drop below, and move the
remaining items to the main Open Items page for better visibility.

By "drop" do you mean "move to TODO"? At least some of these issues
should be addressed in 9.1 or later. Perhaps some can really be
dropped, but it's not clear which.

regards, tom lane

Fujii Masao <masao.fujii@gmail.com> writes:

On Tue, Apr 6, 2010 at 4:09 PM, Heikki Linnakangas
<heikki.linnakangas@enterprisedb.com> wrote:

� � * Fix things so that any such variables inherited from the server environment are intentionally *NOT* used for making SR connections.

Drop. Besides, we have the same problem with dblink, and I don't recall
anyone complaining.

Yep, but I don't think that dblink has the same issue because it's often
used to connect to another database on the same postgres instance, which
seems proper method.

Yes, dblink is a poor precedent to cite because self-connections are a sane
behavior in its case.

The problem is that walreceiver might wrongly connect
to *its* server and get stuck because no WAL records arrive for ever.
Since currently we don't allow the standby to accept the replication
connection, the problem will not happen in 9.0, and ISTM we don't need
to address it right now. So I agree to drop.

Agreed, this can be put off until we support relay replication. I think
it will be an issue then, however.

regards, tom lane

Tom Lane wrote:

Heikki Linnakangas <heikki.linnakangas@enterprisedb.com> writes:

I triaged the list of open items on the Streaming Replication wiki page.
I propose that we drop the ones I've marked as Drop below, and move the
remaining items to the main Open Items page for better visibility.

By "drop" do you mean "move to TODO"? At least some of these issues
should be addressed in 9.1 or later. Perhaps some can really be
dropped, but it's not clear which.

Umm, yes, honestly speaking I hadn't even thought about that.

I've added the ones that should be addressed in the future to the TODO
list. I added a new subsection for standby server and streaming
replication related items:
http://wiki.postgresql.org/wiki/Todo#Standby_server_mode

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

On Tue, April 6, 2010 19:29, Heikki Linnakangas wrote:
[...]

I've added the ones that should be addressed in the future to the TODO
list. I added a new subsection for standby server and streaming
replication related items:
http://wiki.postgresql.org/wiki/Todo#Standby_server_mode

I reported "Assertion failure twophase.c" a few times; see:

http://search.postgresql.org/search?m=1&amp;q=Assertion+failure+twophase.c&amp;l=&amp;d=&amp;s=

Btw, it has now also happened once without the postbio package installed - (which was unlikely to
be the cause anyway, I think).

I don't see it mentioned in the TODO, but maybe it's just deemed too elusive to be assigned a todo
entry.

Was the issue eventually found/solved?

thanks,

Erik Rijkers

On Tue, 2010-04-06 at 20:27 +0200, Erik Rijkers wrote:

Was the issue eventually found/solved?

We think so, but the event was not conclusively traceable.

--
Simon Riggs www.2ndQuadrant.com

On Tue, 2010-04-06 at 11:06 -0400, Robert Haas wrote:

* Redefine smart shutdown in standby mode?

Drop. Too big a change at this point.

We have a working patch for this - I want to commit it. I don't think
it's a big change, and the current behavior is extremely pathological.

Oh, ok. I didn't look at the latest patch, if it looks good to you, fine
with me.

I'll commit it tonight.

I don't see this on hackers. Have you posted it? I'd like to see what
you do before it gets committed. Thanks.

--
Simon Riggs www.2ndQuadrant.com

On Tue, 2010-04-06 at 10:09 +0300, Heikki Linnakangas wrote:

* Walsender and dblink are not interruptible on win32. - related thread

I'd actually be happy to just leave it for 9.0, but it seems like
consensus has been reached on how to fix it, and Fujii is working on a
patch, so let's follow that through.

That one is a must, for me.

I would put relaying easily above any of the other stuff. That is a
truly useful feature that we are very close to being able to have in
this release. Adding things like quotes is not moving us forwards in any
important sense.

