Lars Marowsky-Bree wrote:
> On 2007-07-13T13:34:59, Alan Robertson <[EMAIL PROTECTED]> wrote:
> 
>> Here's the bugzilla for that capability:
>> http://old.linux-foundation.org/developer_bugzilla/show_bug.cgi?id=1497
>>
>> This would greatly improve the situation for 2-node clusters and in most
>> cases would eliminate the possibility of mutual-STONITH.
> 
> This is what people are currently using quorumd for, and I actually
> think it is the smarter choice. (As in - the quorumd process has smarts
> to decide, whereas a ping node is just dumb and might return pings to
> both, in particular in the case of broken switches and stuff.)

_Of course_ quorumd does that job better - that's why I designed it -
over Lars' violent objections ;-).  It's also a lot more trouble to set
up.  The proposed ping quorum tiebreaker is much better than nothing -
which is exactly what most people are using, and it's trivial to set up.
 It provides a perfect fill-in-the-gap solution for people with a small
number of clusters.

Since it's STONITH that protects the data, all this protects you from is
mutual STONITH in some rare cases.  No data would be jeopardized by
using such a plugin.

Quorum modules can be used in sequence, and each returns one of three
values:
        HAVEQUORUM
        QUORUMTIE
        NOQUORUM

Only if a module returns QUORUMTIE is the next module consulted.  So,
the subsequent ones are used to "break the tie" given by previous
modules.  If the last module returns QUORUMTIE, it is treated as NOQUORUM.

So, for the rest of the crowd who doesn't know what's being discussed
here and the history behind it, here's a little more info about the
different quorum modules (all but one are implemented already).  They're
mostly listed in order of decreasing "quality" and also decreasing
complexity (except for majority vote, which is really simple)

  MajorityVote - returns TRUE if nactive >= ((nnode/2)+1).  This
            is a very traditional majority quorum method.  It can
            only produce false positives when the arithmetic fails,
            or if the underlying membership method fails to give
            a valid result.  It returns QUORUMTIE if
            nactive*2 == nnode.

  Quorumd - a software version of SCSI reserve (or equivalent)
            used as a sort of quorum tiebreaker.  Very useful for
            clusters with even numbers of nodes - _especially_ 2-node
            clusters.  A single quorumd can serve dozens or hundreds
            of clusters.  Don't misunderstand - it's not
            perfect, but it's reasonable.
            Improbable to cause false positives for quorum.
            You have to set up this quorum daemon, digital certificates
            for client and server, and ideally put it in a cluster with
            STONITH.  So, 1-2 more servers, and quite a bit of
            administrative overhead, and still the problem with
            quorum for the quorum daemon cluster ;-).
            Essential for clusters which are split across sites.
            Most probable cause of its giving a false positive:
                bug in the code.

 ping-quorum-thing:
        - A very simple poor-man's analog to the quorum daemon.
          All you have to have is something both nodes in the
          cluster can ping, and away you go.  Very simple to
          set up (just need something to ping), but certain
          kinds of network failure  conditions can result in false
          positives.  Here's what it takes to make this happen:
                1. both nodes are really up but can't communicate
                   with each other by any communication path.
                   AND
                2. Both nodes can ping this common node and
                   get a response back.
          The most probable condition in which this will occur
          is someone messing up the firewalls on _both_ machines
          at the same time.  Very odd switch failures can cause
          this as well - but are very unlikely.  Arp cache being
          hosed might also cause this.
          If the configuration includes
          no ping nodes, then this module should return QUORUMTIE.
          Very useful for a cluster which is _implementing_ the
          Quorumd service - unless you have two in your site (meaning
          four nodes).

two-node-quorum-tiebreaker:
          This module just says "If I have 2 nodes, I have quorum".
          This is very likely to produce false positive quorum
          indications.  Any time the two machines are both up and
          can't communicate by any path, then this will ALWAYS
          cause a false positive.  It's literally trivial to set
          up (it's the default).  It returns QUORUMTIE if the
          cluster has more than 2 nodes, or HASQUORUM otherwise.

And, what happens if your quorum service gives you a false positive?
        In all cases the same thing:  You might have both nodes
        each STONITH the other - assuming the communication failure
        still allows each node to communicate with the STONITH device.
        Is data harmed?  No.
        Is it annyoing?  Absolutely.
        Will it loop until humans intervene?  If rebooting the nodes
        fixes the cluster communication, then it will stop.  If it
        doesn't, then it will repeat until something intervenes to
        stop one of the nodes, or fix the network problem.

No method is perfect.  Given enough perversity in the universe, any
method _can_ fail.  Choose the most appropriate one for your environment.

Our current default is:
        MajorityVote, TwoNode

In my view, the right _default_ configuration if we had all these
implemented is:
        majorityvote
        pingquorum
        twonode

Then it would work like this:
        If we have a majority then we have quorum
        If we have exactly half the nodes, and have ping nodes
                configured and we can ping all our ping nodes (or >n/2?)
                then we have quorum
        If we have exactly half the nodes and have no ping
                nodes configured, and 2 nodes in
                the configuration, then we have quorum.

You cannot make the quorum daemon the default.  It is complex to
configure, and there is no way to automatically configure it in.  So,
this is a better alternative for the default than the current
"majority,2node" configuration.

This does not diminish in any way Lars' comments about the quorum daemon
providing a higher quality result than this.  That's by design.

But, this is a better two-node default than we could get any other way
that I know of.  And, it is arguably a better default for any cluster
with an even number of nodes.  One could easily give the pingquorum
module a parameter to tell it to return TIE if it's not dealing with a
2-node cluster.

It's worth repeating: data is never endangered if you're using STONITH.

-- 
    Alan Robertson <[EMAIL PROTECTED]>

"Openness is the foundation and preservative of friendship...  Let me
claim from you at all times your undisguised opinions." - William
Wilberforce
_______________________________________________________
Linux-HA-Dev: [email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/

Reply via email to