Hello Tatsuo,<br><br><div class="gmail_quote">2012/2/28 Tatsuo Ishii <span dir="ltr"><<a href="mailto:ishii@postgresql.org" target="_blank">ishii@postgresql.org</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>> I was thinking in that direction before (adding backend flag, or another<br>
> configuration option to have pgpool failover only on health check).<br>
<br>
</div>No, I was proposing a flag which prevents pgpool from automatic<br>
failover in case the admin shutdown detected, because you don't want<br>
to be failovered by admin shutdown.<br></blockquote><div><br>Yes, that would handle detected admin shutdown, but one should be able to turn off failover on connection to backend failure too, to give health check complete control over failover:<br>
fail_over_on_backend_error = off<br>fail_over_on_backend_admin_shutdown = off<br>fail_over_on_backend_connect_failure = off<br><br>+ configure health check<br>+ configure appropriate backend flag to ALLOW_TO_FAILOVER<br>
<br>
</div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><br>
> But, I<br>
> came to conclusion that there is absolutely no purpose for healthcheck if<br>
> it's not sole process controlling failover. If you have an example to prove<br>
> me wrong, please share:<br>
> 1) example where one would want to enable healthcheck but not allow it to<br>
> cause failover at all<br>
<br>
</div>A is a streaming replication primary and B, C ... are standbys. A is<br>
protected by a HA technology (heartbeat, pacemaker or some such). Upon<br>
failure of A, D which is the cold standby of A will come up. don't<br>
want A failovers while wants B, C failovers. So user sets health check<br>
on and DISALLOW_TO_FAILOVER for A.<br></blockquote><div><br>If I understood correctly, in this case user doesn't actually need pgpool health check for backend A, but needs it for backends B and C - maybe health check or backend configuration should be extended so one can configure for which backend(s) pgpool health check is actually needed. By default backend could be configured that it supports health check (so if health check is configured that backend state would be checked by healthcheck, otherwise it wouldn't), and one would have to turn off health check support for given backend explicitly (so even if health check is configured, it would skip checking such backend).<br>
With this health check would not waste time or connection resources by skipping checking backends that shouldn't be checked.<br><br>So backend_healthcheck with two values {supports} and {skip}<br>
</div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Here is another one.<br>
<br>
A is a streaming replication primary and B, C ... are standbys. The<br>
system is used for OLAP type purpose. The OLAP application keeps on<br>
connection to standbys. Upon failure of A, it doesn't need to failover<br>
A because the application happily keeps on using standbys. So user<br>
sets health check on and DISALLOW_TO_FAILOVER for A. Probably fix and<br>
replacing A would be postpned to night time.<br></blockquote><div><br>Again, same solution - extend health check / backend configuration to support excluding backend from health check.<br> </div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><br>
> 2) example where one would want to enable healthcheck and have pgpool<br>
> failover immediately on anything other then health check (max retries)<br>
> failure<br>
<br>
</div>The network is very fast and stable. There are many servers and they<br>
are pretty busy. User don't like overhead of healthcheck, however user<br>
want to detect the failure of server as soon as possibole. So he<br>
disables health check. </blockquote><div><br>This case is not affected by proposed change/patch - if you check code again you'll see that it affects only users which have backend set to DISALLOW_TO_FAILOVER and at the same time have health check configured. For ones that have health check disabled (health_check_period = 0), that big if will never be entered.<br>
</div><br>Kind regards,<br>Stevo.<br></div><br>