5 include::attributes.txt[]
11 ha-manager - Proxmox VE HA Manager
16 include::ha-manager.1-synopsis.adoc[]
24 include::attributes.txt[]
30 Our modern society depends heavily on information provided by
31 computers over the network. Mobile devices amplified that dependency,
32 because people can access the network any time from anywhere. If you
33 provide such services, it is very important that they are available
36 We can mathematically define the availability as the ratio of (A) the
37 total time a service is capable of being used during a given interval
38 to (B) the length of the interval. It is normally expressed as a
39 percentage of uptime in a given year.
41 .Availability - Downtime per Year
42 [width="60%",cols="<d,d",options="header"]
43 |===========================================================
44 |Availability % |Downtime per year
49 |99.9999 |31.5 seconds
50 |99.99999 |3.15 seconds
51 |===========================================================
53 There are several ways to increase availability. The most elegant
54 solution is to rewrite your software, so that you can run it on
55 several host at the same time. The software itself need to have a way
56 to detect errors and do failover. This is relatively easy if you just
57 want to serve read-only web pages. But in general this is complex, and
58 sometimes impossible because you cannot modify the software
59 yourself. The following solutions works without modifying the
62 * Use reliable ``server'' components
64 NOTE: Computer components with same functionality can have varying
65 reliability numbers, depending on the component quality. Most vendors
66 sell components with higher reliability as ``server'' components -
67 usually at higher price.
69 * Eliminate single point of failure (redundant components)
70 ** use an uninterruptible power supply (UPS)
71 ** use redundant power supplies on the main boards
73 ** use redundant network hardware
74 ** use RAID for local storage
75 ** use distributed, redundant storage for VM data
78 ** rapidly accessible administrators (24/7)
79 ** availability of spare parts (other nodes in a {pve} cluster)
80 ** automatic error detection (provided by `ha-manager`)
81 ** automatic failover (provided by `ha-manager`)
83 Virtualization environments like {pve} make it much easier to reach
84 high availability because they remove the ``hardware'' dependency. They
85 also support to setup and use redundant storage and network
86 devices. So if one host fail, you can simply start those services on
87 another host within your cluster.
89 Even better, {pve} provides a software stack called `ha-manager`,
90 which can do that automatically for you. It is able to automatically
91 detect errors and do automatic failover.
93 {pve} `ha-manager` works like an ``automated'' administrator. First, you
94 configure what resources (VMs, containers, ...) it should
95 manage. `ha-manager` then observes correct functionality, and handles
96 service failover to another node in case of errors. `ha-manager` can
97 also handle normal user requests which may start, stop, relocate and
100 But high availability comes at a price. High quality components are
101 more expensive, and making them redundant duplicates the costs at
102 least. Additional spare parts increase costs further. So you should
103 carefully calculate the benefits, and compare with those additional
106 TIP: Increasing availability from 99% to 99.9% is relatively
107 simply. But increasing availability from 99.9999% to 99.99999% is very
108 hard and costly. `ha-manager` has typical error detection and failover
109 times of about 2 minutes, so you can get no more than 99.999%
115 * at least three cluster nodes (to get reliable quorum)
117 * shared storage for VMs and containers
119 * hardware redundancy (everywhere)
121 * hardware watchdog - if not available we fall back to the
122 linux kernel software watchdog (`softdog`)
124 * optional hardware fencing devices
127 [[ha_manager_resources]]
131 We call the primary management unit handled by `ha-manager` a
132 resource. A resource (also called ``service'') is uniquely
133 identified by a service ID (SID), which consists of the resource type
134 and an type specific ID, e.g.: `vm:100`. That example would be a
135 resource of type `vm` (virtual machine) with the ID 100.
137 For now we have two important resources types - virtual machines and
138 containers. One basic idea here is that we can bundle related software
139 into such VM or container, so there is no need to compose one big
140 service from other services, like it was done with `rgmanager`. In
141 general, a HA enabled resource should not depend on other resources.
147 This section provides an in detail description of the {PVE} HA-manager
148 internals. It describes how the CRM and the LRM work together.
