]>
Commit | Line | Data |
---|---|---|
22653ac8 DM |
1 | [[chapter-ha-manager]] |
2 | ifdef::manvolnum[] | |
7e2fdb3d DM |
3 | PVE(1) |
4 | ====== | |
22653ac8 DM |
5 | include::attributes.txt[] |
6 | ||
5f09af76 DM |
7 | :pve-toplevel: |
8 | ||
22653ac8 DM |
9 | NAME |
10 | ---- | |
11 | ||
734404b4 | 12 | ha-manager - Proxmox VE HA Manager |
22653ac8 | 13 | |
49a5e11c | 14 | SYNOPSIS |
22653ac8 DM |
15 | -------- |
16 | ||
17 | include::ha-manager.1-synopsis.adoc[] | |
18 | ||
19 | DESCRIPTION | |
20 | ----------- | |
21 | endif::manvolnum[] | |
22 | ||
23 | ifndef::manvolnum[] | |
24 | High Availability | |
25 | ================= | |
26 | include::attributes.txt[] | |
27 | endif::manvolnum[] | |
28 | ||
5f09af76 DM |
29 | ifdef::wiki[] |
30 | :pve-toplevel: | |
31 | endif::wiki[] | |
b5266e9f DM |
32 | |
33 | Our modern society depends heavily on information provided by | |
34 | computers over the network. Mobile devices amplified that dependency, | |
35 | because people can access the network any time from anywhere. If you | |
36 | provide such services, it is very important that they are available | |
37 | most of the time. | |
38 | ||
39 | We can mathematically define the availability as the ratio of (A) the | |
40 | total time a service is capable of being used during a given interval | |
41 | to (B) the length of the interval. It is normally expressed as a | |
42 | percentage of uptime in a given year. | |
43 | ||
44 | .Availability - Downtime per Year | |
45 | [width="60%",cols="<d,d",options="header"] | |
46 | |=========================================================== | |
47 | |Availability % |Downtime per year | |
48 | |99 |3.65 days | |
49 | |99.9 |8.76 hours | |
50 | |99.99 |52.56 minutes | |
51 | |99.999 |5.26 minutes | |
52 | |99.9999 |31.5 seconds | |
53 | |99.99999 |3.15 seconds | |
54 | |=========================================================== | |
55 | ||
04bde502 DM |
56 | There are several ways to increase availability. The most elegant |
57 | solution is to rewrite your software, so that you can run it on | |
58 | several host at the same time. The software itself need to have a way | |
2af6af05 | 59 | to detect errors and do failover. This is relatively easy if you just |
04bde502 DM |
60 | want to serve read-only web pages. But in general this is complex, and |
61 | sometimes impossible because you cannot modify the software | |
62 | yourself. The following solutions works without modifying the | |
63 | software: | |
64 | ||
8c1189b6 | 65 | * Use reliable ``server'' components |
04bde502 DM |
66 | |
67 | NOTE: Computer components with same functionality can have varying | |
2af6af05 | 68 | reliability numbers, depending on the component quality. Most vendors |
8c1189b6 | 69 | sell components with higher reliability as ``server'' components - |
04bde502 | 70 | usually at higher price. |
b5266e9f DM |
71 | |
72 | * Eliminate single point of failure (redundant components) | |
8c1189b6 FG |
73 | ** use an uninterruptible power supply (UPS) |
74 | ** use redundant power supplies on the main boards | |
75 | ** use ECC-RAM | |
76 | ** use redundant network hardware | |
77 | ** use RAID for local storage | |
78 | ** use distributed, redundant storage for VM data | |
b5266e9f DM |
79 | |
80 | * Reduce downtime | |
8c1189b6 FG |
81 | ** rapidly accessible administrators (24/7) |
82 | ** availability of spare parts (other nodes in a {pve} cluster) | |
83 | ** automatic error detection (provided by `ha-manager`) | |
84 | ** automatic failover (provided by `ha-manager`) | |
b5266e9f | 85 | |
5771d9b0 | 86 | Virtualization environments like {pve} make it much easier to reach |
8c1189b6 | 87 | high availability because they remove the ``hardware'' dependency. They |
04bde502 DM |
88 | also support to setup and use redundant storage and network |
89 | devices. So if one host fail, you can simply start those services on | |
43da8322 DM |
90 | another host within your cluster. |
91 | ||
