@@ -1649,8 +1649,9 @@ SET ENABLE_SEQSCAN TO OFF;
16491649 <para>
16501650 Specifies whether transaction commit will wait for WAL records
16511651 to be written to disk before the command returns a <quote>success</>
1652- indication to the client. Valid values are <literal>on</>, <literal>remote_write</>,
1653- <literal>local</>, and <literal>off</>. The default, and safe, value
1652+ indication to the client. Valid values are <literal>on</>,
1653+ <literal>remote_write</>, <literal>local</>, and <literal>off</>.
1654+ The default, and safe, setting
16541655 is <literal>on</>. When <literal>off</>, there can be a delay between
16551656 when success is reported to the client and when the transaction is
16561657 really guaranteed to be safe against a server crash. (The maximum
@@ -1667,27 +1668,34 @@ SET ENABLE_SEQSCAN TO OFF;
16671668 </para>
16681669 <para>
16691670 If <xref linkend="guc-synchronous-standby-names"> is set, this
1670- parameter also controls whether or not transaction commit will wait
1671- for the transaction's WAL records to be flushed to disk and replicated
1672- to the standby server. When <literal>remote_write</>, the commit wait will
1673- last until a reply from the current synchronous standby indicates
1674- it has received the commit record of the transaction to memory.
1675- Normally this causes no data loss at the time of failover. However,
1676- if both primary and standby crash, and the database cluster of
1677- the primary gets corrupted, recent committed transactions might
1678- be lost. When <literal>on</>, the commit wait will last until a reply
1679- from the current synchronous standby indicates it has flushed
1680- the commit record of the transaction to durable storage. This
1681- avoids any data loss unless the database cluster of both primary and
1682- standby gets corrupted simultaneously. If synchronous
1671+ parameter also controls whether or not transaction commits will wait
1672+ for the transaction's WAL records to be replicated to the standby
1673+ server.
1674+ When set to <literal>on</>, commits will wait until a reply
1675+ from the current synchronous standby indicates it has received
1676+ the commit record of the transaction and flushed it to disk. This
1677+ ensures the transaction will not be lost unless both primary and
1678+ standby suffer corruption of their database storage.
1679+ When set to <literal>remote_write</>, commits will wait
1680+ until a reply from the current synchronous standby indicates it has
1681+ received the commit record of the transaction and written it out to
1682+ the standby's operating system, but the data has not necessarily
1683+ reached stable storage on the standby. This setting is sufficient to
1684+ ensure data preservation even if the standby instance of
1685+ <productname>PostgreSQL</> were to crash, but not if the standby
1686+ suffers an operating-system-level crash.
1687+ </para>
1688+ <para>
1689+ When synchronous
16831690 replication is in use, it will normally be sensible either to wait
1684- for both local flush and replication of WAL records, or
1691+ for both local flush to disk and replication of WAL records, or
16851692 to allow the transaction to commit asynchronously. However, the
1686- special value <literal>local</> is available for transactions that
1693+ setting <literal>local</> is available for transactions that
16871694 wish to wait for local flush to disk, but not synchronous replication.
1688- If <varname>synchronous_standby_names</> is not set, <literal>on</>,
1689- <literal>remote_write</> and <literal>local</> provide the same
1690- synchronization level; transaction commit only waits for local flush.
1695+ If <varname>synchronous_standby_names</> is not set, the settings
1696+ <literal>on</>, <literal>remote_write</> and <literal>local</> all
1697+ provide the same synchronization level: transaction commits only wait
1698+ for local flush to disk.
16911699 </para>
16921700 <para>
16931701 This parameter can be changed at any time; the behavior for any
0 commit comments