150 To provide High Availability two daemons run on each node:
154 The local resource manager (LRM), it controls the services running on
156 It reads the requested states for its services from the current manager
157 status file and executes the respective commands.
161 The cluster resource manager (CRM), it controls the cluster wide
162 actions of the services, processes the LRM results and includes the state
163 machine which controls the state of each service.
165 .Locks in the LRM & CRM
167 Locks are provided by our distributed configuration file system (pmxcfs).
168 They are used to guarantee that each LRM is active once and working. As a
169 LRM only executes actions when it holds its lock we can mark a failed node
170 as fenced if we can acquire its lock. This lets us then recover any failed
171 HA services securely without any interference from the now unknown failed node.
172 This all gets supervised by the CRM which holds currently the manager master
175 Local Resource Manager
176 ~~~~~~~~~~~~~~~~~~~~~~
178 The local resource manager (`pve-ha-lrm`) is started as a daemon on
179 boot and waits until the HA cluster is quorate and thus cluster wide
182 It can be in three states:
184 wait for agent lock::
186 The LRM waits for our exclusive lock. This is also used as idle state if no
187 service is configured.
191 The LRM holds its exclusive lock and has services configured.
195 The LRM lost its lock, this means a failure happened and quorum was lost.
197 After the LRM gets in the active state it reads the manager status
198 file in `/etc/pve/ha/manager_status` and determines the commands it
199 has to execute for the services it owns.
200 For each command a worker gets started, this workers are running in
201 parallel and are limited to at most 4 by default. This default setting
202 may be changed through the datacenter configuration key `max_worker`.
203 When finished the worker process gets collected and its result saved for
206 .Maximum Concurrent Worker Adjustment Tips
208 The default value of at most 4 concurrent workers may be unsuited for
209 a specific setup. For example may 4 live migrations happen at the same
210 time, which can lead to network congestions with slower networks and/or
211 big (memory wise) services. Ensure that also in the worst case no congestion
212 happens and lower the `max_worker` value if needed. In the contrary, if you
213 have a particularly powerful high end setup you may also want to increase it.
215 Each command requested by the CRM is uniquely identifiable by an UID, when
216 the worker finished its result will be processed and written in the LRM
217 status file `/etc/pve/nodes/<nodename>/lrm_status`. There the CRM may collect
218 it and let its state machine - respective the commands output - act on it.
220 The actions on each service between CRM and LRM are normally always synced.
221 This means that the CRM requests a state uniquely marked by an UID, the LRM
222 then executes this action *one time* and writes back the result, also
223 identifiable by the same UID. This is needed so that the LRM does not
224 executes an outdated command.
225 With the exception of the `stop` and the `error` command,
226 those two do not depend on the result produced and are executed
227 always in the case of the stopped state and once in the case of
232 The HA Stack logs every action it makes. This helps to understand what
233 and also why something happens in the cluster. Here its important to see
234 what both daemons, the LRM and the CRM, did. You may use
235 `journalctl -u pve-ha-lrm` on the node(s) where the service is and
236 the same command for the pve-ha-crm on the node which is the current master.
238 Cluster Resource Manager
239 ~~~~~~~~~~~~~~~~~~~~~~~~
241 The cluster resource manager (`pve-ha-crm`) starts on each node and
242 waits there for the manager lock, which can only be held by one node
243 at a time. The node which successfully acquires the manager lock gets
244 promoted to the CRM master.
246 It can be in three states:
248 wait for agent lock::
250 The CRM waits for our exclusive lock. This is also used as idle state if no
251 service is configured
255 The CRM holds its exclusive lock and has services configured
259 The CRM lost its lock, this means a failure happened and quorum was lost.
261 It main task is to manage the services which are configured to be highly
262 available and try to always enforce them to the wanted state, e.g.: a
263 enabled service will be started if its not running, if it crashes it will
264 be started again. Thus it dictates the LRM the actions it needs to execute.
266 When an node leaves the cluster quorum, its state changes to unknown.
267 If the current CRM then can secure the failed nodes lock, the services
268 will be 'stolen' and restarted on another node.
