[ClusterLabs] Pacemaker startup-fencing

Lars Ellenberg lars.ellenberg at linbit.com
Wed Mar 16 13:18:20 UTC 2016


On Wed, Mar 16, 2016 at 01:47:52PM +0100, Ferenc Wágner wrote:
> >> And some more about fencing:
> >>
> >> 3. What's the difference in cluster behavior between
> >>    - stonith-enabled=FALSE (9.3.2: how often will the stop operation be retried?)
> >>    - having no configured STONITH devices (resources won't be started, right?)
> >>    - failing to STONITH with some error (on every node)
> >>    - timing out the STONITH operation
> >>    - manual fencing
> >
> > I do not think there is much difference. Without fencing pacemaker
> > cannot make a decision to relocate resources so the cluster will be stuck.
> 
> Then I wonder why I hear the "must have working fencing if you value
> your data" mantra so often (and always without explanation).  After all,
> it does not risk the data, only the automatic cluster recovery, right?

stonith-enabled=false
means:
if some node becomes unresponsive,
it is immediately *assumed* it was "clean" dead.
no fencing takes place,
resource takeover happens without further protection.

That very much risks at least data divergence (replicas evolving
independently), if not data corruption (shared disks and the like).

-- 
: Lars Ellenberg
: LINBIT | Keeping the Digital World Running
: DRBD -- Heartbeat -- Corosync -- Pacemaker
: R&D, Integration, Ops, Consulting, Support
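
An added example, not part of the original message: a check over a CIB XML dump (such as `cibadmin --query` produces) that flags the `stonith-enabled=false` case described above. The sample CIB fragments and the function name `fencing_posture` are constructed for illustration, and treating any non-true definition as "disabled" is a conservative simplification of how Pacemaker resolves multiple property sets.

```python
import xml.etree.ElementTree as ET

# Constructed CIB fragments for illustration (not from a real cluster).
def _cib(props, resources):
    return ("<cib><configuration><crm_config>"
            '<cluster_property_set id="cib-bootstrap-options">' + props +
            "</cluster_property_set></crm_config><resources>" + resources +
            "</resources></configuration></cib>")

DRBD = '<primitive id="drbd0" class="ocf" provider="linbit" type="drbd"/>'
FENCE = ('<clone id="fence-clone">'
         '<primitive id="fence0" class="stonith" type="fence_ipmilan"/></clone>')

CIB_DISABLED = _cib('<nvpair id="o1" name="stonith-enabled" value="False"/>',
                    DRBD + FENCE)
CIB_NO_DEVICE = _cib("", DRBD)  # property unset, no stonith resource defined
CIB_FENCED = _cib('<nvpair id="o1" name="stonith-enabled" value="true"/>',
                  DRBD + FENCE)

# Spellings Pacemaker accepts for a true boolean (compared case-insensitively).
TRUE_VALUES = {"true", "yes", "on", "y", "1"}

def fencing_posture(cib_xml):
    """Classify a CIB dump as 'disabled', 'no-devices' or 'fenced'."""
    root = ET.fromstring(cib_xml)
    values = [nv.get("value", "").strip().lower()
              for nv in root.iterfind("./configuration/crm_config//nvpair")
              if nv.get("name") == "stonith-enabled"]
    # Unset means enabled (Pacemaker's default). Assumption: if any
    # definition is not true, report the risky state.
    if any(v not in TRUE_VALUES for v in values):
        # Unresponsive nodes are assumed cleanly dead; takeover proceeds
        # without protection, even if a fence device is still defined.
        return "disabled"
    devices = [p.get("id")
               for p in root.iterfind("./configuration/resources//primitive")
               if p.get("class") == "stonith"]
    # Enabled but nothing to fence with is a different failure mode from
    # 'disabled': there is no device that could confirm a node is down.
    return "fenced" if devices else "no-devices"

if __name__ == "__main__":
    for name, cib in [("disabled", CIB_DISABLED),
                      ("no device", CIB_NO_DEVICE),
                      ("fenced", CIB_FENCED)]:
        print(f"{name:10s} -> {fencing_posture(cib)}")
```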



