On Tue, 2010-02-23 at 08:25 +0100, Dietmar Maurer wrote:
> > > There are thousands of interactions with power fencing and every one
> > > of them needs to work perfectly for power fencing to work.
> > 
> > Thats not the problem.
> > Its the false positives you need to worry about (devices that report
> > success when power fencing failed).
> > 
> > When power fencing fails healthy nodes get some sort of indication and
> > can take appropriate action.
> > If suicide fails, um...
> Ok, for that reason power fencing is better. 
> But what I've heard so far is that many users do not understand
> why fencing is required, and worse, they do not configure and test
> it correctly.
> So the question is if we can combine those approaches? Or is that
> mutual exclusive for some reason?

It would be beneficial to have implementations that supported one or the
other or both models at the same time.  Maximum flexibility for the
user.  Then the user can decide what their viewpoint is on reliability
just as I have outlined in this previous thread.  If they are super
paranoid, they might use both.  If they believe simplicity is superior,
they might choose self fencing.  If they feel that operating in a well
defined operating environment with more complexity is better, they could
choose that.

Currently there are two choices 1) power fencing 2) no fencing.


> - Dietmar

Openais mailing list

Reply via email to