diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 13:44:03 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 13:44:03 +0000 |
commit | 293913568e6a7a86fd1479e1cff8e2ecb58d6568 (patch) | |
tree | fc3b469a3ec5ab71b36ea97cc7aaddb838423a0c /doc/src/sgml/html/hot-standby.html | |
parent | Initial commit. (diff) | |
download | postgresql-16-293913568e6a7a86fd1479e1cff8e2ecb58d6568.tar.xz postgresql-16-293913568e6a7a86fd1479e1cff8e2ecb58d6568.zip |
Adding upstream version 16.2.upstream/16.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/src/sgml/html/hot-standby.html')
-rw-r--r-- | doc/src/sgml/html/hot-standby.html | 567 |
1 files changed, 567 insertions, 0 deletions
diff --git a/doc/src/sgml/html/hot-standby.html b/doc/src/sgml/html/hot-standby.html new file mode 100644 index 0000000..3fe5cd9 --- /dev/null +++ b/doc/src/sgml/html/hot-standby.html @@ -0,0 +1,567 @@ +<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>27.4. Hot Standby</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="warm-standby-failover.html" title="27.3. Failover" /><link rel="next" href="monitoring.html" title="Chapter 28. Monitoring Database Activity" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">27.4. Hot Standby</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="warm-standby-failover.html" title="27.3. Failover">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="high-availability.html" title="Chapter 27. High Availability, Load Balancing, and Replication">Up</a></td><th width="60%" align="center">Chapter 27. High Availability, Load Balancing, and Replication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 16.2 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="monitoring.html" title="Chapter 28. Monitoring Database Activity">Next</a></td></tr></table><hr /></div><div class="sect1" id="HOT-STANDBY"><div class="titlepage"><div><div><h2 class="title" style="clear: both">27.4. Hot Standby <a href="#HOT-STANDBY" class="id_link">#</a></h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="sect2"><a href="hot-standby.html#HOT-STANDBY-USERS">27.4.1. User's Overview</a></span></dt><dt><span class="sect2"><a href="hot-standby.html#HOT-STANDBY-CONFLICT">27.4.2. Handling Query Conflicts</a></span></dt><dt><span class="sect2"><a href="hot-standby.html#HOT-STANDBY-ADMIN">27.4.3. Administrator's Overview</a></span></dt><dt><span class="sect2"><a href="hot-standby.html#HOT-STANDBY-PARAMETERS">27.4.4. Hot Standby Parameter Reference</a></span></dt><dt><span class="sect2"><a href="hot-standby.html#HOT-STANDBY-CAVEATS">27.4.5. Caveats</a></span></dt></dl></div><a id="id-1.6.14.18.2" class="indexterm"></a><p> + Hot standby is the term used to describe the ability to connect to + the server and run read-only queries while the server is in archive + recovery or standby mode. This + is useful both for replication purposes and for restoring a backup + to a desired state with great precision. + The term hot standby also refers to the ability of the server to move + from recovery through to normal operation while users continue running + queries and/or keep their connections open. + </p><p> + Running queries in hot standby mode is similar to normal query operation, + though there are several usage and administrative differences + explained below. + </p><div class="sect2" id="HOT-STANDBY-USERS"><div class="titlepage"><div><div><h3 class="title">27.4.1. User's Overview <a href="#HOT-STANDBY-USERS" class="id_link">#</a></h3></div></div></div><p> + When the <a class="xref" href="runtime-config-replication.html#GUC-HOT-STANDBY">hot_standby</a> parameter is set to true on a + standby server, it will begin accepting connections once the recovery has + brought the system to a consistent state. All such connections are + strictly read-only; not even temporary tables may be written. + </p><p> + The data on the standby takes some time to arrive from the primary server + so there will be a measurable delay between primary and standby. Running the + same query nearly simultaneously on both primary and standby might therefore + return differing results. We say that data on the standby is + <em class="firstterm">eventually consistent</em> with the primary. Once the + commit record for a transaction is replayed on the standby, the changes + made by that transaction will be visible to any new snapshots taken on + the standby. Snapshots may be taken at the start of each query or at the + start of each transaction, depending on the current transaction isolation + level. For more details, see <a class="xref" href="transaction-iso.html" title="13.2. Transaction Isolation">Section 13.2</a>. + </p><p> + Transactions started during hot standby may issue the following commands: + + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + Query access: <code class="command">SELECT</code>, <code class="command">COPY TO</code> + </p></li><li class="listitem"><p> + Cursor commands: <code class="command">DECLARE</code>, <code class="command">FETCH</code>, <code