RE: Transactions involving multiple postgres foreign servers, take 2

From: Masahiko Sawada <sawada.mshk@gmail.com>
> On Tue, Jun 8, 2021 at 5:28 PM tsunakawa.takay@fujitsu.com
> <tsunakawa.takay@fujitsu.com> wrote:
> > Then, in what kind of scenario are we talking about the difficulty, and how is
> it difficult to handle, when we adopt either the method 1 or 2?  (I'd just like to
> have the same clear picture.)
> 
> IMO, even though FDW's commit/rollback transaction code could be
> simple in some cases, I think we need to think that any kind of errors
> (or even FATAL or PANIC) could be thrown from the FDW code. It could
> be an error due to a temporary network problem, remote server down,
> driver’s unexpected error, or out of memory etc. Errors that happened
> after the local transaction commit doesn't affect the global
> transaction decision, as you mentioned. But the proccess or system
> could be in a bad state. Also, users might expect the process to exit
> on error by setting  exit_on_error = on. Your idea sounds like that we
> have to ignore any errors happening after the local commit if they
> don’t affect the transaction outcome. It’s too scary to me and I think
> that it's a bad idea to blindly ignore all possible errors under such
> conditions. That could make the thing worse and will likely be
> foot-gun. It would be good if we can prove that it’s safe to ignore
> those errors but not sure how we can at least for me.
> 
> This situation is true even today; an error could happen after
> committing the transaction. But I personally don’t want to add the
> code that increases the likelihood.

I'm not talking about the code simplicity here (actually, I haven't reviewed the code around prepare and commit in the
patchyet...)  Also, I don't understand well what you're trying to insist and what realistic situations you have in mind
byciting exit_on_error, FATAL, PANIC and so on.  I just asked (in a different part) why the client has to know the
error.

Just to be clear, I'm not saying that we should hide the error completely behind the scenes.  For example, you can
allowthe FDW to emit a WARNING if the DBMS-specific client driver returns an error when committing.  Further, if you
wantto allow the FDW to throw an ERROR when committing, the transaction manager in core can catch it by PG_TRY(), so
thatit can report back successfull commit of the global transaction to the client while it leaves the handling of
failedcommit of the FDW to the resolver.  (I don't think we like to use PG_TRY() during transaction commit for
performancereasons, though.)
 

Let's give it a hundred steps and let's say we want to report the error of the committing FDW to the client.  If that's
thecase, we can use SQLSTATE 02xxx (Warning) and attach the error message.
 


> Just to be clear, with your idea, we will ignore only ERROR or also
> FATAL and PANIC? And if an error happens during committing one of the
> prepared transactions on the foreign server, will we proceed with
> committing other transactions or return OK to the client?

Neither FATAL nor PANIC can be ignored.  When FATAL, which means the termination of a particular session, the
committingof the remote transaction should be taken over by the resolver.  Not to mention PANIC; we can't do anything.
Otherwise,we proceed with committing other FDWs, hand off the task of committing the failed FDW to the resolver, and
reportsuccess to the client.  If you're not convinced, I'd like to ask you to investigate the code of some Java EE app
server,say GlassFish, and share with us how it handles an error during commit.
 


Regards
Takayuki Tsunakawa