.png)
1 day ago
5
pgrwl is a PostgreSQL write-ahead log (WAL) receiver written in Go. It’s a drop-in, container-friendly alternative to pg_receivewal, supporting streaming replication, encryption, compression, and remote storage (S3, SFTP).
Designed for disaster recovery and PITR (Point-in-Time Recovery), pgrwl ensures zero data loss (RPO=0) and seamless integration with Kubernetes environments.
- About
- Usage
- Quick Start
- Configuration Reference
- Installation
- Disaster Recovery Use Cases
- Architecture
- Contributing
- Developer Notes
- License
-
The project serves as a research platform to explore streaming WAL archiving with a target of RPO=0 during recovery.
-
It's primarily designed for use in containerized environments.
-
The utility replicates all key features of pg_receivewal, including automatic reconnection on connection loss, streaming into partial files, extensive error checking and more.
-
The tool is easy to install as a single binary and simple to debug - just use your preferred editor and a Docker container running PostgreSQL.
Receive mode is the main loop of the WAL receiver.
Serve mode is used during restore to serve archived WAL files from storage.
restore_command example for postgresql.conf:
The configuration file is in JSON or YML format (*.json is preferred). It supports environment variable placeholders like ${PGRWL_SECRET_ACCESS_KEY}.
- Download the latest binary for your platform from the Releases page.
- Place the binary in your system's PATH (e.g., /usr/local/bin).
The full process may look like this (a typical, rough, and simplified example):
- You have a cron job that performs a base backup of your cluster every three days.
- You run pgrwl as a systemd unit or a Kubernetes pod (depending on your infrastructure).
- You have a configured retention worker that prunes WAL files older than three days.
- With this setup, you're able to restore your cluster - in the event of a crash - to any second within the past three days.
pgrwl is designed to always stream WAL data to the local filesystem first. This design ensures durability and correctness, especially in synchronous replication setups where PostgreSQL waits for the replica to confirm the commit.
- Incoming WAL data is written directly to *.partial files in a local directory.
- These *.partial files are synced (fsync) after each write to ensure that WAL segments are fully durable on disk.
- Once a WAL segment is fully received, the *.partial suffix is removed, and the file is considered complete.
Compression and encryption are applied only after a WAL segment is completed:
- Completed files are passed to the uploader worker, which may compress and/or encrypt them before uploading to a remote backend (e.g., S3, SFTP).
- The uploader worker ignores partial files and operates only on finalized, closed segments.
This model avoids the complexity and risk of streaming incomplete WAL data directly to remote storage, which can lead to inconsistencies or partial restores. By ensuring that all WAL files are locally durable and only completed files are uploaded, pgrwl guarantees restore safety and clean segment handoff for disaster recovery.
In short: PostgreSQL requires acknowledgments for commits in synchronous setups, and relying on external systems for critical paths (like WAL streaming) could introduce unacceptable delays or failures. This architecture mitigates that risk.
- After each WAL segment is written, an fsync is performed on the currently open WAL file to ensure durability.
- An fsync is triggered when a WAL segment is completed and the *.partial file is renamed to its final form.
- An fsync is triggered when a keepalive message is received from the server with the reply_requested option set.
- Additionally, fsync is called whenever an error occurs during the receive-copy loop.
There’s a significant difference between using archive_command and archiving WAL files via the streaming replication protocol.
The archive_command is triggered only after a WAL file is fully completed-typically when it reaches 16 MiB (the default segment size). This means that in a crash scenario, you could lose up to 16 MiB of data.
You can mitigate this by setting a lower archive_timeout (e.g., 1 minute), but even then, in a worst-case scenario, you risk losing up to 1 minute of data. Also, it’s important to note that PostgreSQL preallocates WAL files to the configured wal_segment_size, so they are created with full size regardless of how much data has been written. (Quote from documentation: It is therefore unwise to set a very short archive_timeout - it will bloat your archive storage.).
In contrast, streaming WAL archiving-when used with replication slots and the synchronous_standby_names parameter-ensures that the system can be restored to the latest committed transaction. This approach provides true zero data loss (RPO=0), making it ideal for high-durability requirements.
Contributions are welcomed and greatly appreciated. See CONTRIBUTING.md for details on submitting patches and the contribution workflow.
These principles guide the development of pgrwl to ensure long-term maintainability, ease of use, and operational clarity:
- Simplicity: Prioritize simplicity in both development and usage. The system should be easy to run, understand, and extend.
- Durability: WAL files must be reliably persisted to prevent data loss - no compromises.
- Predictability: The application should behave consistently and transparently across different environments and scenarios.
- Simple Configuration: Users should be able to configure and launch the application with minimal effort - ideally with a single YAML file and a few environment variables.
- Easy Debugging: Troubleshooting should not require navigating complex dependencies. The system must produce helpful, traceable logs.
- Anyone should be able to:
- Understand what the application does.
- Use it confidently without prior deep knowledge of PostgreSQL internals.
- Contribute to it without needing to reverse-engineer its design.
- Structured Logging: All logs use structured formats (e.g., JSON or text with context) and support verbose tracing when needed.
- Metrics: Prometheus-compatible metrics are exposed for observability, health checks, and integration with monitoring dashboards.
Here an example of a 'golden' fundamental test. It verifies that we can restore to the latest committed transaction after an abrupt system crash. It also checks that the WAL files generated are byte-for-byte identical to those generated by pg_receivewal.
- Initialize and start a PostgreSQL cluster
- Run WAL receivers (pgrwl and pg_receivewal)
- Create a base backup
- Create a table, and insert the current timestamp every second (in the background)
- Run pgbench to populate the database with 1 million rows
- Generate additional data (~512 MiB)
- Concurrently create 100 tables with 10000 rows each.
- Terminate the insert-script job
- Run pg_dumpall and save the output as plain SQL
- Terminate all PostgreSQL processes and delete the PGDATA directory (termination is force and abnormal)
- Restore PGDATA from the base backup, add recovery.signal, and configure restore_command
- Rename all *.partial WAL files in the WAL archive directories
- Start the PostgreSQL cluster (cluster should recover to the latest committed transaction)
- Run pg_dumpall after the cluster is ready
- Diff the pg_dumpall results (before and after)
- Check the insert-script logs and verify that the table contains the last inserted row
- Compare WAL directories (filenames and contents must match 100%)
- Clean up WAL directories and rerun the WAL archivers on a new timeline (cleanup is necessary since we run receivers with --no-loop option)
- Compare the WAL directories again
✅ All targets should complete successfully before submitting changes or opening a PR.
- pg_receivewal Documentation
- pg_receivewal Source Code
- Streaming Replication Protocol
- Continuous Archiving and Point-in-Time Recovery
- Setting Up WAL Archiving
MIT License. See LICENSE for details.
