[[chapter_ha_manager]]
ifdef::manvolnum[]
ha-manager(1)
=============
:pve-toplevel:

NAME
----

ha-manager - Proxmox VE HA Manager

SYNOPSIS
--------

include::ha-manager.1-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]
ifndef::manvolnum[]
High Availability
=================
:pve-toplevel:
endif::manvolnum[]

Our modern society depends heavily on information provided by
computers over the network. Mobile devices amplified that dependency,
because people can access the network any time from anywhere. If you
provide such services, it is very important that they are available
most of the time.

We can mathematically define the availability as the ratio of (A), the
total time a service is capable of being used during a given interval
to (B), the length of the interval. It is normally expressed as a
percentage of uptime in a given year.

.Availability - Downtime per Year
[width="60%",cols="<d,d",options="header"]
|===========================================================
|Availability % |Downtime per year
|99             |3.65 days
|99.9           |8.76 hours
|99.99          |52.56 minutes
|99.999         |5.26 minutes
|99.9999        |31.5 seconds
|99.99999       |3.15 seconds
|===========================================================

There are several ways to increase availability. The most elegant
solution is to rewrite your software, so that you can run it on
several hosts at the same time. The software itself needs to have a way
to detect errors and do failover. If you only want to serve read-only
web pages, then this is relatively simple. However, this is generally complex
and sometimes impossible, because you cannot modify the software yourself. The
following solutions work without modifying the software:

* Use reliable ``server'' components
+
NOTE: Computer components with the same functionality can have varying
reliability numbers, depending on the component quality. Most vendors
sell components with higher reliability as ``server'' components -
usually at a higher price.

* Eliminate single points of failure (redundant components)
** use an uninterruptible power supply (UPS)
** use redundant power supplies on the main boards
** use ECC-RAM
** use redundant network hardware
** use RAID for local storage
** use distributed, redundant storage for VM data

* Reduce downtime
** rapidly accessible administrators (24/7)
** availability of spare parts (other nodes in a {pve} cluster)
** automatic error detection (provided by `ha-manager`)
** automatic failover (provided by `ha-manager`)

Virtualization environments like {pve} make it much easier to reach
high availability because they remove the ``hardware'' dependency. They
also support the setup and use of redundant storage and network
devices, so if one host fails, you can simply start those services on
another host within your cluster.

Better still, {pve} provides a software stack called `ha-manager`,
which can do that automatically for you. It is able to detect errors
and perform failover automatically.

{pve} `ha-manager` works like an ``automated'' administrator. First, you
configure what resources (VMs, containers, ...) it should
manage. Then, `ha-manager` observes the correct functionality, and handles
service failover to another node in case of errors. `ha-manager` can
also handle normal user requests which may start, stop, relocate and
migrate a service.

But high availability comes at a price. High quality components are
more expensive, and making them redundant doubles the costs at
least. Additional spare parts increase costs further. So you should
carefully calculate the benefits, and compare with those additional
costs.

TIP: Increasing availability from 99% to 99.9% is relatively
simple. But increasing availability from 99.9999% to 99.99999% is very
hard and costly. `ha-manager` has typical error detection and failover
times of about 2 minutes, so you can get no more than 99.999%
availability.


Requirements
------------

You must meet the following requirements before you start with HA:

* at least three cluster nodes (to get reliable quorum)

* shared storage for VMs and containers

* hardware redundancy (everywhere)

* use reliable “server” components

* hardware watchdog - if not available we fall back to the
linux kernel software watchdog (`softdog`)

* optional hardware fencing devices


[[ha_manager_resources]]
Resources
---------

We call the primary management unit handled by `ha-manager` a
resource. A resource (also called ``service'') is uniquely
identified by a service ID (SID), which consists of the resource type
and a type specific ID, for example `vm:100`. That example would be a
resource of type `vm` (virtual machine) with the ID 100.

For now we have two important resource types - virtual machines and
containers. One basic idea here is that we can bundle related software
into such a VM or container, so there is no need to compose one big
service from other services, as was done with `rgmanager`. In
general, a HA managed resource should not depend on other resources.


Management Tasks
----------------

This section provides a short overview of common management tasks. The
first step is to enable HA for a resource. This is done by adding the
resource to the HA resource configuration. You can do this using the
GUI, or simply use the command line tool, for example:

----
# ha-manager add vm:100
----

The HA stack now tries to start the resources and keep them
running. Please note that you can configure the ``requested''
resource state. For example, you may want the HA stack to stop the
resource:

----
# ha-manager set vm:100 --state stopped
----

and start it again later:

----
# ha-manager set vm:100 --state started
----

You can also use the normal VM and container management commands. They
automatically forward the commands to the HA stack, so

----
# qm start 100
----

simply sets the requested state to `started`. The same applies to `qm
stop`, which sets the requested state to `stopped`.

NOTE: The HA stack works fully asynchronously and needs to communicate
with other cluster members. Therefore, it takes some seconds until you see
the result of such actions.

To view the current HA resource configuration use:

----
# ha-manager config
vm:100
	state stopped
----

And you can view the actual HA manager and resource state with:

----
# ha-manager status
quorum OK
master node1 (active, Wed Nov 23 11:07:23 2016)
lrm elsa (active, Wed Nov 23 11:07:19 2016)
service vm:100 (node1, started)
----

You can also initiate resource migration to other nodes:

----
# ha-manager migrate vm:100 node2
----

This uses online migration and tries to keep the VM running. Online
migration needs to transfer all used memory over the network, so it is
sometimes faster to stop the VM, then restart it on the new node. This can be
done using the `relocate` command:

----
# ha-manager relocate vm:100 node2
----

Finally, you can remove the resource from the HA configuration using
the following command:

----
# ha-manager remove vm:100
----

NOTE: This does not start or stop the resource.

But all HA related tasks can be done in the GUI, so there is no need to
use the command line at all.


How It Works
------------

This section provides a detailed description of the {PVE} HA manager
internals. It describes all involved daemons and how they work
together. To provide HA, two daemons run on each node:

`pve-ha-lrm`::

The local resource manager (LRM), which controls the services running on
the local node. It reads the requested states for its services from
the current manager status file and executes the respective commands.

`pve-ha-crm`::

The cluster resource manager (CRM), which makes the cluster wide
decisions. It sends commands to the LRM, processes the results,
and moves resources to other nodes if something fails. The CRM also
handles node fencing.


.Locks in the LRM & CRM
[NOTE]
Locks are provided by our distributed configuration file system (pmxcfs).
They are used to guarantee that each LRM is active once and working. As an
LRM only executes actions when it holds its lock, we can mark a failed node
as fenced if we can acquire its lock. This then lets us recover any failed
HA services securely without any interference from the now unknown failed node.
This all gets supervised by the CRM which currently holds the manager master
lock.


Service States
~~~~~~~~~~~~~~

The CRM uses a service state enumeration to record the current service
state. This state is displayed on the GUI and can be queried using
the `ha-manager` command line tool:

----
# ha-manager status
quorum OK
master elsa (active, Mon Nov 21 07:23:29 2016)
lrm elsa (active, Mon Nov 21 07:23:22 2016)
service ct:100 (elsa, stopped)
service ct:102 (elsa, started)
service vm:501 (elsa, started)
----

Here is the list of possible states:

stopped::

Service is stopped (confirmed by LRM). If the LRM detects a stopped
service is still running, it will stop it again.

request_stop::

Service should be stopped. The CRM waits for confirmation from the
LRM.

stopping::

Pending stop request. But the CRM did not get the request so far.

started::

Service is active and the LRM should start it ASAP if not already running.
If the service fails and is detected as not running, the LRM
restarts it
(see xref:ha_manager_start_failure_policy[Start Failure Policy]).

starting::

Pending start request. But the CRM has not got any confirmation from the
LRM that the service is running.

fence::

Wait for node fencing (service node is not inside quorate cluster
partition). As soon as the node gets fenced successfully the service will
be recovered to another node, if possible
(see xref:ha_manager_fencing[Fencing]).

freeze::

Do not touch the service state. We use this state while we reboot a
node, or when we restart the LRM daemon
(see xref:ha_manager_package_updates[Package Updates]).

ignored::

Act as if the service were not managed by HA at all.
Useful, when full control over the service is desired temporarily,
without removing it from the HA configuration.


migrate::

Migrate service (live) to other node.

error::

Service is disabled because of LRM errors. Needs manual intervention
(see xref:ha_manager_error_recovery[Error Recovery]).

queued::

Service is newly added, and the CRM has not seen it so far.

disabled::

Service is stopped and marked as `disabled`.

Local Resource Manager
~~~~~~~~~~~~~~~~~~~~~~

The local resource manager (`pve-ha-lrm`) is started as a daemon on
boot and waits until the HA cluster is quorate and thus cluster wide
locks are working.

It can be in three states:

wait for agent lock::

The LRM waits for our exclusive lock. This is also used as idle state if no
service is configured.

active::

The LRM holds its exclusive lock and has services configured.

lost agent lock::

The LRM lost its lock, this means a failure happened and quorum was lost.

After the LRM gets in the active state it reads the manager status
file in `/etc/pve/ha/manager_status` and determines the commands it
has to execute for the services it owns.
For each command a worker gets started, these workers are running in
parallel and are limited to at most 4 by default. This default setting
may be changed through the datacenter configuration key `max_worker`.
When finished the worker process gets collected and its result saved for
the CRM.

.Maximum Concurrent Worker Adjustment Tips
[NOTE]
The default value of at most 4 concurrent workers may be unsuited for
a specific setup. For example, 4 live migrations may occur at the same
time, which can lead to network congestion with slower networks and/or
big (memory wise) services. Also, ensure that in the worst case, congestion is
at a minimum, even if this means lowering the `max_worker` value. On the
contrary, if you have a particularly powerful, high-end setup you may also want
to increase it.

Each command requested by the CRM is uniquely identifiable by a UID. When
the worker finishes, its result will be processed and written in the LRM
status file `/etc/pve/nodes/<nodename>/lrm_status`. There the CRM may collect
it and let its state machine - respective to the command's output - act on it.

The actions on each service between CRM and LRM are normally always synced.
This means that the CRM requests a state uniquely marked by a UID, the LRM
then executes this action *one time* and writes back the result, which is also
identifiable by the same UID. This is needed so that the LRM does not
execute an outdated command.
The only exceptions to this behaviour are the `stop` and `error` commands;
these two do not depend on the result produced and are executed
always in the case of the stopped state and once in the case of
the error state.

.Read the Logs
[NOTE]
The HA Stack logs every action it makes. This helps to understand what
and also why something happens in the cluster. Here it's important to see
what both daemons, the LRM and the CRM, did. You may use
`journalctl -u pve-ha-lrm` on the node(s) where the service is and
the same command for the `pve-ha-crm` on the node which is the current master.

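The UID hand-off between CRM and LRM described above, as an added example that is not pve-ha-manager code: `MANAGER_STATUS` and the `lrm_status` dict are constructed stand-ins for the two status files, `run_worker` is a stand-in worker that always succeeds, and `max_worker` is modelled as the number of commands one pass starts.

```python
"""Model of the CRM -> LRM command hand-off described in this section.

Added example, not code from pve-ha-manager. In the real stack the CRM
writes its requests to /etc/pve/ha/manager_status and the LRM writes
results to /etc/pve/nodes/<nodename>/lrm_status; here both are dicts.
"""

# Constructed stand-in for manager_status: the CRM tags every requested
# state with a UID, so a new request is distinguishable from a stale one.
MANAGER_STATUS = {
    "vm:100": {"state": "started", "uid": "u1"},
    "vm:101": {"state": "started", "uid": "u2"},
    "ct:102": {"state": "stopped", "uid": "u3"},
    "vm:103": {"state": "started", "uid": "u4"},
    "vm:104": {"state": "migrate", "uid": "u5"},
}


def pending_commands(manager_status, lrm_status):
    """Return the (sid, uid, state) commands the LRM still has to run.

    lrm_status maps a service ID to the UID of the result already written
    back for it. A request whose UID matches that result was executed
    already and is skipped; this is what keeps the LRM from acting on an
    outdated command. The exception modelled here is the stopped state,
    which the section says is executed on every pass regardless of the
    recorded result.
    """
    todo = []
    for sid, req in manager_status.items():
        already_done = lrm_status.get(sid) == req["uid"]
        if already_done and req["state"] != "stopped":
            continue
        todo.append((sid, req["uid"], req["state"]))
    return todo


def run_worker(sid, state):
    """Stand-in for the forked worker process (assumption: it always
    succeeds; the real one calls the VM/CT tooling and may fail)."""
    return f"{sid} {state}: ok"


def run_lrm_pass(manager_status, lrm_status, max_worker=4):
    """Execute one LRM pass and return the commands it ran.

    At most max_worker workers are started (the datacenter `max_worker`
    default is 4); anything beyond that stays pending for the next pass.
    Each result is recorded under the request's UID so the CRM can match
    it to what it asked for.
    """
    executed = []
    for sid, uid, state in pending_commands(manager_status, lrm_status)[:max_worker]:
        result = run_worker(sid, state)
        lrm_status[sid] = uid  # the result is now identifiable by this UID
        executed.append((sid, uid, state, result))
    return executed


if __name__ == "__main__":
    status = {}
    for n in range(1, 4):
        ran = run_lrm_pass(MANAGER_STATUS, status)
        print(f"pass {n}: {[c[0] for c in ran]}")
```

The third pass runs only the stop for `ct:102`; every other request already has a matching UID in the LRM status and is left alone until the CRM issues a new one.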
Cluster Resource Manager
~~~~~~~~~~~~~~~~~~~~~~~~

The cluster resource manager (`pve-ha-crm`) starts on each node and
waits there for the manager lock, which can only be held by one node
at a time. The node which successfully acquires the manager lock gets
promoted to the CRM master.

It can be in three states:

wait for agent lock::

The CRM waits for our exclusive lock. This is also used as idle state if no
service is configured.

active::

The CRM holds its exclusive lock and has services configured.

lost agent lock::

The CRM lost its lock, this means a failure happened and quorum was lost.

Its main task is to manage the services which are configured to be highly
available and try to always enforce the requested state. For example, a
service with the requested state 'started' will be started if it's not
already running. If it crashes it will be automatically started again.
Thus the CRM dictates the actions the LRM needs to execute.

When a node leaves the cluster quorum, its state changes to unknown.
If the current CRM can then secure the failed node's lock, the services
will be 'stolen' and restarted on another node.

When a cluster member determines that it is no longer in the cluster
quorum, the LRM waits for a new quorum to form. As long as there is no
quorum the node cannot reset the watchdog. This will trigger a reboot
after the watchdog times out (this happens after 60 seconds).


HA Simulator
------------

[thumbnail="screenshot/gui-ha-manager-status.png"]

By using the HA simulator you can test and learn all functionalities of the
Proxmox VE HA solutions.

By default, the simulator allows you to watch and test the behaviour of a
real-world 3 node cluster with 6 VMs. You can also add or remove additional VMs
or containers.

You do not have to set up or configure a real cluster, the HA simulator runs out
of the box.

Install with apt:

----
apt install pve-ha-simulator
----

You can even install the package on any Debian-based system without any
other Proxmox VE packages. For that you will need to download the package and
copy it to the system you want to run it on for installation. When you install
the package with apt from the local file system it will also resolve the
required dependencies for you.


To start the simulator on a remote machine you must have an X11 redirection to
your current system.

If you are on a Linux machine you can use:

----
ssh root@<IPofPVE> -Y
----

On Windows it works with https://mobaxterm.mobatek.net/[mobaxterm].

After connecting to an existing {pve} with the simulator installed or
installing it on your local Debian-based system manually, you can try it out as
follows.

First you need to create a working directory where the simulator saves its
current state and writes its default config:

----
mkdir working
----

Then, simply pass the created directory as a parameter to 'pve-ha-simulator':

----
pve-ha-simulator working/
----

You can then start, stop, migrate the simulated HA services, or even check out
what happens on a node failure.

Configuration
-------------

The HA stack is well integrated into the {pve} API. So, for example,
HA can be configured via the `ha-manager` command line interface, or
the {pve} web interface - both interfaces provide an easy way to
manage HA. Automation tools can use the API directly.

All HA configuration files are within `/etc/pve/ha/`, so they get
automatically distributed to the cluster nodes, and all nodes share
the same HA configuration.


[[ha_manager_resource_config]]
Resources
~~~~~~~~~

[thumbnail="screenshot/gui-ha-manager-status.png"]


The resource configuration file `/etc/pve/ha/resources.cfg` stores
the list of resources managed by `ha-manager`. A resource configuration
inside that list looks like this:

----
<type>: <name>
	<property> <value>
	...
----

It starts with a resource type followed by a resource specific name,
separated with colon. Together this forms the HA resource ID, which is
used by all `ha-manager` commands to uniquely identify a resource
(example: `vm:100` or `ct:101`). The next lines contain additional
properties:

include::ha-resources-opts.adoc[]

Here is a real world example with one VM and one container. As you see,
the syntax of those files is really simple, so it is even possible to
read or edit those files using your favorite editor:

.Configuration Example (`/etc/pve/ha/resources.cfg`)
----
vm: 501
	state started
	max_relocate 2

ct: 102
	# Note: use default settings for everything
----

[thumbnail="screenshot/gui-ha-manager-add-resource.png"]

The above config was generated using the `ha-manager` command line tool:

----
# ha-manager add vm:501 --state started --max_relocate 2
# ha-manager add ct:102
----


[[ha_manager_groups]]
Groups
~~~~~~

[thumbnail="screenshot/gui-ha-manager-groups-view.png"]

The HA group configuration file `/etc/pve/ha/groups.cfg` is used to
define groups of cluster nodes. A resource can be restricted to run
only on the members of such a group. A group configuration looks like
this:

----
group: <group>
	nodes <node_list>
	<property> <value>
	...
----

include::ha-groups-opts.adoc[]

[thumbnail="screenshot/gui-ha-manager-add-group.png"]

A common requirement is that a resource should run on a specific
node. Usually the resource is able to run on other nodes, so you can define
an unrestricted group with a single member:

----
# ha-manager groupadd prefer_node1 --nodes node1
----

For bigger clusters, it makes sense to define a more detailed failover
behavior. For example, you may want to run a set of services on
`node1` if possible. If `node1` is not available, you want to run them
equally split on `node2` and `node3`. If those nodes also fail, the
services should run on `node4`. To achieve this you could set the node
list to:

----
# ha-manager groupadd mygroup1 -nodes "node1:2,node2:1,node3:1,node4"
----

Another use case is if a resource uses other resources only available
on specific nodes, let's say `node1` and `node2`. We need to make sure
that HA manager does not use other nodes, so we need to create a
restricted group with said nodes:

----
# ha-manager groupadd mygroup2 -nodes "node1,node2" -restricted
----

The above commands created the following group configuration file:

.Configuration Example (`/etc/pve/ha/groups.cfg`)
----
group: prefer_node1
	nodes node1

group: mygroup1
	nodes node2:1,node4,node1:2,node3:1

group: mygroup2
	nodes node2,node1
	restricted 1
----


The `nofailback` option is mostly useful to avoid unwanted resource
movements during administration tasks. For example, if you need to
migrate a service to a node which doesn't have the highest priority in the
group, you need to tell the HA manager not to instantly move this service
back by setting the `nofailback` option.

Another scenario is when a service was fenced and it got recovered to
another node. The admin tries to repair the fenced node and brings it
up online again to investigate the cause of failure and check if it runs
stably again. Setting the `nofailback` flag prevents the recovered services from
moving straight back to the fenced node.


[[ha_manager_fencing]]
Fencing
-------

On node failures, fencing ensures that the erroneous node is
guaranteed to be offline. This is required to make sure that no
resource runs twice when it gets recovered on another node. This is a
really important task, because without this, it would not be possible to
recover a resource on another node.

If a node did not get fenced, it would be in an unknown state where
it may still have access to shared resources. This is really
dangerous! Imagine that every network but the storage one broke. Now,
while not reachable from the public network, the VM still runs and
writes to the shared storage.

If we then simply start up this VM on another node, we would get a
dangerous race condition, because we write from both nodes. Such
conditions can destroy all VM data and the whole VM could be rendered
unusable. The recovery could also fail if the storage protects against
multiple mounts.


How {pve} Fences
~~~~~~~~~~~~~~~~

There are different methods to fence a node, for example, fence
devices which cut off the power from the node or disable their
communication completely. Those are often quite expensive and bring
additional critical components into a system, because if they fail you
cannot recover any service.

We thus wanted to integrate a simpler fencing method, which does not
require additional external hardware. This can be done using
watchdog timers.

.Possible Fencing Methods
- external power switches
- isolate nodes by disabling complete network traffic on the switch
- self fencing using watchdog timers

Watchdog timers have been widely used in critical and dependable systems
since the beginning of microcontrollers. They are often simple, independent
integrated circuits which are used to detect and recover from computer malfunctions.

During normal operation, `ha-manager` regularly resets the watchdog
timer to prevent it from elapsing. If, due to a hardware fault or
program error, the computer fails to reset the watchdog, the timer
will elapse and trigger a reset of the whole server (reboot).

Recent server motherboards often include such hardware watchdogs, but
these need to be configured. If no watchdog is available or
configured, we fall back to the Linux Kernel 'softdog'. While still
reliable, it is not independent of the server's hardware, and thus has
a lower reliability than a hardware watchdog.



Configure Hardware Watchdog
~~~~~~~~~~~~~~~~~~~~~~~~~~~

By default, all hardware watchdog modules are blocked for security
reasons. They are like a loaded gun if not correctly initialized. To
enable a hardware watchdog, you need to specify the module to load in
'/etc/default/pve-ha-manager', for example:

----
# select watchdog module (default is softdog)
WATCHDOG_MODULE=iTCO_wdt
----

This configuration is read by the 'watchdog-mux' service, which loads
the specified module at startup.

Recover Fenced Services
~~~~~~~~~~~~~~~~~~~~~~~

After a node failed and its fencing was successful, the CRM tries to
move services from the failed node to nodes which are still online.

The selection of nodes on which those services get recovered is
influenced by the resource `group` settings, the list of currently active
nodes, and their respective active service count.

The CRM first builds a set out of the intersection between user selected
nodes (from the `group` setting) and available nodes. It then chooses the
subset of nodes with the highest priority, and finally selects the node
with the lowest active service count. This minimizes the possibility
of an overloaded node.

CAUTION: On node failure, the CRM distributes services to the
remaining nodes. This increases the service count on those nodes, and
can lead to high load, especially on small clusters. Please design
your cluster so that it can handle such worst case scenarios.


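The node selection described above, as an added example that is not code from pve-ha-manager (whose implementation is in Perl): it also applies the fallback to non-member nodes and the `restricted` group flag that the Shutdown Policy section below describes, and it breaks ties by node name, which is this example's own assumption.

```python
"""Recovery node selection as described above. Added example; not
pve-ha-manager's own (Perl) code. The fallback to non-member nodes and the
'restricted' group flag follow the Shutdown Policy section below; breaking
ties by node name is this example's own assumption."""


def select_recovery_node(group, online, active_count, restricted=False):
    """Return the node a service of a fenced node is recovered to, or None.

    group:        mapping node -> priority (higher wins), from the HA group
    online:       set of nodes currently active in the cluster
    active_count: mapping node -> number of HA services already active there
    restricted:   if True the service may only run on group members
    """
    # 1. intersection of user selected nodes and available nodes
    candidates = {n: prio for n, prio in group.items() if n in online}
    if not candidates:
        if restricted:
            return None  # no allowed node online: nothing can be recovered
        # non-members count as runnable targets when no member is available
        candidates = {n: 0 for n in online}
    if not candidates:
        return None
    # 2. keep the subset with the highest priority
    top = max(candidates.values())
    best = [n for n, prio in candidates.items() if prio == top]
    # 3. the lowest active service count wins (node name as tie-break)
    return min(best, key=lambda n: (active_count.get(n, 0), n))


def recover_all(services, failed_node, group, online, active_count,
                restricted=False):
    """Place every service of failed_node. Each placement is counted before
    the next one is chosen, so recovered services are spread over the
    remaining nodes instead of all landing on the initially least loaded one."""
    counts = {n: c for n, c in active_count.items() if n != failed_node}
    targets = online - {failed_node}
    placement = {}
    for sid in services:
        node = select_recovery_node(group, targets, counts, restricted)
        placement[sid] = node
        if node is not None:
            counts[node] = counts.get(node, 0) + 1
    return placement
```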
[[ha_manager_start_failure_policy]]
Start Failure Policy
--------------------

The start failure policy comes into effect if a service failed to start on a
node one or more times. It can be used to configure how often a restart
should be triggered on the same node and how often a service should be
relocated, so that it has an attempt to be started on another node.
The aim of this policy is to circumvent temporary unavailability of shared
resources on a specific node. For example, if a shared storage isn't available
on a quorate node anymore, for instance due to network problems, but is still
available on other nodes, the relocate policy allows the service to start
nonetheless.

There are two service start recover policy settings which can be configured
specifically for each resource.

max_restart::

Maximum number of attempts to restart a failed service on the actual
node. The default is set to one.

max_relocate::

Maximum number of attempts to relocate the service to a different node.
A relocate only happens after the max_restart value is exceeded on the
actual node. The default is set to one.

NOTE: The relocate count state will only reset to zero when the
service had at least one successful start. That means if a service is
re-started without fixing the error, only the restart policy gets
repeated.


[[ha_manager_error_recovery]]
Error Recovery
--------------

If, after all attempts, the service state could not be recovered, it gets
placed in an error state. In this state, the service won't get touched
by the HA stack anymore. The only way out is disabling a service:

----
# ha-manager set vm:100 --state disabled
----

This can also be done in the web interface.

To recover from the error state you should do the following:

* bring the resource back into a safe and consistent state (e.g.:
kill its process if the service could not be stopped)

* disable the resource to remove the error flag

* fix the error which led to these failures

* *after* you fixed all errors you may request that the service starts again


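A simplified model of the start failure policy and the error state from the two sections above, as an added example rather than pve-ha-manager's own (Perl) code; that the counters start afresh once the error flag has been removed by disabling is an assumption of the model.

```python
"""Model of the start failure policy and error state described above.
Added example, a simplified model rather than pve-ha-manager's own (Perl)
code: up to max_restart restarts on the same node, then up to max_relocate
relocations, then the error state; only a success resets the relocate count."""
from dataclasses import dataclass


@dataclass
class Service:
    sid: str
    node: str
    state: str = "started"     # started | error | disabled
    restart_tries: int = 0     # failed starts on the current node
    relocate_tries: int = 0    # relocations since the last successful start
    max_restart: int = 1       # per-resource setting, default one
    max_relocate: int = 1      # per-resource setting, default one


def on_start_result(svc, success, other_nodes=()):
    """Apply the outcome of one start attempt; return the action taken."""
    if svc.state != "started":
        return "ignored"  # services in error/disabled state are not touched
    if success:
        svc.restart_tries = svc.relocate_tries = 0  # reset only on success
        return "running"
    svc.restart_tries += 1
    if svc.restart_tries <= svc.max_restart:
        return "restart"  # try again on the same node
    # max_restart exceeded on this node: relocate if attempts are left
    if svc.relocate_tries < svc.max_relocate and other_nodes:
        svc.relocate_tries += 1
        svc.restart_tries = 0
        svc.node = other_nodes[0]
        return "relocate"
    svc.state = "error"  # all attempts used up; only disabling gets it out
    return "error"


def disable(svc):
    """Like `ha-manager set <sid> --state disabled`: removes the error flag.
    The model assumes the counters start afresh once the flag is cleared."""
    svc.state = "disabled"
    svc.restart_tries = svc.relocate_tries = 0


def request_start(svc):
    """Ask for the service to be started again after the error was fixed."""
    if svc.state == "disabled":
        svc.state = "started"
    return svc.state
```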
[[ha_manager_package_updates]]
Package Updates
---------------

When updating the ha-manager, you should do one node after the other, never
all at once for various reasons. First, while we test our software
thoroughly, a bug affecting your specific setup cannot totally be ruled out.
Updating one node after the other and checking the functionality of each node
after finishing the update helps to recover from possible problems, while
updating all at once could result in a broken cluster and is generally not
good practice.

Also, the {pve} HA stack uses a request acknowledge protocol to perform
actions between the cluster and the local resource manager. For restarting,
the LRM makes a request to the CRM to freeze all its services. This prevents
them from getting touched by the cluster during the short time the LRM is restarting.
After that, the LRM may safely close the watchdog during a restart.
Such a restart happens normally during a package update and, as already stated,
an active master CRM is needed to acknowledge the requests from the LRM. If
this is not the case, the update process can take too long which, in the worst
case, may result in a reset triggered by the watchdog.


Node Maintenance
----------------

It is sometimes necessary to shut down or reboot a node to do maintenance tasks,
such as to replace hardware, or simply to install a new kernel image. This is
also true when using the HA stack. The behaviour of the HA stack during a
shutdown can be configured.

[[ha_manager_shutdown_policy]]
Shutdown Policy
~~~~~~~~~~~~~~~

Below you will find a description of the different HA policies for a node
shutdown. Currently 'Conditional' is the default due to backward compatibility.
Some users may find that 'Migrate' behaves more as expected.

Migrate
^^^^^^^

Once the Local Resource Manager (LRM) gets a shutdown request and this policy
is enabled, it will mark itself as unavailable for the current HA manager.
This triggers a migration of all HA services currently located on this node.
The LRM will try to delay the shutdown process until all running services get
moved away. But this expects that the running services *can* be migrated to
another node. In other words, the service must not be locally bound, for example
by using hardware passthrough. As non-group member nodes are considered as
runnable targets if no group member is available, this policy can still be used
when making use of HA groups with only some nodes selected. But marking a group
as 'restricted' tells the HA manager that the service cannot run outside of the
chosen set of nodes. If all of those nodes are unavailable, the shutdown will
hang until you manually intervene. Once the shut down node comes back online
again, the previously displaced services will be moved back, if they were not
already manually migrated in-between.

NOTE: The watchdog is still active during the migration process on shutdown.
If the node loses quorum it will be fenced and the services will be recovered.

If you start a (previously stopped) service on a node which is currently being
maintained, the node needs to be fenced to ensure that the service can be moved
and started on another available node.

Failover
^^^^^^^^

This mode ensures that all services get stopped, but that they will also be
recovered, if the current node is not online soon. It can be useful when doing
maintenance on a cluster scale, where live-migrating VMs may not be possible if
too many nodes are powered off at a time, but you still want to ensure HA
services get recovered and started again as soon as possible.

Freeze
^^^^^^

This mode ensures that all services get stopped and frozen, so that they won't
get recovered until the current node is online again.

Conditional
^^^^^^^^^^^

The 'Conditional' shutdown policy automatically detects if a shutdown or a
reboot is requested, and changes behaviour accordingly.

.Shutdown

A shutdown ('poweroff') is usually done if it is planned for the node to stay
down for some time. The LRM stops all managed services in this case. This means
that other nodes will take over those services afterwards.

NOTE: Recent hardware has large amounts of memory (RAM). So we stop all
resources, then restart them to avoid online migration of all that RAM. If you
want to use online migration, you need to invoke that manually before you
shut down the node.


.Reboot

Node reboots are initiated with the 'reboot' command. This is usually done
after installing a new kernel. Please note that this is different from
``shutdown'', because the node immediately starts again.

The LRM tells the CRM that it wants to restart, and waits until the CRM puts
all resources into the `freeze` state (the same mechanism is used for
xref:ha_manager_package_updates[Package Updates]). This prevents those resources
from being moved to other nodes. Instead, the CRM starts the resources after the
reboot on the same node.


Manual Resource Movement
^^^^^^^^^^^^^^^^^^^^^^^^

Last but not least, you can also manually move resources to other nodes, before
you shut down or restart a node. The advantage is that you have full control,
and you can decide if you want to use online migration or not.

NOTE: Please do not 'kill' services like `pve-ha-crm`, `pve-ha-lrm` or
`watchdog-mux`. They manage and use the watchdog, so this can result in an
immediate node reboot or even reset.


ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]