Document Warm Standby for High Availability

bmomjian · bmomjian · commit 5e550acbc4d1 · 2006-09-15T22:02:21.000Z
Includes sample standby script.

Simon Riggs
diff --git a/doc/src/sgml/backup.sgml b/doc/src/sgml/backup.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/backup.sgml,v 2.84 2006/09/15 21:55:07 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/backup.sgml,v 2.85 2006/09/15 22:02:21 momjian Exp $ -->
 
 <chapter id="backup">
  <title>Backup and Restore</title>
@@ -1203,6 +1203,312 @@ restore_command = 'copy /mnt/server/archivedir/%f "%p"'  # Windows
   </sect2>
  </sect1>
 
+ <sect1 id="warm-standby">
+  <title>Warm Standby Servers for High Availability</title>
+
+  <indexterm zone="backup">
+   <primary>Warm Standby</primary>
+  </indexterm>
+
+  <indexterm zone="backup">
+   <primary>PITR Standby</primary>
+  </indexterm>
+
+  <indexterm zone="backup">
+   <primary>Standby Server</primary>
+  </indexterm>
+
+  <indexterm zone="backup">
+   <primary>Log Shipping</primary>
+  </indexterm>
+
+  <indexterm zone="backup">
+   <primary>Witness Server</primary>
+  </indexterm>
+
+  <indexterm zone="backup">
+   <primary>STONITH</primary>
+  </indexterm>
+
+  <indexterm zone="backup">
+   <primary>High Availability</primary>
+  </indexterm>
+
+  <para>
+   Continuous Archiving can be used to create a High Availability (HA)
+   cluster configuration with one or more Standby Servers ready to take
+   over operations in the case that the Primary Server fails. This
+   capability is more widely known as Warm Standby Log Shipping.
+  </para>
+
+  <para>
+   The Primary and Standby Server work together to provide this capability,
+   though the servers are only loosely coupled. The Primary Server operates
+   in Continuous Archiving mode, while the Standby Server operates in a
+   continuous Recovery mode, reading the WAL files from the Primary. No
+   changes to the database tables are required to enable this capability,
+   so it offers a low administration overhead in comparison with other
+   replication approaches. This configuration also has a very low
+   performance impact on the Primary server.
+  </para>
+
+  <para>
+   Directly moving WAL or "log" records from one database server to another
+   is typically described as Log Shipping. PostgreSQL implements file-based
+   Log Shipping, meaning WAL records are batched one file at a time. WAL
+   files can be shipped easily and cheaply over any distance, whether it be
+   to an adjacent system, another system on the same site or another system
+   on the far side of the globe. The bandwidth required for this technique
+   varies according to the transaction rate of the Primary Server.
+   Record-based Log Shipping is also possible with custom-developed
+   procedures, discussed in a later section. Future developments are likely
+   to include options for synchronous and/or integrated record-based log
+   shipping.
+  </para>
+
+  <para>
+   It should be noted that the log shipping is asynchronous, i.e. the WAL
+   records are shipped after transaction commit. As a result there can be a
+   small window of data loss, should the Primary Server suffer a
+   catastrophic failure. The window of data loss is minimised by the use of
+   the archive_timeout parameter, which can be set as low as a few seconds
+   if required. A very low setting can increase the bandwidth requirements
+   for file shipping.
+  </para>
+
+  <para>
+   The Standby server is not available for access, since it is continually
+   performing recovery processing. Recovery performance is sufficiently
+   good that the Standby will typically be only minutes away from full
+   availability once it has been activated. As a result, we refer to this
+   capability as a Warm Standby configuration that offers High
+   Availability. Restoring a server from an archived base backup and
+   rollforward can take considerably longer and so that technique only
+   really offers a solution for Disaster Recovery, not HA.
+  </para>
+
+  <para>
+   Other mechanisms for High Availability replication are available, both
+   commercially and as open-source software.  
