[wiredfool]

Looks like there's at least one person who's looking at doing something about the timeline issue: http://blog.tapoueh.org/articles/blog/_Back_from_PgCon2010.h... .

I'd bet that there are some pretty basic failure modes in the timeline preserving case where the slaves could be out of sync when one was promoted, and then that out of syncness could be propagated. I suspect that a missing transaction on the new master would trigger some sort of duplicate transaction oid issue, but a missing transaction on the slave would be more likely to go unnoticed.

I've just tested a case where I killed the master when I was running transactions against it, and it seems to work as well as the shutdown case. Bringing up the slave is where the timeline gets incremented.

I suppose I could throw one of the replication connections through a ip delay and intentionally introduce replication lag..

edit: Looks like http://www.postgresql.org/docs/9.0/static/warm-standby.html#... , section on monitoring gives the pg_current_xlog_location on the primary and the pg_last_xlog_receive_location on the slaves, which would at least tell one if the slaves are in sync, and if not, which one is the farthest ahead.

So, the process could be:

  * master dies. either gracefully or not.
  * all slaves are queried
  * most advanced one gets shutdown, promoted by ip and removing recovery.conf then started
  * all the other slaves should track those changes and bring themselves up to date.
  * Resync the old master as a new slave.

[bmurphy]

I just ran the same test. Set up a 2 slave cluster, killed slave 2, then killed the master. Ran pg_last_xlog_receive_location on each slave, picked the one that was furthest along in the timeline, promoted it to be the new master and the other slave caught up as expected.

That's great. That's the first time I've been able to get this to work smoothly. I'm sure there are still ways to break it but this gives me hope.