This patch allows us to use additional replication slots for backup (RPO=0). For example, we can implement two options for working with a Barman.

Classic Stolon Architecture and Barman Backup

Barman offers 2 options for backup and archiving. Traditionally, Barman has supported standard WAL file shipping through PostgreSQL’s archive_command (usually via rsync/SSH). With this method, WAL files are archived only when PostgreSQL switches to a new WAL file. To keep it simple, this normally happens every 16MB worth of data changes.
Barman 1.6.0 introduces streaming of WAL files for PostgreSQL servers 9.2 or higher, as an additional method for transactional log archiving, through pg_receivexlog. WAL streaming is able to reduce the risk of data loss, bringing RPO down to near zero values.
Barman 2.0 introduces support for replication slots with PostgreSQL servers 9.4 or above, therefore allowing WAL streaming-only configurations. Moreover, you can now add Barman as a synchronous WAL receiver in your PostgreSQL 9.5 (or higher) cluster, and achieve zero data loss (RPO=0).
Thus, the traditional archiving of WAL logs can lead to data loss in the event of an accident. Therefore, we believe that we need to use both approaches for archiving WA-logs.

Synchronous WAL streaming

This feature is available only from PostgreSQL 9.5 and above. Barman can also reduce the Recovery Point Objective to zero, by collecting the transaction WAL files like a synchronous standby server would.

Stolon Architecture with 2 Nodes and Barman as 3rd Nodes

@saranhada Looks like you have two requirements:

a. You don't want that a primary blocks when there are less than MinSynchronousStandbys working standbys AND you don't want to just fallback to async repl but instead you want to send wal records to an external standby that will become Synchronous ONLY when the above condition happen.

Note that this isn't #330 (deactivate synchronous replication for cluster consisting of 2 nodes in case the slave fails).

and

b. You want an external synchronous standby for backups with rpo = 0 but only when there are less than MinSynchronousStandbys working standbys.

But I'm quite sure they can be summed in only one requirement:

• Add an option to define N Fallback synchronous standbys that will be added only when there are less than MinSynchronousStandbys working standbys.

The main issue with your implementation is that you can't control all of this using the FIRST method of the sync_standby_names parameters because it's acting outside stolon control (switching sync standbys without the sentinel knowing this). Let me explain:

This PR will define for the primary instance something like this: 1 (stolon_fdg4gs, add_name).

This means that if the standby keeper stolon_fdg4gs fails, the master instead of blocking will continue committing transactions since it can send data to pgBarman (or any other external pg instance defined by add_name).

If in a small time window a standby dies then the primary dies and the failed standby comes back before the sentinel notices this, it may happen that the standby is elected as master also if it's not in sync with the dead primary causing the loss of all the changes contained in the missed wal records.

That's the reason why we are forced to have FIRST value equal to the total number sync standbys. Will open a PR to document it better.

That's the reason why I was asking to just add the AdditionalSyncStandbys to db.Spec.SynchronousStandbys. But obviously this will block your primary if just one of the external sync standbys are down and you don't want this.

Proposed implementation

So the starting point is that it must be the sentinel to control all of this. And let's change the option name to some more clear like ExternalFallbackSyncStandbys.

A possible solution is to handle all of this in the sentinel (like we already do adding a fakestandby when there aren't enough keeper to force the primary to block): if the sentinel detects that the good standbys are less than MinSynchronousStandbys then add one or more ExternalFallbackSyncStandbys to reach MinSynchronousStandbys.

So, in a two node cluster, you'll have MinSynchronousStandbys = 1, if the standbys dies the sentinel will notice this, remove it from the db.Spec.SynchronousStandbys and add the first entry in ExternalFallbackSyncStandbys. In this way the primary will unblock. The above problem won't happen because the external standby will be added by the sentinel only if it detects that the internal standbys is dead. If the dead standby comes back it'll be readded to the list of sync stanbys and the external stanby will be removed.

