]>
Commit | Line | Data |
---|---|---|
80c0adcb | 1 | [[chapter_ha_manager]] |
22653ac8 | 2 | ifdef::manvolnum[] |
b2f242ab DM |
3 | ha-manager(1) |
4 | ============= | |
5f09af76 DM |
5 | :pve-toplevel: |
6 | ||
22653ac8 DM |
7 | NAME |
8 | ---- | |
9 | ||
734404b4 | 10 | ha-manager - Proxmox VE HA Manager |
22653ac8 | 11 | |
49a5e11c | 12 | SYNOPSIS |
22653ac8 DM |
13 | -------- |
14 | ||
15 | include::ha-manager.1-synopsis.adoc[] | |
16 | ||
17 | DESCRIPTION | |
18 | ----------- | |
19 | endif::manvolnum[] | |
22653ac8 DM |
20 | ifndef::manvolnum[] |
21 | High Availability | |
22 | ================= | |
5f09af76 | 23 | :pve-toplevel: |
194d2f29 | 24 | endif::manvolnum[] |
b5266e9f DM |
25 | |
26 | Our modern society depends heavily on information provided by | |
27 | computers over the network. Mobile devices amplified that dependency, | |
28 | because people can access the network any time from anywhere. If you | |
29 | provide such services, it is very important that they are available | |
30 | most of the time. | |
31 | ||
32 | We can mathematically define the availability as the ratio of (A) the | |
33 | total time a service is capable of being used during a given interval | |
34 | to (B) the length of the interval. It is normally expressed as a | |
35 | percentage of uptime in a given year. | |
36 | ||
37 | .Availability - Downtime per Year | |
38 | [width="60%",cols="<d,d",options="header"] | |
39 | |=========================================================== | |
40 | |Availability % |Downtime per year | |
41 | |99 |3.65 days | |
42 | |99.9 |8.76 hours | |
43 | |99.99 |52.56 minutes | |
44 | |99.999 |5.26 minutes | |
45 | |99.9999 |31.5 seconds | |
46 | |99.99999 |3.15 seconds | |
47 | |=========================================================== | |
48 | ||
04bde502 DM |
49 | There are several ways to increase availability. The most elegant |
50 | solution is to rewrite your software, so that you can run it on | |
51 | several host at the same time. The software itself need to have a way | |
2af6af05 | 52 | to detect errors and do failover. This is relatively easy if you just |
04bde502 DM |
53 | want to serve read-only web pages. But in general this is complex, and |
54 | sometimes impossible because you cannot modify the software | |
55 | yourself. The following solutions works without modifying the | |
56 | software: | |
57 | ||
8c1189b6 | 58 | * Use reliable ``server'' components |
fd9e8984 | 59 | + |
04bde502 | 60 | NOTE: Computer components with same functionality can have varying |
2af6af05 | 61 | reliability numbers, depending on the component quality. Most vendors |
8c1189b6 | 62 | sell components with higher reliability as ``server'' components - |
04bde502 | 63 | usually at higher price. |
b5266e9f DM |
64 | |
65 | * Eliminate single point of failure (redundant components) | |
8c1189b6 FG |
66 | ** use an uninterruptible power supply (UPS) |
67 | ** use redundant power supplies on the main boards | |
68 | ** use ECC-RAM | |
69 | ** use redundant network hardware | |
70 | ** use RAID for local storage | |
71 | ** use distributed, redundant storage for VM data | |
b5266e9f DM |
72 | |
73 | * Reduce downtime | |
8c1189b6 FG |
74 | ** rapidly accessible administrators (24/7) |
75 | ** availability of spare parts (other nodes in a {pve} cluster) | |
76 | ** automatic error detection (provided by `ha-manager`) | |
77 | ** automatic failover (provided by `ha-manager`) | |
b5266e9f | 78 | |
5771d9b0 | 79 | Virtualization environments like {pve} make it much easier to reach |
8c1189b6 | 80 | high availability because they remove the ``hardware'' dependency. They |
04bde502 DM |
81 | also support to setup and use redundant storage and network |
82 | devices. So if one host fail, you can simply start those services on | |
43da8322 DM |
83 | another host within your cluster. |
84 | ||
