On Fri, Feb 19, 2010 at 03:31:10PM -0700, Steven Dake wrote:
> There are millions of lines of C code involved in directing a power
> fencing device to fence a node.  Generally in this case, the system
> directing the fencing is operating from a known good state.
> There are several hundred lines of C code that trigger a reboot when a
> watchdog timer isn't fed.  Generally in this case, the system directing
> the fencing (itself) has entered an undefined failure state.
> So a quick matrix:
> model            LOC       operating environment
> power fencing    millions  well-defined
> self fencing     hundreds  undefined

I completely agree with you that less code is more trustworthy than more
in general.  But your thesis seems to be based entirely on the hundreds
vs. millions difference, which I simply don't see.  Anyone can configure a
watchdog to replace power fencing today; it's simple, and there will be
negligible difference in the amount of code that's involved.


Openais mailing list