Re: postmaster recovery and automatic restart suppression
From | Robert Haas |
---|---|
Subject | Re: postmaster recovery and automatic restart suppression |
Date | |
Msg-id | 603c8f070906081506v2ffe160bo421ac9407077d94@mail.gmail.com |
In reply to | Re: postmaster recovery and automatic restart suppression (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: postmaster recovery and automatic restart suppression |
List | pgsql-hackers |
On Mon, Jun 8, 2009 at 4:30 PM, Tom Lane<tgl@sss.pgh.pa.us> wrote:
> Greg Stark <stark@enterprisedb.com> writes:
>>> On Mon, 2009-06-08 at 09:47 -0400, Tom Lane wrote:
>>>> I think the proposed don't-restart flag is exceedingly ugly and will not
>>>> solve any real-world problem.
>
>> Hm. I'm not sure I see a solid use case for it -- in my experience you
>> want to be pretty sure you have a persistent problem before you fail
>> over.
>
> Yeah, and when you do fail over you want more guarantee than "none at
> all" that the primary won't start back up again on its own.
>
>> But I don't really see why it's ugly either.
>
> Because it's intentionally blowing a hole in one of the most prized
> properties of the database, ie, that it doesn't go down if it can help
> it. I want a *WHOLE* lot stronger rationale than "somebody might want
> it someday" before providing a switch that lets somebody thoughtlessly
> break a property we've sweated blood for ten years to ensure.

I see that you've carefully not quoted Greg's remark about "mechanism not policy" with which I completely agree. This seems like a pretty useful switch for people who want more control over how the database gets restarted on those rare occasions when it wipes out (and possibly for debugging crash-type problems as well).

The amount of blood-sweating that was required to make a robust automatic restart mechanism doesn't seem relevant to this discussion, though it is certainly a cool feature.

I also don't see any reason to assume that users will do this "thoughtlessly". Perhaps someone will, but if our policy is to not add any features on the theory that someone might use in a stupid way, we'd better get busy reverting a significant fraction of the work done for 8.4. I'm not going to go so far as to say that we should never reject a feature because the danger of someone shooting themselves in the foot is too high, but this doesn't even seem like a likely candidate.
If we put an option in postgresql.conf called "automatic_restart_after_crash = on", anyone who switches that to "off" should have a pretty good idea what the likely consequences of that decision will be. The people who are too stupid to figure that one out are likely to have a whole lot of other problems too, and they're not the people at whom we should be targeting this product.

...Robert