Fri May 8 15:03:30 PDT 2009
- Previous message: [Slony1-commit] slony1-engine/tests/testpartition README generate_dml.sh
- Next message: [Slony1-commit] slony1-engine/doc/adminguide failover.sgml
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Update of /home/cvsd/slony1/slony1-engine/doc/adminguide In directory main.slony.info:/tmp/cvs-serv26359 Added Files: Tag: REL_1_2_STABLE raceconditions.sgml triggers.sgml Log Message: Add in new doc files from 2.0 branch --- NEW FILE: triggers.sgml --- <!-- $Id: triggers.sgml,v 1.3.4.1 2009-05-08 22:03:28 cbbrowne Exp $ --> <sect1 id="triggers"><title>&slony1; Trigger Handling</title> <indexterm><primary>trigger handling</primary></indexterm> <para> &slony1; has had two <quote>flavours</quote> of trigger handling:</para> <itemizedlist> <listitem><para> In versions up to 1.2, &postgres; had no awareness of replication, with the result that &slony1; needed to <quote>hack</quote> on the system catalog in order to deactivate, on subscribers, triggers that ought not to run.</para></listitem> </itemizedlist> <para> This has had a number of somewhat painful side-effects including:</para> <itemizedlist> <listitem><para> Corruption of the system catalog on subscribers, as existing triggers, that generally need to be hidden, are <quote>hacked</quote>, via <envar>pg_catalog.pg_trigger</envar>, to point to the index being used by &slony1; as its <quote>primary key</quote>.</para> <para> The very same thing was true for rules. </para> <para> This had the side-effect that <application>pg_dump</application> could not be used to pull proper schemas from subscriber nodes.</para></listitem> <listitem><para> It introduced the need to take out exclusive locks on <emphasis>all replicated tables</emphasis> when processing &rddlchanges; as triggers on each replicated table would need to be dropped and re-added during the course of processing.</para></listitem> </itemizedlist> <itemizedlist> <listitem><para> In &postgres; version 8.3, there is new functionality where triggers and rules can have their behaviour altered via <command>ALTER TABLE</command>, and specify any of the following further trigger-related options:</para></listitem> </itemizedlist> <itemizedlist> <listitem><para> <command> DISABLE TRIGGER trigger_name</command> </para></listitem> <listitem><para> <command> ENABLE TRIGGER trigger_name</command> </para></listitem> <listitem><para> <command> ENABLE REPLICA TRIGGER trigger_name</command> </para></listitem> <listitem><para> <command> ENABLE ALWAYS TRIGGER trigger_name</command> </para></listitem> <listitem><para> <command> DISABLE RULE rewrite_rule_name</command> </para></listitem> <listitem><para> <command> ENABLE RULE rewrite_rule_name</command> </para></listitem> <listitem><para> <command> ENABLE REPLICA RULE rewrite_rule_name</command> </para></listitem> <listitem><para> <command> ENABLE ALWAYS RULE rewrite_rule_name</command> </para></listitem> </itemizedlist> <para> A new GUC variable, <envar>session_replication_role</envar> controls whether the session is in origin, replica, or local mode, which then, in combination with the above enabling/disabling options, controls whether or not the trigger function actually runs. </para> <para> We may characterize when triggers fire, under &slony1; replication, based on the following table; the same rules apply to &postgres; rules.</para> <table id="triggerbehaviour"> <title> Trigger Behaviour </title> <tgroup cols="7"> <thead> <row> <entry>Trigger Form</entry> <entry>When Established</entry> <entry>Log Trigger</entry> <entry>denyaccess Trigger</entry> <entry>Action - origin</entry> <entry>Action - replica</entry> <entry> Action - local</entry> </row> </thead> <tbody> <row> <entry>DISABLE TRIGGER</entry> <entry>User request</entry> <entry>disabled on subscriber</entry> <entry>enabled on subscriber</entry> <entry>does not fire</entry> <entry>does not fire</entry> <entry>does not fire</entry> </row> <row> <entry>ENABLE TRIGGER</entry> <entry>Default</entry> <entry>enabled on subscriber</entry> <entry>disabled on subscriber</entry> <entry>fires</entry> <entry>does not fire</entry> <entry>fires</entry> </row> <row> <entry>ENABLE REPLICA TRIGGER</entry> <entry>User request</entry> <entry>inappropriate</entry> <entry>inappropriate</entry> <entry>does not fire</entry> <entry>fires</entry> <entry>does not fire</entry> </row> <row> <entry>ENABLE ALWAYS TRIGGER</entry> <entry>User request</entry> <entry>inappropriate</entry> <entry>inappropriate</entry> <entry>fires</entry> <entry>fires</entry> <entry>fires</entry> </row> </tbody> </tgroup> </table> <para> There