The normal procedure for a master failover is that, after telling each node the new master, the daemons on the new master node are started the standard way, i.e., with voting. This, however, requires that a majority of nodes is still healthy; otherwise, the failover will result in the daemons not starting and thus a broken cluster. Therefore, reject master failovers with voting, unless we can verify that a majority of nodes is still responding.
Signed-off-by: Klaus Aehlig <[email protected]> --- lib/client/gnt_cluster.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/client/gnt_cluster.py b/lib/client/gnt_cluster.py index 0efe1d5..f1cabef 100644 --- a/lib/client/gnt_cluster.py +++ b/lib/client/gnt_cluster.py @@ -851,6 +851,14 @@ def MasterFailover(opts, args): @return: the desired exit code """ + if not opts.no_voting: + # Verify that a majority of nodes is still healthy + if not bootstrap.MajorityHealthy(): + ToStderr("Master-failover with voting is only possible if the majority" + " of nodes is still healthy; use the --no-voting option after" + " ensuring by other means that you won't end up in a dual-master" + " scenario.") + return 1 if opts.no_voting and not opts.yes_do_it: usertext = ("This will perform the failover even if most other nodes" " are down, or if this node is outdated. This is dangerous" -- 2.6.0.rc2.230.g3dd15c0
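Review bot: the new guard in MasterFailover calls `bootstrap.MajorityHealthy()`, but neither that function nor an import of `bootstrap` appears in this patch (the diffstat lists only the 8 inserted lines in lib/client/gnt_cluster.py), so please confirm that `bootstrap` is already imported in this module and that `MajorityHealthy()` was introduced in an earlier patch of the series; otherwise the check fails with an AttributeError or NameError instead of protecting the failover. The check also runs client-side before the failover is submitted, so nodes can still drop between the check and the daemon start; that is fine as a pre-flight sanity check, since voting at daemon startup remains the actual safeguard against a dual-master scenario, but the error text could say so. Minor: the message tells the operator to use `--no-voting`, and the block right below it already demands `--yes-do-it` for that path; mentioning both flags in the same message would make the intended escape route clearer.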
