Postgres running cluster security patch


We would like to migrate from Heroku to
The pros of are that we can use the Warsaw region to handle our customers and the pricing looks good. I did the initial configuration with a Postgres cluster and the app works very well for now.

But I'm not sure how much effort it will need from us to maintain this regarding Postgres.
On Heroku it’s fire and forget - no problems for 4 years - we just write code and push to GitHub - everything works well (but is expensive), no devops knowledge needed.

On In two places you differentiate this:

  1. First Place:
  • We won’t upgrade your Postgres cluster to a new version automatically. You can run fly image update to get the latest available point release
  • We won’t apply security patches to running clusters
    (source link to post)
  2. Second Place:
    Upgrading Postgres versions & security patches - provides tools like fly image update to upgrade your database instances to new minor versions of Postgres, but you’ll have to run the upgrades yourself. Same for security patches: you’ll have to apply those to running Postgres clusters.
    (source link to post)

You differentiate those two things:

  1. using fly image update for updating the version of Postgres

  2. “applying security patches to running Postgres clusters”

If I understand correctly, it looks like applying security patches is a different thing than running fly image update - does it mean logging in to the working cluster machine and doing some kind of update of the Linux machine, or doing updates in fly.toml files and re-deploying?

How do I apply a security patch to a running Postgres cluster? Is it related to any kind of downtime?

Hey @psagan,

The reason you need to perform an update may be slightly different, but the process is the same. fly image update should be all you need.

Thank you @shaun. If I have two Postgres machines in a cluster in the same region - will there be any downtime while running fly image update? Or are they done sequentially, one after another, so no downtime is experienced? (I can’t test it now because all my machines are up-to-date).

It will perform the standard rolling update process.

  1. Update the standby
  2. Perform a failover
  3. Update the old primary

There may be a brief interruption as connections are rerouted during step 2.

Great, thank you for the explanation and your help! :grinning: