Re: backup manifests
Stephen Frost <sfrost@snowman.net>
Commits
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Try to avoid compiler warnings in optimized builds.
- 05021a2c0cd2 13.0 landed
-
Fix option related issues in pg_verifybackup.
- 0a89e93bfaa6 13.0 landed
-
Add index term for backup manifest in documentation.
- 4db819ba4039 13.0 landed
-
Code review for backup manifest.
- a2ac73e7be7a 13.0 landed
-
Document the backup manifest file format.
- 149f2ae88ab0 13.0 landed
-
Fix typo in pg_validatebackup documentation.
- c4f82a779d26 13.0 landed
-
Exclude backup_manifest file that existed in database, from BASE_BACKUP.
- 1ec50a81ec0a 13.0 landed
-
Msys2 tweaks for pg_validatebackup corruption test
- c3e4cbaab936 13.0 landed
-
Fix resource management bug with replication=database.
- 3e0d80fd8d3d 13.0 cited
-
Be more careful about time_t vs. pg_time_t in basebackup.c.
- db1531cae009 13.0 cited
-
pg_validatebackup: Fix 'make clean' to remove tmp_check.
- 9f8f881caa0f 13.0 landed
-
pg_validatebackup: Also use perl2host in TAP tests.
- 460314db08e8 13.0 landed
-
Generate backup manifests for base backups, and validate them.
- 0d8c9c1210c4 13.0 landed
-
Add checksum helper functions.
- c12e43a2e0d4 13.0 landed
-
pg_waldump: Add a --quiet option.
- ac44367efbef 13.0 landed
-
Catversion bump for b9b408c48724
- afb5465e0cfc 13.0 cited
-
pg_basebackup: Refactor code for reading COPY and tar data.
- 431ba7bebf13 13.0 landed
-
Use a ResourceOwner to track buffer pins in all cases.
- 3cb646264e8c 12.0 cited
-
Use ARMv8 CRC instructions where available.
- f044d71e331d 11.0 cited
-
Logical replication support for initial data copy
- 7c4f52409a8c 10.0 cited
-
Use Intel SSE 4.2 CRC instructions where available.
- 3dc2d62d0486 9.5.0 cited
-
Switch to CRC-32C in WAL and other places.
- 5028f22f6eb0 9.5.0 cited
-
Remove support for 64-bit CRC.
- 404bc51cde9d 9.5.0 cited
-
Change CRCs in WAL records from 64bit to 32bit for performance reasons.
- 21fda22ec46d 8.1.0 cited
Greetings, * Mark Dilger (mark.dilger@enterprisedb.com) wrote: > > On Mar 26, 2020, at 9:34 AM, Stephen Frost <sfrost@snowman.net> wrote: > > I'm not actually argueing about which hash functions we should support, > > but rather what the default is and if crc32c, specifically, is actually > > a reasonable choice. Just because it's fast and we already had an > > implementation of it doesn't justify its use as the default. Given that > > it doesn't actually provide the check that is generally expected of > > CRC checksums (100% detection of single-bit errors) when the file size > > gets over 512MB makes me wonder if we should have it at all, yes, but it > > definitely makes me think it shouldn't be our default. > > I don't understand your focus on the single-bit error issue. Maybe I'm wrong, but my understanding was that detecting single-bit errors was one of the primary design goals of CRC and why people talk about CRCs of certain sizes having 'limits'- that's the size at which single-bit errors will no longer, necessarily, be picked up and therefore that's where the CRC of that size starts falling down on that goal. > If you are sending your backup across the wire, single bit errors during transmission should already be detected as part of the networking protocol. The real issue has to be detection of the kinds of errors or modifications that are most likely to happen in practice. Which are those? People manually mucking with the files? Bugs in backup scripts? Corruption on the storage device? Truncated files? The more bits in the checksum (assuming a well designed checksum algorithm), the more likely we are to detect accidental modification, so it is no surprise if a 64-bit crc does better than 32-bit crc. But that logic can be taken arbitrarily far. I don't see the connection between, on the one hand, an analysis of single-bit error detection against file size, and on the other hand, the verification of backups. We'd like something that does a good job at detecting any differences between when the file was copied off of the server and when the command is run- potentially weeks or months later. I would expect most issues to end up being storage-level corruption over time where the backup is stored, which could be single bit flips or whole pages getting zeroed or various other things. Files changing size probably is one of the less common things, but, sure, that too. That we could take this "arbitrarily far" is actually entirely fine- that's a good reason to have alternatives, which this patch does have, but that doesn't mean we should have a default that's not suitable for the files that we know we're going to be storing. Consider that we could have used a 16-bit CRC instead, but does that actually make sense? Ok, sure, maybe someone really wants something super fast- but should that be our default? If not, then what criteria should we use for the default? > From a support perspective, I think the much more important issue is making certain that checksums are turned on. A one in a billion chance of missing an error seems pretty acceptable compared to the, let's say, one in two chance that your customer didn't use checksums. Why are we even allowing this to be turned off? Is there a usage case compelling that option? The argument is that adding checksums takes more time. I can understand that argument, though I don't really agree with it. Certainly a few percent really shouldn't be that big of an issue, and in many cases even a sha256 hash isn't going to have that dramatic of an impact on the actual overall time. Thanks, Stephen