+  </para>
+
+  <para>
+   In general, log shipping between servers running different release
+   levels will not be possible. It is the policy of the PostgreSQL Worldwide
+   Development Group not to make changes to disk formats during minor release
+   upgrades, so it is likely that running different minor release levels 
+   on Primary and Standby servers will work successfully. However, no
+   formal support for that is offered and you are advised not to allow this
+   to occur over long periods.
+  </para>
+
+  <sect2 id="warm-standby-planning">
+   <title>Planning</title>
+
+   <para>
+    On the Standby server all tablespaces and paths will refer to similarly
+    named mount points, so it is important to create the Primary and Standby
+    servers so that they are as similar as possible, at least from the
+    perspective of the database server. Furthermore, any CREATE TABLESPACE
+    commands will be passed across as-is, so any new mount points must be
+    created on both servers before they are used on the Primary. Hardware
+    need not be the same, but experience shows that maintaining two
+    identical systems is easier than maintaining two dissimilar ones over
+    the whole lifetime of the application and system.
+   </para>
+
+   <para>
+    There is no special mode required to enable a Standby server. The
+    operations that occur on both Primary and Standby servers are entirely
+    normal continuous archiving and recovery tasks. The primary point of
+    contact between the two database servers is the archive of WAL files
+    that both share: Primary writing to the archive, Standby reading from
+    the archive. Care must be taken to ensure that WAL archives for separate
+    servers do not become mixed together or confused.
+   </para>
+
+   <para>
+    The magic that makes the two loosely coupled servers work together is
+    simply a restore_command that waits for the next WAL file to be archived
+    from the Primary. The restore_command is specified in the recovery.conf
+    file on the Standby Server. Normal recovery processing would request a
+    file from the WAL archive, causing an error if the file was unavailable.
+    For Standby processing it is normal for the next file to be unavailable,
+    so we must be patient and wait for it to appear. A waiting
+    restore_command can be written as a custom script that loops after
+    polling for the existence of the next WAL file. There must also be some
+    way to trigger failover, which should interrupt the restore_command,
+    break the loop and return a file not found error to the Standby Server.
+    This then ends recovery and the Standby will then come up as a normal
+    server.
+   </para>
+
+   <para>
+    Sample code for the C version of the restore_command would be be:
+<programlisting>
+triggered = false;
+while (!NextWALFileReady() && !triggered)
+{
+    sleep(100000L);         // wait for ~0.1 sec
+    if (CheckForExternalTrigger())
+        triggered = true;
+}
+if (!triggered)
+        CopyWALFileForRecovery();
+</programlisting>
+   </para>
+
+   <para>
+    PostgreSQL does not provide the system software required to identify a
+    failure on the Primary and notify the Standby system and then the
+    Standby database server. Many such tools exist and are well integrated
+    with other aspects of a system failover, such as ip address migration.
+   </para>
+
+   <para>
+    Triggering failover is an important part of planning and design. The
+    restore_command is executed in full once for each WAL file. The process
+    running the restore_command is therefore created and dies for each file,
+    so there is no daemon or server process and so we cannot use signals and
+    a signal handler. A more permanent notification is required to trigger
+    the failover. It is possible to use a simple timeout facility,
+    especially if used in conjunction with a known archive_timeout setting
+    on the Primary. This is somewhat error prone since a network or busy
+    Primary server might be sufficient to initiate failover. A notification
+    mechanism such as the explicit creation of a trigger file is less error
+    prone, if this can be arranged.
+   </para>
+  </sect2>
+
+  <sect2 id="warm-standby-config">
+   <title>Implementation</title>
+
+   <para>
+    The short procedure for configuring a Standby Server is as follows. For
+    full details of each step, refer to previous sections as noted.
