[[chapter-ha-manager]] ifdef::manvolnum[] PVE({manvolnum}) ================ include::attributes.txt[] NAME ---- ha-manager - Proxmox VE HA Manager SYNOPSYS -------- include::ha-manager.1-synopsis.adoc[] DESCRIPTION ----------- endif::manvolnum[] ifndef::manvolnum[] High Availability ================= include::attributes.txt[] endif::manvolnum[] Our modern society depends heavily on information provided by computers over the network. Mobile devices amplified that dependency, because people can access the network any time from anywhere. If you provide such services, it is very important that they are available most of the time. We can mathematically define the availability as the ratio of (A) the total time a service is capable of being used during a given interval to (B) the length of the interval. It is normally expressed as a percentage of uptime in a given year. .Availability - Downtime per Year [width="60%",cols="/lrm_status'. There the CRM may collect it and let its state machine - respective the commands output - act on it. The actions on each service between CRM and LRM are normally always synced. This means that the CRM requests a state uniquely marked by an UID, the LRM then executes this action *one time* and writes back the result, also identifiable by the same UID. This is needed so that the LRM does not executes an outdated command. With the exception of the 'stop' and the 'error' command, those two do not depend on the result produced and are executed always in the case of the stopped state and once in the case of the error state. .Read the Logs [NOTE] The HA Stack logs every action it makes. This helps to understand what and also why something happens in the cluster. Here its important to see what both daemons, the LRM and the CRM, did. You may use `journalctl -u pve-ha-lrm` on the node(s) where the service is and the same command for the pve-ha-crm on the node which is the current master. Cluster Resource Manager ~~~~~~~~~~~~~~~~~~~~~~~~ The cluster resource manager ('pve-ha-crm') starts on each node and waits there for the manager lock, which can only be held by one node at a time. The node which successfully acquires the manager lock gets promoted to the CRM master. It can be in three states: * *wait for agent lock*: the LRM waits for our exclusive lock. This is also used as idle sate if no service is configured * *active*: the LRM holds its exclusive lock and has services configured * *lost agent lock*: the LRM lost its lock, this means a failure happened and quorum was lost. It main task is to manage the services which are configured to be highly available and try to always enforce them to the wanted state, e.g.: a enabled service will be started if its not running, if it crashes it will be started again. Thus it dictates the LRM the actions it needs to execute. When an node leaves the cluster quorum, its state changes to unknown. If the current CRM then can secure the failed nodes lock, the services will be 'stolen' and restarted on another node. When a cluster member determines that it is no longer in the cluster quorum, the LRM waits for a new quorum to form. As long as there is no quorum the node cannot reset the watchdog. This will trigger a reboot after the watchdog then times out, this happens after 60 seconds. Configuration ------------- The HA stack is well integrated in the Proxmox VE API2. So, for example, HA can be configured via 'ha-manager' or the PVE web interface, which both provide an easy to use tool. The resource configuration file can be located at '/etc/pve/ha/resources.cfg' and the group configuration file at '/etc/pve/ha/groups.cfg'. Use the provided tools to make changes, there shouldn't be any need to edit them manually. Node Power Status ----------------- If a node needs maintenance you should migrate and or relocate all services which are required to run always on another node first. After that you can stop the LRM and CRM services. But note that the watchdog triggers if you stop it with active services. Package Updates --------------- When updating the ha-manager you should do one node after the other, never all at once for various reasons. First, while we test our software thoughtfully, a bug affecting your specific setup cannot totally be ruled out. Upgrading one node after the other and checking the functionality of each node after finishing the update helps to recover from an eventual problems, while updating all could render you in a broken cluster state and is generally not good practice. Also, the {pve} HA stack uses a request acknowledge protocol to perform actions between the cluster and the local resource manager. For restarting, the LRM makes a request to the CRM to freeze all its services. This prevents that they get touched by the Cluster during the short time the LRM is restarting. After that the LRM may safely close the watchdog during a restart. Such a restart happens on a update and as already stated a active master CRM is needed to acknowledge the requests from the LRM, if this is not the case the update process can be too long which, in the worst case, may result in a watchdog reset. Fencing ------- What Is Fencing ~~~~~~~~~~~~~~~ Fencing secures that on a node failure the dangerous node gets will be rendered unable to do any damage and that no resource runs twice when it gets recovered from the failed node. This is a really important task and one of the base principles to make a system Highly Available. If a node would not get fenced it would be in an unknown state where it may have still access to shared resources, this is really dangerous! Imagine that every network but the storage one broke, now while not reachable from the public network the VM still runs and writes on the shared storage. If we would not fence the node and just start up this VM on another Node we would get dangerous race conditions, atomicity violations the whole VM could be rendered unusable. The recovery could also simply fail if the storage protects from multiple mounts and thus defeat the purpose of HA. How {pve} Fences ~~~~~~~~~~~~~~~~~ There are different methods to fence a node, for example fence devices which cut off the