Hi Andreas, > -----Ursprüngliche Nachricht----- > Von: "Andreas Kurz" <[EMAIL PROTECTED]> > Gesendet: 12.08.08 22:27:30 > An: "General Linux-HA mailing list" <[email protected]> > Betreff: Re: [Linux-HA] STONITH, default fencing time, forced-fencing > > Of course ... one instance should be enough but isn't it safer to make > sure that every node is able to stonith any other node ... no matter in > which state the complete cluster is? >
I thought this too longtime ago. I ended also configuring stonith as separate primitive resource for each node and constraints forcing a sonith plugin not to run on its controlled node. Why this: In my case (and I'm pretty sure that's also valid for other scenarios) the stonith device can only serve exactly ONE connection. That means only one user/plugin can connect to the stonith device at a time. As soon as I used clones I couldn't guarantee that only one clone connects to the stonith device at one time. The monitor action is implemented as a connection attempt with gathering some more or less meaningful status information. I got many (wrong) monitoring failures. And therefore using clones was not appropriate. Stonith plugin contributors should test and document if the plugin is "clone-aware". Another issue is that on a two node cluster the usage of clones where the clone instance running on the node it can't shoot (suicide forbidden) is IMHO more or less the same as using one primitive stonith ressource and an appropriate constraint avoiding a wrong node/stonith assignment. By the way: I really never got the feeling to understand the stonith subsystem and its behaviour more that 60%. Probably I/we have to take Dejan for one or more beer and asking him anything we don't know about this. :-)) Best regards Andreas Mock _______________________________________________ Linux-HA mailing list [email protected] http://lists.linux-ha.org/mailman/listinfo/linux-ha See also: http://linux-ha.org/ReportingProblems
