|The PostgreSQL 9.0 Reference Manual - Volume 3 - Server Administration Guide
by The PostgreSQL Global Development Group
Paperback (6"x9"), 274 pages
RRP £9.95 ($14.95)
Sales of this book support the PostgreSQL project! Get a printed copy>>>
11.5.3 Administrator's Overview
hot_standby is turned
‘postgresql.conf’ and there is a ‘recovery.conf’
file present, the server will run in Hot Standby mode.
However, it may take some time for Hot Standby connections to be allowed,
because the server will not accept connections until it has completed
sufficient recovery to provide a consistent state against which queries
can run. During this period,
clients that attempt to connect will be refused with an error message.
To confirm the server has come up, either loop trying to connect from
the application, or look for these messages in the server logs:
LOG: entering standby mode ... then some time later ... LOG: consistent recovery state reached LOG: database system is ready to accept read only connections
Consistency information is recorded once per checkpoint on the primary.
It is not possible to enable hot standby when reading WAL
written during a period when
wal_level was not set to
hot_standby on the primary. Reaching a consistent state can
also be delayed in the presence of both of these conditions:
- A write transaction has more than 64 subtransactions
- Very long-lived write transactions
If you are running file-based log shipping ("warm standby"), you might need
to wait until the next WAL file arrives, which could be as long as the
archive_timeout setting on the primary.
The setting of some parameters on the standby will need reconfiguration if they have been changed on the primary. For these parameters, the value on the standby must be equal to or greater than the value on the primary. If these parameters are not set high enough then the standby will refuse to start. Higher values can then be supplied and the server restarted to begin recovery again. These parameters are:
It is important that the administrator select appropriate settings for
max_standby_streaming_delay. The best choices vary
depending on business priorities. For example if the server is primarily
tasked as a High Availability server, then you will want low delay
settings, perhaps even zero, though that is a very aggressive setting. If
the standby server is tasked as an additional server for decision support
queries then it might be acceptable to set the maximum delay values to
many hours, or even -1 which means wait forever for queries to complete.
Transaction status "hint bits" written on the primary are not WAL-logged, so data on the standby will likely re-write the hints again on the standby. Thus, the standby server will still perform disk writes even though all users are read-only; no changes occur to the data values themselves. Users will still write large sort temporary files and re-generate relcache info files, so no part of the database is truly read-only during hot standby mode. Note also that writes to remote databases using dblink module, and other operations outside the database using PL functions will still be possible, even though the transaction is read-only locally.
The following types of administration commands are not accepted during recovery mode:
Data Definition Language (DDL) - e.g.
Privilege and Ownership -
Maintenance commands -
Again, note that some of these commands are actually allowed during "read only" mode transactions on the primary.
As a result, you cannot create additional indexes that exist solely on the standby, nor statistics that exist solely on the standby. If these administration commands are needed, they should be executed on the primary, and eventually those changes will propagate to the standby.
pg_cancel_backend() will work on user backends, but not the
Startup process, which performs recovery.
pg_stat_activity does not
show an entry for the Startup process, nor do recovering transactions
show as active. As a result,
pg_prepared_xacts is always empty during
recovery. If you wish to resolve in-doubt prepared transactions,
pg_prepared_xacts on the primary and issue commands to
resolve transactions there.
pg_locks will show locks held by backends,
pg_locks also shows
a virtual transaction managed by the Startup process that owns all
AccessExclusiveLocks held by transactions being replayed by recovery.
Note that the Startup process does not acquire locks to
make database changes, and thus locks other than
do not show in
pg_locks for the Startup
process; they are just presumed to exist.
The Nagios plugin check_pgsql will work, because the simple information it checks for exists. The check_postgres monitoring script will also work, though some reported values could give different or confusing results. For example, last vacuum time will not be maintained, since no vacuum occurs on the standby. Vacuums running on the primary do still send their changes to the standby.
WAL file control commands will not work during recovery,
Dynamically loadable modules work, including
Advisory locks work normally in recovery, including deadlock detection. Note that advisory locks are never WAL logged, so it is impossible for an advisory lock on either the primary or the standby to conflict with WAL replay. Nor is it possible to acquire an advisory lock on the primary and have it initiate a similar advisory lock on the standby. Advisory locks relate only to the server on which they are acquired.
Trigger-based replication systems such as Slony, Londiste and Bucardo won't run on the standby at all, though they will run happily on the primary server as long as the changes are not sent to standby servers to be applied. WAL replay is not trigger-based so you cannot relay from the standby to any system that requires additional database writes or relies on the use of triggers.
New OIDs cannot be assigned, though some UUID generators may still work as long as they do not rely on writing new status to the database.
Currently, temporary table creation is not allowed during read only transactions, so in some cases existing scripts will not run correctly. This restriction might be relaxed in a later release. This is both a SQL Standard compliance issue and a technical issue.
DROP TABLESPACE can only succeed if the tablespace is empty.
Some standby users may be actively using the tablespace via their
temp_tablespaces parameter. If there are temporary files in the
tablespace, all active queries are cancelled to ensure that temporary
files are removed, so the tablespace can be removed and WAL replay
ALTER DATABASE ... SET
ALTER DATABASE ... RENAME on the primary
will generate a WAL entry that will cause all users connected to that
database on the standby to be forcibly disconnected. This action occurs
immediately, whatever the setting of
In normal (non-recovery) mode, if you issue
DROP USER or
for a role with login capability while that user is still connected then
nothing happens to the connected user - they remain connected. The user cannot
reconnect however. This behavior applies in recovery also, so a
DROP USER on the primary does not disconnect that user on the standby.
The statistics collector is active during recovery. All scans, reads, blocks, index usage, etc., will be recorded normally on the standby. Replayed actions will not duplicate their effects on primary, so replaying an insert will not increment the Inserts column of pg_stat_user_tables. The stats file is deleted at the start of recovery, so stats from primary and standby will differ; this is considered a feature, not a bug.
Autovacuum is not active during recovery. It will start normally at the end of recovery.
The background writer is active during recovery and will perform
restartpoints (similar to checkpoints on the primary) and normal block
cleaning activities. This can include updates of the hint bit
information stored on the standby server.
CHECKPOINT command is accepted during recovery,
though it performs a restartpoint rather than a new checkpoint.
|ISBN 9781906966072||The PostgreSQL 9.0 Reference Manual - Volume 3 - Server Administration Guide||See the print edition|