8c1189b6 | 92 | Even better, {pve} provides a software stack called `ha-manager`, |
43da8322 DM |
93 | which can do that automatically for you. It is able to automatically |
94 | detect errors and do automatic failover. | |
95 | ||
8c1189b6 | 96 | {pve} `ha-manager` works like an ``automated'' administrator. First, you |
43da8322 | 97 | configure what resources (VMs, containers, ...) it should |
8c1189b6 FG |
98 | manage. `ha-manager` then observes correct functionality, and handles |
99 | service failover to another node in case of errors. `ha-manager` can | |
43da8322 DM |
100 | also handle normal user requests which may start, stop, relocate and |
101 | migrate a service. | |
04bde502 DM |
102 | |
103 | But high availability comes at a price. High quality components are | |
104 | more expensive, and making them redundant duplicates the costs at | |
105 | least. Additional spare parts increase costs further. So you should | |
106 | carefully calculate the benefits, and compare with those additional | |
107 | costs. | |
108 | ||
109 | TIP: Increasing availability from 99% to 99.9% is relatively | |
110 | simply. But increasing availability from 99.9999% to 99.99999% is very | |
8c1189b6 | 111 | hard and costly. `ha-manager` has typical error detection and failover |
43da8322 DM |
112 | times of about 2 minutes, so you can get no more than 99.999% |
113 | availability. | |
b5266e9f | 114 | |
5bd515d4 DM |
115 | Requirements |
116 | ------------ | |
3810ae1e | 117 | |
5bd515d4 | 118 | * at least three cluster nodes (to get reliable quorum) |
43da8322 | 119 | |
5bd515d4 | 120 | * shared storage for VMs and containers |
43da8322 | 121 | |
5bd515d4 | 122 | * hardware redundancy (everywhere) |
3810ae1e | 123 | |
5bd515d4 | 124 | * hardware watchdog - if not available we fall back to the |
8c1189b6 | 125 | linux kernel software watchdog (`softdog`) |
3810ae1e | 126 | |
5bd515d4 | 127 | * optional hardware fencing devices |
3810ae1e | 128 | |
3810ae1e | 129 | |
5bd515d4 DM |
130 | Resources |
131 | --------- | |
132 | ||
8c1189b6 FG |
133 | We call the primary management unit handled by `ha-manager` a |
134 | resource. A resource (also called ``service'') is uniquely | |
5bd515d4 | 135 | identified by a service ID (SID), which consists of the resource type |
8c1189b6 FG |
136 | and an type specific ID, e.g.: `vm:100`. That example would be a |
137 | resource of type `vm` (virtual machine) with the ID 100. | |
5bd515d4 DM |
138 | |
139 | For now we have two important resources types - virtual machines and | |
140 | containers. One basic idea here is that we can bundle related software | |
141 | into such VM or container, so there is no need to compose one big | |
8c1189b6 | 142 | service from other services, like it was done with `rgmanager`. In |
5bd515d4 | 143 | general, a HA enabled resource should not depend on other resources. |
3810ae1e | 144 | |
22653ac8 | 145 | |
2b52e195 | 146 | How It Works |
22653ac8 DM |
147 | ------------ |
148 | ||
3810ae1e TL |
149 | This section provides an in detail description of the {PVE} HA-manager |
150 | internals. It describes how the CRM and the LRM work together. | |
151 | ||
152 | To provide High Availability two daemons run on each node: | |
153 | ||
8c1189b6 | 154 | `pve-ha-lrm`:: |
3810ae1e TL |
155 | |
156 | The local resource manager (LRM), it controls the services running on | |
157 | the local node. | |
158 | It reads the requested states for its services from the current manager | |
159 | status file and executes the respective commands. | |
160 | ||
8c1189b6 | 161 | `pve-ha-crm`:: |
3810ae1e TL |
162 | |
163 | The cluster resource manager (CRM), it controls the cluster wide | |
2af6af05 | 164 | actions of the services, processes the LRM results and includes the state |
3810ae1e TL |
165 | machine which controls the state of each service. |
166 | ||
167 | .Locks in the LRM & CRM | |
168 | [NOTE] | |
169 | Locks are provided by our distributed configuration file system (pmxcfs). | |