--
Simon Riggs www.2ndQuadrant.com

On Tue, Apr 6, 2010 at 3:14 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

On Tue, 2010-04-06 at 11:06 -0400, Robert Haas wrote:

    * Redefine smart shutdown in standby mode?

Drop. Too big a change at this point.

We have a working patch for this - I want to commit it.  I don't think
it's a big change, and the current behavior is extremely pathological.

Oh, ok. I didn't look at the latest patch, if it looks good to you, fine
with me.

I'll commit it tonight.

I don't see this on hackers. Have you posted it? I'd like to see what
you do before it gets committed. Thanks.

It's the same patch Fujii Masao posted previously, for which I
previously said I would fix up the comments and docs and commit. But
here is the adjusted version, which is hopefully more clear about what
we're doing at why we're doing it.

...Robert

On Wed, 2010-04-07 at 07:40 -0400, Robert Haas wrote:

On Tue, Apr 6, 2010 at 3:14 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

On Tue, 2010-04-06 at 11:06 -0400, Robert Haas wrote:

* Redefine smart shutdown in standby mode?

Drop. Too big a change at this point.

We have a working patch for this - I want to commit it. I don't think
it's a big change, and the current behavior is extremely pathological.

Oh, ok. I didn't look at the latest patch, if it looks good to you, fine
with me.

I'll commit it tonight.

I don't see this on hackers. Have you posted it? I'd like to see what
you do before it gets committed. Thanks.

It's the same patch Fujii Masao posted previously, for which I
previously said I would fix up the comments and docs and commit. But
here is the adjusted version, which is hopefully more clear about what
we're doing at why we're doing it.

OK, that looks a lot less risky than I had understood from discussions.
The main thing for me is it doesn't interfere with Startup or
WalReceiver, so assuming it works I've got no objections. Thanks for
chasing this down, good addition.

--
Simon Riggs www.2ndQuadrant.com

On Wed, Apr 7, 2010 at 8:17 AM, Simon Riggs <simon@2ndquadrant.com> wrote:

OK, that looks a lot less risky than I had understood from discussions.
The main thing for me is it doesn't interfere with Startup or
WalReceiver, so assuming it works I've got no objections. Thanks for
chasing this down, good addition.

Thanks. Committed.

...Robert

On Tue, Apr 6, 2010 at 4:09 PM, Simon Riggs <simon@2ndquadrant.com> wrote:

On Tue, 2010-04-06 at 10:09 +0300, Heikki Linnakangas wrote:

    *  Walsender and dblink are not interruptible on win32. - related thread

I'd actually be happy to just leave it for 9.0, but it seems like
consensus has been reached on how to fix it, and Fujii is working on a
patch, so let's follow that through.

That one is a must, for me.

I would put relaying easily above any of the other stuff. That is a
truly useful feature that we are very close to being able to have in
this release. Adding things like quotes is not moving us forwards in any
important sense.

+1. I think this is easily the most important remaining issue that we
need to fix, with the possible exception of the shutdown checkpoint
issue.

...Robert

On Thu, Apr 8, 2010 at 10:41 AM, Robert Haas <robertmhaas@gmail.com> wrote:

On Wed, Apr 7, 2010 at 8:17 AM, Simon Riggs <simon@2ndquadrant.com> wrote:

OK, that looks a lot less risky than I had understood from discussions.
The main thing for me is it doesn't interfere with Startup or
WalReceiver, so assuming it works I've got no objections. Thanks for
chasing this down, good addition.

Thanks.  Committed.

Thanks. The following TODO item should be removed?

"Redefine smart shutdown in standby mode to exist as soon as all
read-only connections are gone."
http://wiki.postgresql.org/wiki/Todo#Standby_server_mode

Or change it to something like?