8c1189b6 | 85 | Even better, {pve} provides a software stack called `ha-manager`, |
43da8322 DM |
86 | which can do that automatically for you. It is able to automatically |
87 | detect errors and do automatic failover. | |
88 | ||
8c1189b6 | 89 | {pve} `ha-manager` works like an ``automated'' administrator. First, you |
43da8322 | 90 | configure what resources (VMs, containers, ...) it should |
8c1189b6 FG |
91 | manage. `ha-manager` then observes correct functionality, and handles |
92 | service failover to another node in case of errors. `ha-manager` can | |
43da8322 DM |
93 | also handle normal user requests which may start, stop, relocate and |
94 | migrate a service. | |
04bde502 DM |
95 | |
96 | But high availability comes at a price. High quality components are | |
97 | more expensive, and making them redundant duplicates the costs at | |
98 | least. Additional spare parts increase costs further. So you should | |
99 | carefully calculate the benefits, and compare with those additional | |
100 | costs. | |
101 | ||
102 | TIP: Increasing availability from 99% to 99.9% is relatively | |
103 | simply. But increasing availability from 99.9999% to 99.99999% is very | |
8c1189b6 | 104 | hard and costly. `ha-manager` has typical error detection and failover |
43da8322 DM |
105 | times of about 2 minutes, so you can get no more than 99.999% |
106 | availability. | |
b5266e9f | 107 | |
823fa863 | 108 | |
5bd515d4 DM |
109 | Requirements |
110 | ------------ | |
3810ae1e | 111 | |
823fa863 DM |
112 | You must meet the following requirements before you start with HA: |
113 | ||
5bd515d4 | 114 | * at least three cluster nodes (to get reliable quorum) |
43da8322 | 115 | |
5bd515d4 | 116 | * shared storage for VMs and containers |
43da8322 | 117 | |
5bd515d4 | 118 | * hardware redundancy (everywhere) |
3810ae1e | 119 | |
823fa863 DM |
120 | * use reliable “server” components |
121 | ||
5bd515d4 | 122 | * hardware watchdog - if not available we fall back to the |
8c1189b6 | 123 | linux kernel software watchdog (`softdog`) |
3810ae1e | 124 | |
5bd515d4 | 125 | * optional hardware fencing devices |
3810ae1e | 126 | |
3810ae1e | 127 | |
80c0adcb | 128 | [[ha_manager_resources]] |
5bd515d4 DM |
129 | Resources |
130 | --------- | |
131 | ||
8c1189b6 FG |
132 | We call the primary management unit handled by `ha-manager` a |
133 | resource. A resource (also called ``service'') is uniquely | |
5bd515d4 | 134 | identified by a service ID (SID), which consists of the resource type |
8c1189b6 FG |
135 | and an type specific ID, e.g.: `vm:100`. That example would be a |
136 | resource of type `vm` (virtual machine) with the ID 100. | |
5bd515d4 DM |
137 | |
138 | For now we have two important resources types - virtual machines and | |
139 | containers. One basic idea here is that we can bundle related software | |
140 | into such VM or container, so there is no need to compose one big | |
8c1189b6 | 141 | service from other services, like it was done with `rgmanager`. In |
5bd515d4 | 142 | general, a HA enabled resource should not depend on other resources. |
3810ae1e | 143 | |
22653ac8 | 144 | |
2b52e195 | 145 | How It Works |
22653ac8 DM |
146 | ------------ |
147 | ||
c7470421 DM |
148 | This section provides a detailed description of the {PVE} HA manager |
149 | internals. It describes all involved daemons and how they work | |
150 | together. To provide HA, two daemons run on each node: | |
3810ae1e | 151 | |
8c1189b6 | 152 | `pve-ha-lrm`:: |
3810ae1e | 153 | |
1600c60a DM |
154 | The local resource manager (LRM), which controls the services running on |
155 | the local node. It reads the requested states for its services from | |
156 | the current manager status file and executes the respective commands. | |
3810ae1e | 157 | |
8c1189b6 | 158 | `pve-ha-crm`:: |
3810ae1e | 159 | |
1600c60a DM |
160 | The cluster resource manager (CRM), which makes the cluster wide |
