Re: PITR potentially broken in 9.2

On Wed, Dec 5, 2012 at 11:17 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Jeff Janes <jeff(dot)janes(at)gmail(dot)com> writes:
>> Right now if I'm doing a PITR and want to look around before blessing
>> the restore, I have to:
>> [ do painful stuff ]
>
> Yeah. The worst thing about this is the cost of stepping too far
> forward, but I doubt we can do much about that --- WAL isn't reversible
> and I can't see us making it so. What we can get rid of is the pain
> of shutting down to move the recovery target forward.
>
> Another thought here is that it would be good to have some kind of
> visibility of the last few potential stop points (timestamps/XIDs),
> so that if you do roll too far forward, you have some idea of what
> to try after you reset everything. A zero-order implementation of
> that would be to emit LOG messages as we replay each potential
> commit, but maybe we can do better.

probably embellishments on xlogdump or xlogreader would be the way to go.

>
>> I would also be nice if only the superuser is allowed to connect to
>> the hot standby when pause_at_recovery_target=true, until after
>> pg_xlog_replay_resume() is called.
>
> Uh, why? Other users won't be able to do anything except look around;

On some systems, 95% of users never do anything (that the database
knows about) except look around. But I think it would be unfortunate
to accidentally show them data that will soon be revoked.

> they can't force the database to become read/write. I can't see that
> it's a good idea for recovery to play games with the pg_hba rules;
> too much chance of screwing things up for too little benefit.

OK. I don't know at all what is involved in implementing such a
thing. But a DBA in the middle of a rather arcane but urgent task has
a pretty high chance of screwing things up, too.

Cheers,

Jeff