[ClusterLabs] Wtrlt: Antw: Re: Antw: Re: how important would you consider to have two independent fencing device for each node ?
Ulrich Windl
Ulrich.Windl at rz.uni-regensburg.de
Thu Apr 20 06:43:52 UTC 2017
Should have gone to the list...
>>>> Digimer <lists at alteeve.ca> schrieb am 19.04.2017 um 17:20 in Nachricht
> <600637f1-fef8-0a3d-821c-7aecfa398ee2 at alteeve.ca>:
> > On 19/04/17 02:38 AM, Ulrich Windl wrote:
> >>>>> Digimer <lists at alteeve.ca> schrieb am 18.04.2017 um 19:08 in
Nachricht
> >> <26e49390-b384-b46e-4965-eba5bfe59636 at alteeve.ca>:
> >>> On 18/04/17 11:07 AM, Lentes, Bernd wrote:
> >>>> Hi,
> >>>>
> >>>> i'm currently establishing a two node cluster. Each node is a HP
server
> >> with
> >>> an ILO card.
> >>>> I can fence both of them, it's working fine.
> >>>> But what is if the ILO does not work correctly ? Then fencing is not
> >>> possible.
> >>>
> >>> Correct. If you only have iLO fencing, then the cluster would hang
> >>> (failed fencing is *not* an indication of node death).
> >>>
> >>>> I also have a switched PDU from APC. Each server has two power
supplies.
> >>> Currently one is connected to the normal power equipment, the other to
the
> >>> UPS.
> >>>> As a sort of redundancy, if the UPS does not work properly.
> >>>
> >>> That's a fine setup.
> >>>
> >>>> When i'd like to use the switched PDU as a fencing device i will loose
the
> >>
> >>> redundancy of two independent power sources, because then i have to
connect
> >>
> >>> both power supplies together to the UPS.
> >>>> I wouldn't like to do that.
> >>>
> >>> Not if you have two switched PDUs. This is what we do in our Anvil!
> >>> systems... One PDU feeds the first PSU in each node and the second PDU
> >>> feeds the second PSUs. Ideally both PDUs are fed by UPSes, but that's
> >>> not as important. One PDU on a UPS and one PDU directly from mains will
> >>> work.
> >>>
> >>>> How important would you consider to have two independent fencing device
for
> >>
> >>> each node ? I'd can't by another PDU, currently we are very poor.
> >>>
> >>> Depends entirely on your tolerance for interruption. *I* answer that
> >>> with "extremely important". However, most clusters out there have only
> >>> IPMI-based fencing, so they would obviously say "not so important".
> >>>
> >>>> Is there another way to create a second fencing device, independent
from
> >> the
> >>> ILO card ?
> >>>>
> >>>> Thanks.
> >>>
> >>> Sure, SBD would work. I've never seen IPMI not have a watchdog timer
> >>> (and iLO is IPMI++), as one example. It's slow, and needs shared
> >>> storage, but a small box somewhere running a small tgtd or iscsid
should
> >>> do the trick (note that I have never used SBD myself...).
> >>
> >> Slow is relative: If it takes 3 seconds from issuing the reset command
until
> >> the node is dead, it's fast enough for most cases. Even a switched PDU
has
> > some
> >> delays: The command has to be processed, the relay may "stick" a short
> > moment,
> >> the power supply's capacitors have to discharge (if you have two power
> > supplys,
> >> both need to)... And iLOs don't really like to be powered off.
> >>
> >> Ulrich
> >
> > The way I understand SBD, and correct me if I am wrong, recovery won't
> > begin until sometime after the watchdog timer kicks. If the watchdog
> > timer is 60 seconds, then your cluster will hang for >60 seconds (plus
> > fence delays, etc).
>
> I think it works differently: One task periodically reads ist mailbox slot
> for commands, and once a comment was read, it's executed immediately. Only
if
> the read task does hang for a long time, the watchdog itself triggers a
reset
> (as SBD seems dead). So the delay is actually made from the sum of "write
> delay", "read delay", "command excution".
>
> The manual page (LSES 11 SP4) states: "Set watchdog timeout to N seconds.
> This depends mostly on your storage latency; the majority of devices must be
> successfully read within this time, or else the node will self-fence." and
> "If a watchdog is used together with the "sbd" as is strongly recommended,
> the watchdog is activated at initial start of the sbd daemon. The watchdog
is
> refreshed every time the majority of SBD devices has been successfully read.
> Using a watchdog provides additional protection against "sbd" crashing."
>
> Final remark: I thing the developers of sbd were under drugs (or never saw a
> UNIX program before) when designing the options. For example: "-W Enable or
> disable use of the system watchdog to protect against the sbd processes
> failing and the node being left in an undefined state. Specify this once to
> enable, twice to disable." (MHO)
>
> Regards,
> Ulrich
>
> >
> > IPMI and PDUs can confirm fence the peer if ~5 seconds (plus fence
delays).
> >
> > --
> > Digimer
> > Papers and Projects: https://alteeve.com/w/
> > "I am, somehow, less interested in the weight and convolutions of
> > Einstein’s brain than in the near certainty that people of equal talent
> > have lived and died in cotton fields and sweatshops." - Stephen Jay Gould
>
>
>
>
More information about the Users
mailing list