Hi all, I just found a whitepaper from XenServer - it seems they implement
some kind of self-fencing:

-----text from XenServer High Availability Whitepaper-------
The worst-case scenario for HA is the situation where a host is thought to
be off-line but is actually still writing to the shared storage, because
this can result in corruption of persistent data. To prevent this situation
without requiring active power strip controls, XenServer hypervisor-level
fencing. This is a Xen modification which hard-powers off the host at a very
low-level if it does not hear regularly from a watchdog process running in
the control domain. Because it is implemented at a very low-level, this also
protects the storage in the case where the control domain becomes
unresponsive for some reason.

Does that really make sense? That seems to be a very unreliable solution,
because there is no guarantee that a failed node 'self-fences' itself? Or
am I missing something?

- Dietmar

