[Pacemaker] fencing best practices for virtual environments

Alberto Menichetti albmenichetti at tai.it
Tue Sep 11 19:06:50 UTC 2012

Hi Lars,

thank you very much for the deep explanation.


On 09/10/2012 03:42 PM, Lars Marowsky-Bree wrote:
> On 2012-09-10T14:40:43, Alberto Menichetti <albmenichetti at tai.it> wrote:
>> Sorry, maybe I'm missing something, but suppose this scenario (also
>> remember that, being a 2-node cluster, I had to set
>> no-quorum-policy="ignore"):
>> 1. the virtual center is unavailable
>> 2. an event occurs that partitions the cluster
>> 3. at this point, both the nodes could try to start a filesystem
>> resource, thus compromising the data safety.
> Because of 1, the nodes cannot fence, but will not start resources
> without a successful fence completion.
> Hence, in the case of a network partition with unavailable fencing setup
> and no-quorum-policy=ignore, resources will continue to run where they
> were running before the partition. (Which is the best one could hope for
> anyway.)
> If there's a real outage of one of the nodes, *and* the vcenter is down,
> then the surviving node won't take over because it can't fence. That
> leaves your data intact and the service down.
> Regards,
>      Lars
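
The behaviour discussed in this message, as an added example that is not part of the original post and is not Pacemaker code: a simplified two-node model that enumerates the scenarios from the thread and checks that the resource is never active on both nodes while recovery is gated on a successful fence. The names `run`, `require_fence` and `vcenter_up` are hypothetical, and the model assumes the resource ran on node A before the event and that node A wins any fence race.

```python
from itertools import product

EVENTS = ("partition", "A_dead", "B_dead")  # constructed scenarios, not captured data

def run(event, vcenter_up, require_fence=True):
    """Return the set of nodes running the resource after `event`.

    Models no-quorum-policy=ignore: every surviving node acts on its own,
    so only the fencing requirement stands between a partition and a
    double start of the filesystem resource.
    """
    alive = {"A": event != "A_dead", "B": event != "B_dead"}
    active = {"A"} if alive["A"] else set()  # resource ran on A beforehand
    for node, peer in (("A", "B"), ("B", "A")):
        if not alive[node]:
            continue
        fenced = False
        if require_fence and vcenter_up:
            # The fence agent powers the peer off (or confirms it is off).
            if alive[peer]:
                alive[peer] = False
                active.discard(peer)
            fenced = True
        # A node only recovers a resource from an unseen peer after a
        # successful fence, unless the fencing requirement is switched off.
        if node not in active and (fenced or not require_fence):
            active.add(node)
    return active

def split_brain_cases(require_fence):
    """List every (event, vcenter_up) pair where two nodes run the resource."""
    return [(e, v) for e, v in product(EVENTS, (True, False))
            if len(run(e, v, require_fence)) > 1]

if __name__ == "__main__":
    for e, v in product(EVENTS, (True, False)):
        print(f"{e:10} vcenter_up={v!s:5} -> active on {sorted(run(e, v)) or 'nobody'}")
    print("split brain with fencing required:", split_brain_cases(True))
    print("split brain without it:", split_brain_cases(False))
```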