"Change smart shutdown in standby mode so that it kills the startup
and walreceiver process before waiting for the regular backends to die off"

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

On Thu, Apr 8, 2010 at 2:54 AM, Fujii Masao <masao.fujii@gmail.com> wrote:

On Thu, Apr 8, 2010 at 10:41 AM, Robert Haas <robertmhaas@gmail.com> wrote:

On Wed, Apr 7, 2010 at 8:17 AM, Simon Riggs <simon@2ndquadrant.com> wrote:

OK, that looks a lot less risky than I had understood from discussions.
The main thing for me is it doesn't interfere with Startup or
WalReceiver, so assuming it works I've got no objections. Thanks for
chasing this down, good addition.

Thanks.  Committed.

Thanks. The following TODO item should be removed?

"Redefine smart shutdown in standby mode to exist as soon as all
read-only connections are gone."
http://wiki.postgresql.org/wiki/Todo#Standby_server_mode

Or change it to something like?

"Change smart shutdown in standby mode so that it kills the startup
 and walreceiver process before waiting for the regular backends to die off"

Yeah, we should do one of those two things, but I don't much care which.

...Robert

On Thu, 2010-04-08 at 06:58 -0400, Robert Haas wrote:

Thanks. Committed.

Thanks. The following TODO item should be removed?

"Redefine smart shutdown in standby mode to exist as soon as all
read-only connections are gone."
http://wiki.postgresql.org/wiki/Todo#Standby_server_mode

Or change it to something like?

"Change smart shutdown in standby mode so that it kills the startup
and walreceiver process before waiting for the regular backends to die off"

Yeah, we should do one of those two things, but I don't much care which.

I do. I see no reason to do the latter, ever, so should not be added to
any TODO.

--
Simon Riggs www.2ndQuadrant.com

On Thu, Apr 8, 2010 at 7:37 AM, Simon Riggs <simon@2ndquadrant.com> wrote:

On Thu, 2010-04-08 at 06:58 -0400, Robert Haas wrote:

Thanks.  Committed.

Thanks. The following TODO item should be removed?

"Redefine smart shutdown in standby mode to exist as soon as all
read-only connections are gone."
http://wiki.postgresql.org/wiki/Todo#Standby_server_mode

Or change it to something like?

"Change smart shutdown in standby mode so that it kills the startup
 and walreceiver process before waiting for the regular backends to die off"

Yeah, we should do one of those two things, but I don't much care which.

I do. I see no reason to do the latter, ever, so should not be added to
any TODO.

Well, stopping recovery earlier would mean fewer locks, which would
mean a better chance for the read-only backends to finish their work
and exit quickly. But I'm not sure how much it's worth worrying
about.

...Robert

On Thu, 2010-04-08 at 07:53 -0400, Robert Haas wrote:

I do. I see no reason to do the latter, ever, so should not be added to
any TODO.

Well, stopping recovery earlier would mean fewer locks, which would
mean a better chance for the read-only backends to finish their work
and exit quickly. But I'm not sure how much it's worth worrying
about.

The purpose of the lock is to prevent access to objects when they are in
inappropriate states for access. If we stopped startup and allowed
access, how do we know that things are in sufficiently good state to
allow access? We don't. If the Startup process is holding a lock then
that is the only safe thing to do. Otherwise we might allow access to a
table with a partially built index or other screw ups.

--
Simon Riggs www.2ndQuadrant.com

On Thu, Apr 8, 2010 at 8:00 AM, Simon Riggs <simon@2ndquadrant.com> wrote:

On Thu, 2010-04-08 at 07:53 -0400, Robert Haas wrote:

I do. I see no reason to do the latter, ever, so should not be added to
any TODO.

Well, stopping recovery earlier would mean fewer locks, which would
mean a better chance for the read-only backends to finish their work
and exit quickly.  But I'm not sure how much it's worth worrying
about.

The purpose of the lock is to prevent access to objects when they are in
inappropriate states for access. If we stopped startup and allowed
access, how do we know that things are in sufficiently good state to
allow access? We don't. If the Startup process is holding a lock then
that is the only safe thing to do. Otherwise we might allow access to a
table with a partially built index or other screw ups.

