-<!-- $PostgreSQL: pgsql/doc/src/sgml/high-availability.sgml,v 1.46 2010/02/18 04:14:38 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/high-availability.sgml,v 1.47 2010/02/19 00:15:25 momjian Exp $ -->
<chapter id="high-availability">
<title>High Availability, Load Balancing, and Replication</title>
is useful for both log shipping replication and for restoring a backup
to an exact state with great precision.
The term Hot Standby also refers to the ability of the server to move
- from recovery through to normal running while users continue running
- queries and/or continue their connections.
+ from recovery through to normal operation while users continue running
+ queries and/or keep their connections open.
</para>
<para>
return differing results. Eventually, the standby will be
consistent with the primary.
Queries executed on the standby will be correct with regard to the transactions
- that had been recovered at the start of the query, or start of first statement,
+ that had been recovered at the start of the query, or start of first statement
in the case of serializable transactions. In comparison with the primary,
the standby returns query results that could have been obtained on the primary
at some moment in the past.
</para>
<para>
- "Read-only" above means no writes to the permanent database tables.
- There are no problems with queries that use transient sort and
+ "Read-only" above means no writes to the permanent or temporary database
+ tables. There are no problems with queries that use transient sort and
work files.
</para>
</listitem>
<listitem>
<para>
- <command>LOCK TABLE</>, in short default form, since it requests <literal>ACCESS EXCLUSIVE MODE</>.
<command>LOCK TABLE</> that explicitly requests a mode higher than <literal>ROW EXCLUSIVE MODE</>.
</para>
</listitem>
+ <listitem>
+ <para>
+ <command>LOCK TABLE</> in short default form, since it requests <literal>ACCESS EXCLUSIVE MODE</>.
+ </para>
+ </listitem>
<listitem>
<para>
Transaction management commands that explicitly set non-read-only state:
</listitem>
<listitem>
<para>
- sequence update - nextval()
+ Sequence update - <function>nextval()</>
</para>
</listitem>
<listitem>
</para>
<para>
- Note that the current behaviour of read only transactions when not in
+ Note that the current behavior of read only transactions when not in
recovery is to allow the last two actions, so there are small and
- subtle differences in behaviour between read-only transactions
+ subtle differences in behavior between read-only transactions
run on a standby and run during normal operation.
It is possible that <command>LISTEN</>, <command>UNLISTEN</>,
<command>NOTIFY</>, and temporary tables might be allowed in a
issuing <command>SHOW transaction_read_only</>. In addition, a set of
functions (<xref linkend="functions-recovery-info-table">) allow users to
access information about the standby server. These allow you to write
- functions that are aware of the current state of the database. These
+ programs that are aware of the current state of the database. These
can be used to monitor the progress of recovery, or to allow you to
write complex programs that restore the database to particular states.
</para>
</listitem>
<listitem>
<para>
- Waiting to acquire buffer cleanup locks
+ The standby waiting longer than <varname>max_standby_delay</>
+ to acquire a buffer cleanup lock.
</para>
</listitem>
<listitem>
</para>
<para>
- Some WAL redo actions will be for <acronym>DDL</> actions. These DDL actions are
- repeating actions that have already committed on the primary node, so
- they must not fail on the standby node. These DDL locks take priority
- and will automatically *cancel* any read-only transactions that get in
- their way, after a grace period. This is similar to the possibility of
- being canceled by the deadlock detector, but in this case the standby
- process always wins, since the replayed actions must not fail. This
- also ensures that replication does not fall behind while waiting for a
- query to complete. Again, the assumption is that the standby is
- primarily for high availability.
+ Some WAL redo actions will be for <acronym>DDL</> execution. These DDL
+ actions are replaying changes that have already committed on the primary
+ node, so they must not fail on the standby node. These DDL locks take
+ priority and will automatically *cancel* any read-only transactions that
+ get in their way, after a grace period. This is similar to the possibility
+ of being canceled by the deadlock detector. But in this case, the standby
+ recovery process always wins, since the replayed actions must not fail.
+ This also ensures that replication does not fall behind while waiting for a
+ query to complete. This prioritization presumes that the standby exists
+ primarily for high availability, and that adjusting the grace period
+ will allow a sufficient guard against unexpected cancellation.
</para>
<para>
- An example of the above would be an Administrator on Primary server
+ An example of the above would be an administrator on the primary server
running <command>DROP TABLE</> on a table that is currently being queried
on the standby server.
Clearly the query cannot continue if <command>DROP TABLE</>
proceeds. If this situation occurred on the primary, the <command>DROP TABLE</>
would wait until the query had finished. When <command>DROP TABLE</> is
run on the primary, the primary doesn't have
- information about which queries are running on the standby and so
+ information about which queries are running on the standby, so it
cannot wait for any of the standby queries. The WAL change records come through to the
standby while the standby query is still running, causing a conflict.
