where both systems think they are the
primary, which will lead to confusion and ultimately data loss.
</para>
<para>
Many failover systems use just two systems, the primary and the standby,
connected by some kind of heartbeat mechanism to continually verify the
connectivity between the two and the viability of the primary. It is
also possible to use a third system (called a witness server) to prevent
some cases of inappropriate failover, but the additional complexity
might not be worthwhile unless it is set up with sufficient care and
rigorous testing.
</para>
<para>
<productname>PostgreSQL</productname> does not provide the system
software required to identify a failure on the primary and notify
the standby database server. Many such tools exist and are well
integrated with the operating system facilities required for
successful failover, such as IP address migration.
</para>
<para>
Once failover to the standby occurs, there is only a
single server in operation. This is known as a degenerate state.
The former standby is now the primary, but the former primary is down
and might stay down. To return to normal operation, a standby server
must be recreated,
either on the former primary system when it comes up, or on a third,
possibly new, system. The <xref linkend="app-pgrewind"/> utility can be
used to speed up this process on large clusters.
Once complete, the primary and standby can be
considered to have switched roles. Some people choose to use a third
server to provide backup for the new primary until the new standby
server is recreated,
though clearly this complicates the system configuration and
operational processes.
</para>
<para>
So, switching from primary to standby server can be fast but requires
some time to re-prepare the failover cluster. Regular switching from
primary to standby is useful, since it allows regular downtime on
each system for maintenance. This also serves as a test of the
failover mechanism to ensure that it will really work when you need it.
Written administration procedures are advised.
</para>
<para>
If you have opted for logical replication slot synchronization (see
<xref linkend="logicaldecoding-replication-slots-synchronization"/>),
then before switching to the standby server, it is recommended to check
if the logical slots synchronized on the standby server are ready
for failover. This can be done by following the steps described in
<xref linkend="logical-replication-failover"/>.
</para>
<para>
To trigger failover of a log-shipping standby server, run
<command>pg_ctl promote</command> or call <function>pg_promote()</function>.
If you're setting up reporting servers that are only used to offload
read-only queries from the primary, not for high availability purposes,
you don't need to promote.
</para>
</sect1>
<sect1 id="hot-standby">
<title>Hot Standby</title>
<indexterm zone="high-availability">
<primary>hot standby</primary>
</indexterm>
<para>
Hot standby is the term used to describe the ability to connect to
the server and run read-only queries while the server is in archive
recovery or standby mode. This
is useful both for replication purposes and for restoring a backup
to a desired state with great precision.
The term hot standby also refers to the ability of the server to move
from recovery through to normal operation while users continue running
queries and/or keep their connections open.
</para>
<para>
Running queries in hot standby mode is similar to normal query operation,
though there are several usage and administrative differences
explained below.
</para>
<sect2 id="hot-standby-users">
<title>User's Overview</title>
<para>
When the <xref linkend="guc-hot-standby"/> parameter is