class="command">CLOSE</code> + </p></li><li class="listitem"><p> + Settings: <code class="command">SHOW</code>, <code class="command">SET</code>, <code class="command">RESET</code> + </p></li><li class="listitem"><p> + Transaction management commands: + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; "><li class="listitem"><p> + <code class="command">BEGIN</code>, <code class="command">END</code>, <code class="command">ABORT</code>, <code class="command">START TRANSACTION</code> + </p></li><li class="listitem"><p> + <code class="command">SAVEPOINT</code>, <code class="command">RELEASE</code>, <code class="command">ROLLBACK TO SAVEPOINT</code> + </p></li><li class="listitem"><p> + <code class="command">EXCEPTION</code> blocks and other internal subtransactions + </p></li></ul></div><p> + </p></li><li class="listitem"><p> + <code class="command">LOCK TABLE</code>, though only when explicitly in one of these modes: + <code class="literal">ACCESS SHARE</code>, <code class="literal">ROW SHARE</code> or <code class="literal">ROW EXCLUSIVE</code>. + </p></li><li class="listitem"><p> + Plans and resources: <code class="command">PREPARE</code>, <code class="command">EXECUTE</code>, + <code class="command">DEALLOCATE</code>, <code class="command">DISCARD</code> + </p></li><li class="listitem"><p> + Plugins and extensions: <code class="command">LOAD</code> + </p></li><li class="listitem"><p> + <code class="command">UNLISTEN</code> + </p></li></ul></div><p> + </p><p> + Transactions started during hot standby will never be assigned a + transaction ID and cannot write to the system write-ahead log. + Therefore, the following actions will produce error messages: + + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + Data Manipulation Language (DML): <code class="command">INSERT</code>, + <code class="command">UPDATE</code>, <code class="command">DELETE</code>, + <code class="command">MERGE</code>, <code class="command">COPY FROM</code>, + <code class="command">TRUNCATE</code>. + Note that there are no allowed actions that result in a trigger + being executed during recovery. This restriction applies even to + temporary tables, because table rows cannot be read or written without + assigning a transaction ID, which is currently not possible in a + hot standby environment. + </p></li><li class="listitem"><p> + Data Definition Language (DDL): <code class="command">CREATE</code>, + <code class="command">DROP</code>, <code class="command">ALTER</code>, <code class="command">COMMENT</code>. + This restriction applies even to temporary tables, because carrying + out these operations would require updating the system catalog tables. + </p></li><li class="listitem"><p> + <code class="command">SELECT ... FOR SHARE | UPDATE</code>, because row locks cannot be + taken without updating the underlying data files. + </p></li><li class="listitem"><p> + Rules on <code class="command">SELECT</code> statements that generate DML commands. + </p></li><li class="listitem"><p> + <code class="command">LOCK</code> that explicitly requests a mode higher than <code class="literal">ROW EXCLUSIVE MODE</code>. + </p></li><li class="listitem"><p> + <code class="command">LOCK</code> in short default form, since it requests <code class="literal">ACCESS EXCLUSIVE MODE</code>. + </p></li><li class="listitem"><p> + Transaction management commands that explicitly set non-read-only state: + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; "><li class="listitem"><p> + <code class="command">BEGIN READ WRITE</code>, + <code class="command">START TRANSACTION READ WRITE</code> + </p></li><li class="listitem"><p> + <code class="command">SET TRANSACTION READ WRITE</code>, + <code class="command">SET SESSION CHARACTERISTICS AS TRANSACTION READ WRITE</code> + </p></li><li class="listitem"><p> + <code class="command">SET transaction_read_only = off</code> + </p></li></ul></div><p> + </p></li><li class="listitem"><p> + Two-phase commit commands: <code class="command">PREPARE TRANSACTION</code>, + <code class="command">COMMIT PREPARED</code>, <code class="command">ROLLBACK PREPARED</code> + because even read-only transactions need to write WAL in the + prepare phase (the first phase of two phase commit). + </p></li><li class="listitem"><p> + Sequence updates: <code class="function">nextval()</code>, <code class="function">setval()</code> + </p></li><li class="listitem"><p> + <code class="command">LISTEN</code>, <code class="command">NOTIFY</code> + </p></li></ul></div><p> + </p><p> + In normal operation, <span class="quote">“<span class="quote">read-only</span>”</span> transactions are allowed to + use <code class="command">LISTEN</code> and <code class="command">NOTIFY</code>, + so hot standby sessions operate under slightly tighter + restrictions than ordinary read-only sessions. It is possible that some + of these restrictions might be loosened in a future release. + </p><p> + During hot standby, the parameter <code class="varname">transaction_read_only</code> is