[Pacemaker] DRBD and fencing

Lars Ellenberg lars.ellenberg at linbit.com
Thu Mar 11 06:16:47 EST 2010


On Thu, Mar 11, 2010 at 03:34:50PM +0800, Martin Aspeli wrote:
> I was wondering, though, if fencing at the DRBD level would get
> around the possible problem with a full power outage taking the
> fencing device down.
> 
> In my poor understanding of things, it'd work like this:
> 
>  - Pacemaker runs on master and slave
>  - Master loses all power
>  - Pacemaker on slave notices something is wrong, and prepares to
> start up postgres on slave, which will now also be the one writing
> to the DRBD disk
>  - Before it can do that, it wants to fence off DRBD
>  - It does that by saying to the local DRBD, "even if the other node
> tries to send you stuff, ignore it".

If DRBD is still connected, and the other side is "Primary",
and you did not allow-two-primaries, the local side will refuse
to be promoted.

If you want it to go Primary anyways,
you can of course disconnect it: drbdadm disconnect
Then make it primary.

And live with (likely) diverging datasets.
(aka "resource internal split brain")

You later need to choose which dataset is going to survive.

See the DRBD User's Guide for how to "resolve" split brains.
Do NOT configure auto-recover policies
unless you mean to automatically destroy data
(some do; which is why these policies exist).

> This would avoid the risk of
> data corruption on slave. Before master could come back up, it'd
> need to wipe its local partition and re-sync from slave (which is
> now the new primary).

Maybe just read the whole DRBD User's Guide, that should resolve any
conceptual misunderstandings of DRBD you may still have.

-- 
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.