161 | decisions. It sends commands to the LRM, processes the results, | |
162 | and moves resources to other nodes if something fails. The CRM also | |
163 | handles node fencing. | |
164 | ||
3810ae1e TL |
165 | |
166 | .Locks in the LRM & CRM | |
167 | [NOTE] | |
168 | Locks are provided by our distributed configuration file system (pmxcfs). | |
5771d9b0 TL |
169 | They are used to guarantee that each LRM is active once and working. As a |
170 | LRM only executes actions when it holds its lock we can mark a failed node | |
171 | as fenced if we can acquire its lock. This lets us then recover any failed | |
5eba0743 | 172 | HA services securely without any interference from the now unknown failed node. |
3810ae1e TL |
173 | This all gets supervised by the CRM which holds currently the manager master |
174 | lock. | |
175 | ||
c7470421 DM |
176 | |
177 | Service States | |
178 | ~~~~~~~~~~~~~~ | |
179 | ||
180 | The CRM use a service state enumeration to record the current service | |
181 | state. We display this state on the GUI and you can query it using | |
182 | the `ha-manager` command line tool: | |
183 | ||
184 | ---- | |
185 | # ha-manager status | |
186 | quorum OK | |
187 | master elsa (active, Mon Nov 21 07:23:29 2016) | |
188 | lrm elsa (active, Mon Nov 21 07:23:22 2016) | |
189 | service ct:100 (elsa, stopped) | |
190 | service ct:102 (elsa, started) | |
191 | service vm:501 (elsa, started) | |
192 | ---- | |
193 | ||
194 | Here is the list of possible states: | |
195 | ||
196 | stopped:: | |
197 | ||
198 | Service is stopped (confirmed by LRM). If the LRM detects a stopped | |
199 | service is still running, it will stop it again. | |
200 | ||
201 | request_stop:: | |
202 | ||
203 | Service should be stopped. The CRM waits for confirmation from the | |
204 | LRM. | |
205 | ||
206 | started:: | |
207 | ||
208 | Service is active an LRM should start it ASAP if not already running. | |
209 | If the Service fails and is detected to be not running the LRM | |
210 | restarts it | |
211 | (see xref:ha_manager_start_failure_policy[Start Failure Policy]). | |
212 | ||
213 | fence:: | |
214 | ||
215 | Wait for node fencing (service node is not inside quorate cluster | |
216 | partition). As soon as node gets fenced successfully the service will | |
217 | be recovered to another node, if possible | |
218 | (see xref:ha_manager_fencing[Fencing]). | |
219 | ||
220 | freeze:: | |
221 | ||
222 | Do not touch the service state. We use this state while we reboot a | |
223 | node, or when we restart the LRM daemon | |
224 | (see xref:ha_manager_package_updates[Package Updates]). | |
225 | ||
226 | migrate:: | |
227 | ||
228 | Migrate service (live) to other node. | |
229 | ||
230 | error:: | |
231 | ||
232 | Service is disabled because of LRM errors. Needs manual intervention | |
233 | (see xref:ha_manager_error_recovery[Error Recovery]). | |
234 | ||
235 | ||
3810ae1e TL |
236 | Local Resource Manager |
237 | ~~~~~~~~~~~~~~~~~~~~~~ | |
238 | ||
8c1189b6 | 239 | The local resource manager (`pve-ha-lrm`) is started as a daemon on |
3810ae1e TL |
240 | boot and waits until the HA cluster is quorate and thus cluster wide |
241 | locks are working. | |
242 | ||
243 | It can be in three states: | |
244 | ||
b8663359 | 245 | wait for agent lock:: |
e1ea726a FG |
246 | |
247 | The LRM waits for our exclusive lock. This is also used as idle state if no | |
248 | service is configured. | |
249 | ||
b8663359 | 250 | active:: |
e1ea726a FG |
251 | |
252 | The LRM holds its exclusive lock and has services configured. | |
253 | ||
b8663359 | 254 | lost agent lock:: |
e1ea726a FG |
255 | |
256 | The LRM lost its lock, this means a failure happened and quorum was lost. | |
3810ae1e TL |
257 | |
258 | After the LRM gets in the active state it reads the manager status | |
8c1189b6 | 259 | file in `/etc/pve/ha/manager_status` and determines the commands it |