always + true and may not be changed. But as long as no attempt is made to modify + the database, connections during hot standby will act much like any other + database connection. If failover or switchover occurs, the database will + switch to normal processing mode. Sessions will remain connected while the + server changes mode. Once hot standby finishes, it will be possible to + initiate read-write transactions (even from a session begun during + hot standby). + </p><p> + Users can determine whether hot standby is currently active for their + session by issuing <code class="command">SHOW in_hot_standby</code>. + (In server versions before 14, the <code class="varname">in_hot_standby</code> + parameter did not exist; a workable substitute method for older servers + is <code class="command">SHOW transaction_read_only</code>.) In addition, a set of + functions (<a class="xref" href="functions-admin.html#FUNCTIONS-RECOVERY-INFO-TABLE" title="Table 9.92. Recovery Information Functions">Table 9.92</a>) allow users to + access information about the standby server. These allow you to write + programs that are aware of the current state of the database. These + can be used to monitor the progress of recovery, or to allow you to + write complex programs that restore the database to particular states. + </p></div><div class="sect2" id="HOT-STANDBY-CONFLICT"><div class="titlepage"><div><div><h3 class="title">27.4.2. Handling Query Conflicts <a href="#HOT-STANDBY-CONFLICT" class="id_link">#</a></h3></div></div></div><p> + The primary and standby servers are in many ways loosely connected. Actions + on the primary will have an effect on the standby. As a result, there is + potential for negative interactions or conflicts between them. The easiest + conflict to understand is performance: if a huge data load is taking place + on the primary then this will generate a similar stream of WAL records on the + standby, so standby queries may contend for system resources, such as I/O. + </p><p> + There are also additional types of conflict that can occur with hot standby. + These conflicts are <span class="emphasis"><em>hard conflicts</em></span> in the sense that queries + might need to be canceled and, in some cases, sessions disconnected to resolve them. + The user is provided with several ways to handle these + conflicts. Conflict cases include: + + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + Access Exclusive locks taken on the primary server, including both + explicit <code class="command">LOCK</code> commands and various <acronym class="acronym">DDL</acronym> + actions, conflict with table accesses in standby queries. + </p></li><li class="listitem"><p> + Dropping a tablespace on the primary conflicts with standby queries + using that tablespace for temporary work files. + </p></li><li class="listitem"><p> + Dropping a database on the primary conflicts with sessions connected + to that database on the standby. + </p></li><li class="listitem"><p> + Application of a vacuum cleanup record from WAL conflicts with + standby transactions whose snapshots can still <span class="quote">“<span class="quote">see</span>”</span> any of + the rows to be removed. + </p></li><li class="listitem"><p> + Application of a vacuum cleanup record from WAL conflicts with + queries accessing the target page on the standby, whether or not + the data to be removed is visible. + </p></li></ul></div><p> + </p><p> + On the primary server, these cases simply result in waiting; and the + user might choose to cancel either of the conflicting actions. However, + on the standby there is no choice: the WAL-logged action already occurred + on the primary so the standby must not fail to apply it. Furthermore, + allowing WAL application to wait indefinitely may be very undesirable, + because the standby's state will become increasingly far behind the + primary's. Therefore, a mechanism is provided to forcibly cancel standby + queries that conflict with to-be-applied WAL records. + </p><p> + An example of the problem situation is an administrator on the primary + server running <code class="command">DROP TABLE</code> on a table that is currently being + queried on the standby server. Clearly the standby query cannot continue + if the <code class="command">DROP TABLE</code> is applied on the standby. If this situation + occurred on the primary, the <code class="command">DROP TABLE</code> would wait until the + other query had finished. But when <code class="command">DROP TABLE</code> is run on the + primary, the primary doesn't have information about what queries are + running on the standby, so it will not wait for any such standby + queries. The WAL change records come through to the standby while the + standby query is still running, causing a conflict. The standby server + must either delay application of the WAL records (and everything after + them, too) or else cancel the conflicting query so that the <code class="command">DROP + TABLE</code> can