[ClusterLabs] Is fencing really a must for Postgres failover?

Digimer lists at alteeve.ca
Mon Feb 11 11:54:03 EST 2019


On 2019-02-11 6:34 a.m., Maciej S wrote:
> I was wondering if anyone can give a plain answer if fencing is really
> needed in case there are no shared resources being used (as far as I
> define shared resource). 
> 
> We want to use PAF or other Postgres (with replicated data files on the
> local drives) failover agent together with Corosync, Pacemaker and
> virtual IP resource and I am wondering if there is a need for fencing
> (which is very closely bound to the infrastructure) if Pacemaker is
> already controlling resource state. I know that in a failover case there
> might be a need to add functionality to recover a master that entered a
> dirty shutdown state (e.g. in case of power outage), but I can't see any
> case where fencing is really necessary. Am I wrong?
> 
> I was looking for a strict answer but I couldn't find one...
> 
> Regards,
> Maciej

Fencing is as required as wearing a seat belt in a car. You can
physically make things work, but the first time you're "in an accident",
you're screwed.

Think of it this way:

If services can run in two or more places at the same time without
coordination, you don't need a cluster, just run things everywhere. If
you need coordination though, you need fencing.

The role of fencing is to take a node that has entered into an unknown
state and force it into a known state. In a system that requires
coordination, oftentimes fencing is the only way to ensure sane operation.

Also, with Pacemaker v2, fencing (stonith) became mandatory at a
programmatic level.

-- 
Digimer
Papers and Projects: https://alteeve.com/w/
"I am, somehow, less interested in the weight and convolutions of
Einstein’s brain than in the near certainty that people of equal talent
have lived and died in cotton fields and sweatshops." - Stephen Jay Gould
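
A constructed model of the scenario in the question (two Postgres nodes with local, replicated data files and a virtual IP), added here as an illustration; it is not part of the original message and is not Pacemaker or PAF code. Node names and the `fence` stand-in are hypothetical. It shows that a network partition without fencing leaves two writable primaries whose histories diverge, even though no storage is shared.

```python
# Constructed simulation; all names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    role: str                                  # "primary" or "standby"
    powered: bool = True
    wal: list = field(default_factory=list)    # committed transactions, in order

    def write(self, txn):
        # Only a running primary accepts writes.
        if self.powered and self.role == "primary":
            self.wal.append(txn)
            return True
        return False

def fence(node):
    """Stand-in for a STONITH action: power the node off (a known state)."""
    node.powered = False
    return True

def partition_failover(use_fencing):
    a = Node("pg-a", "primary", wal=["t1", "t2"])
    b = Node("pg-b", "standby", wal=["t1", "t2"])   # fully replicated so far
    # Network partition: b loses contact with a. From b's side, a is in an
    # unknown state: it may be dead, or alive and still serving its clients.
    if use_fencing and not fence(a):
        return a, b                # cannot confirm a is down: do not promote
    b.role = "primary"             # promote the standby, move the virtual IP
    # Clients on each side of the partition keep writing.
    a.write("t3-from-clients-near-a")
    b.write("t3-from-clients-near-b")
    return a, b

def diverged(a, b):
    # Split-brain: two histories, neither of which is a prefix of the other.
    shorter, longer = sorted((a.wal, b.wal), key=len)
    return longer[:len(shorter)] != shorter

def run(use_fencing):
    a, b = partition_failover(use_fencing)
    writers = sum(n.powered and n.role == "primary" for n in (a, b))
    return {"writers": writers, "diverged": diverged(a, b)}

if __name__ == "__main__":
    print("no fencing:  ", run(False))
    print("with fencing:", run(True))
```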