Обсуждение: data loss with pg_standby when doing a controlled failover

Running 8.3.7, I have a warm standby configuration with a
archive_timeout of 10min.

It's obvious that there's a 10min period where data could be lost if the
master fails and the warm standby server has to take over. What's not
obvious is that this is true even if the master server is shut down
regularly, because it will not write out a last log segment to the
archive. As a consequence, when doing a controlled failover (for
maintenance purposes or so) all data changed after the last archive copy
will be lost.
IMHO this should be mentioned in the docs explicitly (I find it quite
surprising that data can be lost even if the system is shutdown
correctly), or better when shutting down the postmaster should spit all
log segments containing all changes when archiving is on so the warm
standby server can catch up.

Regards.
Andreas

On Mon, Apr 6, 2009 at 7:37 AM, Andreas Pflug <pgadmin@pse-consulting.de>wrote:

> Running 8.3.7, I have a warm standby configuration with a
> archive_timeout of 10min.
>
> It's obvious that there's a 10min period where data could be lost if the
> master fails and the warm standby server has to take over. What's not
> obvious is that this is true even if the master server is shut down
> regularly, because it will not write out a last log segment to the
> archive. As a consequence, when doing a controlled failover (for
> maintenance purposes or so) all data changed after the last archive copy
> will be lost.
> IMHO this should be mentioned in the docs explicitly (I find it quite
> surprising that data can be lost even if the system is shutdown
> correctly), or better when shutting down the postmaster should spit all
> log segments containing all changes when archiving is on so the warm
> standby server can catch up.



You make an excellent point.  If you're looking for a way to mitigate this
risk, run:

    select pg_switch_xlog() ;

   Before shutting down.

--Scott

>
>
> Regards.
> Andreas
>
> --
> Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-bugs
>

On Mon, Apr 6, 2009 at 1:37 PM, Andreas Pflug <pgadmin@pse-consulting.de> wrote:
> IMHO this should be mentioned in the docs explicitly (I find it quite
> surprising that data can be lost even if the system is shutdown
> correctly), or better when shutting down the postmaster should spit all
> log segments containing all changes when archiving is on so the warm
> standby server can catch up.

See also this thread which might be interesting for you:
http://archives.postgresql.org/message-id/3f0b79eb0903242329j12865d55s348f5c873a956e71@mail.gmail.com

--
Guillaume

Scott Mead wrote:
>
>
>
> On Mon, Apr 6, 2009 at 7:37 AM, Andreas Pflug
> <pgadmin@pse-consulting.de <mailto:pgadmin@pse-consulting.de>> wrote:
>
>     Running 8.3.7, I have a warm standby configuration with a
>     archive_timeout of 10min.
>
>     It's obvious that there's a 10min period where data could be lost
>     if the
>     master fails and the warm standby server has to take over. What's not
>     obvious is that this is true even if the master server is shut down
>     regularly, because it will not write out a last log segment to the
>     archive. As a consequence, when doing a controlled failover (for
>     maintenance purposes or so) all data changed after the last
>     archive copy
>     will be lost.
>     IMHO this should be mentioned in the docs explicitly (I find it quite
>     surprising that data can be lost even if the system is shutdown
>     correctly), or better when shutting down the postmaster should
>     spit all
>     log segments containing all changes when archiving is on so the warm
>     standby server can catch up.
>
>
>
> You make an excellent point.  If you're looking for a way to mitigate
> this risk, run:
>
>     select pg_switch_xlog() ;
>
>    Before shutting down.
Sort of, unless some other user succeeds to commit a transaction after
pg_switch_xlog, and before the database ceases operation.

My "graceful failover" procedure now includes this workaround:
- shutdown server
- restart server with --listen_addresses='' to prevent other users to
connect (there are no local users on the server machine)
- pg_switch_xlog()
- shutdown finally
- let the warm server continue

Regards,
Andreas

Guillaume Smet wrote:
> On Mon, Apr 6, 2009 at 1:37 PM, Andreas Pflug <pgadmin@pse-consulting.de> wrote:
>
>> IMHO this should be mentioned in the docs explicitly (I find it quite
>> surprising that data can be lost even if the system is shutdown
>> correctly), or better when shutting down the postmaster should spit all
>> log segments containing all changes when archiving is on so the warm
>> standby server can catch up.
>>
>
> See also this thread which might be interesting for you:
> http://archives.postgresql.org/message-id/3f0b79eb0903242329j12865d55s348f5c873a956e71@mail.gmail.com
>
It is, though not related to this problem. I'd expect pg_standby's
default behaviour to be like the pseudocode's in the warm-standby
documentation. To me, it's kind of unexpected that it won't continue
restoring if the trigger file is present (as Kevin said, what's the use
case for the current behaviour?).

Regards,
Andreas

Hi,

On Mon, Apr 6, 2009 at 11:13 PM, Andreas Pflug
<pgadmin@pse-consulting.de> wrote:
> Scott Mead wrote:
>>
>>
>>
>> On Mon, Apr 6, 2009 at 7:37 AM, Andreas Pflug
>> <pgadmin@pse-consulting.de <mailto:pgadmin@pse-consulting.de>> wrote:
>>
>> =A0 =A0 Running 8.3.7, I have a warm standby configuration with a
>> =A0 =A0 archive_timeout of 10min.
>>
>> =A0 =A0 It's obvious that there's a 10min period where data could be lost
>> =A0 =A0 if the
>> =A0 =A0 master fails and the warm standby server has to take over. What'=
s not
>> =A0 =A0 obvious is that this is true even if the master server is shut d=
own
>> =A0 =A0 regularly, because it will not write out a last log segment to t=
he
>> =A0 =A0 archive. As a consequence, when doing a controlled failover (for
>> =A0 =A0 maintenance purposes or so) all data changed after the last
>> =A0 =A0 archive copy
>> =A0 =A0 will be lost.
>> =A0 =A0 IMHO this should be mentioned in the docs explicitly (I find it =
quite
>> =A0 =A0 surprising that data can be lost even if the system is shutdown
>> =A0 =A0 correctly), or better when shutting down the postmaster should
>> =A0 =A0 spit all
>> =A0 =A0 log segments containing all changes when archiving is on so the =
warm
>> =A0 =A0 standby server can catch up.
>>
>>
>>
>> You make an excellent point. =A0If you're looking for a way to mitigate
>> this risk, run:
>>
>> =A0 =A0 select pg_switch_xlog() ;
>>
>> =A0 =A0Before shutting down.
> Sort of, unless some other user succeeds to commit a transaction after
> pg_switch_xlog, and before the database ceases operation.
>
> My "graceful failover" procedure now includes this workaround:
> - shutdown server
> - restart server with --listen_addresses=3D'' to prevent other users to
> connect (there are no local users on the server machine)
> - pg_switch_xlog()
> - shutdown finally
> - let the warm server continue

What if new xlogs are generated by autovacuum or bgwriter
between pg_switch_xlog and final shutdown? Those xlogs
can be ignored?

Regards,

--=20
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center