[ClusterLabs] Inconclusive recap for bonding (balance-rr) vs. HA (Was: why is node fenced ?)

Jan Pokorný jpokorny at redhat.com
Thu May 30 11:53:38 EDT 2019 

On 20/05/19 14:35 +0200, Jan Pokorný wrote:
> On 20/05/19 08:28 +0200, Ulrich Windl wrote:
>>> One network interface is gone for a short period. But it's in a
>>> bonding device (round-robin), so the connection shouldn't be lost.
>>> Both nodes are connected directly, there is no switch in between.
>> 
>> I think you misunderstood: a round-robin bonding device is not
>> fault-safe IMHO, but it depends a lot on your cabling details. Also
>> you did not show the logs on the other nodes.
> 
> That was sort of my point.  I think that in this case, the
> fault tolerance together with TCP's "best effort" makes the case
> effectively fault-recoverable (except for some pathological scenarios
> perhaps) -- so the whole "value proposition" for that mode can
> make false impressions even for when it's not the case ... like
> with corosync (since it intentionally opts for unreliable
> transport for performance/scalability).
> 
> (saying that as someone who has just about a single hands-on
> experiment with bonding behind...)

Ok, I've tried to read up on the subject a bit -- still no more
hands-on so feel free to correct or amend my conclusions below.
This discusses a Linux setup.

First of all, I think that claiming further unspecified balance-rr
bonding mode to be SPOF solving solution is a myth -- and relying on
that unconditionally is a way to fail hard.

It needs in-depth considerations, I think:

1. some bonding modes (incl. mentioned balance-rr and active-backup)
   vitally depend on ability to actually detect a link failure

2. configuration of the bonding therefore needs to specify what's the
   most optimal way to detect such failures for given selection of
   network adapters (it seems the configuration for a resulting bond
   instance is shares across the enslaved devices -- it would then
   mean that preferably the same models shall be used, since this
   optimality is then shared inherently), that is, either

   - miimon, or
   - arp_interval and arp_ip_target
   
   parameters need to be specified to the kernel bonding module

   when this is not done, presumed non-SPOF interconnect still
   remains SPOF (!)

3. then, it is being discussed that there's hardly a notion of
   real-time detection of the link failure -- since all such
   indications are basically being polled for, and moreover,
   drivers for particular adapters can add up to the propagation
   delay, meaning the detection happens in order of hundreds+
   milliseconds after the fact -- which makes me think that
   such faulty link behaves essentially as a blackhole for such
   a period of time

4. finally, to get back to what I've meant with diametral differences
   between casual TCP vs. corosync (considering UDP unicast) traffic
   and which may play a role here as well, is that mentioned TCP's
   "best effort" with built-in confirmations will not normally give
   up in order of tens of seconds and more (please correct me),
   but in corosync case, with default "token" parameter of 1 second,
   multiplied with retransmit attempts (4 by default, see
   token_retransmits_before_loss_cons), we operate within the order
   of lower seconds (again, please correct me)

   therefore, specifying the above parameters for bonding in
   an excessive manner compard to corosync configuration (like
   miimon=10000) could under further circumstances mean the
   same SPOF effect, e.g. when

   - packets_per_slave parameter specified in a way it will
     contain all those possibly repeated attempts in the
     corosync exchange (selected link may be, out of bad luck,
     be the faulty one while the failure hasn't been detected
     yet)

   - (unsure if can happen) when logical messages corosync
     exchanges doesn't fit a single UDP datagram (low MTU?), and
     packets_per_slave is 1 (default), complete message is
     never successfully transmitted, since its part will always
     be carried over the faulty link (again, while its failure
     hasn't been detected yet), IIUIC


Looks quite tricky, overall.  Myself, I'd likely opt to live with
admitted SPOF than with something that's possibly haisen-SPOF
(your mileage may vary, don't take it as FUD, just a reminder
that discretion is always needed in HA world).

I didn't investigate more, but if there are any bonding modes with
actual redundancy, it could be a more reliable SPOF-in-interconnect
avoidance (but then, you also need more switches...).  I don't know
enough to comment on RRP (allegedly discouraged[1]) or kronosnet
for such a task.

Would be glad if someone more knowledgable could chime in to share
the insights and show where the limits to bonding are, especially
in HA settings.


Some references:

https://github.com/torvalds/linux/blob/master/Documentation/networking/bonding.txt
https://wiki.linuxfoundation.org/networking/bonding
https://wiki.debian.org/Bonding


[1] https://lists.clusterlabs.org/pipermail/users/2019-April/025651.html

-- 
Jan (Poki)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.clusterlabs.org/pipermail/users/attachments/20190530/9c3834ca/attachment.sig>

More information about the Users mailing list