2af6af05 | 260 | has to execute for the services it owns. |
3810ae1e | 261 | For each command a worker gets started, this workers are running in |
5eba0743 | 262 | parallel and are limited to at most 4 by default. This default setting |
8c1189b6 | 263 | may be changed through the datacenter configuration key `max_worker`. |
2af6af05 TL |
264 | When finished the worker process gets collected and its result saved for |
265 | the CRM. | |
3810ae1e | 266 | |
5eba0743 | 267 | .Maximum Concurrent Worker Adjustment Tips |
3810ae1e | 268 | [NOTE] |
5eba0743 | 269 | The default value of at most 4 concurrent workers may be unsuited for |
3810ae1e TL |
270 | a specific setup. For example may 4 live migrations happen at the same |
271 | time, which can lead to network congestions with slower networks and/or | |
272 | big (memory wise) services. Ensure that also in the worst case no congestion | |
8c1189b6 | 273 | happens and lower the `max_worker` value if needed. In the contrary, if you |
3810ae1e TL |
274 | have a particularly powerful high end setup you may also want to increase it. |
275 | ||
276 | Each command requested by the CRM is uniquely identifiable by an UID, when | |
277 | the worker finished its result will be processed and written in the LRM | |
8c1189b6 | 278 | status file `/etc/pve/nodes/<nodename>/lrm_status`. There the CRM may collect |
3810ae1e TL |
279 | it and let its state machine - respective the commands output - act on it. |
280 | ||
281 | The actions on each service between CRM and LRM are normally always synced. | |
282 | This means that the CRM requests a state uniquely marked by an UID, the LRM | |
283 | then executes this action *one time* and writes back the result, also | |
284 | identifiable by the same UID. This is needed so that the LRM does not | |
285 | executes an outdated command. | |
8c1189b6 | 286 | With the exception of the `stop` and the `error` command, |
c9aa5d47 | 287 | those two do not depend on the result produced and are executed |
3810ae1e TL |
288 | always in the case of the stopped state and once in the case of |
289 | the error state. | |
290 | ||
291 | .Read the Logs | |
292 | [NOTE] | |
293 | The HA Stack logs every action it makes. This helps to understand what | |
294 | and also why something happens in the cluster. Here its important to see | |
295 | what both daemons, the LRM and the CRM, did. You may use | |
296 | `journalctl -u pve-ha-lrm` on the node(s) where the service is and | |
297 | the same command for the pve-ha-crm on the node which is the current master. | |
298 | ||
299 | Cluster Resource Manager | |
300 | ~~~~~~~~~~~~~~~~~~~~~~~~ | |
22653ac8 | 301 | |
8c1189b6 | 302 | The cluster resource manager (`pve-ha-crm`) starts on each node and |
22653ac8 DM |
303 | waits there for the manager lock, which can only be held by one node |
304 | at a time. The node which successfully acquires the manager lock gets | |
3810ae1e TL |
305 | promoted to the CRM master. |
306 | ||
2af6af05 | 307 | It can be in three states: |
3810ae1e | 308 | |
b8663359 | 309 | wait for agent lock:: |
e1ea726a | 310 | |
97ae300a | 311 | The CRM waits for our exclusive lock. This is also used as idle state if no |
e1ea726a FG |
312 | service is configured |
313 | ||
b8663359 | 314 | active:: |
e1ea726a | 315 | |
97ae300a | 316 | The CRM holds its exclusive lock and has services configured |
e1ea726a | 317 | |
b8663359 | 318 | lost agent lock:: |
e1ea726a | 319 | |
97ae300a | 320 | The CRM lost its lock, this means a failure happened and quorum was lost. |
3810ae1e TL |
321 | |
322 | It main task is to manage the services which are configured to be highly | |
2af6af05 | 323 | available and try to always enforce them to the wanted state, e.g.: a |
3810ae1e | 324 | enabled service will be started if its not running, if it crashes it will |
2af6af05 | 325 | be started again. Thus it dictates the LRM the actions it needs to execute. |