5771d9b0 TL |
170 | They are used to guarantee that each LRM is active once and working. As a |
171 | LRM only executes actions when it holds its lock we can mark a failed node | |
172 | as fenced if we can acquire its lock. This lets us then recover any failed | |
5eba0743 | 173 | HA services securely without any interference from the now unknown failed node. |
3810ae1e TL |
174 | This all gets supervised by the CRM which holds currently the manager master |
175 | lock. | |
176 | ||
177 | Local Resource Manager | |
178 | ~~~~~~~~~~~~~~~~~~~~~~ | |
179 | ||
8c1189b6 | 180 | The local resource manager (`pve-ha-lrm`) is started as a daemon on |
3810ae1e TL |
181 | boot and waits until the HA cluster is quorate and thus cluster wide |
182 | locks are working. | |
183 | ||
184 | It can be in three states: | |
185 | ||
b8663359 | 186 | wait for agent lock:: |
e1ea726a FG |
187 | |
188 | The LRM waits for our exclusive lock. This is also used as idle state if no | |
189 | service is configured. | |
190 | ||
b8663359 | 191 | active:: |
e1ea726a FG |
192 | |
193 | The LRM holds its exclusive lock and has services configured. | |
194 | ||
b8663359 | 195 | lost agent lock:: |
e1ea726a FG |
196 | |
197 | The LRM lost its lock, this means a failure happened and quorum was lost. | |
3810ae1e TL |
198 | |
199 | After the LRM gets in the active state it reads the manager status | |
8c1189b6 | 200 | file in `/etc/pve/ha/manager_status` and determines the commands it |
2af6af05 | 201 | has to execute for the services it owns. |
3810ae1e | 202 | For each command a worker gets started, this workers are running in |
5eba0743 | 203 | parallel and are limited to at most 4 by default. This default setting |
8c1189b6 | 204 | may be changed through the datacenter configuration key `max_worker`. |
2af6af05 TL |
205 | When finished the worker process gets collected and its result saved for |
206 | the CRM. | |
3810ae1e | 207 | |
5eba0743 | 208 | .Maximum Concurrent Worker Adjustment Tips |
3810ae1e | 209 | [NOTE] |
5eba0743 | 210 | The default value of at most 4 concurrent workers may be unsuited for |
3810ae1e TL |
211 | a specific setup. For example may 4 live migrations happen at the same |
212 | time, which can lead to network congestions with slower networks and/or | |
213 | big (memory wise) services. Ensure that also in the worst case no congestion | |
8c1189b6 | 214 | happens and lower the `max_worker` value if needed. In the contrary, if you |
3810ae1e TL |
215 | have a particularly powerful high end setup you may also want to increase it. |
216 | ||
217 | Each command requested by the CRM is uniquely identifiable by an UID, when | |
218 | the worker finished its result will be processed and written in the LRM | |
8c1189b6 | 219 | status file `/etc/pve/nodes/<nodename>/lrm_status`. There the CRM may collect |
3810ae1e TL |
220 | it and let its state machine - respective the commands output - act on it. |
221 | ||
222 | The actions on each service between CRM and LRM are normally always synced. | |
223 | This means that the CRM requests a state uniquely marked by an UID, the LRM | |
224 | then executes this action *one time* and writes back the result, also | |
225 | identifiable by the same UID. This is needed so that the LRM does not | |
226 | executes an outdated command. | |
8c1189b6 | 227 | With the exception of the `stop` and the `error` command, |
c9aa5d47 | 228 | those two do not depend on the result produced and are executed |
3810ae1e TL |
229 | always in the case of the stopped state and once in the case of |
230 | the error state. | |
231 | ||
232 | .Read the Logs | |
233 | [NOTE] | |
234 | The HA Stack logs every action it makes. This helps to understand what | |
235 | and also why something happens in the cluster. Here its important to see | |
236 | what both daemons, the LRM and the CRM, did. You may use | |
237 | `journalctl -u pve-ha-lrm` on the node(s) where the service is and | |
