On 2014-01-10 14:29:58 -0800, Joshua D. Drake wrote: > db02 goes down. It doesn't matter why. It is down. db01 continues to accept > orders, allow people to log into the website and we can still service > accounts. The continuity of service continues.
Why is that configuration advantageous over a async configuration is the question.
Because it is orders of magnitude less likely to lose transactions that were reported to have been committed. A permanent failure of the master is almost guaranteed to lose transactions with async. With auto-degrade, a permanent failure of the master only loses reported-committed transactions if it co-occurs with a temporary failure of the replica or the network, lasting longer than the time out period.
Why, with those requirements, are you using a synchronous standby at all?
They aren't using synchronous standby, they are using asynchronous standby because we fail to provide the choice they prefer, which is a compromise between the two.