22653ac8 DM |
326 | |
327 | When an node leaves the cluster quorum, its state changes to unknown. | |
328 | If the current CRM then can secure the failed nodes lock, the services | |
329 | will be 'stolen' and restarted on another node. | |
330 | ||
331 | When a cluster member determines that it is no longer in the cluster | |
332 | quorum, the LRM waits for a new quorum to form. As long as there is no | |
333 | quorum the node cannot reset the watchdog. This will trigger a reboot | |
2af6af05 | 334 | after the watchdog then times out, this happens after 60 seconds. |
22653ac8 | 335 | |
85363588 | 336 | |
2b52e195 | 337 | Configuration |
22653ac8 DM |
338 | ------------- |
339 | ||
85363588 DM |
340 | The HA stack is well integrated into the {pve} API. So, for example, |
341 | HA can be configured via the `ha-manager` command line interface, or | |
342 | the {pve} web interface - both interfaces provide an easy way to | |
343 | manage HA. Automation tools can use the API directly. | |
344 | ||
345 | All HA configuration files are within `/etc/pve/ha/`, so they get | |
346 | automatically distributed to the cluster nodes, and all nodes share | |
347 | the same HA configuration. | |
348 | ||
206c2476 DM |
349 | |
350 | Resources | |
351 | ~~~~~~~~~ | |
352 | ||
85363588 DM |
353 | The resource configuration file `/etc/pve/ha/resources.cfg` stores |
354 | the list of resources managed by `ha-manager`. A resource configuration | |
355 | inside that list look like this: | |
356 | ||
357 | ---- | |
8bdc398c | 358 | <type>: <name> |
85363588 DM |
359 | <property> <value> |
360 | ... | |
361 | ---- | |
362 | ||
698e5dd2 DM |
363 | It starts with a resource type followed by a resource specific name, |
364 | separated with colon. Together this forms the HA resource ID, which is | |
365 | used by all `ha-manager` commands to uniquely identify a resource | |
a9c77fec DM |
366 | (example: `vm:100` or `ct:101`). The next lines contain additional |
367 | properties: | |
85363588 DM |
368 | |
369 | include::ha-resources-opts.adoc[] | |
370 | ||
8bdc398c DM |
371 | Here is a real world example with one VM and one container. As you see, |
372 | the syntax of those files is really simple, so it is even posiible to | |
373 | read or edit those files using your favorite editor: | |
374 | ||
e7b9b0ac | 375 | .Configuration Example (`/etc/pve/ha/resources.cfg`) |
8bdc398c DM |
376 | ---- |
377 | vm: 501 | |
378 | state started | |
379 | max_relocate 2 | |
380 | ||
381 | ct: 102 | |
a319e18b DM |
382 | # Note: use default settings for everything |
383 | ---- | |
384 | ||
385 | Above config was generated using the `ha-manager` command line tool: | |
386 | ||
387 | ---- | |
388 | # ha-manager add vm:501 --state started --max_relocate 2 | |
389 | # ha-manager add ct:102 | |
8bdc398c DM |
390 | ---- |
391 | ||
85363588 | 392 | |
1acab952 | 393 | [[ha_manager_groups]] |
206c2476 DM |
394 | Groups |
395 | ~~~~~~ | |
396 | ||
85363588 DM |
397 | The HA group configuration file `/etc/pve/ha/groups.cfg` is used to |
398 | define groups of cluster nodes. A resource can be restricted to run | |
206c2476 DM |
399 | only on the members of such group. A group configuration look like |
400 | this: | |
85363588 | 401 | |
206c2476 DM |
402 | ---- |
403 | group: <group> | |
404 | nodes <node_list> | |
405 | <property> <value> | |
406 | ... | |
407 | ---- | |
85363588 | 408 | |
206c2476 | 409 | include::ha-groups-opts.adoc[] |
22653ac8 | 410 | |
1acab952 DM |
411 | A commom requirement is that a resource should run on a specific |
412 | node. Usually the resource is able to run on other nodes, so you can define | |
413 | an unrestricted group with a single member: | |
414 | ||
415 | ---- | |
416 | # ha-manager groupadd prefer_node1 --nodes node1 | |
417 | ---- | |
418 | ||
419 | For bigger clusters, it makes sense to define a more detailed failover | |