be applied. + </p><p> + When a conflicting query is short, it's typically desirable to allow it to + complete by delaying WAL application for a little bit; but a long delay in + WAL application is usually not desirable. So the cancel mechanism has + parameters, <a class="xref" href="runtime-config-replication.html#GUC-MAX-STANDBY-ARCHIVE-DELAY">max_standby_archive_delay</a> and <a class="xref" href="runtime-config-replication.html#GUC-MAX-STANDBY-STREAMING-DELAY">max_standby_streaming_delay</a>, that define the maximum + allowed delay in WAL application. Conflicting queries will be canceled + once it has taken longer than the relevant delay setting to apply any + newly-received WAL data. There are two parameters so that different delay + values can be specified for the case of reading WAL data from an archive + (i.e., initial recovery from a base backup or <span class="quote">“<span class="quote">catching up</span>”</span> a + standby server that has fallen far behind) versus reading WAL data via + streaming replication. + </p><p> + In a standby server that exists primarily for high availability, it's + best to set the delay parameters relatively short, so that the server + cannot fall far behind the primary due to delays caused by standby + queries. However, if the standby server is meant for executing + long-running queries, then a high or even infinite delay value may be + preferable. Keep in mind however that a long-running query could + cause other sessions on the standby server to not see recent changes + on the primary, if it delays application of WAL records. + </p><p> + Once the delay specified by <code class="varname">max_standby_archive_delay</code> or + <code class="varname">max_standby_streaming_delay</code> has been exceeded, conflicting + queries will be canceled. This usually results just in a cancellation + error, although in the case of replaying a <code class="command">DROP DATABASE</code> + the entire conflicting session will be terminated. Also, if the conflict + is over a lock held by an idle transaction, the conflicting session is + terminated (this behavior might change in the future). + </p><p> + Canceled queries may be retried immediately (after beginning a new + transaction, of course). Since query cancellation depends on + the nature of the WAL records being replayed, a query that was + canceled may well succeed if it is executed again. + </p><p> + Keep in mind that the delay parameters are compared to the elapsed time + since the WAL data was received by the standby server. Thus, the grace + period allowed to any one query on the standby is never more than the + delay parameter, and could be considerably less if the standby has already + fallen behind as a result of waiting for previous queries to complete, or + as a result of being unable to keep up with a heavy update load. + </p><p> + The most common reason for conflict between standby queries and WAL replay + is <span class="quote">“<span class="quote">early cleanup</span>”</span>. Normally, <span class="productname">PostgreSQL</span> allows + cleanup of old row versions when there are no transactions that need to + see them to ensure correct visibility of data according to MVCC rules. + However, this rule can only be applied for transactions executing on the + primary. So it is possible that cleanup on the primary will remove row + versions that are still visible to a transaction on the standby. + </p><p> + Row version cleanup isn't the only potential cause of conflicts with + standby queries. All index-only scans (including those that run on + standbys) must use an <acronym class="acronym">MVCC</acronym> snapshot that + <span class="quote">“<span class="quote">agrees</span>”</span> with the visibility map. Conflicts are therefore + required whenever <code class="command">VACUUM</code> <a class="link" href="routine-vacuuming.html#VACUUM-FOR-VISIBILITY-MAP" title="25.1.4. Updating the Visibility Map">sets a page as all-visible in the + visibility map</a> containing one or more rows + <span class="emphasis"><em>not</em></span> visible to all standby queries. So even running + <code class="command">VACUUM</code> against a table with no updated or deleted rows + requiring cleanup might lead to conflicts. + </p><p> + Users should be clear that tables that are regularly and heavily updated + on the primary server will quickly cause cancellation of longer running + queries on the standby. In such cases the setting of a finite value for + <code class="varname">max_standby_archive_delay</code> or + <code class="varname">max_standby_streaming_delay</code> can be considered similar to + setting <code class="varname">statement_timeout</code>. + </p><p> + Remedial possibilities exist if the number of standby-query cancellations + is found to be unacceptable. The first option is to set the parameter + <code class="varname">hot_standby_feedback</code>, which prevents <code class="command">VACUUM</code> from + removing recently-dead rows