Of course the switch isn't instantaneus as if it's managed by the postgres instance but will permit the cluster to unblock after some seconds/minutes.

@sgotti I'm agree the name ExternalFallbackSyncStandbys sounds good. It really reflects the idea of the backup synchronous standbys.

Also I have reviewed the stolon source code again, of course I'm not an deep expert in it.

You proposed to migrate the logic into sentinel. I think I see a piece of code can be responsible for the creation of the required configuration. It seems to start here sentinel.go:952 =>

if !masterOK {
log.Infow("trying to find a new master to replace failed master")
.....
newMasterDB.Spec.SynchronousStandbys = []string{fakeStandbyName}

I have the following proposal:

• If the ExternalFallbackSyncStandbys parameter is not empty then just take its values and put into the "newMasterDB.Spec.SynchronousStandbys" list.

How do you think?

@saranhada Without testing a start to see if it works or there're some corner cases could be:

• Before

  stolon/cmd/sentinel/sentinel.go

  Line 1194 in 70464d3

  // If there're not enough real synchronous standbys add a fake synchronous standby because we have to be strict and make the master block transactions until MaxSynchronousStandbys real standbys are available

  add a check if len(synchronousStandbys) < int(*clusterSpec.MinSynchronousStandbys) { that will add N ExternalFallbackSyncStandbys to to reach MinSynchronousStandbys.

• Validate in clusterspec.Validate() that the provided ExternalFallbackSyncStandbys are not stolon names (use IsStolonName in

  stolon/common/common.go

  Line 65 in 70464d3

  func IsStolonName(name string) bool {

  ) to not clash with internal stolon names.

• I'll add some tests to see that all of this works to both sentinel/sentinel_test.go and integration tests in tests/integration

@sgotti
Your suggestion:
add a check if len(synchronousStandbys) < int(*clusterSpec.MinSynchronousStandbys) { that will add N ExternalFallbackSyncStandbys to to reach MinSynchronousStandbys.
will not work.

Please see the code in keeper.go:275:

// Setup synchronous replication
if db.Spec.SynchronousReplication && len(db.Spec.SynchronousStandbys) > 0 {
synchronousStandbys := []string{}
for _, synchronousStandby := range db.Spec.SynchronousStandbys {
synchronousStandbys = append(synchronousStandbys, common.StolonName(synchronousStandby))
}

Every sync name which we add in sentinel will be prefixed by "stolon_" in keeper.

I think we should implement the mentioned by you logic (add required the insufficient number of sync standby names) in keeper and take into consideration the MinSynchronousStandbys & MaxSynchronousStandbys

Every sync name which we add in sentinel will be prefixed by "stolon_" in keeper.

So lets remove this from the keeper and make the sentinel to generate a StolonName. The keeper will put the provided synchronous standby names as provided in the db spec without any change.

Also remove all the prefix checks and removal in the keeper:

to report them as is (so also the external stanbys are reported).

Perhaps there's something else to change in the sentinel. Let's see after these changes.

I think we should implement the mentioned by you logic (add required the insufficient number of sync standby names) in keeper and take into consideration the MinSynchronousStandbys & MaxSynchronousStandbys

The keeper just tries to converge to the clusterdata db spec and for this reason must not implement any cluster logic. The clusterdata db spec is calculated by the sentinel so all of this logic pertains to the sentinel.

@saranhada I rebased you branch on master and changed some parts to make it work. You can find it here (just one commit): https://github.com/sgotti/stolon/tree/saranhada-ADD_PARAMS_SYNC

• In the end, instead of keeping both internal and external standbys in db.Spec.SynchronousStanbys, I preferred to add a db.Spec.ExternalSynchronousStandbys since these are two different things. Se below.
• Added some comments to clarify that db.Spec.SynchronousStanbys is a list of internal db UIDs (not generic standby names) while db.Spec.ExternalSynchronousStandbys is a list of external standby names.
• For the above reason the fakestandbyname will now be added to db.Spec.ExternalSynchronousStandbys

Please take a look.

