Maximum Availability
This protection mode provides the highest level of data protection that is possible without compromising the availability of a primary database. Under normal operations, transactions do not commit until all redo data needed to recover those transactions has been written to the online redo log AND based on user configuration, one of the following is true:
-
redo has been received at the standby, I/O to the standby redo log has been initiated, and acknowledgement sent back to primary
-
redo has been received and written to standby redo log at the standby and acknowledgement sent back to primary
If the primary does not receive acknowledgement from at least one synchronized standby, then it operates as if it were in maximum performance mode to preserve primary database availability until it is again able to write its redo stream to a synchronized standby database.
If the primary database fails, then this mode ensures no data loss occurs provided there is at least one synchronized standby in the Oracle Data Guard configuration. See "Performance Versus Protection in Maximum Availability Mode" for information about the redo transport settings necessary to support Maximum Availability and associated trade-offs.
Transactions on the primary are considered protected as soon as Oracle Data Guard has written the redo data to persistent storage in a standby redo log file. Once that is done, acknowledgment is quickly made back to the primary database so that it can proceed to the next transaction. This minimizes the impact of synchronous transport on primary database throughput and response time. To fully benefit from complete Oracle Data Guard validation at the standby database, be sure to operate in real-time apply mode so that redo changes are applied to the standby database as fast as they are received. Oracle Data Guard signals any corruptions that are detected so that immediate corrective action can be taken.
Performance Versus Protection in Maximum Availability Mode
When you use Maximum Availability mode, it is important to understand the possible results of using the LOG_ARCHIVE_DEST_
n
attributes SYNC
/AFFIRM
versus SYNC
/NOAFFIRM
(FastSync) so that you can make the choice best suited to your needs.
When a transport is performed using SYNC/AFFIRM
, the primary performs write operations and waits for acknowledgment that the redo has been transmitted synchronously to the physical standby and written to disk. A SYNC/AFFIRM
transport provides an additional protection benefit at the expense of a performance impact caused by the time required to complete the I/O to the standby redo log.
When a transport is performed using SYNC/NOAFFIRM
, the primary performs write operations and waits only for acknowledgement that the data has been received on the standby, not that it has been written to disk. The SYNC/NOAFFIRM
transport can provide a performance benefit at the expense of potential exposure to data loss in a special case of multiple simultaneous failures.
With those definitions in mind, suppose you experience a catastrophic failure at the primary site at the same time that power is lost at the standby site. Whether data is lost depends on the transport mode being used. In the case of SYNC/AFFIRM
, in which there is a check to confirm that data is written to disk on the standby, there would be no data loss because the data would be available on the standby when the system was recovered. In the case of SYNC/NOAFFIRM
, in which there is no check that data has been written to disk on the standby, there may be some data loss.
Maximum Performance
This protection mode provides the highest level of data protection that is possible without affecting the performance of a primary database. This is accomplished by allowing transactions to commit as soon as all redo data generated by those transactions has been written to the online log. Redo data is also written to one or more standby databases, but this is done asynchronously with respect to transaction commitment, so primary database performance is unaffected by the time required to transmit redo data and receive acknowledgment from a standby database.
This protection mode offers slightly less data protection than maximum availability mode and has minimal impact on primary database performance.
This is the default protection mode.
Maximum Protection
Maximum protection is similar to maximum availability but provides an additional level of data protection in the event of multiple failure events. Unlike maximum availability, which allows the primary to continue processing if it is unable to receive acknowledgement from a standby database, maximum protection shuts the primary database down rather than allowing it to continue processing transactions that are unprotected.
Because this data protection mode prioritizes data protection over primary database availability, Oracle recommends that a minimum of two standby databases be used to protect a primary database that runs in maximum protection mode to prevent a single standby database failure from causing the primary database to shut down.
Maximum Performance的Network transmission mode可以是SYNC or ASYNC when using LGWR process. SYNC if using ARCH process
观察如下配置:
SQL> SELECT PROTECTION_MODE, PROTECTION_LEVEL FROM V$DATABASE;
PROTECTION_MODE PROTECTION_LEVEL
-------------------- --------------------
MAXIMUM PERFORMANCE MAXIMUM PERFORMANCE
SQL> sho parameter log_archive_dest_2
log_archive_dest_2 string SERVICE=dg2 LGWR SYNC AFFIRM VALID_FOR=(ONLINE_LOGFILES,PRIMARY_ROLE) DB_UNIQUE_NAME=dg2
这种设置相当于最高可用性模式
主库的alert文件和trc文件,trc文件显示的确是运行在最大可用模式:
Destination LOG_ARCHIVE_DEST_2 is in MAXIMUM AVAILABILITY mode
个人理解:主库在MAXIMUM PERFORMANCE模式下, LGWR SYNC 方式传输日志至备库,此时DG实际是 MAXIMUM AVAILABILITY ,主库接收备库收到日志的确认,主库才能完成提交;
但当网络存在延迟,等待超过了参数net-timeout的值的话就DG自动变成最大性能模式