pg_replica 0.3.0

Consensus-driven failover for PostgreSQL (Raft control plane)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

# Design decisions (ADR-style)

Each entry: the decision, the rationale, and the alternative we rejected.

---

## D1 — Raft replicates control state, NOT data

**Decision.** The Raft log carries only small cluster-control entries (membership,
leader term, failover decisions, fencing tokens). The actual database content is
replicated by **Postgres physical (WAL) streaming replication**.

**Why.** "Use Raft to replicate the full database" means putting every write
through a Raft log and rebuilding storage on top of it — that is what CockroachDB
and TiKV do, and it is a *multi-year* engineering effort that throws away
Postgres's WAL, MVCC, and on-disk format. It would also make us *not Postgres*.
Physical WAL replication already copies **everything we want** — heap, indexes,
and the shared catalog `pg_authid` (roles/users + SCRAM verifiers) — correctly and
fast. So Raft's job is consensus on *who leads*, not moving bytes.

**Rejected.** Data-over-Raft (reimplementing the storage engine). Too big, and it
discards the entire reason to stay on Postgres.

**Consequence.** "Replicates roles and DDL" is satisfied by physical replication,
not by us. We must never claim otherwise.

---

## D2 — Physical replication, not logical

**Decision.** Use streaming **physical** replication as the data plane.

**Why.** Only physical replication copies **global objects** — roles live in the
cluster-wide `pg_authid`, which logical replication and pgactive explicitly do
**not** carry. Since "replicate roles + DDL + everything" is the whole point,
physical is the only fit. Replicas are read-only; that's acceptable (single-writer
HA, like a Mongo replica set).

**Rejected.** Logical replication (no roles/DDL/globals) and active-active
(pgactive: no global objects, conflict hell). Both fail the core requirement.

---

## D3 — Extension + bgworker, not a standalone daemon

**Decision.** Ship as a Postgres **extension** whose **background worker** hosts
the Raft node and orchestration. Rely on the existing OS supervisor
(systemd / Docker `restart: always`) for the Postgres *process* lifecycle.

**Why.** The user wants "a Postgres plugin," and most of the work *can* live in a
bgworker: a node whose Postgres is down doesn't need to vote (survivors hold
quorum); standbys being promoted are *up*, so their bgworker can `pg_promote()`
itself; a deposed primary that's up runs its own bgworker and self-demotes on
quorum loss. The one thing a bgworker genuinely cannot do is **start a Postgres
that is down** (chicken/egg) — so we delegate *only that* to systemd/Docker, which
every deployment already has.

**Rejected.** A separate Go/Rust daemon à la Patroni/Stolon. It would work, but
it's heavier and contradicts the "plugin" goal. We accept one honest limitation
(process lifecycle is the supervisor's job) to keep the plugin form factor.

**Risk.** A *hung but not dead* Postgres can wedge its bgworker. Mitigation: a
watchdog timer that makes a stuck node refuse/relinquish leadership.

---

## D4 — Embedded Raft, no external DCS

**Decision.** Embed Raft (`openraft`) inside the extension. No etcd, Consul, or k8s.

**Why.** The stated goal is fewer moving parts than CloudNativePG/Patroni-etcd.
An embedded quorum removes an entire external system to deploy, secure, and
operate. Patroni's `raft` (pysyncobj) mode proves the pattern is viable; we do it
natively and lighter.

**Rejected.** External DCS (operational weight) and single-monitor designs like
pg_auto_failover (the monitor is itself a SPOF and not a quorum).

---

## D5 — Rust + pgrx + openraft

**Decision.** Implement in Rust: the extension via **pgrx**, consensus via
**openraft** (async, event-driven Raft) hosted on a small embedded tokio runtime
inside the background worker.

**Why.** "Light on resources" rules out the JVM and argues against a Go control
plane; Rust gives a small static `.so` with no GC pauses in the failover path.
pgrx keeps us in the same toolchain as the ParadeDB-style stack already in use.
openraft leaves storage and transport to us (a single versioned `Decision` value
plus a tiny TCP/JSON RPC — both trivial here).

---

## D6 — Quorum-only, odd node counts

**Decision.** Support 3 and 5 nodes; refuse to pretend 2-node is safe.

**Why.** Raft needs a majority; 2 nodes can't form a safe majority on partition
(both think they're right, or neither can proceed). 3 tolerates 1 failure, 5
tolerates 2. We document this loudly rather than offering a footgun.

---

## D7 — Safety over availability by default

**Decision.** Default to **never two writable primaries**, even at the cost of a
brief write outage during failover. Synchronous (zero-loss) mode is opt-in.

**Why.** A search/cache can be rebuilt; a system of record that double-writes is
corrupted. Fencing + quorum + most-advanced-replica selection prioritize
correctness. Operators who want zero data loss enable quorum-sync and accept the
latency.