Hmm. Good point. I guess you could really only stop the startup
process safely when it wasn't holding any locks anyhow - you couldn't
just kill it and have it release the locks.

...Robert

On Thu, 2010-04-08 at 09:40 -0400, Robert Haas wrote:

On Thu, Apr 8, 2010 at 8:00 AM, Simon Riggs <simon@2ndquadrant.com> wrote:

On Thu, 2010-04-08 at 07:53 -0400, Robert Haas wrote:

I do. I see no reason to do the latter, ever, so should not be added to
any TODO.

Well, stopping recovery earlier would mean fewer locks, which would
mean a better chance for the read-only backends to finish their work
and exit quickly. But I'm not sure how much it's worth worrying
about.

The purpose of the lock is to prevent access to objects when they are in
inappropriate states for access. If we stopped startup and allowed
access, how do we know that things are in sufficiently good state to
allow access? We don't. If the Startup process is holding a lock then
that is the only safe thing to do. Otherwise we might allow access to a
table with a partially built index or other screw ups.

Hmm. Good point. I guess you could really only stop the startup
process safely when it wasn't holding any locks anyhow - you couldn't
just kill it and have it release the locks.

... and if it isn't holding any locks at all, there is no reason to kill
Startup first => no TODO item.

--
Simon Riggs www.2ndQuadrant.com

On Thu, Apr 8, 2010 at 9:56 AM, Simon Riggs <simon@2ndquadrant.com> wrote:

On Thu, 2010-04-08 at 09:40 -0400, Robert Haas wrote:

On Thu, Apr 8, 2010 at 8:00 AM, Simon Riggs <simon@2ndquadrant.com> wrote:

On Thu, 2010-04-08 at 07:53 -0400, Robert Haas wrote:

I do. I see no reason to do the latter, ever, so should not be added to
any TODO.

Well, stopping recovery earlier would mean fewer locks, which would
mean a better chance for the read-only backends to finish their work
and exit quickly.  But I'm not sure how much it's worth worrying
about.

The purpose of the lock is to prevent access to objects when they are in
inappropriate states for access. If we stopped startup and allowed
access, how do we know that things are in sufficiently good state to
allow access? We don't. If the Startup process is holding a lock then
that is the only safe thing to do. Otherwise we might allow access to a
table with a partially built index or other screw ups.

Hmm.  Good point.  I guess you could really only stop the startup
process safely when it wasn't holding any locks anyhow - you couldn't
just kill it and have it release the locks.

... and if it isn't holding any locks at all, there is no reason to kill
Startup first => no TODO item.

I think you could shut it down at the first point at which it is
holding no locks, rather than letting it continue recovering and
potentially retake some new locks. That would be more consistent with
the general idea of what a smart shutdown is supposed to be about. I
think the real question is whether it's worth the code complexity. I
suspect most people use fast shutdown most of the time anyway in
real-world applications.

...Robert

On Thu, Apr 8, 2010 at 11:00 PM, Robert Haas <robertmhaas@gmail.com> wrote:

I think you could shut it down at the first point at which it is
holding no locks, rather than letting it continue recovering and
potentially retake some new locks.  That would be more consistent with
the general idea of what a smart shutdown is supposed to be about.  I
think the real question is whether it's worth the code complexity.

I don't think it's worth. So I agree to just remove the TODO item:
"Redefine smart shutdown in standby mode to exist as soon as all
read-only connections are gone."
http://wiki.postgresql.org/wiki/Todo#Standby_server_mode

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Robert Haas wrote:

On Tue, Apr 6, 2010 at 10:36 AM, Heikki Linnakangas
<heikki.linnakangas@enterprisedb.com> wrote:

Robert Haas wrote:

* If standby_mode is enabled, and neither primary_conninfo nor restore_command are set, the standby would get stuck.

It's not really stuck, it will replay any WAL files you drop into
pg_xlog. I concur with Robert Haas though that it shouldn't print the
message to the log every few seconds. It should print a message the
first time it hits the end of WAL, but subsequent messages should be
suppressed until some progress has been made.

