[ClusterLabs] How to set up fencing/stonith

Andrei Borzenkov arvidjaar at gmail.com
Wed May 16 04:20:45 UTC 2018


16.05.2018 06:52, Casey & Gina пишет:
> Hi, I'm trying to figure out how to get fencing/stonith going with
> pacemaker.
> 
> As far as I understand it, they are both part of the same thing -
> setting up stonith means setting up fencing.  If I'm mistaken on
> that, please let me know.
> 

They are often used interchangeably, although strictly speaking fencing
refers to making sure victim node cannot access (shared) resource while
stonith refers to making sure victim node is not running, usually by
turning it off externally. Fencing in this strict sense is more limited
as there are non-shared resources that still must be arbitrated (IP
address is the best example).

> Specifically, I'm wanting to use the external/vcenter plugin.  I've
> got the required vCenter CLI software installed and tested with
> `gethosts`, `on`, `off`, etc. commands as per
> /usr/share/doc/cluster-glue/stonith/README.vcenter.  I'm struggling
> to understand how to now get it set up with pacemaker.
> 
> Both the aforementioned document as well as
> https://www.hastexo.com/resources/hints-and-kinks/fencing-vmware-virtualized-pacemaker-nodes/
> have instructions for crm, not pcs, and I'm not sure how exactly to
> translate one to the other.  What I've done before in this
> circumstance is to install crmsh, execute the crm-based command, then
> look at the resulting .xml and try to figure out a pcs command that
> creates an equivalent result.  Anyways, those two instructions give
> very different commands, and I don't really understand either.
> 
> Firstly, I'll start with the documentation file included on my
> system, as I'm assuming that should be the most authoritative.  It
> provides the following two commands as examples:
> 
> crm configure primitive vfencing stonith::external/vcenter params \ 
> VI_SERVER="10.1.1.1" VI_CREDSTORE="/etc/vicredentials.xml" \ 
> HOSTLIST="hostname1=vmname1;hostname2=vmname2" RESETPOWERON="0" \ op
> monitor interval="60s"
> 
> crm configure clone Fencing vfencing
> 
> Why is the second line there?  What does it do?  Is it necessary?
> Unfortunately the document doesn't give any explanation.
> 

My understanding it that this is legacy. Once upon a time stonith
resource had to be started on a node to be usable. Today stonith
resource only provides monitoring, and stonithd will use it even if
pacemaker resource is not active. The only requirement is that resource
is not prohibited from being active on the node.

> Secondly, looking at the web link above, it says to add a primitive
> for each node in the cluster, as well as a location.  This seems
> rather different than the above approach.  Which is more correct?
> 

Single primitive without explicit constraint should actually be enough
using more or less recent pacemaker. Of course every node must fulfill
requirements (like having vCLI installed), if there are reasons to avoid
doing it everywhere you may restrict this resource to subset of nodes.

> Lastly, searching the web for some documentation on how to do this
> with PCS, I came across
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/configuring_the_red_hat_high_availability_add-on_with_pacemaker/s1-fencedevicecreate-haar
> - which has yet another totally different way of doing things, by
> adding a "fencing device".  Attempting to fiddle around with
> fence_vmware command doesn't seem to get me anywhere - how is this
> related to the external/vcenter module?
> 

RH historically used notion of "fencing" where heartbeat/pacemaker used
"stonith". As mentioned, they are in essence the same. Things may be
different in older RH versions which used different cluster stack, I am
not familiar with them.

> So I'm really confused about what I should do, and why there seems to
> be radically different ways presented, none of which I can easily
> grasp.  I assume these questions are the same regardless of which
> particular plugin is being used...
> 
> Is there some good documentation that explains this in better detail
> and can definitively tell me the best way of going about this,
> preferably with pcs?
> 
> Thank you,
> 



More information about the Users mailing list