On 5 May 2016 12:32 am, "Tom Lane" <t...@sss.pgh.pa.us> wrote:
>
> To repeat, I'm pretty hesitant to change this logic. While this is not
> the first report we've ever heard of loss of pg_control, I believe I could
> count those reports without running out of fingers on one hand --- and
> that's counting since the last century. It will take quite a lot of
> evidence to convince me that some other implementation will be more
> reliable. If you just come and present a patch to use direct write, or
> rename, or anything else for that matter, I'm going to reject it out of
> hand unless you provide very strong evidence that it's going to be more
> reliable than the current code across all the systems we support.

One thing we could do without much worry of being less reliable would be to keep two copies of pg_control. Write one, fsync, then write to the other and fsync that one. Oracle keeps a copy of the old control file so that you can always go back to an older version if a hardware or software bug corrupts it. But they keep a lot more data in their control file and they can be quite large.
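
The write-one, fsync, write-the-other, fsync ordering described in the message above, as an added example; it is not part of the original email and is not PostgreSQL code. The record layout, the per-record CRC-32 and sequence number used to pick a copy at startup, and the names `ctl_update` and `ctl_load` are assumptions made for the sketch.

```c
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical record layout, not PostgreSQL's ControlFileData. */
typedef struct { uint64_t seq; char payload[48]; uint32_t crc; } ctl_rec;

static uint32_t crc32_buf(const void *p, size_t n) {
    const unsigned char *b = p;
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= b[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ ((c & 1) ? 0xEDB88320u : 0u);
    }
    return ~c;
}
/* Overwrite one copy in place and force it to stable storage.
 * A newly created file would also need its directory fsynced. */
static int write_copy(const char *path, const ctl_rec *r) {
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, r, sizeof *r) == (ssize_t) sizeof *r && fsync(fd) == 0;
    if (close(fd) != 0) ok = 0;
    return ok ? 0 : -1;
}
/* Copy b is not touched until copy a is durable, so a crash at any point
 * leaves at least one copy whole. */
int ctl_update(const char *a, const char *b, uint64_t seq, const char *data) {
    ctl_rec r;
    memset(&r, 0, sizeof r);              /* zero padding bytes too */
    r.seq = seq;
    strncpy(r.payload, data, sizeof r.payload - 1);
    r.crc = crc32_buf(&r, offsetof(ctl_rec, crc));
    return write_copy(a, &r) == 0 ? write_copy(b, &r) : -1;
}
static int read_copy(const char *path, ctl_rec *r) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, r, sizeof *r);
    close(fd);
    if (n != (ssize_t) sizeof *r) return -1;   /* missing or torn copy */
    return r->crc == crc32_buf(r, offsetof(ctl_rec, crc)) ? 0 : -1;
}
/* Startup: take the newest copy whose CRC verifies; fail only if both are bad. */
int ctl_load(const char *a, const char *b, ctl_rec *out) {
    ctl_rec ra, rb;
    int va = read_copy(a, &ra) == 0, vb = read_copy(b, &rb) == 0;
    if (!va && !vb) return -1;
    *out = (va && (!vb || ra.seq >= rb.seq)) ? ra : rb;
    return 0;
}
```
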