are, correspondingly, now, several ways in which &slony1; interacts with this. Let us outline those times that are interesting: </para> <itemizedlist> <listitem><para> Before replication is set up, <emphasis>every</emphasis> database starts out in <quote>origin</quote> status, and, by default, all triggers are of the <command>ENABLE TRIGGER</command> form, so they all run, as is normal in a system uninvolved in replication. </para> </listitem> <listitem><para> When a &slony1; subscription is set up, on the origin node, both the <function>logtrigger</function> and <function>denyaccess</function> triggers are added, the former being enabled, and running, the latter being disabled, so it does not run. </para> <para> From a locking perspective, each <xref linkend="stmtsetaddtable"> request will need to briefly take out an exclusive lock on each table as it attaches these triggers, which is much the same as has always been the case with &slony1;. </para> </listitem> <listitem><para> On the subscriber, the subscription process will add the same triggers, but with the polarities <quote>reversed</quote>, to protect data from accidental corruption on subscribers. </para> <para> From a locking perspective, again, there is not much difference from earlier &slony1; behaviour, as the subscription process, due to running <command>TRUNCATE</command>, copying data, and altering table schemas, requires <emphasis>extensive</emphasis> exclusive table locks, and the changes in trigger behaviour do not change those requirements. </para> <para> However, note that the ability to enable and disable triggers in a &postgres;-supported fashion means that we have had no need to <quote>corrupt</quote> the system catalog, so we have the considerable advantage that <application>pg_dump</application> may be used to draw a completely consistent backup against any node in a &slony1; cluster.</para> </listitem> <listitem><para> If you take a <application>pg_dump</application> of a &slony1; node, and drop out the &slony1; namespace, this now cleanly removes <emphasis>all</emphasis> &slony1; components, leaving the database, <emphasis>including its schema,</emphasis> in a <quote>pristine</quote>, consistent fashion, ready for whatever use may be desired. </para> </listitem> <listitem><para> &rddlchanges; is now performed in quite a different way: rather than altering each replicated table to <quote>take it out of replicated mode</quote>, &slony1; instead simply shifts into the <command>local</command> status for the duration of this event. </para> <para> On the origin, this deactivates the <function>logtrigger</function> trigger. </para> <para> On each subscriber, this deactivates the <function>denyaccess</function> trigger. </para> <para> This may be expected to allow DDL changes to become <emphasis>enormously</emphasis> less expensive, since, rather than needing to take out exclusive locks on <emphasis>all</emphasis> replicated tables (as used to be mandated by the action of dropping and adding back the &slony1;-created triggers), the only tables that are locked are those ones that the DDL script was specifically acting on. </para> </listitem> <listitem><para> At the time of invoking <xref linkend="stmtmoveset"> against the former origin, &slony1; must transform that node into a subscriber, which requires dropping the <function>lockset</function> triggers, disabling the <function>logtrigger</function> triggers, and enabling the <function>denyaccess</function> triggers. </para> <para> At about the same time, when processing <xref linkend="stmtmoveset"> against the new origin, &slony1; must transform that node into an origin, which requires disabling the formerly active <function>denyaccess</function> triggers, and enabling the <function>logtrigger</function> triggers. </para> <para> From a locking perspective, this will not behave differently from older versions of &slony1;; to disable and enable the respective triggers requires taking out exclusive locks on all replicated tables. </para> </listitem> <listitem><para> Similarly to <xref linkend="stmtmoveset">, <xref linkend="stmtfailover"> transforms a subscriber node into an origin, which requires disabling the formerly active <function>denyaccess</function> triggers, and enabling the <function>logtrigger</function> triggers. The locking implications are again, much the same, requiring an exclusive lock on each such table. </para> </listitem> </itemizedlist> </sect1> <!