420 | behavior. For example, you may want to run a set of services on | |
421 | `node1` if possible. If `node1` is not available, you want to run them | |
422 | equally splitted on `node2` and `node3`. If those nodes also fail the | |
423 | services should run on `node4`. To achieve this you could set the node | |
424 | list to: | |
425 | ||
426 | ---- | |
427 | # ha-manager groupadd mygroup1 -nodes "node1:2,node2:1,node3:1,node4" | |
428 | ---- | |
429 | ||
430 | Another use case is if a resource uses other resources only available | |
431 | on specific nodes, lets say `node1` and `node2`. We need to make sure | |
432 | that HA manager does not use other nodes, so we need to create a | |
433 | restricted group with said nodes: | |
434 | ||
435 | ---- | |
436 | # ha-manager groupadd mygroup2 -nodes "node1,node2" -restricted | |
437 | ---- | |
438 | ||
439 | Above commands created the following group configuration fils: | |
440 | ||
441 | .Configuration Example (`/etc/pve/ha/groups.cfg`) | |
442 | ---- | |
443 | group: prefer_node1 | |
444 | nodes node1 | |
445 | ||
446 | group: mygroup1 | |
447 | nodes node2:1,node4,node1:2,node3:1 | |
448 | ||
449 | group: mygroup2 | |
450 | nodes node2,node1 | |
451 | restricted 1 | |
452 | ---- | |
453 | ||
454 | ||
455 | The `nofailback` options is mostly useful to avoid unwanted resource | |
456 | movements during administartion tasks. For example, if you need to | |
457 | migrate a service to a node which hasn't the highest priority in the | |
458 | group, you need to tell the HA manager to not move this service | |
459 | instantly back by setting the `nofailback` option. | |
460 | ||
461 | Another scenario is when a service was fenced and it got recovered to | |
462 | another node. The admin tries to repair the fenced node and brings it | |
463 | up online again to investigate the failure cause and check if it runs | |
464 | stable again. Setting the `nofailback` flag prevents that the | |
465 | recovered services move straight back to the fenced node. | |
466 | ||
22653ac8 | 467 | |
3810ae1e TL |
468 | Node Power Status |
469 | ----------------- | |
470 | ||
471 | If a node needs maintenance you should migrate and or relocate all | |
472 | services which are required to run always on another node first. | |
473 | After that you can stop the LRM and CRM services. But note that the | |
474 | watchdog triggers if you stop it with active services. | |
475 | ||
c7470421 DM |
476 | |
477 | [[ha_manager_package_updates]] | |
5771d9b0 TL |
478 | Package Updates |
479 | --------------- | |
480 | ||
2af6af05 | 481 | When updating the ha-manager you should do one node after the other, never |
5771d9b0 TL |
482 | all at once for various reasons. First, while we test our software |
483 | thoughtfully, a bug affecting your specific setup cannot totally be ruled out. | |
484 | Upgrading one node after the other and checking the functionality of each node | |
485 | after finishing the update helps to recover from an eventual problems, while | |
486 | updating all could render you in a broken cluster state and is generally not | |
487 | good practice. | |
488 | ||
489 | Also, the {pve} HA stack uses a request acknowledge protocol to perform | |
490 | actions between the cluster and the local resource manager. For restarting, | |
491 | the LRM makes a request to the CRM to freeze all its services. This prevents | |
492 | that they get touched by the Cluster during the short time the LRM is restarting. | |
493 | After that the LRM may safely close the watchdog during a restart. | |
494 | Such a restart happens on a update and as already stated a active master | |
495 | CRM is needed to acknowledge the requests from the LRM, if this is not the case | |
496 | the update process can be too long which, in the worst case, may result in | |
497 | a watchdog reset. | |
498 | ||
2af6af05 | 499 | |
80c0adcb | 500 | [[ha_manager_fencing]] |