You can just take my commit and put it in your branch and force push to update this PR (no need to open a new PR).

This is completely unrelated to this issue....but does Barman work with Stolon and is configuration any different than a regular Barman Postgres setup?

This is completely unrelated to this issue....but does Barman work with Stolon and is configuration any different than a regular Barman Postgres setup?

@marct83 can you please ask this question on the gitter channel so more people can help you and we don't pollute this PR? Thanks.

No problem. Delete my comments. Thanks

@saranhada I saw you imported my commit but also added another commit (2f25a26) that is adding unneeded things (ExternalFallbackSyncStandbys is not used and need).

You said on gitter that you completed manual tests but before this PR can be merged we need some automatic tests. We need some unit tests in cmd/sentinel/sentinel.go and an integration tests in tests/integration/ha_test.go. For this last one a possible implementation idea is to use the Standby cluster feature to set up a stanby cluster as a synchronous standby (it'll be the same as you barman instance but we can reuse the code used in other tests) and do all the thing you probably did manually.

If you have some problems adding them I can do it for you in the next days when I have some time.

@sgotti sorry for the late response.
Can you please confirm now that the created code is OK? ...and I should created auto-tests.
If not then I'd prefer to accomplish with the code/logic and after that to create tests. I'm absolutely agree that I have to create the tests as well.

@saranhada The logic related to the FallbackExternalSyncStandbys looks good but I'm quite sure there'll be bugs that we could catch only if we write tests to cover the changes. As I explained before I don't understand why you added commit 2f25a26

Additionally:

• The part related to creating additional replication slot is a different feature than the FallbackExternalSyncStanbys and should be split in its own PR. I haven't reviewed it because it's difficutl to see if it does what it's meant to do without some tests. Can you open a new PR for it so I can review it separately from this?

• Added some comment for the new fields validation.

@sgotti do you suggest to split the PR into the following 2?

1. Additional replication slots
2. Fallback sync standbys

Regarding option 2 I understand the integration tests are required. But how about option 1? DO you require it? I think unit tests will be enough.

@sgotti do you suggest to split the PR into the following 2?

1. Additional replication slots
2. Fallback sync standbys

yes.

Regarding option 2 I understand the integration tests are required. But how about option 1? DO you require it? I think unit tests will be enough.

Now the current updateReplSlots is covered by the current integration tests. In its current shape we cannot cover it with just an unit test since to test it we need a running keeper and postgres instance. To make an unit test you should split it in two part, one that does the get and the drop/create on the postgres instance and a function than given the current replication slots and the desired slots will return a list of slots to drop and a list of slots to create (so an unit test can be created on that function).

But I'd say to just start splitting it in its own PR, then let's see which kind of tests are needed. I could write something myself to let you see how this test could be done.

Reopened

@sgotti I fixed your last comment. I'm agree with your logic. But there is one question left. Lets consider a stolon cluster:

1. 2 keeper nodes sync (master - slave)
2. 1 barman node connected as "externalFallbackSyncStandbys"
3. minSynchronousStandbys = 1

In this cluster I kill "standby keeper", but I see that master keeper doesn't rebuild synchronous_standby_names attribute. At leaves it as untouched.
I need the "synchronous_standby_names" to be set into "barman".

May I ask you to point a piece code which is responsible for the specified scenario?

May I ask you to point a piece code which is responsible for the specified scenario?

Perhaps I lost something but wasn't the purpose of this patch to do this? And this should be done here: https://github.com/sorintlab/stolon/pull/410/files#diff-9961d4546ef09e0152c558e820699523R1324

When the sentinel declares the standby as not good it'll catch this code and add an external synchronous standby.

Hi @sgotti,

can we continue the conversation on this PR?

@saranhada yes