and so cleanup conflicts do not occur. + If you do this, you + should note that this will delay cleanup of dead rows on the primary, + which may result in undesirable table bloat. However, the cleanup + situation will be no worse than if the standby queries were running + directly on the primary server, and you are still getting the benefit of + off-loading execution onto the standby. + If standby servers connect and disconnect frequently, you + might want to make adjustments to handle the period when + <code class="varname">hot_standby_feedback</code> feedback is not being provided. + For example, consider increasing <code class="varname">max_standby_archive_delay</code> + so that queries are not rapidly canceled by conflicts in WAL archive + files during disconnected periods. You should also consider increasing + <code class="varname">max_standby_streaming_delay</code> to avoid rapid cancellations + by newly-arrived streaming WAL entries after reconnection. + </p><p> + The number of query cancels and the reason for them can be viewed using + the <code class="structname">pg_stat_database_conflicts</code> system view on the standby + server. The <code class="structname">pg_stat_database</code> system view also contains + summary information. + </p><p> + Users can control whether a log message is produced when WAL replay is waiting + longer than <code class="varname">deadlock_timeout</code> for conflicts. This + is controlled by the <a class="xref" href="runtime-config-logging.html#GUC-LOG-RECOVERY-CONFLICT-WAITS">log_recovery_conflict_waits</a> parameter. + </p></div><div class="sect2" id="HOT-STANDBY-ADMIN"><div class="titlepage"><div><div><h3 class="title">27.4.3. Administrator's Overview <a href="#HOT-STANDBY-ADMIN" class="id_link">#</a></h3></div></div></div><p> + If <code class="varname">hot_standby</code> is <code class="literal">on</code> in <code class="filename">postgresql.conf</code> + (the default value) and there is a + <a class="link" href="warm-standby.html#FILE-STANDBY-SIGNAL"><code class="filename">standby.signal</code></a><a id="id-1.6.14.18.7.2.5" class="indexterm"></a> + file present, the server will run in hot standby mode. + However, it may take some time for hot standby connections to be allowed, + because the server will not accept connections until it has completed + sufficient recovery to provide a consistent state against which queries + can run. During this period, + clients that attempt to connect will be refused with an error message. + To confirm the server has come up, either loop trying to connect from + the application, or look for these messages in the server logs: + +</p><pre class="programlisting"> +LOG: entering standby mode + +... then some time later ... + +LOG: consistent recovery state reached +LOG: database system is ready to accept read-only connections +</pre><p> + + Consistency information is recorded once per checkpoint on the primary. + It is not possible to enable hot standby when reading WAL + written during a period when <code class="varname">wal_level</code> was not set to + <code class="literal">replica</code> or <code class="literal">logical</code> on the primary. Reaching + a consistent state can also be delayed in the presence of both of these + conditions: + + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + A write transaction has more than 64 subtransactions + </p></li><li class="listitem"><p> + Very long-lived write transactions + </p></li></ul></div><p> + + If you are running file-based log shipping ("warm standby"), you might need + to wait until the next WAL file arrives, which could be as long as the + <code class="varname">archive_timeout</code> setting on the primary. + </p><p> + The settings of some parameters determine the size of shared memory for + tracking transaction IDs, locks, and prepared transactions. These shared + memory structures must be no smaller on a standby than on the primary in + order to ensure that the standby does not run out of shared memory during + recovery. For example, if the primary had used a prepared transaction but + the standby had not allocated any shared memory for tracking prepared + transactions, then recovery could not continue until the standby's + configuration is changed. The parameters affected are: + + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + <code class="varname">max_connections</code> + </p></li><li class="listitem"><p> + <code class="varname">max_prepared_transactions</code> + </p></li><li class="listitem"><p> + <code class="varname">max_locks_per_transaction</code> + </p></li><li class="listitem"><p> + <code class="varname">max_wal_senders</code> + </p></li><li class="listitem"><p> + <code class="varname">max_worker_processes</code> + </p></li></ul></div><p> + + The easiest way to ensure this does not become a problem is to have these + parameters set on the standbys to values equal to or greater than on the + primary. Therefore, if you want to increase these values, you should do + so