On Fri, Feb 19, 2010 at 5:36 PM, Dietmar Maurer <diet...@proxmox.com> wrote: > Hi all, I just found a whitepaper from XenServer - seem they implement some > kind of self-fencing: > > -----text from XenServer High Availability Whitepaper------- > The worst-case scenario for HA is the situation where a host is thought to be > off-line but is actually > still writing to the shared storage, because this can result in corruption of > persistent data. To > prevent this situation without requiring active power strip controls, > XenServer employs > hypervisor-level fencing. This is a Xen modification which hard-powers off > the host at a very > low-level if it does not hear regularly from a watchdog process running in > the control domain. > Because it is implemented at a very low-level, this also protects the storage > in the case where the > control domain becomes unresponsive for some reason. > -------------- > > Does that really make sense? That seem to be a very unreliable solution, > because there is no guarantee that a failed node 'self-fence' itself? Or > do I miss something?
Do you trust a host, that has already failed in some way, to now start behaving correctly and fence itself? I wouldn't. _______________________________________________ Openais mailing list Openais@lists.linux-foundation.org https://lists.linux-foundation.org/mailman/listinfo/openais