270 When a cluster member determines that it is no longer in the cluster
271 quorum, the LRM waits for a new quorum to form. As long as there is no
272 quorum the node cannot reset the watchdog. This will trigger a reboot
273 after the watchdog then times out, this happens after 60 seconds.
278 The HA stack is well integrated in the Proxmox VE API2. So, for
279 example, HA can be configured via `ha-manager` or the PVE web
280 interface, which both provide an easy to use tool.
282 The resource configuration file can be located at
283 `/etc/pve/ha/resources.cfg` and the group configuration file at
284 `/etc/pve/ha/groups.cfg`. Use the provided tools to make changes,
285 there shouldn't be any need to edit them manually.
290 If a node needs maintenance you should migrate and or relocate all
291 services which are required to run always on another node first.
292 After that you can stop the LRM and CRM services. But note that the
293 watchdog triggers if you stop it with active services.
298 When updating the ha-manager you should do one node after the other, never
299 all at once for various reasons. First, while we test our software
300 thoughtfully, a bug affecting your specific setup cannot totally be ruled out.
301 Upgrading one node after the other and checking the functionality of each node
302 after finishing the update helps to recover from an eventual problems, while
303 updating all could render you in a broken cluster state and is generally not
306 Also, the {pve} HA stack uses a request acknowledge protocol to perform
307 actions between the cluster and the local resource manager. For restarting,
308 the LRM makes a request to the CRM to freeze all its services. This prevents
309 that they get touched by the Cluster during the short time the LRM is restarting.
310 After that the LRM may safely close the watchdog during a restart.
311 Such a restart happens on a update and as already stated a active master
312 CRM is needed to acknowledge the requests from the LRM, if this is not the case
313 the update process can be too long which, in the worst case, may result in
317 [[ha_manager_fencing]]
324 Fencing secures that on a node failure the dangerous node gets will be rendered
325 unable to do any damage and that no resource runs twice when it gets recovered
326 from the failed node. This is a really important task and one of the base
327 principles to make a system Highly Available.
329 If a node would not get fenced it would be in an unknown state where it may
330 have still access to shared resources, this is really dangerous!
331 Imagine that every network but the storage one broke, now while not
332 reachable from the public network the VM still runs and writes on the shared
333 storage. If we would not fence the node and just start up this VM on another
334 Node we would get dangerous race conditions, atomicity violations the whole VM
335 could be rendered unusable. The recovery could also simply fail if the storage
336 protects from multiple mounts and thus defeat the purpose of HA.
341 There are different methods to fence a node, for example fence devices which
342 cut off the power from the node or disable their communication completely.
344 Those are often quite expensive and bring additional critical components in
345 a system, because if they fail you cannot recover any service.
347 We thus wanted to integrate a simpler method in the HA Manager first, namely
348 self fencing with watchdogs.
350 Watchdogs are widely used in critical and dependable systems since the
351 beginning of micro controllers, they are often independent and simple
352 integrated circuit which programs can use to watch them. After opening they need to
353 report periodically. If, for whatever reason, a program becomes unable to do
354 so the watchdogs triggers a reset of the whole server.
356 Server motherboards often already include such hardware watchdogs, these need
357 to be configured. If no watchdog is available or configured we fall back to the
358 Linux Kernel softdog while still reliable it is not independent of the servers
359 Hardware and thus has a lower reliability then a hardware watchdog.
361 Configure Hardware Watchdog
362 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
363 By default all watchdog modules are blocked for security reasons as they are
364 like a loaded gun if not correctly initialized.
365 If you have a hardware watchdog available remove its kernel module from the
366 blacklist, load it with insmod and restart the `watchdog-mux` service or reboot
369 Recover Fenced Services
370 ~~~~~~~~~~~~~~~~~~~~~~~
372 After a node failed and its fencing was successful we start to recover services
373 to other available nodes and restart them there so that they can provide service
376 The selection of the node on which the services gets recovered is influenced
377 by the users group settings, the currently active nodes and their respective
378 active service count.
379 First we build a set out of the intersection between user selected nodes and
380 available nodes. Then the subset with the highest priority of those nodes
381 gets chosen as possible nodes for recovery. We select the node with the
382 currently lowest active service count as a new node for the service.