on all standby servers first, before applying the changes to the + primary server. Conversely, if you want to decrease these values, you + should do so on the primary server first, before applying the changes to + all standby servers. Keep in mind that when a standby is promoted, it + becomes the new reference for the required parameter settings for the + standbys that follow it. Therefore, to avoid this becoming a problem + during a switchover or failover, it is recommended to keep these settings + the same on all standby servers. + </p><p> + The WAL tracks changes to these parameters on the + primary. If a hot standby processes WAL that indicates that the current + value on the primary is higher than its own value, it will log a warning + and pause recovery, for example: +</p><pre class="screen"> +WARNING: hot standby is not possible because of insufficient parameter settings +DETAIL: max_connections = 80 is a lower setting than on the primary server, where its value was 100. +LOG: recovery has paused +DETAIL: If recovery is unpaused, the server will shut down. +HINT: You can then restart the server after making the necessary configuration changes. +</pre><p> + At that point, the settings on the standby need to be updated and the + instance restarted before recovery can continue. If the standby is not a + hot standby, then when it encounters the incompatible parameter change, it + will shut down immediately without pausing, since there is then no value + in keeping it up. + </p><p> + It is important that the administrator select appropriate settings for + <a class="xref" href="runtime-config-replication.html#GUC-MAX-STANDBY-ARCHIVE-DELAY">max_standby_archive_delay</a> and <a class="xref" href="runtime-config-replication.html#GUC-MAX-STANDBY-STREAMING-DELAY">max_standby_streaming_delay</a>. The best choices vary + depending on business priorities. For example if the server is primarily + tasked as a High Availability server, then you will want low delay + settings, perhaps even zero, though that is a very aggressive setting. If + the standby server is tasked as an additional server for decision support + queries then it might be acceptable to set the maximum delay values to + many hours, or even -1 which means wait forever for queries to complete. + </p><p> + Transaction status "hint bits" written on the primary are not WAL-logged, + so data on the standby will likely re-write the hints again on the standby. + Thus, the standby server will still perform disk writes even though + all users are read-only; no changes occur to the data values + themselves. Users will still write large sort temporary files and + re-generate relcache info files, so no part of the database + is truly read-only during hot standby mode. + Note also that writes to remote databases using + <span class="application">dblink</span> module, and other operations outside the + database using PL functions will still be possible, even though the + transaction is read-only locally. + </p><p> + The following types of administration commands are not accepted + during recovery mode: + + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + Data Definition Language (DDL): e.g., <code class="command">CREATE INDEX</code> + </p></li><li class="listitem"><p> + Privilege and Ownership: <code class="command">GRANT</code>, <code class="command">REVOKE</code>, + <code class="command">REASSIGN</code> + </p></li><li class="listitem"><p> + Maintenance commands: <code class="command">ANALYZE</code>, <code class="command">VACUUM</code>, + <code class="command">CLUSTER</code>, <code class="command">REINDEX</code> + </p></li></ul></div><p> + </p><p> + Again, note that some of these commands are actually allowed during + "read only" mode transactions on the primary. + </p><p> + As a result, you cannot create additional indexes that exist solely + on the standby, nor statistics that exist solely on the standby. + If these administration commands are needed, they should be executed + on the primary, and eventually those changes will propagate to the + standby. + </p><p> + <code class="function">pg_cancel_backend()</code> + and <code class="function">pg_terminate_backend()</code> will work on user backends, + but not the startup process, which performs + recovery. <code class="structname">pg_stat_activity</code> does not show + recovering transactions as active. As a result, + <code class="structname">pg_prepared_xacts</code> is always empty during + recovery. If you wish to resolve in-doubt prepared transactions, view + <code class="literal">pg_prepared_xacts</code> on the primary and issue commands to + resolve transactions there or resolve them after the end of recovery. + </p><p> + <code class="structname">pg_locks</code> will show locks held by backends, + as normal. <code class="structname">pg_locks</code> also shows + a virtual transaction managed by the startup process that owns all + <code class="literal">AccessExclusiveLocks</code> held by transactions being