238 | the same command for the pve-ha-crm on the node which is the current master. | |
239 | ||
240 | Cluster Resource Manager | |
241 | ~~~~~~~~~~~~~~~~~~~~~~~~ | |
22653ac8 | 242 | |
8c1189b6 | 243 | The cluster resource manager (`pve-ha-crm`) starts on each node and |
22653ac8 DM |
244 | waits there for the manager lock, which can only be held by one node |
245 | at a time. The node which successfully acquires the manager lock gets | |
3810ae1e TL |
246 | promoted to the CRM master. |
247 | ||
2af6af05 | 248 | It can be in three states: |
3810ae1e | 249 | |
b8663359 | 250 | wait for agent lock:: |
e1ea726a | 251 | |
97ae300a | 252 | The CRM waits for our exclusive lock. This is also used as idle state if no |
e1ea726a FG |
253 | service is configured |
254 | ||
b8663359 | 255 | active:: |
e1ea726a | 256 | |
97ae300a | 257 | The CRM holds its exclusive lock and has services configured |
e1ea726a | 258 | |
b8663359 | 259 | lost agent lock:: |
e1ea726a | 260 | |
97ae300a | 261 | The CRM lost its lock, this means a failure happened and quorum was lost. |
3810ae1e TL |
262 | |
263 | It main task is to manage the services which are configured to be highly | |
2af6af05 | 264 | available and try to always enforce them to the wanted state, e.g.: a |
3810ae1e | 265 | enabled service will be started if its not running, if it crashes it will |
2af6af05 | 266 | be started again. Thus it dictates the LRM the actions it needs to execute. |
22653ac8 DM |
267 | |
268 | When an node leaves the cluster quorum, its state changes to unknown. | |
269 | If the current CRM then can secure the failed nodes lock, the services | |
270 | will be 'stolen' and restarted on another node. | |
271 | ||
272 | When a cluster member determines that it is no longer in the cluster | |
273 | quorum, the LRM waits for a new quorum to form. As long as there is no | |
274 | quorum the node cannot reset the watchdog. This will trigger a reboot | |
2af6af05 | 275 | after the watchdog then times out, this happens after 60 seconds. |
22653ac8 | 276 | |
2b52e195 | 277 | Configuration |
22653ac8 DM |
278 | ------------- |
279 | ||
2af6af05 | 280 | The HA stack is well integrated in the Proxmox VE API2. So, for |
8c1189b6 | 281 | example, HA can be configured via `ha-manager` or the PVE web |
22653ac8 DM |
282 | interface, which both provide an easy to use tool. |
283 | ||
284 | The resource configuration file can be located at | |
8c1189b6 FG |
285 | `/etc/pve/ha/resources.cfg` and the group configuration file at |
286 | `/etc/pve/ha/groups.cfg`. Use the provided tools to make changes, | |
22653ac8 DM |
287 | there shouldn't be any need to edit them manually. |
288 | ||
3810ae1e TL |
289 | Node Power Status |
290 | ----------------- | |
291 | ||
292 | If a node needs maintenance you should migrate and or relocate all | |
293 | services which are required to run always on another node first. | |
294 | After that you can stop the LRM and CRM services. But note that the | |
295 | watchdog triggers if you stop it with active services. | |
296 | ||
5771d9b0 TL |
297 | Package Updates |
298 | --------------- | |
299 | ||
2af6af05 | 300 | When updating the ha-manager you should do one node after the other, never |
5771d9b0 TL |
301 | all at once for various reasons. First, while we test our software |
302 | thoughtfully, a bug affecting your specific setup cannot totally be ruled out. | |
303 | Upgrading one node after the other and checking the functionality of each node | |
304 | after finishing the update helps to recover from an eventual problems, while | |
305 | updating all could render you in a broken cluster state and is generally not | |
306 | good practice. | |
307 | ||
308 | Also, the {pve} HA stack uses a request acknowledge protocol to perform | |
309 | actions between the cluster and the local resource manager. For restarting, | |
310 | the LRM makes a request to the CRM to freeze all its services. This prevents | |
311 | that they get touched by the Cluster during the short time the LRM is restarting. | |