power from the node or disable their communication completely. Those are often quite expensive and bring additional critical components in a system, because if they fail you cannot recover any service. We thus wanted to integrate a simpler method in the HA Manager first, namely self fencing with watchdogs. Watchdogs are widely used in critical and dependable systems since the beginning of micro controllers, they are often independent and simple integrated circuit which programs can use to watch them. After opening they need to report periodically. If, for whatever reason, a program becomes unable to do so the watchdogs triggers a reset of the whole server. Server motherboards often already include such hardware watchdogs, these need to be configured. If no watchdog is available or configured we fall back to the Linux Kernel softdog while still reliable it is not independent of the servers Hardware and thus has a lower reliability then a hardware watchdog. Configure Hardware Watchdog ~~~~~~~~~~~~~~~~~~~~~~~~~~~ By default all watchdog modules are blocked for security reasons as they are like a loaded gun if not correctly initialized. If you have a hardware watchdog available remove its kernel module from the blacklist, load it with insmod and restart the 'watchdog-mux' service or reboot the node. Recover Fenced Services ~~~~~~~~~~~~~~~~~~~~~~~ After a node failed and its fencing was successful we start to recover services to other available nodes and restart them there so that they can provide service again. The selection of the node on which the services gets recovered is influenced by the users group settings, the currently active nodes and their respective active service count. First we build a set out of the intersection between user selected nodes and available nodes. Then the subset with the highest priority of those nodes gets chosen as possible nodes for recovery. We select the node with the currently lowest active service count as a new node for the service. That minimizes the possibility of an overload, which else could cause an unresponsive node and as a result a chain reaction of node failures in the cluster. Groups ------ A group is a collection of cluster nodes which a service may be bound to. Group Settings ~~~~~~~~~~~~~~ nodes:: List of group node members where a priority can be given to each node. A service bound to this group will run on the nodes with the highest priority available. If more nodes are in the highest priority class the services will get distributed to those node if not already there. The priorities have a relative meaning only. restricted:: resources bound to this group may only run on nodes defined by the group. If no group node member is available the resource will be placed in the stopped state. nofailback:: the resource won't automatically fail back when a more preferred node (re)joins the cluster. Start Failure Policy --------------------- The start failure policy comes in effect if a service failed to start on a node once ore more times. It can be used to configure how often a restart should be triggered on the same node and how often a service should be relocated so that it gets a try to be started on another node. The aim of this policy is to circumvent temporary unavailability of shared resources on a specific node. For example, if a shared storage isn't available on a quorate node anymore, e.g. network problems, but still on other nodes, the relocate policy allows then that the service gets started nonetheless. There are two service start recover policy settings which can be configured specific for each resource. max_restart:: maximal number of tries to restart an failed service on the actual node. The default is set to one. max_relocate:: maximal number of tries to relocate the service to a different node. A relocate only happens after the max_restart value is exceeded on the actual node. The default is set to one. NOTE: The relocate count state will only reset to zero when the service had at least one successful start. That means if a service is re-enabled without fixing the error only the restart policy gets repeated. Error Recovery -------------- If after all tries the service state could not be recovered it gets placed in an error state. In this state the service won't get touched by the HA stack anymore. To recover from this state you should follow these steps: * bring the resource back into an safe and consistent state (e.g: killing its process) * disable the ha resource to place it in an stopped state * fix the error which led to this failures * *after* you fixed all errors you may enable the service again Service Operations ------------------ This are how the basic user-initiated service operations (via 'ha-manager') work. enable:: the service will be started by the LRM if not already running. disable:: the service will be stopped by the LRM if running. migrate/relocate:: the service will be relocated (live) to another node. remove:: the service will be removed from the HA managed resource list. Its current state will not be touched. start/stop:: start and stop commands can be issued to the resource specific tools (like 'qm' or 'pct'), they will forward the request to the 'ha-manager' which then will execute the action and set the resulting service state (enabled, disabled). Service States -------------- stopped:: Service is stopped (confirmed by LRM), if detected running it will get stopped again. request_stop:: Service should be stopped. Waiting for confirmation from LRM. started:: Service is active an LRM should start it ASAP if not already running. If the Service fails and is detected to be not running the LRM restarts it. fence:: Wait for node fencing (service node is not inside quorate cluster partition). As soon as node gets fenced successfully the service will be recovered to another node, if possible. freeze:: Do not touch the service state. We use this state while we reboot a node, or when we restart the LRM daemon. migrate:: Migrate service (live) to other node. error:: Service disabled because of LRM errors. Needs manual intervention. ifdef::manvolnum[] include::pve-copyright.adoc[] endif::manvolnum[]