On Fri, Jun 04, 2021 at 04:24:02PM +0900, Michael Paquier wrote: > On Sat, May 29, 2021 at 02:23:21PM -0500, Justin Pryzby wrote: > > On Tue, May 25, 2021 at 07:13:59PM -0500, Justin Pryzby wrote: > >> On Sat, Mar 20, 2021 at 12:16:27PM +1300, Thomas Munro wrote: > >> > > > + { > >> > > > + {"recovery_init_sync_method", PGC_POSTMASTER, > >> > > > ERROR_HANDLING_OPTIONS, > >> > > > + gettext_noop("Sets the method for > >> > > > synchronizing the data directory before crash recovery."), > >> > > > + }, > >> > >> Is there any reason why this can't be PGC_SIGHUP ? > > > > I can't see any reason why this is nontrivial. > > I think that we had better let recovery_init_sync_method as > PGC_POSTMASTER, to stay on the safe side. SyncDataDirectory() only > gets called now in the backend code by the startup process after a > crash at the beginning of recovery, so switching to PGC_SIGHUP would > have zero effect to begin with. Now, let's not forget that > SyncDataDirectory() is a published API, and if anything exterior were > to call that, it does not seem right to me to make that its behavior > reloadable at will.
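Review bot: the quoted `recovery_init_sync_method` entry is registered as PGC_POSTMASTER, and nothing in the quoted lines records why, so the setting can only be changed by restarting the server. If a reload-time change is meant to be ruled out, a short comment beside the entry or a note in the parameter's documentation would say so; otherwise PGC_SIGHUP is the context to consider.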
You said switching to SIGHUP "would have zero effect"; but, actually it allows an admin whose DB took a long time in recovery/startup to change the parameter without shutting down the service. This mitigates the downtime if it crashes again. I think that's at least 50% of how this feature might end up being used.

It might be "safer" if fsync were PGC_POSTMASTER, but it's allowed to change that parameter at runtime, which is much more widely applicable. I've already mentioned restart_after_crash, and remove_temp_files_after_crash.

--
Justin