On Mon, 2008-12-15 at 09:19 -0500, Robert Haas wrote:
> I understand you're point, but I think there's still a use case. The
> idea is that declaring the secondary dead is a rare event, and there's
> some mechanism by which you're enabled to page your network staff, and
> they hightail it into the office to fix the problem. It might not be
> the way that you want to run your system, but I don't think it's
> unreasonable for someone else to want it.
>
Agreed: there's an analogy to RAID here. When a disk goes out, it still
allows writes, but moves to a degraded state. Hopefully your monitoring
system notifies you, and you fix it.
Also, let's say that the standby suffers catastrophic storage failure.
Now you only have your data on one server anyway (the primary).
Rejecting new transactions from committing doesn't save all the old
transactions in the event of a subsequent storage failure on the
primary.
I'm not advocating this option in particular, other than saying that it
seems like a reasonable option to me.
Regards,
Jeff Davis
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