replayed by recovery. + Note that the startup process does not acquire locks to + make database changes, and thus locks other than <code class="literal">AccessExclusiveLocks</code> + do not show in <code class="structname">pg_locks</code> for the Startup + process; they are just presumed to exist. + </p><p> + The <span class="productname">Nagios</span> plugin <span class="productname">check_pgsql</span> will + work, because the simple information it checks for exists. + The <span class="productname">check_postgres</span> monitoring script will also work, + though some reported values could give different or confusing results. + For example, last vacuum time will not be maintained, since no + vacuum occurs on the standby. Vacuums running on the primary + do still send their changes to the standby. + </p><p> + WAL file control commands will not work during recovery, + e.g., <code class="function">pg_backup_start</code>, <code class="function">pg_switch_wal</code> etc. + </p><p> + Dynamically loadable modules work, including <code class="structname">pg_stat_statements</code>. + </p><p> + Advisory locks work normally in recovery, including deadlock detection. + Note that advisory locks are never WAL logged, so it is impossible for + an advisory lock on either the primary or the standby to conflict with WAL + replay. Nor is it possible to acquire an advisory lock on the primary + and have it initiate a similar advisory lock on the standby. Advisory + locks relate only to the server on which they are acquired. + </p><p> + Trigger-based replication systems such as <span class="productname">Slony</span>, + <span class="productname">Londiste</span> and <span class="productname">Bucardo</span> won't run on the + standby at all, though they will run happily on the primary server as + long as the changes are not sent to standby servers to be applied. + WAL replay is not trigger-based so you cannot relay from the + standby to any system that requires additional database writes or + relies on the use of triggers. + </p><p> + New OIDs cannot be assigned, though some <acronym class="acronym">UUID</acronym> generators may still + work as long as they do not rely on writing new status to the database. + </p><p> + Currently, temporary table creation is not allowed during read-only + transactions, so in some cases existing scripts will not run correctly. + This restriction might be relaxed in a later release. This is + both an SQL standard compliance issue and a technical issue. + </p><p> + <code class="command">DROP TABLESPACE</code> can only succeed if the tablespace is empty. + Some standby users may be actively using the tablespace via their + <code class="varname">temp_tablespaces</code> parameter. If there are temporary files in the + tablespace, all active queries are canceled to ensure that temporary + files are removed, so the tablespace can be removed and WAL replay + can continue. + </p><p> + Running <code class="command">DROP DATABASE</code> or <code class="command">ALTER DATABASE ... SET + TABLESPACE</code> on the primary + will generate a WAL entry that will cause all users connected to that + database on the standby to be forcibly disconnected. This action occurs + immediately, whatever the setting of + <code class="varname">max_standby_streaming_delay</code>. Note that + <code class="command">ALTER DATABASE ... RENAME</code> does not disconnect users, which + in most cases will go unnoticed, though might in some cases cause a + program confusion if it depends in some way upon database name. + </p><p> + In normal (non-recovery) mode, if you issue <code class="command">DROP USER</code> or <code class="command">DROP ROLE</code> + for a role with login capability while that user is still connected then + nothing happens to the connected user — they remain connected. The user cannot + reconnect however. This behavior applies in recovery also, so a + <code class="command">DROP USER</code> on the primary does not disconnect that user on the standby. + </p><p> + The cumulative statistics system is active during recovery. All scans, + reads, blocks, index usage, etc., will be recorded normally on the + standby. However, WAL replay will not increment relation and database + specific counters. I.e. replay will not increment pg_stat_all_tables + columns (like n_tup_ins), nor will reads or writes performed by the + startup process be tracked in the pg_statio views, nor will associated + pg_stat_database columns be incremented. + </p><p> + Autovacuum is not active during recovery. It will start normally at the + end of recovery. + </p><p> + The checkpointer process and the background writer process are active during + recovery. The checkpointer process will perform restartpoints (similar to + checkpoints on the primary) and the background writer process will perform + normal block cleaning activities. This can include updates of the hint bit + information stored on the standby server. + The <code class="command">CHECKPOINT</code> command