:compat-mode: legacy
= Fencing =

////
We prefer [[ch-fencing]], but older versions of asciidoc don't deal well
with that construct for chapter headings
////
anchor:ch-fencing[Chapter 6, Fencing]
indexterm:[Fencing, Configuration]
indexterm:[STONITH, Configuration]

== What Is Fencing? ==

'Fencing' is the ability to make a node unable to run resources, even when that
node is unresponsive to cluster commands.

Fencing is also known as 'STONITH', an acronym for "Shoot The Other Node In The
Head", since the most common fencing method is cutting power to the node.
Another method is "fabric fencing", cutting the node's access to some
capability required to run resources (such as network access or a shared disk).

== Why Is Fencing Necessary? ==

Fencing protects your data from being corrupted by malfunctioning nodes or
unintentional concurrent access to shared resources.

Fencing protects against the "split brain" failure scenario, where cluster
nodes have lost the ability to reliably communicate with each other but are
still able to run resources. If the cluster just assumed that uncommunicative
nodes were down, then multiple instances of a resource could be started on
different nodes.

The effect of split brain depends on the resource type. For example, an IP
address brought up on two hosts on a network will cause packets to randomly be
sent to one or the other host, rendering the IP useless. For a database or
clustered file system, the effect could be much more severe, causing data
corruption or divergence.

Fencing also is used when a resource cannot otherwise be stopped. If a failed
resource fails to stop, it cannot be recovered elsewhere. Fencing the
resource's node is the only way to ensure the resource is recoverable.

Users may also configure the +on-fail+ property of any resource operation to
+fencing+, in which case the cluster will fence the resource's node if the
operation fails.

== Fence Devices ==

A 'fence device' (or 'fencing device') is a special type of resource that
provides the means to fence a node.

Examples of fencing devices include intelligent power switches and IPMI devices
that accept SNMP commands to cut power to a node, and iSCSI controllers that
allow SCSI reservations to be used to cut a node's access to a shared disk.

Since fencing devices will be used to recover from loss of networking
connectivity to other nodes, it is essential that they do not rely on the same
network as the cluster itself, otherwise that network becomes a single point of
failure.

Since loss of a node due to power outage is indistinguishable from loss of
network connectivity to that node, it is also essential that at least one fence
device for a node does not share power with that node. For example, an on-board
IPMI controller that shares power with its host should not be used as the sole
fencing device for that host.

Since fencing is used to isolate malfunctioning nodes, no fence device should
rely on its target functioning properly. This includes, for example, devices
that ssh into a node and issue a shutdown command (such devices might be
suitable for testing, but never for production).

== Fence Agents ==

A 'fence agent' (or 'fencing agent') is a +stonith+-class resource agent.

The fence agent standard provides commands (such as +off+ and +reboot+) that
the cluster can use to fence nodes. As with other resource agent classes,
this allows a layer of abstraction so that Pacemaker doesn't need any knowledge
about specific fencing technologies -- that knowledge is isolated in the agent.

== When a Fence Device Can Be Used ==

Fencing devices do not actually "run" like most services. Typically, they just
provide an interface for sending commands to an external device.

Additionally, fencing may be initiated by Pacemaker, by other cluster-aware software
such as DRBD or DLM, or manually by an administrator, at any point in the
cluster life cycle, including before any resources have been started.

To accommodate this, Pacemaker does not require the fence device resource to be
"started" in order to be used. Whether a fence device is started or not
determines whether a node runs any recurring monitor for the device, and gives
the node a slight preference for being chosen to execute fencing using that
device.

By default, any node can execute any fencing device. If a fence device is
disabled by setting its +target-role+ to Stopped, then no node can use that
device. If mandatory location constraints prevent a specific node from
"running" a fence device, then that node will never be chosen to execute
fencing using the device. A node may fence itself, but the cluster will choose
that only if no other nodes can do the fencing.

A common configuration scenario is to have one fence device per target node.
In such a case, users often configure anti-location constraints so that
the target node does not monitor its own device. The best practice is to make
the constraint optional (i.e. a finite negative score rather than +-INFINITY+),
so that the node can fence itself if no other nodes can.

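The rules in this section can be checked mechanically. The following Python audit is an added example, not part of the Pacemaker documentation or code: it reads a constructed CIB fragment and reports fence devices disabled with +target-role+ and devices whose own target is banned with +-INFINITY+. The resource ids and node names are made up, only the simple rsc/node/score form of +rsc_location+ is handled, and +pcmk_host_list+ entries are assumed to be separated by whitespace or commas.

```python
import xml.etree.ElementTree as ET

# Constructed CIB fragment for illustration; ids and node names are hypothetical.
SAMPLE_CIB = """
<configuration>
  <resources>
    <primitive id="fence-node1" class="stonith" type="fence_ipmilan">
      <instance_attributes id="fence-node1-params">
        <nvpair id="fence-node1-hosts" name="pcmk_host_list" value="node1"/>
      </instance_attributes>
    </primitive>
    <primitive id="fence-node2" class="stonith" type="fence_ipmilan">
      <instance_attributes id="fence-node2-params">
        <nvpair id="fence-node2-hosts" name="pcmk_host_list" value="node2"/>
      </instance_attributes>
    </primitive>
    <primitive id="fence-node3" class="stonith" type="fence_ipmilan">
      <meta_attributes id="fence-node3-meta">
        <nvpair id="fence-node3-role" name="target-role" value="Stopped"/>
      </meta_attributes>
      <instance_attributes id="fence-node3-params">
        <nvpair id="fence-node3-hosts" name="pcmk_host_list" value="node3"/>
      </instance_attributes>
    </primitive>
  </resources>
  <constraints>
    <rsc_location id="loc-fence-node1" rsc="fence-node1" node="node1" score="-INFINITY"/>
    <rsc_location id="loc-fence-node2" rsc="fence-node2" node="node2" score="-1000"/>
  </constraints>
</configuration>
"""


def nvpairs(primitive, container):
    """Collect name/value pairs from a primitive's meta_attributes or instance_attributes."""
    return {nv.get("name"): nv.get("value")
            for nv in primitive.findall(f"./{container}/nvpair")}


def audit_fence_devices(cib_xml):
    """Return {device id: [(finding code, detail), ...]} for every stonith-class primitive."""
    root = ET.fromstring(cib_xml)
    targets, findings = {}, {}

    for prim in root.iter("primitive"):
        if prim.get("class") != "stonith":
            continue
        dev = prim.get("id")
        findings[dev] = []
        hosts = nvpairs(prim, "instance_attributes").get("pcmk_host_list", "")
        targets[dev] = set(hosts.replace(",", " ").split())
        # A device with target-role=Stopped cannot be used by any node.
        role = nvpairs(prim, "meta_attributes").get("target-role", "")
        if role.lower() == "stopped":
            findings[dev].append(("disabled", "target-role=Stopped"))

    for loc in root.iter("rsc_location"):
        dev, node, score = loc.get("rsc"), loc.get("node"), loc.get("score")
        # Only constraints that keep a fence device off its own target matter here.
        if dev not in targets or node not in targets[dev]:
            continue
        # -INFINITY is mandatory: the target can never fence itself with this
        # device. A finite negative score keeps self-fencing as a last resort.
        if score == "-INFINITY":
            findings[dev].append(("self-fencing-blocked", node))

    return findings


if __name__ == "__main__":
    for device, issues in audit_fence_devices(SAMPLE_CIB).items():
        print(device, issues or "ok")
```
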
== Limitations of Fencing Resources ==

Fencing resources have certain limitations that other resource classes don't:

* They may have only one set of meta-attributes and one set of instance
attributes.
* If <<ch-rules,rules>> are used to determine fencing resource options, these
may only be evaluated when first read, meaning that later changes to the
rules will have no effect. Therefore, it is better to avoid confusion and not
use rules at all with fencing resources.

These limitations could be revisited if there is significant user demand.

== Special Options for Fencing Resources ==

The table below lists special instance attributes that may be set for any
fencing resource ('not' meta-attributes, even though they are interpreted by
pacemaker rather than the fence agent). These are also listed in the man page
for +pacemaker-fenced+.

.Additional Properties of Fencing Resources
[width="95%",cols="8m,3,6,<12",options="header",align="center"]
|=========================================================

|Field
|Type
|Default
|Description

|stonith-timeout
|NA
|NA
a|Older versions used this to override the default period to wait for a STONITH (reboot, on, off) action to complete for this device.
It has been replaced by the +pcmk_reboot_timeout+ and +pcmk_off_timeout+ properties.
indexterm:[stonith-timeout,Fencing]
indexterm:[Fencing,Property,stonith-timeout]

////
(not yet implemented)
priority
integer
0
The priority of the STONITH resource. Devices are tried in order of highest priority to lowest.
indexterm priority,Fencing
indexterm Fencing,Property,priority
////

|provides
|string
|
|Any special capability provided by the fence device. Currently, only one such
capability is meaningful: +unfencing+ (see <<s-unfencing>>).
indexterm:[provides,Fencing]
indexterm:[Fencing,Property,provides]

|pcmk_host_map
|string
|
|A mapping of host names to port numbers for devices that do not support host names.
Example: +node1:1;node2:2,3+ tells the cluster to use port 1 for
*node1* and ports 2 and 3 for *node2*. If +pcmk_host_check+ is explicitly set
to +static-list+, either this or +pcmk_host_list+ must be set.
indexterm:[pcmk_host_map,Fencing]
indexterm:[Fencing,Property,pcmk_host_map]

|pcmk_host_list
|string
|
|A list of machines controlled by this device. If +pcmk_host_check+ is
explicitly set to +static-list+, either this or +pcmk_host_map+ must be set.
indexterm:[pcmk_host_list,Fencing]
indexterm:[Fencing,Property,pcmk_host_list]

|pcmk_host_check
|string
|A value appropriate to other configuration options and
device capabilities (see note below)
a|How to determine which machines are controlled by the device.
Allowed values:

* +dynamic-list:+ query the device via the "list" command
* +static-list:+ check the +pcmk_host_list+ or +pcmk_host_map+ attribute
* +status:+ query the device via the "status" command
* +none:+ assume every device can fence every machine

indexterm:[pcmk_host_check,Fencing]
indexterm:[Fencing,Property,pcmk_host_check]

|pcmk_delay_max
|time
|0s
|Enable a random delay of up to the time specified before executing fencing
actions. This is sometimes used in two-node clusters to ensure that the
nodes don't fence each other at the same time. The overall delay introduced
by Pacemaker is derived from this random delay value plus a static delay, such
that the sum is kept below the maximum delay.

indexterm:[pcmk_delay_max,Fencing]
indexterm:[Fencing,Property,pcmk_delay_max]

|pcmk_delay_base
|time
|0s
|Enable a static delay before executing fencing actions. This can be used
e.g. in two-node clusters to ensure that the nodes don't fence each other,
by having separate fencing resources with different values. The node that is
fenced with the shorter delay will lose a fencing race. The overall delay
introduced by Pacemaker is derived from this value plus a random delay such
that the sum is kept below the maximum delay.

indexterm:[pcmk_delay_base,Fencing]
indexterm:[Fencing,Property,pcmk_delay_base]

|pcmk_action_limit
|integer
|1
|The maximum number of actions that can be performed in parallel on this
device, if the cluster option +concurrent-fencing+ is +true+. -1 is unlimited.

indexterm:[pcmk_action_limit,Fencing]
indexterm:[Fencing,Property,pcmk_action_limit]

|pcmk_host_argument
|string
|port
|'Advanced use only.' Which parameter should be supplied to the resource agent
to identify the node to be fenced. Some devices do not support the standard
+port+ parameter or may provide additional ones. Use this to specify an
alternate, device-specific parameter. A value of +none+ tells the
cluster not to supply any additional parameters.
indexterm:[pcmk_host_argument,Fencing]
indexterm:[Fencing,Property,pcmk_host_argument]

|pcmk_reboot_action
|string
|reboot
|'Advanced use only.' The command to send to the resource agent in order to
reboot a node. Some devices do not support the standard commands or may provide
additional ones. Use this to specify an alternate, device-specific command.
indexterm:[pcmk_reboot_action,Fencing]
indexterm:[Fencing,Property,pcmk_reboot_action]

|pcmk_reboot_timeout
|time
|60s
|'Advanced use only.' Specify an alternate timeout to use for `reboot` actions
instead of the value of +stonith-timeout+. Some devices need much more or less
time to complete than normal. Use this to specify an alternate, device-specific
timeout.
indexterm:[pcmk_reboot_timeout,Fencing]
indexterm:[Fencing,Property,pcmk_reboot_timeout]
indexterm:[stonith-timeout,Fencing]
indexterm:[Fencing,Property,stonith-timeout]

|pcmk_reboot_retries
|integer
|2
|'Advanced use only.' The maximum number of times to retry the `reboot` command
within the timeout period. Some devices do not support multiple connections, and
operations may fail if the device is busy with another task, so Pacemaker will
automatically retry the operation, if there is time remaining. Use this option
to alter the number of times Pacemaker retries before giving up.
indexterm:[pcmk_reboot_retries,Fencing]
indexterm:[Fencing,Property,pcmk_reboot_retries]

|pcmk_off_action
|string
|off
|'Advanced use only.' The command to send to the resource agent in order to
shut down a node. Some devices do not support the standard commands or may provide
additional ones. Use this to specify an alternate, device-specific command.
indexterm:[pcmk_off_action,Fencing]
indexterm:[Fencing,Property,pcmk_off_action]

|pcmk_off_timeout
|time
|60s
|'Advanced use only.' Specify an alternate timeout to use for `off` actions
instead of the value of +stonith-timeout+. Some devices need much more or less
time to complete than normal. Use this to specify an alternate, device-specific
timeout.
indexterm:[pcmk_off_timeout,Fencing]
indexterm:[Fencing,Property,pcmk_off_timeout]
indexterm:[stonith-timeout,Fencing]
indexterm:[Fencing,Property,stonith-timeout]

|pcmk_off_retries
|integer
|2
|'Advanced use only.' The maximum number of times to retry the `off` command
within the timeout period. Some devices do not support multiple connections, and
operations may fail if the device is busy with another task, so Pacemaker will
automatically retry the operation, if there is time remaining. Use this option
to alter the number of times Pacemaker retries before giving up.
indexterm:[pcmk_off_retries,Fencing]
indexterm:[Fencing,Property,pcmk_off_retries]

|pcmk_list_action
|string
|list
|'Advanced use only.' The command to send to the resource agent in order to
list nodes. Some devices do not support the standard commands or may provide
additional ones. Use this to specify an alternate, device-specific command.
indexterm:[pcmk_list_action,Fencing]
indexterm:[Fencing,Property,pcmk_list_action]

|pcmk_list_timeout
|time
|60s
|'Advanced use only.' Specify an alternate timeout to use for `list` actions
instead of the value of +stonith-timeout+. Some devices need much more or less
time to complete than normal. Use this to specify an alternate, device-specific
timeout.
indexterm:[pcmk_list_timeout,Fencing]
indexterm:[Fencing,Property,pcmk_list_timeout]

|pcmk_list_retries
|integer
|2
|'Advanced use only.' The maximum number of times to retry the `list` command
within the timeout period. Some devices do not support multiple connections, and
operations may fail if the device is busy with another task, so Pacemaker will
automatically retry the operation, if there is time remaining. Use this option
to alter the number of times Pacemaker retries before giving up.
indexterm:[pcmk_list_retries,Fencing]
indexterm:[Fencing,Property,pcmk_list_retries]

|pcmk_monitor_action
|string
|monitor
|'Advanced use only.' The command to send to the resource agent in order to
report extended status. Some devices do not support the standard commands or may provide
additional ones. Use this to specify an alternate, device-specific command.
indexterm:[pcmk_monitor_action,Fencing]
indexterm:[Fencing,Property,pcmk_monitor_action]

|pcmk_monitor_timeout
|time
|60s
|'Advanced use only.' Specify an alternate timeout to use for `monitor` actions
instead of the value of +stonith-timeout+. Some devices need much more or less
time to complete than normal. Use this to specify an alternate, device-specific
timeout.
indexterm:[pcmk_monitor_timeout,Fencing]
indexterm:[Fencing,Property,pcmk_monitor_timeout]

|pcmk_monitor_retries
|integer
|2
|'Advanced use only.' The maximum number of times to retry the `monitor` command
within the timeout period. Some devices do not support multiple connections, and
operations may fail if the device is busy with another task, so Pacemaker will
automatically retry the operation, if there is time remaining. Use this option
to alter the number of times Pacemaker retries before giving up.
indexterm:[pcmk_monitor_retries,Fencing]
indexterm:[Fencing,Property,pcmk_monitor_retries]

|pcmk_status_action
|string
|status
|'Advanced use only.' The command to send to the resource agent in order to
report status. Some devices do not support the standard commands or may provide
additional ones. Use this to specify an alternate, device-specific command.
indexterm:[pcmk_status_action,Fencing]
indexterm:[Fencing,Property,pcmk_status_action]

|pcmk_status_timeout
|time
|60s
|'Advanced use only.' Specify an alternate timeout to use for `status` actions
instead of the value of +stonith-timeout+. Some devices need much more or less
time to complete than normal. Use this to specify an alternate, device-specific
timeout.
indexterm:[pcmk_status_timeout,Fencing]
indexterm:[Fencing,Property,pcmk_status_timeout]

|pcmk_status_retries
|integer
|2
|'Advanced use only.' The maximum number of times to retry the `status` command
within the timeout period. Some devices do not support multiple connections, and
operations may fail if the device is busy with another task, so Pacemaker will
automatically retry the operation, if there is time remaining. Use this option
to alter the number of times Pacemaker retries before giving up.
indexterm:[pcmk_status_retries,Fencing]
indexterm:[Fencing,Property,pcmk_status_retries]

|=========================================================

[NOTE]
====
The default value for +pcmk_host_check+ is +static-list+ if either
+pcmk_host_list+ or +pcmk_host_map+ is configured. If neither of those is
configured, the default is +dynamic-list+ if the fence device supports the list
action, or +status+ if the fence device supports the status action but not the
list action. If none of those conditions apply, the default is +none+.
====

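The +pcmk_host_map+ syntax and the +pcmk_host_check+ default described in the table and note above can be written out as code. This Python sketch is an added example, not Pacemaker's own implementation: it handles only the map syntax shown in the table (+host:port,port+ entries separated by semicolons), assumes +pcmk_host_list+ entries are separated by whitespace or commas, and all function names are hypothetical.

```python
ALLOWED_CHECKS = ("dynamic-list", "static-list", "status", "none")


def parse_host_map(value):
    """Parse 'node1:1;node2:2,3' into {'node1': ['1'], 'node2': ['2', '3']}.

    Ports are kept as strings because a device may use non-numeric plug names.
    """
    mapping = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, ports = entry.partition(":")
        host = host.strip()
        port_list = [p.strip() for p in ports.split(",") if p.strip()]
        if not sep or not host or not port_list:
            raise ValueError(f"malformed pcmk_host_map entry: {entry!r}")
        mapping.setdefault(host, []).extend(port_list)
    return mapping


def effective_host_check(params, agent_actions):
    """Return the pcmk_host_check value in effect for a fence device.

    params: the device's instance attributes as a dict.
    agent_actions: set of actions the fence agent supports, e.g. {"list", "status"}.
    """
    has_static = bool(params.get("pcmk_host_list") or params.get("pcmk_host_map"))
    explicit = params.get("pcmk_host_check")
    if explicit is not None:
        if explicit not in ALLOWED_CHECKS:
            raise ValueError(f"unknown pcmk_host_check value: {explicit!r}")
        # An explicit static-list needs a list or a map to check against.
        if explicit == "static-list" and not has_static:
            raise ValueError("static-list requires pcmk_host_list or pcmk_host_map")
        return explicit
    # Defaults, in the order given in the note.
    if has_static:
        return "static-list"
    if "list" in agent_actions:
        return "dynamic-list"
    if "status" in agent_actions:
        return "status"
    return "none"


def statically_targets(params, node):
    """Under static-list, report whether the device is configured for `node`."""
    listed = params.get("pcmk_host_list", "").replace(",", " ").split()
    mapped = parse_host_map(params.get("pcmk_host_map", ""))
    return node in listed or node in mapped


if __name__ == "__main__":
    device = {"pcmk_host_map": "node1:1;node2:2,3"}  # constructed sample
    print(parse_host_map(device["pcmk_host_map"]))
    print(effective_host_check(device, {"list", "status"}))
```
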
[[s-unfencing]]
== Unfencing ==

With fabric fencing (such as cutting network or shared disk access rather than
power), it is expected that the cluster will fence the node, and
then a system administrator must manually investigate what went wrong, correct
any issues found, then reboot (or restart the cluster services on) the node.

Once the node reboots and rejoins the cluster, some fabric fencing devices
require an explicit command to restore the node's access. This capability is
called 'unfencing' and is typically implemented as the fence agent's +on+
command.

If any cluster resource has +requires+ set to +unfencing+, then that resource
will not be probed or started on a node until that node has been unfenced.

== Fence Devices Dependent on Other Resources ==

In some cases, a fence device may require some other cluster resource (such as
an IP address) to be active in order to function properly.

This is obviously undesirable in general: fencing may be required when the
depended-on resource is not active, or fencing may be required because the node
running the depended-on resource is no longer responding.

However, this may be acceptable under certain conditions:

* The dependent fence device should not be able to target any node that is
allowed to run the depended-on resource.

* The depended-on resource should not be disabled during production operation.

* The +concurrent-fencing+ cluster property should be set to +true+. Otherwise,
if both the node running the depended-on resource and some node targeted by
the dependent fence device need to be fenced, the fencing of the node
running the depended-on resource might be ordered first, making the second
fencing impossible and blocking further recovery. With concurrent fencing,
the dependent fence device might fail at first due to the depended-on
resource being unavailable, but it will be retried and eventually succeed
once the resource is brought back up.

Even under those conditions, there is one unlikely problem scenario. The DC
always schedules fencing of itself after any other fencing needed, to avoid
unnecessary repeated DC elections. If the dependent fence device targets the
DC, and both the DC and a different node running the depended-on resource need
to be fenced, the DC fencing will always fail and block further recovery. Note,
however, that losing a DC node entirely causes some other node to become DC and
schedule the fencing, so this is only a risk when a stop or other operation
with +on-fail+ set to +fencing+ fails on the DC.

== Configuring Fencing ==

. Find the correct driver:
+
----
# stonith_admin --list-installed
----

. Find the required parameters associated with the device
(replacing $AGENT_NAME with the name obtained from the previous step):
+
----
# stonith_admin --metadata --agent $AGENT_NAME
----

. Create a file called +stonith.xml+ containing a primitive resource
with a class of +stonith+, a type equal to the agent name obtained earlier,
and a parameter for each of the values returned in the previous step.

. If the device does not know how to fence nodes based on their uname,
you may also need to set the special +pcmk_host_map+ parameter. See
`man pacemaker-fenced` for details.

. If the device does not support the `list` command, you may also need
to set the special +pcmk_host_list+ and/or +pcmk_host_check+
parameters. See `man pacemaker-fenced` for details.

. If the device does not expect the victim to be specified with the
`port` parameter, you may also need to set the special
+pcmk_host_argument+ parameter. See `man pacemaker-fenced` for details.

. Upload it into the CIB using cibadmin:
+
----
# cibadmin -C -o resources --xml-file stonith.xml
----

. Set +stonith-enabled+ to true:
+
----
# crm_attribute -t crm_config -n stonith-enabled -v true
----

. Once the stonith resource is running, you can test it by executing the
following (although you might want to stop the cluster on that machine
first):
+
----
# stonith_admin --reboot nodename
----

=== Example Fencing Configuration ===

Assume we have a chassis containing four nodes and an IPMI device
active on 192.0.2.1. We would choose the `fence_ipmilan` driver,
and obtain the following list of parameters:

.Obtaining a list of Fence Agent Parameters
====
----
# stonith_admin --metadata -a fence_ipmilan
----

[source,XML]
----
<resource-agent name="fence_ipmilan" shortdesc="Fence agent for IPMI over LAN">
  <symlink name="fence_ilo3" shortdesc="Fence agent for HP iLO3"/>
  <symlink name="fence_ilo4" shortdesc="Fence agent for HP iLO4"/>
  <symlink name="fence_idrac" shortdesc="Fence agent for Dell iDRAC"/>
  <symlink name="fence_imm" shortdesc="Fence agent for IBM Integrated Management Module"/>
  <longdesc>
  </longdesc>
  <vendor-url>
  </vendor-url>
  <parameters>
    <parameter name="auth" unique="0" required="0">
      <getopt mixed="-A"/>
      <content type="string"/>
      <shortdesc lang="en">
      </shortdesc>
    </parameter>
    <parameter name="ipaddr" unique="0" required="1">
      <getopt mixed="-a"/>
      <content type="string"/>
      <shortdesc lang="en">
      </shortdesc>
    </parameter>
    <parameter name="passwd" unique="0" required="0">
      <getopt mixed="-p"/>
      <content type="string"/>
      <shortdesc lang="en">
      </shortdesc>
    </parameter>
    <parameter name="passwd_script" unique="0" required="0">
      <getopt mixed="-S"/>
      <content type="string"/>
      <shortdesc lang="en">
      </shortdesc>
    </parameter>
    <parameter name="lanplus" unique="0" required="0">
      <getopt mixed="-P"/>
      <content type="boolean"/>
      <shortdesc lang="en">
      </shortdesc>
    </parameter>
    <parameter name="login" unique="0" required="0">
      <getopt mixed="-l"/>
      <content type="string"/>
      <shortdesc lang="en">
      </shortdesc>
    </parameter>
    <parameter name="action" unique="0" required="0">
      <getopt mixed="-o"/>
      <content type="string" default="reboot"/>
      <shortdesc lang="en">
      </shortdesc>
    </parameter>
    <parameter name="timeout" unique="0" required="0">
      <getopt mixed="-t"/>
      <content type="string"/>
      <shortdesc lang="en">
      </shortdesc>
    </parameter>
    <parameter name="cipher" unique="0" required="0">
      <getopt mixed="-C"/>
      <content type="string"/>
      <shortdesc lang="en">
      </shortdesc>
    </parameter>
    <parameter name="method" unique="0" required="0">
      <getopt mixed="-M"/>
      <content type="string" default="onoff"/>
      <shortdesc lang="en">
      </shortdesc>
    </parameter>
    <parameter name="power_wait" unique="0" required="0">
      <getopt mixed="-T"/>
      <content type="string" default="2"/>
      <shortdesc lang="en">
      </shortdesc>
    </parameter>
    <parameter name="delay" unique="0" required="0">
      <getopt mixed="-f"/>
      <content type="string"/>
      <shortdesc lang="en">
      </shortdesc>
    </parameter>
    <parameter name="privlvl" unique="0" required="0">
      <getopt mixed="-L"/>
      <content type="string"/>
      <shortdesc lang="en">
      </shortdesc>
    </parameter>
    <parameter name="verbose" unique="0" required="0">
      <getopt mixed="-v"/>
      <content type="boolean"/>
      <shortdesc lang="en">
      </shortdesc>
    </parameter>
  </parameters>
  <actions>
    <action name="on"/>
    <action name="off"/>
    <action name="reboot"/>
    <action name="status"/>
    <action name="diag"/>
    <action name="list"/>
    <action name="monitor"/>
    <action name="metadata"/>
    <action name="stop" timeout="20s"/>
    <action name="start" timeout="20s"/>
  </actions>
</resource-agent>
----
====

Based on that, we would create a fencing resource fragment that might look
like this:

.An IPMI-based Fencing Resource
====
[source,XML]
----
<primitive id="Fencing" class="stonith" type="fence_ipmilan" >
  <instance_attributes id="Fencing-params" >
    <nvpair id="Fencing-passwd" name="passwd" value="testuser" />
    <nvpair id="Fencing-login" name="login" value="abc123" />
    <nvpair id="Fencing-ipaddr" name="ipaddr" value="192.0.2.1" />
    <nvpair id="Fencing-pcmk_host_list" name="pcmk_host_list" value="pcmk-1 pcmk-2" />
  </instance_attributes>
  <operations >
    <op id="Fencing-monitor-10m" interval="10m" name="monitor" timeout="300s" />
  </operations>
</primitive>
----
====

Finally, we need to enable fencing:
----
# crm_attribute -t crm_config -n stonith-enabled -v true
----

== Fencing Topologies ==

Pacemaker supports fencing nodes with multiple devices through a feature called
'fencing topologies'. Fencing topologies may be used to provide alternative
devices in case one fails, or to require multiple devices to all be executed
successfully in order to consider the node successfully fenced, or even a
combination of the two.

Create the individual devices as you normally would, then define one or more
+fencing-level+ entries in the +fencing-topology+ section of the configuration.

* Each fencing level is attempted in order of ascending +index+. Allowed
  values are 1 through 9.
* If a device fails, processing terminates for the current level.
  No further devices in that level are exercised, and the next level is attempted instead.
* If the operation succeeds for all the listed devices in a level, the level is deemed to have passed.
* The operation is finished when a level has passed (success), or all levels have been attempted (failed).
* If the operation failed, the next step is determined by the scheduler
  and/or the controller.

Some possible uses of topologies include:

* Try on-board IPMI, then an intelligent power switch if that fails
* Try fabric fencing of both disk and network, then fall back to power fencing
  if either fails
* Wait up to a certain time for a kernel dump to complete, then cut power to
  the node

.Properties of Fencing Levels
[width="95%",cols="1m,<3",options="header",align="center"]
|=========================================================

|Field
|Description

|id
|A unique name for the level
 indexterm:[id,fencing-level]
 indexterm:[Fencing,fencing-level,id]

|target
|The name of a single node to which this level applies
 indexterm:[target,fencing-level]
 indexterm:[Fencing,fencing-level,target]

|target-pattern
|An extended regular expression (as defined in
 http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html#tag_09_04[POSIX])
 matching the names of nodes to which this level applies
 indexterm:[target-pattern,fencing-level]
 indexterm:[Fencing,fencing-level,target-pattern]

|target-attribute
|The name of a node attribute that is set (to +target-value+) for nodes to
 which this level applies
 indexterm:[target-attribute,fencing-level]
 indexterm:[Fencing,fencing-level,target-attribute]

|target-value
|The node attribute value (of +target-attribute+) that is set for nodes to
 which this level applies
 indexterm:[target-value,fencing-level]
 indexterm:[Fencing,fencing-level,target-value]

|index
|The order in which to attempt the levels.
 Levels are attempted in ascending order 'until one succeeds'.
 Valid values are 1 through 9.
 indexterm:[index,fencing-level]
 indexterm:[Fencing,fencing-level,index]

|devices
|A comma-separated list of devices that must all be tried for this level
 indexterm:[devices,fencing-level]
 indexterm:[Fencing,fencing-level,devices]

|=========================================================

.Fencing topology with different devices for different nodes
====
[source,XML]
----
<cib crm_feature_set="3.0.6" validate-with="pacemaker-1.2" admin_epoch="1" epoch="0" num_updates="0">
  <configuration>
    ...
    <fencing-topology>
      <fencing-level id="f-p1.1" target="pcmk-1" index="1" devices="poison-pill"/>
      <fencing-level id="f-p1.2" target="pcmk-1" index="2" devices="power"/>

      <fencing-level id="f-p2.1" target="pcmk-2" index="1" devices="disk,network"/>
      <fencing-level id="f-p2.2" target="pcmk-2" index="2" devices="power"/>
    </fencing-topology>
    ...
  </configuration>
  <status/>
</cib>
----
====

=== Example Dual-Layer, Dual-Device Fencing Topologies ===

The following example illustrates an advanced use of +fencing-topology+ in a cluster with the following properties:

* 3 nodes (2 active prod-mysql nodes, 1 prod_mysql-rep in standby for quorum purposes)
* the active nodes have an IPMI-controlled power board reached at 192.0.2.1 and 192.0.2.2
* the active nodes also have two independent PSUs (Power Supply Units)
  connected to two independent PDUs (Power Distribution Units) reached at
  198.51.100.1 (port 10 and port 11) and 203.0.113.1 (port 10 and port 11)
* the first fencing method uses the `fence_ipmi` agent
* the second fencing method uses the `fence_apc_snmp` agent targeting 2 fencing devices (one per PSU, either port 10 or 11)
* fencing is only implemented for the active nodes and has location constraints
* fencing topology is set to try IPMI fencing first then default to a "sure-kill" dual PDU fencing

In a normal failure scenario, STONITH will first select +fence_ipmi+ to try to kill the faulty node.
Using a fencing topology, if that first method fails, STONITH will then move on to selecting +fence_apc_snmp+ twice:

* once for the first PDU
* again for the second PDU

The fence action is considered successful only if both PDUs report the required status. If any of them fails, STONITH loops back to the first fencing method, +fence_ipmi+, and so on until the node is fenced or the fencing action is cancelled.

.First fencing method: single IPMI device

Each cluster node has its own dedicated IPMI channel that can be called for fencing using the following primitives:
[source,XML]
----
<primitive class="stonith" id="fence_prod-mysql1_ipmi" type="fence_ipmilan">
  <instance_attributes id="fence_prod-mysql1_ipmi-instance_attributes">
    <nvpair id="fence_prod-mysql1_ipmi-instance_attributes-ipaddr" name="ipaddr" value="192.0.2.1"/>
    <nvpair id="fence_prod-mysql1_ipmi-instance_attributes-action" name="action" value="off"/>
    <nvpair id="fence_prod-mysql1_ipmi-instance_attributes-login" name="login" value="fencing"/>
    <nvpair id="fence_prod-mysql1_ipmi-instance_attributes-passwd" name="passwd" value="finishme"/>
    <nvpair id="fence_prod-mysql1_ipmi-instance_attributes-verbose" name="verbose" value="true"/>
    <nvpair id="fence_prod-mysql1_ipmi-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="prod-mysql1"/>
    <nvpair id="fence_prod-mysql1_ipmi-instance_attributes-lanplus" name="lanplus" value="true"/>
  </instance_attributes>
</primitive>
<primitive class="stonith" id="fence_prod-mysql2_ipmi" type="fence_ipmilan">
  <instance_attributes id="fence_prod-mysql2_ipmi-instance_attributes">
    <nvpair id="fence_prod-mysql2_ipmi-instance_attributes-ipaddr" name="ipaddr" value="192.0.2.2"/>
    <nvpair id="fence_prod-mysql2_ipmi-instance_attributes-action" name="action" value="off"/>
    <nvpair id="fence_prod-mysql2_ipmi-instance_attributes-login" name="login" value="fencing"/>
    <nvpair id="fence_prod-mysql2_ipmi-instance_attributes-passwd" name="passwd" value="finishme"/>
    <nvpair id="fence_prod-mysql2_ipmi-instance_attributes-verbose" name="verbose" value="true"/>
    <nvpair id="fence_prod-mysql2_ipmi-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="prod-mysql2"/>
    <nvpair id="fence_prod-mysql2_ipmi-instance_attributes-lanplus" name="lanplus" value="true"/>
  </instance_attributes>
</primitive>
----

.Second fencing method: dual PDU devices

Each cluster node also has two distinct power channels controlled by two
distinct PDUs. That means a total of 4 fencing devices configured as follows:

- Node 1, PDU 1, PSU 1 @ port 10
- Node 1, PDU 2, PSU 2 @ port 10
- Node 2, PDU 1, PSU 1 @ port 11
- Node 2, PDU 2, PSU 2 @ port 11

The matching fencing agents are configured as follows:
[source,XML]
----
<primitive class="stonith" id="fence_prod-mysql1_apc1" type="fence_apc_snmp">
  <instance_attributes id="fence_prod-mysql1_apc1-instance_attributes">
    <nvpair id="fence_prod-mysql1_apc1-instance_attributes-ipaddr" name="ipaddr" value="198.51.100.1"/>
    <nvpair id="fence_prod-mysql1_apc1-instance_attributes-action" name="action" value="off"/>
    <nvpair id="fence_prod-mysql1_apc1-instance_attributes-port" name="port" value="10"/>
    <nvpair id="fence_prod-mysql1_apc1-instance_attributes-login" name="login" value="fencing"/>
    <nvpair id="fence_prod-mysql1_apc1-instance_attributes-passwd" name="passwd" value="fencing"/>
    <nvpair id="fence_prod-mysql1_apc1-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="prod-mysql1"/>
  </instance_attributes>
</primitive>
<primitive class="stonith" id="fence_prod-mysql1_apc2" type="fence_apc_snmp">
  <instance_attributes id="fence_prod-mysql1_apc2-instance_attributes">
    <nvpair id="fence_prod-mysql1_apc2-instance_attributes-ipaddr" name="ipaddr" value="203.0.113.1"/>
    <nvpair id="fence_prod-mysql1_apc2-instance_attributes-action" name="action" value="off"/>
    <nvpair id="fence_prod-mysql1_apc2-instance_attributes-port" name="port" value="10"/>
    <nvpair id="fence_prod-mysql1_apc2-instance_attributes-login" name="login" value="fencing"/>
    <nvpair id="fence_prod-mysql1_apc2-instance_attributes-passwd" name="passwd" value="fencing"/>
    <nvpair id="fence_prod-mysql1_apc2-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="prod-mysql1"/>
  </instance_attributes>
</primitive>
<primitive class="stonith" id="fence_prod-mysql2_apc1" type="fence_apc_snmp">
  <instance_attributes id="fence_prod-mysql2_apc1-instance_attributes">
    <nvpair id="fence_prod-mysql2_apc1-instance_attributes-ipaddr" name="ipaddr" value="198.51.100.1"/>
    <nvpair id="fence_prod-mysql2_apc1-instance_attributes-action" name="action" value="off"/>
    <nvpair id="fence_prod-mysql2_apc1-instance_attributes-port" name="port" value="11"/>
    <nvpair id="fence_prod-mysql2_apc1-instance_attributes-login" name="login" value="fencing"/>
    <nvpair id="fence_prod-mysql2_apc1-instance_attributes-passwd" name="passwd" value="fencing"/>
    <nvpair id="fence_prod-mysql2_apc1-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="prod-mysql2"/>
  </instance_attributes>
</primitive>
<primitive class="stonith" id="fence_prod-mysql2_apc2" type="fence_apc_snmp">
  <instance_attributes id="fence_prod-mysql2_apc2-instance_attributes">
    <nvpair id="fence_prod-mysql2_apc2-instance_attributes-ipaddr" name="ipaddr" value="203.0.113.1"/>
    <nvpair id="fence_prod-mysql2_apc2-instance_attributes-action" name="action" value="off"/>
    <nvpair id="fence_prod-mysql2_apc2-instance_attributes-port" name="port" value="11"/>
    <nvpair id="fence_prod-mysql2_apc2-instance_attributes-login" name="login" value="fencing"/>
    <nvpair id="fence_prod-mysql2_apc2-instance_attributes-passwd" name="passwd" value="fencing"/>
    <nvpair id="fence_prod-mysql2_apc2-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="prod-mysql2"/>
  </instance_attributes>
</primitive>
----

.Location Constraints

To prevent STONITH from trying to run a fencing agent on the same node it is
supposed to fence, constraints are placed on all the fencing primitives:
[source,XML]
----
<constraints>
  <rsc_location id="l_fence_prod-mysql1_ipmi" node="prod-mysql1" rsc="fence_prod-mysql1_ipmi" score="-INFINITY"/>
  <rsc_location id="l_fence_prod-mysql2_ipmi" node="prod-mysql2" rsc="fence_prod-mysql2_ipmi" score="-INFINITY"/>
  <rsc_location id="l_fence_prod-mysql1_apc2" node="prod-mysql1" rsc="fence_prod-mysql1_apc2" score="-INFINITY"/>
  <rsc_location id="l_fence_prod-mysql1_apc1" node="prod-mysql1" rsc="fence_prod-mysql1_apc1" score="-INFINITY"/>
  <rsc_location id="l_fence_prod-mysql2_apc1" node="prod-mysql2" rsc="fence_prod-mysql2_apc1" score="-INFINITY"/>
  <rsc_location id="l_fence_prod-mysql2_apc2" node="prod-mysql2" rsc="fence_prod-mysql2_apc2" score="-INFINITY"/>
</constraints>
----

.Fencing topology

Now that all the fencing resources are defined, it's time to create the right topology.
We want to fence using IPMI first and, if that does not work, fence both PDUs to effectively and surely kill the node.
[source,XML]
----
<fencing-topology>
  <fencing-level devices="fence_prod-mysql1_ipmi" id="fencing-2" index="1" target="prod-mysql1"/>
  <fencing-level devices="fence_prod-mysql1_apc1,fence_prod-mysql1_apc2" id="fencing-3" index="2" target="prod-mysql1"/>
  <fencing-level devices="fence_prod-mysql2_ipmi" id="fencing-0" index="1" target="prod-mysql2"/>
  <fencing-level devices="fence_prod-mysql2_apc1,fence_prod-mysql2_apc2" id="fencing-1" index="2" target="prod-mysql2"/>
</fencing-topology>
----
Please note, in +fencing-topology+, the lowest +index+ value determines the priority of the first fencing method.

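The level-processing rules from the Fencing Topologies section, applied to this example's topology, as an added sketch that is not Pacemaker's own code. The names `load_levels` and `fence_once` and the simulated device outcomes are assumptions, and only levels that use +target+ are handled (not +target-pattern+ or +target-attribute+).

```python
import xml.etree.ElementTree as ET

# The fencing-topology fragment from this example.
TOPOLOGY_XML = """
<fencing-topology>
  <fencing-level devices="fence_prod-mysql1_ipmi" id="fencing-2" index="1" target="prod-mysql1"/>
  <fencing-level devices="fence_prod-mysql1_apc1,fence_prod-mysql1_apc2" id="fencing-3" index="2" target="prod-mysql1"/>
  <fencing-level devices="fence_prod-mysql2_ipmi" id="fencing-0" index="1" target="prod-mysql2"/>
  <fencing-level devices="fence_prod-mysql2_apc1,fence_prod-mysql2_apc2" id="fencing-1" index="2" target="prod-mysql2"/>
</fencing-topology>
"""


def load_levels(xml_text):
    """Return {target: [(index, [device, ...]), ...]} sorted by ascending index."""
    levels = {}
    for el in ET.fromstring(xml_text).iter("fencing-level"):
        level_id = el.get("id")
        index = int(el.get("index", "0"))
        if not 1 <= index <= 9:
            raise ValueError(f"{level_id}: index {index} is outside 1 through 9")
        target = el.get("target")
        if target is None:
            raise ValueError(f"{level_id}: only 'target' levels are handled here")
        devices = [d.strip() for d in el.get("devices", "").split(",") if d.strip()]
        if not devices:
            raise ValueError(f"{level_id}: no devices listed")
        levels.setdefault(target, []).append((index, devices))
    for entries in levels.values():
        entries.sort(key=lambda entry: entry[0])
    return levels


def fence_once(levels, target, device_succeeds):
    """Make one pass over the target's levels.

    device_succeeds is a callable (device name -> bool) standing in for the
    real fence agent. Returns (index of the level that passed or None,
    devices attempted in order).
    """
    attempted = []
    for index, devices in levels.get(target, []):
        for device in devices:
            attempted.append(device)
            if not device_succeeds(device):
                break          # level failed: skip its remaining devices
        else:
            return index, attempted   # every device in the level succeeded
    return None, attempted            # all levels attempted, none passed


if __name__ == "__main__":
    levels = load_levels(TOPOLOGY_XML)
    scenarios = {
        "IPMI works": set(),
        "IPMI down, both PDUs work": {"fence_prod-mysql1_ipmi"},
        "IPMI down, first PDU down": {"fence_prod-mysql1_ipmi",
                                      "fence_prod-mysql1_apc1"},
    }
    for name, broken in scenarios.items():
        passed, tried = fence_once(levels, "prod-mysql1",
                                   lambda dev: dev not in broken)
        print(f"{name}: passed level {passed}, tried {tried}")
```

In the last scenario the second PDU device is never called, because a failed device ends its level. A result of `None` is the "all levels have been attempted" outcome, after which the scheduler and/or the controller decide the next step.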
.Final configuration

Put together, the configuration looks like this:
[source,XML]
----
<cib admin_epoch="0" crm_feature_set="3.0.7" epoch="292" have-quorum="1" num_updates="29" validate-with="pacemaker-1.2">
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
        <nvpair id="cib-bootstrap-options-stonith-action" name="stonith-action" value="off"/>
        <nvpair id="cib-bootstrap-options-expected-quorum-votes" name="expected-quorum-votes" value="3"/>
        ...
      </cluster_property_set>
    </crm_config>
    <nodes>
      <node id="prod-mysql1" uname="prod-mysql1"/>
      <node id="prod-mysql2" uname="prod-mysql2"/>
      <node id="prod-mysql-rep1" uname="prod-mysql-rep1">
        <instance_attributes id="prod-mysql-rep1">
          <nvpair id="prod-mysql-rep1-standby" name="standby" value="on"/>
        </instance_attributes>
      </node>
    </nodes>
    <resources>
      <primitive class="stonith" id="fence_prod-mysql1_ipmi" type="fence_ipmilan">
        <instance_attributes id="fence_prod-mysql1_ipmi-instance_attributes">
          <nvpair id="fence_prod-mysql1_ipmi-instance_attributes-ipaddr" name="ipaddr" value="192.0.2.1"/>
          <nvpair id="fence_prod-mysql1_ipmi-instance_attributes-action" name="action" value="off"/>
          <nvpair id="fence_prod-mysql1_ipmi-instance_attributes-login" name="login" value="fencing"/>
          <nvpair id="fence_prod-mysql1_ipmi-instance_attributes-passwd" name="passwd" value="finishme"/>
          <nvpair id="fence_prod-mysql1_ipmi-instance_attributes-verbose" name="verbose" value="true"/>
          <nvpair id="fence_prod-mysql1_ipmi-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="prod-mysql1"/>
          <nvpair id="fence_prod-mysql1_ipmi-instance_attributes-lanplus" name="lanplus" value="true"/>
        </instance_attributes>
      </primitive>
      <primitive class="stonith" id="fence_prod-mysql2_ipmi" type="fence_ipmilan">
        <instance_attributes id="fence_prod-mysql2_ipmi-instance_attributes">
          <nvpair id="fence_prod-mysql2_ipmi-instance_attributes-ipaddr" name="ipaddr" value="192.0.2.2"/>
          <nvpair id="fence_prod-mysql2_ipmi-instance_attributes-action" name="action" value="off"/>
          <nvpair id="fence_prod-mysql2_ipmi-instance_attributes-login" name="login" value="fencing"/>
          <nvpair id="fence_prod-mysql2_ipmi-instance_attributes-passwd" name="passwd" value="finishme"/>
          <nvpair id="fence_prod-mysql2_ipmi-instance_attributes-verbose" name="verbose" value="true"/>
          <nvpair id="fence_prod-mysql2_ipmi-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="prod-mysql2"/>
          <nvpair id="fence_prod-mysql2_ipmi-instance_attributes-lanplus" name="lanplus" value="true"/>
        </instance_attributes>
      </primitive>
      <primitive class="stonith" id="fence_prod-mysql1_apc1" type="fence_apc_snmp">
        <instance_attributes id="fence_prod-mysql1_apc1-instance_attributes">
          <nvpair id="fence_prod-mysql1_apc1-instance_attributes-ipaddr" name="ipaddr" value="198.51.100.1"/>
          <nvpair id="fence_prod-mysql1_apc1-instance_attributes-action" name="action" value="off"/>
          <nvpair id="fence_prod-mysql1_apc1-instance_attributes-port" name="port" value="10"/>
          <nvpair id="fence_prod-mysql1_apc1-instance_attributes-login" name="login" value="fencing"/>
          <nvpair id="fence_prod-mysql1_apc1-instance_attributes-passwd" name="passwd" value="fencing"/>
          <nvpair id="fence_prod-mysql1_apc1-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="prod-mysql1"/>
        </instance_attributes>
      </primitive>
      <primitive class="stonith" id="fence_prod-mysql1_apc2" type="fence_apc_snmp">
        <instance_attributes id="fence_prod-mysql1_apc2-instance_attributes">
          <nvpair id="fence_prod-mysql1_apc2-instance_attributes-ipaddr" name="ipaddr" value="203.0.113.1"/>
          <nvpair id="fence_prod-mysql1_apc2-instance_attributes-action" name="action" value="off"/>
          <nvpair id="fence_prod-mysql1_apc2-instance_attributes-port" name="port" value="10"/>
          <nvpair id="fence_prod-mysql1_apc2-instance_attributes-login" name="login" value="fencing"/>
          <nvpair id="fence_prod-mysql1_apc2-instance_attributes-passwd" name="passwd" value="fencing"/>
          <nvpair id="fence_prod-mysql1_apc2-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="prod-mysql1"/>
        </instance_attributes>
      </primitive>
      <primitive class="stonith" id="fence_prod-mysql2_apc1" type="fence_apc_snmp">
        <instance_attributes id="fence_prod-mysql2_apc1-instance_attributes">
          <nvpair id="fence_prod-mysql2_apc1-instance_attributes-ipaddr" name="ipaddr" value="198.51.100.1"/>
          <nvpair id="fence_prod-mysql2_apc1-instance_attributes-action" name="action" value="off"/>
          <nvpair id="fence_prod-mysql2_apc1-instance_attributes-port" name="port" value="11"/>
          <nvpair id="fence_prod-mysql2_apc1-instance_attributes-login" name="login" value="fencing"/>
          <nvpair id="fence_prod-mysql2_apc1-instance_attributes-passwd" name="passwd" value="fencing"/>
          <nvpair id="fence_prod-mysql2_apc1-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="prod-mysql2"/>
        </instance_attributes>
      </primitive>
      <primitive class="stonith" id="fence_prod-mysql2_apc2" type="fence_apc_snmp">
        <instance_attributes id="fence_prod-mysql2_apc2-instance_attributes">
          <nvpair id="fence_prod-mysql2_apc2-instance_attributes-ipaddr" name="ipaddr" value="203.0.113.1"/>
          <nvpair id="fence_prod-mysql2_apc2-instance_attributes-action" name="action" value="off"/>
|
|
rpm-build |
3ee90c |
<nvpair id="fence_prod-mysql2_apc2-instance_attributes-port" name="port" value="11"/>
|
|
rpm-build |
3ee90c |
<nvpair id="fence_prod-mysql2_apc2-instance_attributes-login" name="login" value="fencing"/>
|
|
rpm-build |
3ee90c |
<nvpair id="fence_prod-mysql2_apc2-instance_attributes-passwd" name="passwd" value="fencing"/>
|
|
rpm-build |
3ee90c |
<nvpair id="fence_prod-mysql2_apc2-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="prod-mysql2"/>
|
|
rpm-build |
3ee90c |
</instance_attributes>
|
|
rpm-build |
3ee90c |
</primitive>
|
|
rpm-build |
3ee90c |
</resources>
|
|
rpm-build |
3ee90c |
<constraints>
|
|
rpm-build |
3ee90c |
<rsc_location id="l_fence_prod-mysql1_ipmi" node="prod-mysql1" rsc="fence_prod-mysql1_ipmi" score="-INFINITY"/>
|
|
rpm-build |
3ee90c |
<rsc_location id="l_fence_prod-mysql2_ipmi" node="prod-mysql2" rsc="fence_prod-mysql2_ipmi" score="-INFINITY"/>
|
|
rpm-build |
3ee90c |
<rsc_location id="l_fence_prod-mysql1_apc2" node="prod-mysql1" rsc="fence_prod-mysql1_apc2" score="-INFINITY"/>
|
|
rpm-build |
3ee90c |
<rsc_location id="l_fence_prod-mysql1_apc1" node="prod-mysql1" rsc="fence_prod-mysql1_apc1" score="-INFINITY"/>
|
|
rpm-build |
3ee90c |
<rsc_location id="l_fence_prod-mysql2_apc1" node="prod-mysql2" rsc="fence_prod-mysql2_apc1" score="-INFINITY"/>
|
|
rpm-build |
3ee90c |
<rsc_location id="l_fence_prod-mysql2_apc2" node="prod-mysql2" rsc="fence_prod-mysql2_apc2" score="-INFINITY"/>
|
|
rpm-build |
3ee90c |
</constraints>
|
|
rpm-build |
3ee90c |
<fencing-topology>
|
|
rpm-build |
3ee90c |
<fencing-level devices="fence_prod-mysql1_ipmi" id="fencing-2" index="1" target="prod-mysql1"/>
|
|
rpm-build |
3ee90c |
<fencing-level devices="fence_prod-mysql1_apc1,fence_prod-mysql1_apc2" id="fencing-3" index="2" target="prod-mysql1"/>
|
|
rpm-build |
3ee90c |
<fencing-level devices="fence_prod-mysql2_ipmi" id="fencing-0" index="1" target="prod-mysql2"/>
|
|
rpm-build |
3ee90c |
<fencing-level devices="fence_prod-mysql2_apc1,fence_prod-mysql2_apc2" id="fencing-1" index="2" target="prod-mysql2"/>
|
|
rpm-build |
3ee90c |
</fencing-topology>
|
|
rpm-build |
3ee90c |
...
|
|
rpm-build |
3ee90c |
</configuration>
|
|
rpm-build |
3ee90c |
</cib>
|
|
rpm-build |
3ee90c |
----
|
|
rpm-build |
3ee90c |
|
== Remapping Reboots ==

When the cluster needs to reboot a node, whether because +stonith-action+ is +reboot+ or because
a reboot was manually requested (such as by `stonith_admin --reboot`), it will remap that to
other commands in two cases:

. If the chosen fencing device does not support the +reboot+ command, the cluster
  will ask it to perform +off+ instead.

. If a fencing topology level with multiple devices must be executed, the cluster
  will ask all the devices to perform +off+, then ask the devices to perform +on+.

To understand the second case, consider the example of a node with redundant
power supplies connected to intelligent power switches. Rebooting one switch
and then the other would have no effect on the node. Turning both switches off,
and then on, actually reboots the node.

In such a case, the fencing operation will be treated as successful as long as
the +off+ commands succeed, because then it is safe for the cluster to recover
any resources that were on the node. Timeouts and errors in the +on+ phase will
be logged but ignored.

When a reboot operation is remapped, any action-specific timeout for the
remapped action will be used (for example, +pcmk_off_timeout+ will be used when
executing the +off+ command, not +pcmk_reboot_timeout+).
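The remapping rules above, modelled as an added Python example (not Pacemaker's own code): it reads a constructed CIB fragment that reuses the +prod-mysql1+ device names and returns the commands each topology level would run, with the timeout parameter that applies to each. The timeout values, the `no_reboot` argument and the function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed CIB fragment reusing the device names above; the timeout values
# are assumptions for this example, not settings from the original listing.
CIB = """<configuration><resources>
  <primitive class="stonith" id="fence_prod-mysql1_ipmi" type="fence_ipmilan">
    <instance_attributes id="ia-ipmi">
      <nvpair id="ia-ipmi-rt" name="pcmk_reboot_timeout" value="60s"/>
    </instance_attributes></primitive>
  <primitive class="stonith" id="fence_prod-mysql1_apc1" type="fence_apc_snmp">
    <instance_attributes id="ia-apc1">
      <nvpair id="ia-apc1-rt" name="pcmk_reboot_timeout" value="90s"/>
      <nvpair id="ia-apc1-ot" name="pcmk_off_timeout" value="20s"/>
    </instance_attributes></primitive>
  <primitive class="stonith" id="fence_prod-mysql1_apc2" type="fence_apc_snmp"/>
</resources><fencing-topology>
  <fencing-level devices="fence_prod-mysql1_ipmi" id="fencing-2" index="1" target="prod-mysql1"/>
  <fencing-level devices="fence_prod-mysql1_apc1,fence_prod-mysql1_apc2" id="fencing-3" index="2" target="prod-mysql1"/>
</fencing-topology></configuration>"""

def plan_reboot(cib_xml, target, no_reboot=frozenset()):
    """Per topology level for `target`, list (device, action, timeout) steps.

    no_reboot: devices assumed not to support 'reboot' (hypothetical input).
    A timeout of None means no action-specific timeout is configured.
    """
    root = ET.fromstring(cib_xml)
    params = {p.get("id"): {nv.get("name"): nv.get("value") for nv in p.iter("nvpair")}
              for p in root.iter("primitive") if p.get("class") == "stonith"}
    levels = sorted((lv for lv in root.iter("fencing-level") if lv.get("target") == target),
                    key=lambda lv: int(lv.get("index")))
    plan = []
    for lv in levels:
        devices = lv.get("devices").split(",")
        if len(devices) > 1:
            actions = ["off", "on"]        # case 2: all devices off, then all on
        elif devices[0] in no_reboot:
            actions = ["off"]              # case 1: device cannot reboot
        else:
            actions = ["reboot"]
        # The timeout looked up is the one for the action actually executed.
        plan.append([(d, a, params[d].get(f"pcmk_{a}_timeout"))
                     for a in actions for d in devices])
    return plan

def level_succeeded(steps, results):
    """Success depends only on non-'on' steps; 'on' failures are ignored."""
    return all(results[(d, a)] for d, a, _ in steps if a != "on")
```

For level 2, +fence_prod-mysql1_apc1+ runs +off+ with its `20s` +pcmk_off_timeout+ rather than its `90s` +pcmk_reboot_timeout+, and a failed +on+ does not change the level's result.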