312 | After that the LRM may safely close the watchdog during a restart. | |
313 | Such a restart happens on a update and as already stated a active master | |
314 | CRM is needed to acknowledge the requests from the LRM, if this is not the case | |
315 | the update process can be too long which, in the worst case, may result in | |
316 | a watchdog reset. | |
317 | ||
2af6af05 | 318 | |
3810ae1e TL |
319 | Fencing |
320 | ------- | |
321 | ||
5eba0743 | 322 | What is Fencing |
3810ae1e TL |
323 | ~~~~~~~~~~~~~~~ |
324 | ||
325 | Fencing secures that on a node failure the dangerous node gets will be rendered | |
326 | unable to do any damage and that no resource runs twice when it gets recovered | |
5771d9b0 TL |
327 | from the failed node. This is a really important task and one of the base |
328 | principles to make a system Highly Available. | |
329 | ||
330 | If a node would not get fenced it would be in an unknown state where it may | |
331 | have still access to shared resources, this is really dangerous! | |
332 | Imagine that every network but the storage one broke, now while not | |
333 | reachable from the public network the VM still runs and writes on the shared | |
334 | storage. If we would not fence the node and just start up this VM on another | |
335 | Node we would get dangerous race conditions, atomicity violations the whole VM | |
336 | could be rendered unusable. The recovery could also simply fail if the storage | |
337 | protects from multiple mounts and thus defeat the purpose of HA. | |
338 | ||
339 | How {pve} Fences | |
340 | ~~~~~~~~~~~~~~~~~ | |
341 | ||
342 | There are different methods to fence a node, for example fence devices which | |
343 | cut off the power from the node or disable their communication completely. | |
344 | ||
345 | Those are often quite expensive and bring additional critical components in | |
346 | a system, because if they fail you cannot recover any service. | |
347 | ||
348 | We thus wanted to integrate a simpler method in the HA Manager first, namely | |
349 | self fencing with watchdogs. | |
350 | ||
351 | Watchdogs are widely used in critical and dependable systems since the | |
352 | beginning of micro controllers, they are often independent and simple | |
353 | integrated circuit which programs can use to watch them. After opening they need to | |
354 | report periodically. If, for whatever reason, a program becomes unable to do | |
355 | so the watchdogs triggers a reset of the whole server. | |
356 | ||
357 | Server motherboards often already include such hardware watchdogs, these need | |
358 | to be configured. If no watchdog is available or configured we fall back to the | |
359 | Linux Kernel softdog while still reliable it is not independent of the servers | |
360 | Hardware and thus has a lower reliability then a hardware watchdog. | |
3810ae1e TL |
361 | |
362 | Configure Hardware Watchdog | |
363 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
364 | By default all watchdog modules are blocked for security reasons as they are | |
365 | like a loaded gun if not correctly initialized. | |
c9aa5d47 | 366 | If you have a hardware watchdog available remove its kernel module from the |
8c1189b6 | 367 | blacklist, load it with insmod and restart the `watchdog-mux` service or reboot |
c9aa5d47 | 368 | the node. |
3810ae1e | 369 | |
2957ef80 TL |
370 | Recover Fenced Services |
371 | ~~~~~~~~~~~~~~~~~~~~~~~ | |
372 | ||
373 | After a node failed and its fencing was successful we start to recover services | |
374 | to other available nodes and restart them there so that they can provide service | |
375 | again. | |
376 | ||
377 | The selection of the node on which the services gets recovered is influenced | |
378 | by the users group settings, the currently active nodes and their respective | |
379 | active service count. | |
380 | First we build a set out of the intersection between user selected nodes and | |