is accepted during recovery, + though it performs a restartpoint rather than a new checkpoint. + </p></div><div class="sect2" id="HOT-STANDBY-PARAMETERS"><div class="titlepage"><div><div><h3 class="title">27.4.4. Hot Standby Parameter Reference <a href="#HOT-STANDBY-PARAMETERS" class="id_link">#</a></h3></div></div></div><p> + Various parameters have been mentioned above in + <a class="xref" href="hot-standby.html#HOT-STANDBY-CONFLICT" title="27.4.2. Handling Query Conflicts">Section 27.4.2</a> and + <a class="xref" href="hot-standby.html#HOT-STANDBY-ADMIN" title="27.4.3. Administrator's Overview">Section 27.4.3</a>. + </p><p> + On the primary, the <a class="xref" href="runtime-config-wal.html#GUC-WAL-LEVEL">wal_level</a> parameter can be used. + <a class="xref" href="runtime-config-replication.html#GUC-MAX-STANDBY-ARCHIVE-DELAY">max_standby_archive_delay</a> and + <a class="xref" href="runtime-config-replication.html#GUC-MAX-STANDBY-STREAMING-DELAY">max_standby_streaming_delay</a> have no effect if set on + the primary. + </p><p> + On the standby, parameters <a class="xref" href="runtime-config-replication.html#GUC-HOT-STANDBY">hot_standby</a>, + <a class="xref" href="runtime-config-replication.html#GUC-MAX-STANDBY-ARCHIVE-DELAY">max_standby_archive_delay</a> and + <a class="xref" href="runtime-config-replication.html#GUC-MAX-STANDBY-STREAMING-DELAY">max_standby_streaming_delay</a> can be used. + </p></div><div class="sect2" id="HOT-STANDBY-CAVEATS"><div class="titlepage"><div><div><h3 class="title">27.4.5. Caveats <a href="#HOT-STANDBY-CAVEATS" class="id_link">#</a></h3></div></div></div><p> + There are several limitations of hot standby. + These can and probably will be fixed in future releases: + + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + Full knowledge of running transactions is required before snapshots + can be taken. Transactions that use large numbers of subtransactions + (currently greater than 64) will delay the start of read-only + connections until the completion of the longest running write transaction. + If this situation occurs, explanatory messages will be sent to the server log. + </p></li><li class="listitem"><p> + Valid starting points for standby queries are generated at each + checkpoint on the primary. If the standby is shut down while the primary + is in a shutdown state, it might not be possible to re-enter hot standby + until the primary is started up, so that it generates further starting + points in the WAL logs. This situation isn't a problem in the most + common situations where it might happen. Generally, if the primary is + shut down and not available anymore, that's likely due to a serious + failure that requires the standby being converted to operate as + the new primary anyway. And in situations where the primary is + being intentionally taken down, coordinating to make sure the standby + becomes the new primary smoothly is also standard procedure. + </p></li><li class="listitem"><p> + At the end of recovery, <code class="literal">AccessExclusiveLocks</code> held by prepared transactions + will require twice the normal number of lock table entries. If you plan + on running either a large number of concurrent prepared transactions + that normally take <code class="literal">AccessExclusiveLocks</code>, or you plan on having one + large transaction that takes many <code class="literal">AccessExclusiveLocks</code>, you are + advised to select a larger value of <code class="varname">max_locks_per_transaction</code>, + perhaps as much as twice the value of the parameter on + the primary server. You need not consider this at all if + your setting of <code class="varname">max_prepared_transactions</code> is 0. + </p></li><li class="listitem"><p> + The Serializable transaction isolation level is not yet available in hot + standby. (See <a class="xref" href="transaction-iso.html#XACT-SERIALIZABLE" title="13.2.3. Serializable Isolation Level">Section 13.2.3</a> and + <a class="xref" href="applevel-consistency.html#SERIALIZABLE-CONSISTENCY" title="13.4.1. Enforcing Consistency with Serializable Transactions">Section 13.4.1</a> for details.) + An attempt to set a transaction to the serializable isolation level in + hot standby mode will generate an error. + </p></li></ul></div><p> + + </p></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="warm-standby-failover.html" title="27.3. Failover">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="high-availability.html" title="Chapter 27. High Availability, Load Balancing, and Replication">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="monitoring.html" title="Chapter 28. Monitoring Database Activity">Next</a></td></tr><tr><td width="40%" align="left" valign="top">27.3. Failover </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 16.2 Documentation">Home</a></td><td width="40%" align="right" valign="top"> Chapter 28. Monitoring Database Activity</td></tr></table></div></body></html>
\ No newline at end of file |