383 That minimizes the possibility of an overload, which else could cause an
384 unresponsive node and as a result a chain reaction of node failures in the
387 [[ha_manager_groups]]
391 A group is a collection of cluster nodes which a service may be bound to.
398 List of group node members where a priority can be given to each node.
399 A service bound to this group will run on the nodes with the highest priority
400 available. If more nodes are in the highest priority class the services will
401 get distributed to those node if not already there. The priorities have a
402 relative meaning only.
404 You want to run all services from a group on `node1` if possible. If this node
405 is not available, you want them to run equally splitted on `node2` and `node3`, and
406 if those fail it should use `node4`.
407 To achieve this you could set the node list to:
409 ha-manager groupset mygroup -nodes "node1:2,node2:1,node3:1,node4"
413 Resources bound to this group may only run on nodes defined by the
414 group. If no group node member is available the resource will be
415 placed in the stopped state.
417 Lets say a service uses resources only available on `node1` and `node2`,
418 so we need to make sure that HA manager does not use other nodes.
419 We need to create a 'restricted' group with said nodes:
421 ha-manager groupset mygroup -nodes "node1,node2" -restricted
425 The resource won't automatically fail back when a more preferred node
426 (re)joins the cluster.
428 * You need to migrate a service to a node which hasn't the highest priority
429 in the group at the moment, to tell the HA manager to not move this service
430 instantly back set the 'nofailback' option and the service will stay on
433 * A service was fenced and it got recovered to another node. The admin
434 repaired the node and brought it up online again but does not want that the
435 recovered services move straight back to the repaired node as he wants to
436 first investigate the failure cause and check if it runs stable. He can use
437 the 'nofailback' option to achieve this.
441 ---------------------
443 The start failure policy comes in effect if a service failed to start on a
444 node once ore more times. It can be used to configure how often a restart
445 should be triggered on the same node and how often a service should be
446 relocated so that it gets a try to be started on another node.
447 The aim of this policy is to circumvent temporary unavailability of shared
448 resources on a specific node. For example, if a shared storage isn't available
449 on a quorate node anymore, e.g. network problems, but still on other nodes,
450 the relocate policy allows then that the service gets started nonetheless.
452 There are two service start recover policy settings which can be configured
453 specific for each resource.
457 Maximum number of tries to restart an failed service on the actual
458 node. The default is set to one.
462 Maximum number of tries to relocate the service to a different node.
463 A relocate only happens after the max_restart value is exceeded on the
464 actual node. The default is set to one.
466 NOTE: The relocate count state will only reset to zero when the
467 service had at least one successful start. That means if a service is
468 re-enabled without fixing the error only the restart policy gets
474 If after all tries the service state could not be recovered it gets
475 placed in an error state. In this state the service won't get touched
476 by the HA stack anymore. To recover from this state you should follow
479 * bring the resource back into a safe and consistent state (e.g.,
482 * disable the ha resource to place it in an stopped state
484 * fix the error which led to this failures
486 * *after* you fixed all errors you may enable the service again
492 This are how the basic user-initiated service operations (via
497 The service will be started by the LRM if not already running.
501 The service will be stopped by the LRM if running.
505 The service will be relocated (live) to another node.
509 The service will be removed from the HA managed resource list. Its
510 current state will not be touched.
514 `start` and `stop` commands can be issued to the resource specific tools
515 (like `qm` or `pct`), they will forward the request to the
516 `ha-manager` which then will execute the action and set the resulting
517 service state (enabled, disabled).
525 Service is stopped (confirmed by LRM), if detected running it will get stopped
530 Service should be stopped. Waiting for confirmation from LRM.
534 Service is active an LRM should start it ASAP if not already running.
535 If the Service fails and is detected to be not running the LRM restarts it.
539 Wait for node fencing (service node is not inside quorate cluster
541 As soon as node gets fenced successfully the service will be recovered to
542 another node, if possible.
546 Do not touch the service state. We use this state while we reboot a
547 node, or when we restart the LRM daemon.
551 Migrate service (live) to other node.
555 Service disabled because of LRM errors. Needs manual intervention.
559 include::pve-copyright.adoc[]