</para>
<para>
If the conflict is caused by a lock, the conflicting standby
transaction is cancelled immediately. If the transaction is
- idle-in-transaction then the session is aborted
- instead, though this might change in the future.
+ idle-in-transaction, then the session is aborted instead.
+ This behavior might change in the future.
</para>
</listitem>
for as long as needed to run queries on the standby. This guarantees that
a WAL cleanup record is never generated and query conflicts do not occur,
as described above. This could be done using <filename>contrib/dblink</>
- and <function>pg_sleep()</>, or via other mechanisms. If you do this, you should note
- that this will delay cleanup of dead rows by vacuum or HOT and
- people might find this undesirable. However, remember that the
- primary and standby nodes are linked via the WAL, so this situation is no
- different from the case where the query ran on the primary node itself
- except for the benefit of off-loading the execution onto the standby.
+ and <function>pg_sleep()</>, or via other mechanisms. If you do this, you
+ should note that this will delay cleanup of dead rows on the primary by
+ vacuum or HOT, and people might find this undesirable. However, remember
+ that the primary and standby nodes are linked via the WAL, so the cleanup
+ situation is no different from the case where the query ran on the primary
+ node itself. And you are still getting the benefit of off-loading the
+ execution onto the standby.
</para>
<para>
be disabled via <filename>postgresql.conf</>. The server might take
some time to enable recovery connections since the server must first complete
sufficient recovery to provide a consistent state against which queries
- can run before enabling read only connections. Look for these messages
- in the server logs:
+ can run before enabling read only connections. During this period,
+ clients that attempt to connect will be refused with an error message.
+ To confirm the server has come up, either loop retrying to connect from
+ the application, or look for these messages in the server logs:
<programlisting>
LOG: entering standby mode
<para>
As a result, you cannot create additional indexes that exist solely
- on the standby, nor can statistics exist solely on the standby.
- If these administration commands are needed they should be executed
- on the primary so that the changes will propagate to the
+ on the standby, nor statistics that exist solely on the standby.
+ If these administration commands are needed, they should be executed
+ on the primary, and eventually those changes will propagate to the
standby.
</para>
<para>
The <productname>Nagios</> plugin <productname>check_pgsql</> will
- work, but it is very simple.
- <productname>check_postgres</> will also work, though some actions
- could give different or confusing results.
+ work, because the simple information it checks for exists.
+ The <productname>check_postgres</> monitoring script will also work,
+ though some reported values could give different or confusing results.
For example, last vacuum time will not be maintained, since no
- vacuum occurs on the standby (though vacuums running on the primary do
- send their changes to the standby).
+ vacuum occurs on the standby. Vacuums running on the primary
+ do still send their changes to the standby.
</para>
<para>
In normal (non-recovery) mode, if you issue <command>DROP USER</> or <command>DROP ROLE</>
for a role with login capability while that user is still connected then
nothing happens to the connected user - they remain connected. The user cannot
- reconnect however. This behaviour applies in recovery also, so a
+ reconnect however. This behavior applies in recovery also, so a
<command>DROP USER</> on the primary does not disconnect that user on the standby.
</para>
</para>
<para>
- Autovacuum is not active during recovery, though it will start normally
- at the end of recovery.
+ Autovacuum is not active during recovery, it will start normally at the
+ end of recovery.
</para>
<para>
The background writer is active during recovery and will perform
restartpoints (similar to checkpoints on the primary) and normal block
- cleaning activities. (Remember, hint bits will cause blocks to
- be modified on the standby server.)
+ cleaning activities. This can include updates of the hint bit
+ information stored on the standby server.
The <command>CHECKPOINT</> command is accepted during recovery,
though it performs a restartpoint rather than a new checkpoint.
</para>
<para>
Valid starting points for recovery connections are generated at each
checkpoint on the master. If the standby is shut down while the master
- is in a shutdown state it might not be possible to re-enter Hot Standby
- until the primary is started up so that it generates further starting
- points in the WAL logs. This is not considered a serious issue
- because the standby is usually switched to act as primary when
- the first node is taken down.
+ is in a shutdown state, it might not be possible to re-enter Hot Standby
+ until the primary is started up, so that it generates further starting
+ points in the WAL logs. This situation isn't a problem in the most
+ common situations where it might happen. Generally, if the primary is
+ shut down and not available anymore, that's likely due to a serious
+ failure that requires the standby being converted to operate as
+ the new primary anyway. And in situations where the primary is
+ being intentionally taken down, coordinating to make sure the standby
+ becomes the new primary smoothly is also standard procedure.
</para>
</listitem>
<listitem>