[Linux-cluster] Fence device, How it work

Rick Stevens rstevens at vitalstream.com
Wed Nov 9 16:48:18 UTC 2005 

On Tue, 2005-11-08 at 16:46 -0800, Michael Will wrote:
> I was more thinking along those lines:
> 
> 1. node A fails
> 2. node B reboots node A
> 3. node A fails again because it has not been fixed.
> 
> now we could have a 2-3-2 loop. worst case situation is
> that 3. is actually
> 3.1 node A comes up and starts reaquiring its ressource
> 3.2 node A fails again because it has not been fixed
> 3.3 goto 2
> 
> Your recommendation f/g is exactly what I was wondering about
> as an alternative. I know it is possible but try to understand
> why it would not be the default behavior.
> 
> In active/passive heartbeat style setups I set the nice-failback
> option so it does not try to reclaim ressources unless the other
> node fails, but I wonder what is the best path in a multinode
> active/active setup.

IMHO, an auto reboot is never a good option.  Theoretically, node A
failed for some reason, and a human should examine it to find out what
the problem is/was.  Recovering a fenced node should require manual
operator intervention--if for no other reason than to verify that a
reboot will not cause a repeat of the incident.

Fencing should a) turn off the fenced node's ability to reacquire
resources; b) power down the fenced node (if possible); and c) alert the
operator that fencing occurred.

> Lon Hohberger wrote:
> > On Tue, 2005-11-08 at 07:52 -0800, Michael Will wrote:
> >   
> >>> Power-cycle. 
> >>>       
> >> I always wondered about this. If the node has a problem, chances are 
> >> that rebooting does not
> >> fix it. Now if the node comes up semi-functional and attempts to regain 
> >> control over the ressource
> >> that it owned before, then that could be bad. Should it not rather be 
> >> shut-down so an human intervention
> >> can fix it before it is being made operational again?
> >>     
> >
> > This is a bit long, but maybe it will clear some things up a little.  As
> > far as a node taking over a resource it thinks it still has after a
> > reboot (without notifying the other nodes of its intentions), that would
> > be a bug the cluster software, and a really *bad* one too!
> >
> > A couple of things to remember when thinking about failures and fencing:
> >
> > (a) Failures are rare.  A decent PC has something like a 99.95% uptime
> > (I wish I knew where I heard/read this long ago) uptime - with no
> > redundancy at all.  A server with ECC RAM, RAID for internal disks, etc.
> > probably has a higher uptime.
> >
> > (b) The hardware component most likely to fail is a hard disk (moving
> > parts).  If that's the root hard disk, the machine probably won't boot
> > again.  If it's the shared RAID set, then the whole cluster will likely
> > have problems.
> >
> > (c) I hate to say this, but the kernel is probably more likely to fail
> > (panic, hang) than any single piece of hardware.
> >
> > (d) Consider this (I think this is an example of what you said?):
> >     1. Node A fails
> >     2. Node B reboots node A
> >     3. Node A correctly boots and rejoins cluster
> >     4. Node A mounts a GFS file system correctly
> >     5. Node A corrupts the GFS file system
> >
> > What is the chance that 5 will happen without data corruption occurring
> > during before 1?  Very slim, but nonzero - which brings me to my next
> > point...
> >
> > (e) Always make backups of critical data, no matter what sort of block
> > device or cluster technology you are using.  A bad RAM chip (e.g. an
> > parity RAM chip missing a double-bit errors) can cause periodic, quiet
> > data corruption.  Chances of this happening are also very slim, but
> > again, nonzero.  Probably at least as likely to happen as (d).
> >
> > (f) If you're worried about (d) and are willing to take the expected
> > uptime hit for a given node when that node fails, even given (c), you
> > can always change the cluster configuration to turn "off" a node instead
> > of reboot it. :)
> >
> > (g) You can chkconfig --del the cluster components so that they don't
> > automatically start on reboot; same effect as (f): the node won't
> > reacquire the resources if it never rejoins the cluster...
> >
> >
> >   
> >> I/O fencing instead of power fencing kind of works like this, you undo 
> >> the i/o block once you know
> >> the node is fine again.
> >>     
> >
> > Typically, we refer to that as "fabric level fencing" vs. "power level
> > fencing", both fit in with the I/O fencing paradigm in preventing a node
> > from flushing buffers after it has misbehaved.
> >
> > Note that typically the only way to be 100% positive a node has no
> > buffers waiting after it has been fenced at the fabric level is a hard
> > reboot.
> >
> > Many administrators will reboot a failed node as a first attempt to fix
> > it anyway - so we're just saving them a step :)  (Again, if you want,
> > you can always do (f) or (g) above...)
> >
> > -- Lon
> >
> > --
> > Linux-cluster mailing list
> > Linux-cluster at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-cluster
> >   
> 
> 
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-    "Hello. My PID is Inigo Montoya.  You `kill -9'-ed my parent    -
-                     process.  Prepare to vi."                      -
----------------------------------------------------------------------

More information about the Linux-cluster mailing list