<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 17, 2022 at 9:27 AM Ulrich Windl <<a href="mailto:Ulrich.Windl@rz.uni-regensburg.de" target="_blank">Ulrich.Windl@rz.uni-regensburg.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">>>> Klaus Wenninger <<a href="mailto:kwenning@redhat.com" target="_blank">kwenning@redhat.com</a>> schrieb am 16.02.2022 um 16:26 in<br>
Nachricht<br>
<<a href="mailto:CALrDAo28tNtQZORawC3Qg1%2B6pN8_EFbm-MSNrQcLcfa3kPBmqg@mail.gmail.com" target="_blank">CALrDAo28tNtQZORawC3Qg1+6pN8_EFbm-MSNrQcLcfa3kPBmqg@mail.gmail.com</a>>:<br>
> On Wed, Feb 16, 2022 at 3:09 PM Ulrich Windl <<br>
> <a href="mailto:Ulrich.Windl@rz.uni-regensburg.de" target="_blank">Ulrich.Windl@rz.uni-regensburg.de</a>> wrote:<br>
> <br>
>> Hi!<br>
>><br>
>> When changing some FC cables I noticed that sbd complained 2 seconds after<br>
>> the connection went down (event though the device is multi-pathed with<br>
>> other paths being still up).<br>
>> I don't know any sbd parameter being set so low that after 2 seconds sbd<br>
>> would panic. Which parameter (if any) is responsible for that?<br>
>><br>
>> In fact multipath takes up to 5 seconds to adjust paths.<br>
>><br>
>> Here are some sample events (sbd-1.5.0+20210720.f4ca41f-3.6.1.x86_64 from<br>
>> SLES15 SP3):<br>
>> Feb 14 13:01:36 h18 kernel: qla2xxx [0000:41:00.0]-500b:3: LOOP DOWN<br>
>> detected (2 7 0 0).<br>
>> Feb 14 13:01:38 h18 sbd[6621]: /dev/disk/by-id/dm-name-SBD_1-3P2:<br>
>> error: servant_md: slot read failed in servant.<br>
>> Feb 14 13:01:38 h18 sbd[6619]: /dev/disk/by-id/dm-name-SBD_1-3P1:<br>
>> error: servant_md: mbox read failed in servant.<br>
>> Feb 14 13:01:40 h18 sbd[6615]: warning: inquisitor_child: Servant<br>
>> /dev/disk/by-id/dm-name-SBD_1-3P1 is outdated (age: 11)<br>
>> Feb 14 13:01:40 h18 sbd[6615]: warning: inquisitor_child: Servant<br>
>> /dev/disk/by-id/dm-name-SBD_1-3P2 is outdated (age: 11)<br>
>> Feb 14 13:01:40 h18 sbd[6615]: warning: inquisitor_child: Majority of<br>
>> devices lost - surviving on pacemaker<br>
>> Feb 14 13:01:42 h18 kernel: sd 3:0:3:2: rejecting I/O to offline device<br>
>> Feb 14 13:01:42 h18 kernel: blk_update_request: I/O error, dev sdbt,<br>
>> sector 2048 op 0x0:(READ) flags 0x4200 phys_seg 1 prio class 1<br>
>> Feb 14 13:01:42 h18 kernel: device-mapper: multipath: 254:17: Failing path<br>
>> 68:112.<br>
>> Feb 14 13:01:42 h18 kernel: sd 3:0:1:2: rejecting I/O to offline device<br>
>><br>
>> Most puzzling is the fact that sbd reports a problem 4 seconds before the<br>
>> kernel reports an I/O error. I guess sbd "times out" the pending read.<br>
>><br>
> Yep - that is timeout_io defaulting to 3s.<br>
> You can set it with -I daemon start parameter.<br>
> Together with the rest of the default-timeout-scheme the 3s do make sense.<br>
> Not sure but if you increase that significantly you might have to adapt<br>
> other timeouts.<br>
<br>
We extended the timeouts so that sbd would survive an online firmware update of the storage system which may cause it not to respond for up to 30 seconds when the controllers restart.<br>
<br>
> There are a certain number of checks regarding relationship of timeouts but<br>
> they might not be exhaustive.<br>
> <br>
>><br>
>> The thing is: Both SBD disks are on different storage systems, each being<br>
>> connected by two separate FC fabrics, but still when disconnecting one<br>
>> cable from the host sbd panics.<br>
>> My guess is if "surviving on pacemaker" would not have happened, the node<br>
>> would be fenced; is that right?<br>
>><br>
>> The other thing I wonder is the "outdated age":<br>
>> How can the age be 11 (seconds) when the disk was disconnected 4 seconds<br>
>> ago?<br>
>> It seems here the age is "current time - time_of_last read" instead of<br>
>> "current_time - time_when read_attempt_started".<br>
>><br>
> Exactly! And that is the correct way to do it as we need to record the time<br>
> passed since last successful read.<br>
> There is no value in starting the clock when we start the read attempt as<br>
> these attempts are not synced throughout<br>
> the cluster.<br>
<br>
I don't understand: There is no heartbeat written to SBD that has to be read; instead the device is polled for messages.<br>
So the important point is how much the polling is delayed by some problem (not by some deliberate sleep).<br>
And I don't see why the measurement has to be synced throughout the cluster: Local is enough.<br>
