HA Architecture
Roles
```text
┌──────────────────────────────────────┐
│             Application              │
└──────────────────────────────────────┘
                   │ 5433 / 5434
                   ▼
┌──────────────────────────────────────┐
│  HAProxy (routing + health checks)   │
└──────────────────────────────────────┘
                   │
       ┌───────────┼───────────┐
       ▼           ▼           ▼
   ┌───────┐   ┌───────┐   ┌───────┐
   │ PG-1  │   │ PG-2  │   │ PG-3  │
   │primary│   │replica│   │replica│
   │Patroni│   │Patroni│   │Patroni│
   └───┬───┘   └───┬───┘   └───┬───┘
       │           │           │
       └───────────┴───────────┘
                   │
              ┌────▼────┐
              │  etcd   │  (3 / 5 nodes)
              └─────────┘
```
- Patroni — a sidecar on every PG instance; it competes for the leader key and manages PG start/stop
- etcd — distributed lock + config store; records the current primary
- HAProxy — tracks Patroni's health endpoint and dynamically points 5433 at the live primary
Failover flow
- The primary fails or Patroni loses contact
- The leader key's TTL expires
- Healthy replicas race for the new leader key
- The winner promotes itself as the new primary
- HAProxy's health check picks up the role change and updates routing
- The next client connection lands on the new primary
Typical RTO: 5–30 seconds depending on TTL, replication lag and client reconnect behaviour.
Manual switchover
```bash
# Graceful planned switchover
patronictl -c /etc/patroni/patroni.yml switchover
# Forced failover
patronictl -c /etc/patroni/patroni.yml failover
```
Or via the Ansible playbook:
```bash
./pgsql-reload.yml -l pg-meta -t primary
```
VIP
In addition to HAProxy, Pigsty optionally provides a VIP:
- L2 VIP — keepalived + ARP; requires a shared L2 network
- L3 VIP — DNS / BGP; suitable for cross-subnet deployments
Both make the primary-role switch transparent to the client. See NODE / VIP.
Split-brain and data safety
Pigsty uses synchronous replication + quorum to reduce split-brain risk:
- synchronous_commit = on + synchronous_standby_names
- etcd's three-node quorum — minority partitions step down on their own
- Timeline detection — see /docs/pgbackrest/
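A monitoring-side check for the split-brain and timeline conditions described above, as an added example that is not Pigsty's or Patroni's own code. It assumes each node's status has been collected from Patroni's REST endpoint `/patroni` as JSON with `state`, `role` and `timeline` fields; node names and sample values are constructed.

```python
import json

# Constructed sample: one /patroni JSON document per node, as a monitoring job
# might collect them. Node names and values are illustrative only.
SAMPLE_HEALTHY = {
    "pg-1": '{"state": "running", "role": "primary", "timeline": 4}',
    "pg-2": '{"state": "running", "role": "replica", "timeline": 4}',
    "pg-3": '{"state": "running", "role": "replica", "timeline": 4}',
}
SAMPLE_SPLIT = {
    "pg-1": '{"state": "running", "role": "primary", "timeline": 4}',
    "pg-2": '{"state": "running", "role": "primary", "timeline": 5}',
    "pg-3": '{"state": "running", "role": "replica", "timeline": 5}',
}
PRIMARY_ROLES = {"primary", "master"}  # older Patroni releases report "master"


def check_cluster(raw_statuses):
    """Return a list of findings; an empty list means the view is consistent."""
    findings, primaries, timelines = [], [], {}
    for node, raw in sorted(raw_statuses.items()):
        try:
            doc = json.loads(raw)
            role, state, tl = doc.get("role"), doc.get("state"), doc.get("timeline")
        except (TypeError, ValueError, AttributeError):
            findings.append(f"{node}: unreadable status")
            continue
        if state != "running":
            findings.append(f"{node}: state={state!r}")
            continue
        if role in PRIMARY_ROLES:
            primaries.append(node)
        timelines[node] = tl
    if len(primaries) > 1:  # two nodes both claim the primary role
        findings.append("split-brain: multiple primaries " + ", ".join(primaries))
    elif not primaries:
        findings.append("no running primary")
    else:  # exactly one primary: every running node should share its timeline
        lead_tl = timelines[primaries[0]]
        for node, tl in timelines.items():
            if tl != lead_tl:
                findings.append(f"{node}: timeline {tl} != primary timeline {lead_tl}")
    return findings


if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("split", SAMPLE_SPLIT)):
        print(name, check_cluster(sample) or "OK")
```

A replica can briefly report an older timeline right after a failover, so alert on findings that persist across several polls rather than on a single one.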
Going deeper
- Concept: High availability
- Patroni: /docs/patroni/
- etcd module: /docs/etcd/