+    <orderedlist>
+     <listitem>
+      <para>
+       Set up Primary and Standby systems as near identically as possible,
+       including two identical copies of PostgreSQL at same release level.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       Set up Continuous Archiving from the Primary to a WAL archive located
+       in a directory on the Standby Server. Ensure that both <xref
+       linkend="guc-archive-command"> and <xref linkend="guc-archive-timeout">
+       are set. (See <xref linkend="backup-archiving-wal">)
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       Make a Base Backup of the Primary Server. (See <xref
+       linkend="backup-base-backup">)
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       Begin recovery on the Standby Server from the local WAL archive,
+       using a recovery.conf that specifies a restore_command that waits as
+       described previously. (See <xref linkend="backup-pitr-recovery">)
+      </para>
+     </listitem>
+    </orderedlist>
+   </para>
+
+   <para>
+    Recovery treats the WAL Archive as read-only, so once a WAL file has
+    been copied to the Standby system it can be copied to tape at the same
+    time as it is being used by the Standby database server to recover.
+    Thus, running a Standby Server for High Availability can be performed at
+    the same time as files are stored for longer term Disaster Recovery
+    purposes. 
+   </para>
+
+   <para>
+    For testing purposes, it is possible to run both Primary and Standby
+    servers on the same system. This does not provide any worthwhile
+    improvement on server robustness, nor would it be described as HA.
+   </para>
+  </sect2>
+
+  <sect2 id="warm-standby-failover">
+   <title>Failover</title>
+
+   <para>
+    If the Primary Server fails then the Standby Server should take begin
+    failover procedures.
+   </para>
+
+   <para>
+    If the Standby Server fails then no failover need take place. If the
+    Standby Server can be restarted, then the recovery process can also be
+    immediately restarted, taking advantage of Restartable Recovery.
+   </para>
+
+   <para>
+    If the Primary Server fails and then immediately restarts, you must have
+    a mechanism for informing it that it is no longer the Primary. This is
+    sometimes known as STONITH (Should the Other Node In The Head), which is
+    necessary to avoid situations where both systems think they are the
+    Primary, which can lead to confusion and ultimately data loss.
+   </para>
+
+   <para>
+    Many failover systems use just two systems, the Primary and the Standby,
+    connected by some kind of heartbeat mechanism to continually verify the
+    connectivity between the two and the viability of the Primary. It is
+    also possible to use a third system, known as a Witness Server to avoid
+    some problems of inappropriate failover, but the additional complexity
+    may not be worthwhile unless it is set-up with sufficient care and
+    rigorous testing.
+   </para>
+
+   <para>
+    At the instant that failover takes place to the Standby, we have only a
+    single server in operation. This is known as a degenerate state.
+    The former Standby is now the Primary, but the former Primary is down 
+    and may stay down. We must now fully re-create a Standby server, 
+    either on the former Primary system when it comes up, or on a third, 
+    possibly new, system. Once complete the Primary and Standby can be 
+    considered to have switched roles. Some people choose to use a third 
+    server to provide additional protection across the failover interval, 
+    though clearly this complicates the system configuration and 
+    operational processes (and this can also act as a Witness Server).
+   </para>
+
+   <para>
+    So, switching from Primary to Standby Server can be fast, but requires
+    some time to re-prepare the failover cluster. Regular switching from
+    Primary to Standby is encouraged, since it allows the regular downtime
+    one each system required to maintain HA. This also acts as a test of the
+    failover so that it definitely works when you really need it. Written
+    administration procedures are advised.
+   </para>
+  </sect2>
+
+  <sect2 id="warm-standby-record">
+   <title>Implementing Record-based Log Shipping</title>
+
+   <para>
+    The main features for Log Shipping in this release are based around the
+    file-based Log Shipping described above. It is also possible to
+    implement record-based Log Shipping using the pg_xlogfile_name_offset()
+    function, though this requires custom development.
+   </para>
+
+   <para>
+    An external program can call pg_xlogfile_name_offset() to find out the
+    filename and the exact byte offset within it of the latest WAL pointer.
+    If the external program regularly polls the server it can find out how
+    far forward the pointer has moved. It can then access the WAL file
+    directly and copy those bytes across to a less up-to-date copy on a
+    Standby Server.
+   </para>
+  </sect2>
+ </sect1>
+
  <sect1 id="migration">
   <title>Migration Between Releases</title>
 
