[Pacemaker] Fencing of movable VirtualDomains

Daniel Dehennin daniel.dehennin at baby-gnu.org
Thu Oct 2 12:41:39 EDT 2014


Hello,

I'm setting up a 3-node OpenNebula[1] cluster on Debian Wheezy, using a
SAN for shared storage and KVM as the hypervisor.

The OpenNebula frontend runs in a VM for HA[2].

I had quorum issues when the node running the frontend died, as the
two remaining nodes lost quorum, so I added a pure quorum node in
standby="on" mode.

My physical hosts are fenced using stonith:external/ipmi, which works
great: one stonith device per node, with an anti-location constraint so
a node never runs its own fencing device.
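
For reference, each physical node has a device roughly like this one
(the IP address and credentials here are placeholders, not my real
values):

#+begin_src
primitive Stonith-nebula2-IPMILAN stonith:external/ipmi \
        params hostname="nebula2" ipaddr="192.0.2.2" \
        userid="admin" passwd="secret" interface="lanplus" \
        pcmk_host_list="nebula2" pcmk_host_check="static-list" \
        op monitor interval="30m"
location Stonith-nebula2-IPMILAN-not-on-itself Stonith-nebula2-IPMILAN \
        -inf: nebula2
#+end_src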

I have more trouble fencing the VMs, since they can move between hypervisors.

I tried to define one stonith device per VM and colocate it with the VM
itself, like this:

#+begin_src
primitive ONE-Frontend ocf:heartbeat:VirtualDomain \
        params config="/var/lib/one/datastores/one/one.xml" \
        op start interval="0" timeout="90" \
        op stop interval="0" timeout="100" \
        meta target-role="Stopped"
primitive Quorum-Node ocf:heartbeat:VirtualDomain \
        params config="/var/lib/one/datastores/one/quorum.xml" \
        op start interval="0" timeout="90" \
        op stop interval="0" timeout="100" \
        meta target-role="Started" is-managed="true"
primitive Stonith-Quorum-Node stonith:external/libvirt \
        params hostlist="quorum" hypervisor_uri="qemu:///system" \
        pcmk_host_list="quorum" pcmk_host_check="static-list" \
        op monitor interval="30m" \
        meta target-role="Started"
location ONE-Fontend-fenced-by-hypervisor Stonith-ONE-Frontend \
        rule $id="ONE-Fontend-fenced-by-hypervisor-rule" inf: #uname ne quorum or #uname ne one
location ONE-Frontend-run-on-hypervisor ONE-Frontend \
        rule $id="ONE-Frontend-run-on-hypervisor-rule" 20: #uname eq nebula1 \
        rule $id="ONE-Frontend-run-on-hypervisor-rule-0" 30: #uname eq nebula2 \
        rule $id="ONE-Frontend-run-on-hypervisor-rule-1" 40: #uname eq nebula3
location Quorum-Node-fenced-by-hypervisor Stonith-Quorum-Node \
        rule $id="Quorum-Node-fenced-by-hypervisor-rule" inf: #uname ne quorum or #uname ne one
location Quorum-Node-run-on-hypervisor Quorum-Node \
        rule $id="Quorum-Node-run-on-hypervisor-rule" 50: #uname eq nebula1 \
        rule $id="Quorum-Node-run-on-hypervisor-rule-0" 40: #uname eq nebula2 \
        rule $id="Quorum-Node-run-on-hypervisor-rule-1" 30: #uname eq nebula3
colocation Fence-ONE-Frontend-on-its-hypervisor inf: ONE-Frontend \
        Stonith-ONE-Frontend
colocation Fence-Quorum-Node-on-its-hypervisor inf: Quorum-Node \
        Stonith-Quorum-Node
property $id="cib-bootstrap-options" \
        dc-version="1.1.7-ee0730e13d124c3d58f00016c3376a1de5323cff" \
        cluster-infrastructure="openais" \
        expected-quorum-votes="5" \
        stonith-enabled="true" \
        last-lrm-refresh="1412242734" \
        stonith-timeout="30" \
        symmetric-cluster="false"
#+end_src

But I cannot start the Quorum-Node resource; I get the following in the logs:

#+begin_src
info: can_fence_host_with_device: Stonith-nebula2-IPMILAN can not fence quorum: static-list
#+end_src

If I read that correctly, the IPMI devices can only fence the physical
hosts in their static pcmk_host_list, so no device claims to be able to
fence the "quorum" VM. All the examples I found describe a
configuration where each VM stays on a single hypervisor; in that case
libvirtd is configured to listen on TCP and “hypervisor_uri” points to it.
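
Those static setups look roughly like this (the VM name "myvm" and the
hypervisor "host1" are placeholders from the examples, not my cluster):

#+begin_src
# Static case: the VM always runs on the same hypervisor, whose
# libvirtd listens on TCP.
primitive Stonith-myvm stonith:external/libvirt \
        params hostlist="myvm" \
        hypervisor_uri="qemu+tcp://host1/system" \
        pcmk_host_list="myvm" pcmk_host_check="static-list" \
        op monitor interval="30m"
#+end_src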

Does someone have ideas on how to configure stonith:external/libvirt
for VMs that can move between hypervisors?

Regards.

Footnotes: 
[1]  http://opennebula.org/

[2]  http://docs.opennebula.org/4.8/advanced_administration/high_availability/oneha.html

-- 
Daniel Dehennin
Retrieve my GPG key: gpg --recv-keys 0xCC1E9E5B7A6FE2DF
Fingerprint: 3E69 014E 5C23 50E8 9ED6  2AAD CC1E 9E5B 7A6F E2DF