381 | available nodes. Then the subset with the highest priority of those nodes | |
382 | gets chosen as possible nodes for recovery. We select the node with the | |
383 | currently lowest active service count as a new node for the service. | |
384 | That minimizes the possibility of an overload, which else could cause an | |
385 | unresponsive node and as a result a chain reaction of node failures in the | |
386 | cluster. | |
387 | ||
2b52e195 | 388 | Groups |
22653ac8 DM |
389 | ------ |
390 | ||
391 | A group is a collection of cluster nodes which a service may be bound to. | |
392 | ||
2b52e195 | 393 | Group Settings |
22653ac8 DM |
394 | ~~~~~~~~~~~~~~ |
395 | ||
396 | nodes:: | |
397 | ||
c9aa5d47 TL |
398 | List of group node members where a priority can be given to each node. |
399 | A service bound to this group will run on the nodes with the highest priority | |
400 | available. If more nodes are in the highest priority class the services will | |
401 | get distributed to those node if not already there. The priorities have a | |
402 | relative meaning only. | |
93d2a4f9 | 403 | Example;; |
b352bff4 DM |
404 | You want to run all services from a group on `node1` if possible. If this node |
405 | is not available, you want them to run equally splitted on `node2` and `node3`, and | |
406 | if those fail it should use `node4`. | |
93d2a4f9 TL |
407 | To achieve this you could set the node list to: |
408 | [source,bash] | |
409 | ha-manager groupset mygroup -nodes "node1:2,node2:1,node3:1,node4" | |
22653ac8 DM |
410 | |
411 | restricted:: | |
412 | ||
5eba0743 | 413 | Resources bound to this group may only run on nodes defined by the |
22653ac8 DM |
414 | group. If no group node member is available the resource will be |
415 | placed in the stopped state. | |
93d2a4f9 | 416 | Example;; |
01911cf3 DM |
417 | Lets say a service uses resources only available on `node1` and `node2`, |
418 | so we need to make sure that HA manager does not use other nodes. | |
419 | We need to create a 'restricted' group with said nodes: | |
420 | [source,bash] | |
421 | ha-manager groupset mygroup -nodes "node1,node2" -restricted | |
22653ac8 DM |
422 | |
423 | nofailback:: | |
424 | ||
5eba0743 | 425 | The resource won't automatically fail back when a more preferred node |
22653ac8 | 426 | (re)joins the cluster. |
93d2a4f9 TL |
427 | Examples;; |
428 | * You need to migrate a service to a node which hasn't the highest priority | |
429 | in the group at the moment, to tell the HA manager to not move this service | |
20fa8c22 | 430 | instantly back set the 'nofailback' option and the service will stay on |
345f5fe0 | 431 | the current node. |
93d2a4f9 | 432 | |
345f5fe0 DM |
433 | * A service was fenced and it got recovered to another node. The admin |
434 | repaired the node and brought it up online again but does not want that the | |
93d2a4f9 TL |
435 | recovered services move straight back to the repaired node as he wants to |
436 | first investigate the failure cause and check if it runs stable. He can use | |
345f5fe0 | 437 | the 'nofailback' option to achieve this. |
22653ac8 DM |
438 | |
439 | ||
a3189ad1 TL |
440 | Start Failure Policy |
441 | --------------------- | |
442 | ||
443 | The start failure policy comes in effect if a service failed to start on a | |
444 | node once ore more times. It can be used to configure how often a restart | |
445 | should be triggered on the same node and how often a service should be | |
446 | relocated so that it gets a try to be started on another node. | |
447 | The aim of this policy is to circumvent temporary unavailability of shared | |
448 | resources on a specific node. For example, if a shared storage isn't available | |
449 | on a quorate node anymore, e.g. network problems, but still on other nodes, | |
450 | the relocate policy allows then that the service gets started nonetheless. | |
451 | ||
452 | There are two service start recover policy settings which can be configured | |
22653ac8 DM |