<br></blockquote><div>I'm afraid I'm not really getting your point below.</div><div><br></div><div>Anyway the important part is that the last time having read the mailbox successfully as empty mustn't</div><div>be older than basically msgwait. (partly a result of the polls not synced throughout the cluster)</div><div>As we on top need to take into account signalling between the processes + poll-cycle + x the actual read </div><div>io-timeout should be substantially shorter.</div><div>Purpose of the code is not to print any critical logs but send heartbeats to the inquisitor so I guess there</div><div>is no real point in making it more complicated (and thus risky to fail - especially by making the code </div><div>multi-threaded if I'm getting that right) than it has to be.</div><div>We on top shouldn't mix responsibilities of the sbd-processes like the disk-watcher e.g. checking for msgwait-timeout.</div><div>If it takes too long we let it timeout and try again. And if the timeout is too short for the disk-setup then the io-timeout</div><div>should be raised to an appropriate value.</div><div>Purpose of the poll cycle is to define a maximum poll-rate. That makes it somehow related to</div><div>the io-timeout but I'm not sure if it is a good measure for some kind of a warning-level. I'd</div><div>prefer an explicit value or a percentage of the io-timeout.</div><div><br></div><div>But of course I could think of a couple of improvements that might at least be worth consideration:</div><div><br></div><div>- introduce a shorter warning-timeout on io_getevents we can use to issue a warning</div><div> timeout that indicates we are getting close to critical timeouts (similar as done with</div><div> msgwait-timeout elsewhere) - afterwards we'd have it wait for the rest</div><div>- introduce some automatism allowing a more relaxed io-timeout if other timeouts would allow</div><div> (like not a fixed default but something derived from other settings - but we always should be</div><div> careful introducing this kind of things instead of making each and every timeout</div><div> explicit and maybe just warn or error out it we find inconsistencies)</div><div>- maybe distribute io-timeout via the header together with other timeouts - again the drawbacks</div><div> of introducing a new header-format(-version) have to be taken into account</div><div><br></div><div>Regards,</div><div>Klaus</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Well, maybe I'm a bit to picky, but I wrote some code that handles read stalls, and it took me a few iterations to get it right.<br>
The interesting part is when the delay exceeds the polling interval, so critical alerts can be created while waiting for a response, but still counting as just "one" event:<br>
20220215 201347 (W)monitor_thread: no I/O for seq 14 at 503949.8447422 since 8.1015658, exceeding deadline at 503956.0947422 by 1.8515658<br>
20220215 201347 (N)check_thresholds: CRITICAL (max:1): 8.1015658 > 1.0000000<br>
20220215 201349 (W)monitor_thread: no I/O for seq 14 at 503949.8447422 since 10.6018244, exceeding deadline at 503956.0947422 by 4.3518244<br>
20220215 201349 (N)check_thresholds: CRITICAL (max:1): 10.6018244 > 1.0000000<br>
20220215 201352 (W)monitor_thread: no I/O for seq 14 at 503949.8447422 since 13.1020604, exceeding deadline at 503956.0947422 by 6.8520604<br>
20220215 201352 (N)check_thresholds: CRITICAL (max:1): 13.1020604 > 1.0000000<br>
20220215 201354 (W)monitor_thread: no I/O for seq 14 at 503949.8447422 since 15.6022895, exceeding deadline at 503956.0947422 by 9.3522895<br>
20220215 201354 (N)check_thresholds: CRITICAL (max:1): 15.6022895 > 1.0000000<br>
20220215 201357 (W)monitor_thread: no I/O for seq 14 at 503949.8447422 since 18.1025207, exceeding deadline at 503956.0947422 by 11.8525207<br>
20220215 201357 (N)check_thresholds: CRITICAL (max:1): 18.1025207 > 1.0000000<br>
20220215 201359 (W)monitor_thread: no I/O for seq 14 at 503949.8447422 since 20.6027195, exceeding deadline at 503956.0947422 by 14.3527195<br>
20220215 201359 (N)check_thresholds: CRITICAL (max:1): 20.6027195 > 1.0000000<br>
20220215 201400 (W)timing_thread: I/O delay 21.2324845 exceeded poll delay 5.0000000 (seq 14)<br>
20220215 201402 (N)check_thresholds: CRITICAL (max:2): 21.2324845 > 1.0000000<br>
<br>
Regards,<br>
Ulrich<br>
> <br>
> Regards,<br>
> Klaus<br>
> <br>
>><br>
>> Regards,<br>
>> Ulrich<br>
>><br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> Manage your subscription:<br>
>> <a href="https://lists.clusterlabs.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.clusterlabs.org/mailman/listinfo/users</a> <br>
>><br>
>> ClusterLabs home: <a href="https://www.clusterlabs.org/" rel="noreferrer" target="_blank">https://www.clusterlabs.org/</a> <br>
>><br>
>><br>
<br>
<br>
<br>
_______________________________________________<br>
Manage your subscription:<br>
<a href="https://lists.clusterlabs.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.clusterlabs.org/mailman/listinfo/users</a><br>
<br>
ClusterLabs home: <a href="https://www.clusterlabs.org/" rel="noreferrer" target="_blank">https://www.clusterlabs.org/</a><br>
<br>
</blockquote></div></div>