3810ae1e TL |
501 | Fencing |
502 | ------- | |
503 | ||
5eba0743 | 504 | What is Fencing |
3810ae1e TL |
505 | ~~~~~~~~~~~~~~~ |
506 | ||
507 | Fencing secures that on a node failure the dangerous node gets will be rendered | |
508 | unable to do any damage and that no resource runs twice when it gets recovered | |
5771d9b0 TL |
509 | from the failed node. This is a really important task and one of the base |
510 | principles to make a system Highly Available. | |
511 | ||
512 | If a node would not get fenced it would be in an unknown state where it may | |
513 | have still access to shared resources, this is really dangerous! | |
514 | Imagine that every network but the storage one broke, now while not | |
515 | reachable from the public network the VM still runs and writes on the shared | |
516 | storage. If we would not fence the node and just start up this VM on another | |
517 | Node we would get dangerous race conditions, atomicity violations the whole VM | |
518 | could be rendered unusable. The recovery could also simply fail if the storage | |
519 | protects from multiple mounts and thus defeat the purpose of HA. | |
520 | ||
521 | How {pve} Fences | |
522 | ~~~~~~~~~~~~~~~~~ | |
523 | ||
524 | There are different methods to fence a node, for example fence devices which | |
525 | cut off the power from the node or disable their communication completely. | |
526 | ||
527 | Those are often quite expensive and bring additional critical components in | |
528 | a system, because if they fail you cannot recover any service. | |
529 | ||
530 | We thus wanted to integrate a simpler method in the HA Manager first, namely | |
531 | self fencing with watchdogs. | |
532 | ||
533 | Watchdogs are widely used in critical and dependable systems since the | |
534 | beginning of micro controllers, they are often independent and simple | |
535 | integrated circuit which programs can use to watch them. After opening they need to | |
536 | report periodically. If, for whatever reason, a program becomes unable to do | |
537 | so the watchdogs triggers a reset of the whole server. | |
538 | ||
539 | Server motherboards often already include such hardware watchdogs, these need | |
540 | to be configured. If no watchdog is available or configured we fall back to the | |
541 | Linux Kernel softdog while still reliable it is not independent of the servers | |
542 | Hardware and thus has a lower reliability then a hardware watchdog. | |
3810ae1e TL |
543 | |
544 | Configure Hardware Watchdog | |
545 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
546 | By default all watchdog modules are blocked for security reasons as they are | |
547 | like a loaded gun if not correctly initialized. | |
c9aa5d47 | 548 | If you have a hardware watchdog available remove its kernel module from the |
8c1189b6 | 549 | blacklist, load it with insmod and restart the `watchdog-mux` service or reboot |
c9aa5d47 | 550 | the node. |
3810ae1e | 551 | |
2957ef80 TL |
552 | Recover Fenced Services |
553 | ~~~~~~~~~~~~~~~~~~~~~~~ | |
554 | ||
555 | After a node failed and its fencing was successful we start to recover services | |
556 | to other available nodes and restart them there so that they can provide service | |
557 | again. | |
558 | ||
559 | The selection of the node on which the services gets recovered is influenced | |
560 | by the users group settings, the currently active nodes and their respective | |
561 | active service count. | |
562 | First we build a set out of the intersection between user selected nodes and | |
563 | available nodes. Then the subset with the highest priority of those nodes | |
564 | gets chosen as possible nodes for recovery. We select the node with the | |
565 | currently lowest active service count as a new node for the service. | |
566 | That minimizes the possibility of an overload, which else could cause an | |