453 | specific for each resource. |
454 | ||
455 | max_restart:: | |
456 | ||
5eba0743 | 457 | Maximum number of tries to restart an failed service on the actual |
22653ac8 DM |
458 | node. The default is set to one. |
459 | ||
460 | max_relocate:: | |
461 | ||
5eba0743 | 462 | Maximum number of tries to relocate the service to a different node. |
22653ac8 DM |
463 | A relocate only happens after the max_restart value is exceeded on the |
464 | actual node. The default is set to one. | |
465 | ||
0abc65b0 | 466 | NOTE: The relocate count state will only reset to zero when the |
22653ac8 DM |
467 | service had at least one successful start. That means if a service is |
468 | re-enabled without fixing the error only the restart policy gets | |
469 | repeated. | |
470 | ||
2b52e195 | 471 | Error Recovery |
22653ac8 DM |
472 | -------------- |
473 | ||
474 | If after all tries the service state could not be recovered it gets | |
475 | placed in an error state. In this state the service won't get touched | |
476 | by the HA stack anymore. To recover from this state you should follow | |
477 | these steps: | |
478 | ||
5eba0743 | 479 | * bring the resource back into a safe and consistent state (e.g., |
22653ac8 DM |
480 | killing its process) |
481 | ||
482 | * disable the ha resource to place it in an stopped state | |
483 | ||
484 | * fix the error which led to this failures | |
485 | ||
486 | * *after* you fixed all errors you may enable the service again | |
487 | ||
488 | ||
2b52e195 | 489 | Service Operations |
22653ac8 DM |
490 | ------------------ |
491 | ||
492 | This are how the basic user-initiated service operations (via | |
8c1189b6 | 493 | `ha-manager`) work. |
22653ac8 DM |
494 | |
495 | enable:: | |
496 | ||
5eba0743 | 497 | The service will be started by the LRM if not already running. |
22653ac8 DM |
498 | |
499 | disable:: | |
500 | ||
5eba0743 | 501 | The service will be stopped by the LRM if running. |
22653ac8 DM |
502 | |
503 | migrate/relocate:: | |
504 | ||
5eba0743 | 505 | The service will be relocated (live) to another node. |
22653ac8 DM |
506 | |
507 | remove:: | |
508 | ||
5eba0743 | 509 | The service will be removed from the HA managed resource list. Its |
22653ac8 DM |
510 | current state will not be touched. |
511 | ||
512 | start/stop:: | |
513 | ||
8c1189b6 FG |
514 | `start` and `stop` commands can be issued to the resource specific tools |
515 | (like `qm` or `pct`), they will forward the request to the | |
516 | `ha-manager` which then will execute the action and set the resulting | |
22653ac8 DM |
517 | service state (enabled, disabled). |
518 | ||
519 | ||
2b52e195 | 520 | Service States |
22653ac8 DM |
521 | -------------- |
522 | ||
523 | stopped:: | |
524 | ||
c9aa5d47 TL |
525 | Service is stopped (confirmed by LRM), if detected running it will get stopped |
526 | again. | |
22653ac8 DM |
527 | |
528 | request_stop:: | |
529 | ||
530 | Service should be stopped. Waiting for confirmation from LRM. | |
531 | ||
532 | started:: | |
533 | ||
534 | Service is active an LRM should start it ASAP if not already running. | |
c9aa5d47 | 535 | If the Service fails and is detected to be not running the LRM restarts it. |
22653ac8 DM |
536 | |
537 | fence:: | |
538 | ||
539 | Wait for node fencing (service node is not inside quorate cluster | |
540 | partition). | |
c9aa5d47 TL |
541 | As soon as node gets fenced successfully the service will be recovered to |
542 | another node, if possible. | |
22653ac8 DM |
543 | |
544 | freeze:: | |
545 | ||
546 | Do not touch the service state. We use this state while we reboot a | |
547 | node, or when we restart the LRM daemon. | |
548 | ||
549 | migrate:: | |
550 | ||
551 | Migrate service (live) to other node. | |
552 | ||
553 | error:: | |
554 | ||
555 | Service disabled because of LRM errors. Needs manual intervention. | |
556 | ||
557 | ||
558 | ifdef::manvolnum[] | |
559 | include::pve-copyright.adoc[] | |
560 | endif::manvolnum[] | |
561 |