On Fri, Jan 20, 2006 at 04:21:15PM -0500, Christopher Browne wrote:
> Maximizing availability, which is what HA is forcibly and unambiguously
> about, may not be exactly the same thing as providing guarantees that
> committed transactions can never be lost.

Right.  And even banks are forced to make some compromises here.  For
instance, nobody can do 2PC or any synchronous transaction
replication across WANs.  So a perfect, up to the millisecond version
of the bank can't be online somewhere else.  In a system I'm familiar
with, the transaction log is 2PCd somewhere else at transaction time,
but not live data.  If the remote site had to come into use, you'd
have a few minutes of recovery time while you replayed and caught up.  

And remember, this is assuming total destruction of the primary
system -- all the disks and everything.  If it matters slightly less
what order exactly transactions happen in, then you're ok.  So the
mitigation trick here is to hold transactions above a certain dollar
value under certain very unlikely circumstances.  Banks have all
sorts of provisions for this kind of thing; it's also why they hire
scores of risk-mitigation people.

But would I use Slony as the _only_ wheel in my HA machine?  Not on a
bet.

A

-- 
Andrew Sullivan  | ajs at crankycanuck.ca
The whole tendency of modern prose is away from concreteness.
		--George Orwell