567 | unresponsive node and as a result a chain reaction of node failures in the | |
568 | cluster. | |
569 | ||
22653ac8 | 570 | |
c7470421 | 571 | [[ha_manager_start_failure_policy]] |
a3189ad1 TL |
572 | Start Failure Policy |
573 | --------------------- | |
574 | ||
575 | The start failure policy comes in effect if a service failed to start on a | |
576 | node once ore more times. It can be used to configure how often a restart | |
577 | should be triggered on the same node and how often a service should be | |
578 | relocated so that it gets a try to be started on another node. | |
579 | The aim of this policy is to circumvent temporary unavailability of shared | |
580 | resources on a specific node. For example, if a shared storage isn't available | |
581 | on a quorate node anymore, e.g. network problems, but still on other nodes, | |
582 | the relocate policy allows then that the service gets started nonetheless. | |
583 | ||
584 | There are two service start recover policy settings which can be configured | |
22653ac8 DM |
585 | specific for each resource. |
586 | ||
587 | max_restart:: | |
588 | ||
5eba0743 | 589 | Maximum number of tries to restart an failed service on the actual |
22653ac8 DM |
590 | node. The default is set to one. |
591 | ||
592 | max_relocate:: | |
593 | ||
5eba0743 | 594 | Maximum number of tries to relocate the service to a different node. |
22653ac8 DM |
595 | A relocate only happens after the max_restart value is exceeded on the |
596 | actual node. The default is set to one. | |
597 | ||
0abc65b0 | 598 | NOTE: The relocate count state will only reset to zero when the |
22653ac8 DM |
599 | service had at least one successful start. That means if a service is |
600 | re-enabled without fixing the error only the restart policy gets | |
601 | repeated. | |
602 | ||
c7470421 DM |
603 | |
604 | [[ha_manager_error_recovery]] | |
2b52e195 | 605 | Error Recovery |
22653ac8 DM |
606 | -------------- |
607 | ||
608 | If after all tries the service state could not be recovered it gets | |
609 | placed in an error state. In this state the service won't get touched | |
610 | by the HA stack anymore. To recover from this state you should follow | |
611 | these steps: | |
612 | ||
5eba0743 | 613 | * bring the resource back into a safe and consistent state (e.g., |
22653ac8 DM |
614 | killing its process) |
615 | ||
616 | * disable the ha resource to place it in an stopped state | |
617 | ||
618 | * fix the error which led to this failures | |
619 | ||
620 | * *after* you fixed all errors you may enable the service again | |
621 | ||
622 | ||
8b598c33 | 623 | [[ha_manager_service_operations]] |
2b52e195 | 624 | Service Operations |
22653ac8 DM |
625 | ------------------ |
626 | ||
627 | This are how the basic user-initiated service operations (via | |
8c1189b6 | 628 | `ha-manager`) work. |
22653ac8 DM |
629 | |
630 | enable:: | |
631 | ||
5eba0743 | 632 | The service will be started by the LRM if not already running. |
22653ac8 DM |
633 | |
634 | disable:: | |
635 | ||
5eba0743 | 636 | The service will be stopped by the LRM if running. |
22653ac8 DM |
637 | |
638 | migrate/relocate:: | |
639 | ||
5eba0743 | 640 | The service will be relocated (live) to another node. |
22653ac8 DM |
641 | |
642 | remove:: | |
643 | ||
5eba0743 | 644 | The service will be removed from the HA managed resource list. Its |
22653ac8 DM |
645 | current state will not be touched. |
646 | ||
647 | start/stop:: | |
648 | ||
8c1189b6 FG |
649 | `start` and `stop` commands can be issued to the resource specific tools |
650 | (like `qm` or `pct`), they will forward the request to the | |
651 | `ha-manager` which then will execute the action and set the resulting | |
22653ac8 DM |
652 | service state (enabled, disabled). |
653 | ||
654 | ||
22653ac8 DM |
655 | ifdef::manvolnum[] |
656 | include::pve-copyright.adoc[] | |
657 | endif::manvolnum[] | |
658 |