Re: smart shutdown at end of transaction (was: Default mode for shutdown)

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Simon Riggs <simon(at)2ndQuadrant(dot)com>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, Andres Freund <andres(at)anarazel(dot)de>, pgsql-hackers(at)postgresql(dot)org, Robert Haas <robertmhaas(at)gmail(dot)com>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>
Subject: Re: smart shutdown at end of transaction (was: Default mode for shutdown)
Date: 2012-04-29 16:41:56
Message-ID: 25269.1335717716@sss.pgh.pa.us
Lists: pgsql-hackers

Simon Riggs <simon(at)2ndQuadrant(dot)com> writes:
> I think we only need one new mode, "shutdown when transactions are
> finished" should only shutdown when all types of transaction are
> complete. For people that don't use prepared transactions the
> difference is irrelevant. For people that do use prepared
> transactions, I can't imagine they would want a new setting that ends
> with aborted transactions, since that isn't any different to a fast
> shutdown.

That sounds reasonable at first blush. Implementing it might be
trickier than you think though, since (despite Peter's opinion) the
prepared xacts are not associated with any particular session, and the
postmaster itself doesn't know they are there. What's more, if
individual sessions are told to commit hara-kiri as soon as they are not
in a transaction, there soon won't be any surviving session in which the
TM could issue a COMMIT PREPARED.

I think the only way this could be made to fly would be if the TM could
set a session state that indicates "I'm a TM session, don't kill me
until all prepared transactions are gone". Which might be problematic
from a security standpoint, if random users could use it to proof
themselves against getting kicked out. We could make it SUSET but then
TMs would have to run as superuser, which seems a bit less than
desirable.

On the whole it is not apparent to me that we really need a mode in
which shutdown waits for prepared transactions to flush out; and I would
definitely not be in favor of it being the default. I think that that
would make prepared transactions an even bigger foot-gun than they are
now. Just think: you say "pg_ctl stop", and the server promptly kicks
off all your users and won't let any more in, but doesn't actually shut
down. You may not know why, and even if you do, you can't connect to do
something about it. Eventually you give up and issue shutdown fast,
cursing whoever designed that misbegotten behavior.

regards, tom lane
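
As an added example (not part of this mail or of PostgreSQL's own code), the session-independence of prepared transactions described above, written as a psql script an operator could run before a shutdown; the table `audit_log` and the GID `'tm-example-1'` are constructed values.

```sql
-- Requires max_prepared_transactions > 0 (the default is 0, which
-- disables PREPARE TRANSACTION entirely).

-- Session A: prepare a transaction, then disconnect without finishing it.
BEGIN;
INSERT INTO audit_log (event) VALUES ('example row');   -- constructed table
PREPARE TRANSACTION 'tm-example-1';                     -- constructed GID
\q

-- Session B (a fresh connection): the prepared transaction is still there.
-- It is not attached to session A, it survives until COMMIT PREPARED or
-- ROLLBACK PREPARED, and it keeps every lock the original transaction took.
SELECT gid, prepared, owner, database
  FROM pg_prepared_xacts;

-- Operator check before "pg_ctl stop": rows here belong to no session, so
-- waiting for sessions to end will never resolve them; they need an
-- explicit COMMIT PREPARED / ROLLBACK PREPARED from some live connection.
SELECT count(*)      AS outstanding_prepared_xacts,
       min(prepared) AS oldest_prepared_at
  FROM pg_prepared_xacts;

-- Resolve from any surviving session, as the role that prepared it or as
-- a superuser (the "surviving session" a transaction manager needs):
COMMIT PREPARED 'tm-example-1';
-- or, to discard it: ROLLBACK PREPARED 'tm-example-1';
```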