Any idea how to implement this?

I'll take a look. It shouldn't be too hard.

The tricky part, I believe, is that there's more than one message that
can potentially be emitted, and you don't want ANY of them to repeat
every 2 s, so some thought needs to be given to where to hook in the
logic.

We have the emode_for_corrupt_record() function that's used in all the
errors that indicate a corrupt WAL record, that's a perfect place to
hook this into. See attached patch.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

On Tue, Apr 13, 2010 at 11:49 AM, Heikki Linnakangas
<heikki.linnakangas@enterprisedb.com> wrote:

Robert Haas wrote:

On Tue, Apr 6, 2010 at 10:36 AM, Heikki Linnakangas
<heikki.linnakangas@enterprisedb.com> wrote:

Robert Haas wrote:

    * If standby_mode is enabled, and neither primary_conninfo nor restore_command are set, the standby would get stuck.

It's not really stuck, it will replay any WAL files you drop into
pg_xlog. I concur with Robert Haas though that it shouldn't print the
message to the log every few seconds. It should print a message the
first time it hits the end of WAL, but subsequent messages should be
suppressed until some progress has been made.

Any idea how to implement this?

I'll take a look. It shouldn't be too hard.

The tricky part, I believe, is that there's more than one message that
can potentially be emitted, and you don't want ANY of them to repeat
every 2 s, so some thought needs to be given to where to hook in the
logic.

We have the emode_for_corrupt_record() function that's used in all the
errors that indicate a corrupt WAL record, that's a perfect place to
hook this into. See attached patch.

The test for elog == LOG seems a bit fragile to me - why that
specifically? Maybe elog < PANIC? elog > DEBUG1? Both?

But it seems basically sensible to me.

...Robert

On Wed, Apr 14, 2010 at 12:49 AM, Heikki Linnakangas
<heikki.linnakangas@enterprisedb.com> wrote:

We have the emode_for_corrupt_record() function that's used in all the
errors that indicate a corrupt WAL record, that's a perfect place to
hook this into. See attached patch.

One problem of the patch is that even if the content of error message
is different from the past, it would be skipped when the location of
invalid record is the same of the past. For example, if there is a
partially-filled unbroken WAL file in the standby, the following
message would be written:

record with zero length at %X/%X

Then if you drop corrupted WAL file into pg_xlog, the following message
might have to be output, but would be skipped:

invalid magic number %04X in log file %u, segment %u, offset %u

But I think that we might be able to live with the issue since it's
a very corner case.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Fujii Masao wrote:

One problem of the patch is that even if the content of error message
is different from the past, it would be skipped when the location of
invalid record is the same of the past. For example, if there is a
partially-filled unbroken WAL file in the standby, the following
message would be written:

record with zero length at %X/%X

Then if you drop corrupted WAL file into pg_xlog, the following message
might have to be output, but would be skipped:

invalid magic number %04X in log file %u, segment %u, offset %u

But I think that we might be able to live with the issue since it's
a very corner case.

Yeah, we can live with that. The user is not generally interested in
what exactly is wrong with the record. It just indicates that it has the
end of valid WAL in the standby.

Applied.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

Robert Haas wrote:

On Tue, Apr 13, 2010 at 11:49 AM, Heikki Linnakangas
<heikki.linnakangas@enterprisedb.com> wrote:

We have the emode_for_corrupt_record() function that's used in all the
errors that indicate a corrupt WAL record, that's a perfect place to
hook this into. See attached patch.

The test for elog == LOG seems a bit fragile to me - why that
specifically? Maybe elog < PANIC? elog > DEBUG1? Both?

Suppressing anything >= ERROR wouldn't make sense, as ERRORs cause the
replay to abort. I didn't want to affect WARNINGs either, which indicate
that something is truly wrong. The only level left between DEBUG1, which
is what the message is downgraded to, and WARNING, is LOG.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com