Re: Standby trying "restore_command" before local WAL

On 08/06/2018 06:11 PM, Stephen Frost wrote:
> Greetings,
> 
> * Tomas Vondra (tomas.vondra@2ndquadrant.com) wrote:
>> On 08/06/2018 05:19 PM, Stephen Frost wrote:
>>> * David Steele (david@pgmasters.net) wrote:
>>>> I think for the stated scenario (known good standby that has been
>>>> shutdown gracefully) it makes perfect sense to trust the contents of
>>>> pg_wal.  Call this scenario #1.
>>>>
>>>> An alternate scenario (#2) is that the data directory was copied using a
>>>> basic copy tool and the pg_wal directory was not excluded from the copy.
>>>>   This means the contents of pg_wal will be in an inconsistent state.
>>>> The files that are there might be partials (not with the extension,
>>>> though) and you can easily have multiple partials.  You will almost
>>>> certainly not have everything you need to get to consistency.
>>
>> Yeah. But as Simon said, we do have fairly strong protections about applying
>> corrupted WAL - every record is CRC-checked. So why not to fall-back to the
>> restore_command only if the locally available WAL is not fully consistent?
> 
> "Corrupted" doesn't necessairly only mean "the data file was munged by
> the storage somehow."  In this case, corrupted could be an old and only
> partial WAL file, in which case we'd possibly be missing WAL that needs
> to be replayed to bring the cluster back to a valid state, no?
> 

Why wouldn't that be detected by checksums? Also, why wouldn't this be 
handled correctly by the logic I proposed, i.e. falling-back to remote 
WAL segment if the file is incomplete/broken in some sense?

>>>> But there's another good scenario (#3): where the pg_wal directory was
>>>> preloaded with all the WAL required to make the cluster consistent or
>>>> all the WAL that was available at restore time.  In this case, it would
>>>> be make sense to prefer the contents of pg_wal and only switch to
>>>> restore_command after that has been exhausted.
>>>>
>>>> So, the choice of whether to prefer locally-stored or
>>>> restore_command-fetched WAL is context-dependent, in my mind.
>>>
>>> Agreed.
>>
>> Maybe, not sure.
> 
> The argument that David makes above in scenario #2 certainly looks
> entirely likely to me and I don't think we've got any real protections
> against that.  The current common use-cases happen to work around the
> risk because tools like pg_basebackup ignore the existing pg_wal
> directory when doing the backup and instead populate it with exactly the
> correct WAL that's needed, and in cases where a restore command is
> specified will always pull back only valid WAL, but I don't think we can
> decide that this scenario (#2 from above):
> 

I'm probably missing something, but why couldn't we detect that using 
CRC. Or make sure we can detect that, e.g. by adding some additional 
info into each WAL segment?


>>>> Ideally we could have a default that is safe in each scenario with
>>>> perhaps an override if the user knows better.  Scenario #1 would allow
>>>> WAL to be read from pg_wal by default, scenario #2 would prefer fetched
>>>> WAL, and scenario #3 could use a GUC to override the default fetch behavior.
>>>
>>> Not sure how we'd be able to automatically realize which scenario we're
>>> in though..?
>>
>> But do we need to know it? I mean, can't we try the local WAL first, use it
>> if it passes the CRC checks (and possibly some other checks), and only
>> fallback to the remote WAL if it's identified as broken?
> 
> Maybe- but I think we need to be quite sure about that and I don't
> believe that just checking the CRCs is enough.
> 

Sure. So what else would we need to add to each WAL segment to make that 
possible? It needs to be cheap enough not to cause perf regression, but 
e.g. a CRC of each segment + amount of data actually stored in it should 
be sufficient.

Another idea - what if we instead allow fetching additional information 
of the archived WAL, and make decision based on that? For example, 
before restore_command we could request md5 checksum from the archive, 
compare it to the local WAL, and if they match then use the local one. 
Otherwise request the remote one. That'd still be a win.


regards

-- 
Tomas Vondra                  http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services