-- Keep this comment at the end of the file Local variables: mode:sgml sgml-omittag:nil sgml-shorttag:t sgml-minimize-attributes:nil sgml-always-quote-attributes:t sgml-indent-step:1 sgml-indent-data:t sgml-parent-document:"slony.sgml" sgml-exposed-tags:nil sgml-local-catalogs:("/usr/lib/sgml/catalog") sgml-local-ecat-files:nil End: --> --- NEW FILE: raceconditions.sgml --- <!-- $Id: raceconditions.sgml,v 1.1.4.1 2009-05-08 22:03:28 cbbrowne Exp $ --> <sect1 id="raceconditions"><title>Race Conditions and &slony1;</title> <indexterm><primary>race conditions</primary></indexterm> <para> No, this has nothing to do with racial harmony or lack thereof; the <ulink url="http://www.wikipedia.org/"> Wikipedia </ulink> describes it thus: <quote>A race condition or race hazard is a flaw in a system or process whereby the output of the process is unexpectedly and critically dependent on the sequence or timing of other events. </quote> In computing applications, race conditions arise most frequently in distributed or threaded applications when multiple parts of the application depend on some piece of shared state, and, if this state is not properly managed, confusion (error!) arises. More particularly, this usually involves situations where the state can change between the time it was checked and the time of use of the state. </para> <para> &slony1; has run into a number of race conditions during its history: <itemizedlist> <listitem><para> <xref linkend="stmtmoveset"> had, during the 1.0 and 1.1 branches, the problem that nodes did not have any way to prevent them from processing <command>SYNC</command> events from the new origin node (which their state would cause them to consider a mere provider, and therefore <emphasis>not</emphasis> a source of replicable data) before recognizing the role change from subscriber to provider. </para> <para> This was fixed by introducing a new <command>ACCEPT SET</command> event that would be submitted by the new origin; this allowed subscribers to be aware of their need to wait for the <command> MOVE SET </command> event.</para> </listitem> <listitem><para>In a number of places, &slony1; has the SQL <command>lock table sl_config_lock;</command> in order to prevent race conditions while changing the sl_log_status sequence value. </para> </listitem> <listitem><para> The &lslon; option <xref linkend="slon-config-sync-interval-timeout"> is used to prevent a possible race condition in which the action sequence is bumped by the trigger while inserting the log row, which makes this bump is immediately visible to the sync thread, but where the resulting log rows are not visible yet. </para> </listitem> <listitem><para> The <quote>snapshot visibility</quote> approach used by &slony1; to determine what replicated data is to be associated with a specific <command>SYNC</command> avoids race conditions that would be associated with trying to purely use timestamps or ID ranges to determine what data is to be replicated. </para> </listitem> <listitem><para> In the 1.2 branch, up to version 1.2.11, which fixed this, <link linkend="logshipping"> log shipping </link> had a race condition where any time configuration is reloaded by the &lslon; (as takes place with a number of events, notably <xref linkend="stmtsubscribeset">), there was a risk of the <command>SYNC</command> IDs used to ensure proper ordering and application of log shipping archive log files being off by one. </para> <para> This was resolved in 1.2.11 by moving the ID number from an in-memory variable (susceptible to all sorts of troubles) to being managed, transaction-safe, in the subscriber database. </para> <para> The problem was never exposed by the <link linkend="testbed"> test bed framework, </link> nicely demonstrating the common finding that race conditions are frequently highly dependent on patterns of data input or of application timing. </para> </listitem> </itemizedlist> </para> </sect1> <!-- Keep this comment at the end of the file Local variables: mode:sgml sgml-omittag:nil sgml-shorttag:t sgml-minimize-attributes:nil sgml-always-quote-attributes:t sgml-indent-step:1 sgml-indent-data:t sgml-parent-document:"slony.sgml" sgml-exposed-tags:nil sgml-local-catalogs:("/usr/lib/sgml/catalog") sgml-local-ecat-files:nil End: -->
- Previous message: [Slony1-commit] slony1-engine/tests/testpartition README generate_dml.sh
- Next message: [Slony1-commit] slony1-engine/doc/adminguide failover.sgml
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Slony1-commit mailing list