There are several ways to increase availability. The most elegant
solution is to rewrite your software, so that you can run it on
several host at the same time. The software itself need to have a way
-to detect erors and do failover. This is relatively easy if you just
+to detect errors and do failover. This is relatively easy if you just
want to serve read-only web pages. But in general this is complex, and
sometimes impossible because you cannot modify the software
yourself. The following solutions works without modifying the
* Use reliable "server" components
NOTE: Computer components with same functionality can have varying
-reliability numbers, depending on the component quality. Most verdors
+reliability numbers, depending on the component quality. Most vendors
sell components with higher reliability as "server" components -
usually at higher price.
* Eliminate single point of failure (redundant components)
- - use an uniteruptable power supply (UPS)
+ - use an uninterruptible power supply (UPS)
- use redundant power supplies on the main boards
- use ECC-RAM
- use redundant network hardware
* Reduce downtime
- - rapidly accessible adminstrators (24/7)
- - availability of spare parts (other nodes is a {pve} cluster)
+ - rapidly accessible administrators (24/7)
+ - availability of spare parts (other nodes in a {pve} cluster)
- automatic error detection ('ha-manager')
- automatic failover ('ha-manager')
-Virtualization environments like {pve} makes it much easier to reach
+Virtualization environments like {pve} make it much easier to reach
high availability because they remove the "hardware" dependency. They
also support to setup and use redundant storage and network
devices. So if one host fail, you can simply start those services on
'pve-ha-crm'::
The cluster resource manager (CRM), it controls the cluster wide
-actions of the services, processes the LRM result includes the state
+actions of the services, processes the LRM results and includes the state
machine which controls the state of each service.
.Locks in the LRM & CRM
[NOTE]
Locks are provided by our distributed configuration file system (pmxcfs).
-They are used to guarantee that each LRM is active and working as a
-LRM only executes actions when he has its lock we can mark a failed node
-as fenced if we get its lock. This lets us then recover the failed HA services
-securely without the failed (but maybe still running) LRM interfering.
+They are used to guarantee that each LRM is active once and working. As a
+LRM only executes actions when it holds its lock we can mark a failed node
+as fenced if we can acquire its lock. This lets us then recover any failed
+HA services securely without any interference from the now unknown failed Node.
This all gets supervised by the CRM which holds currently the manager master
lock.
After the LRM gets in the active state it reads the manager status
file in '/etc/pve/ha/manager_status' and determines the commands it
-has to execute for the service it owns.
+has to execute for the services it owns.
For each command a worker gets started, this workers are running in
parallel and are limited to maximal 4 by default. This default setting
may be changed through the datacenter configuration key "max_worker".
+When finished the worker process gets collected and its result saved for
+the CRM.
.Maximal Concurrent Worker Adjustment Tips
[NOTE]
at a time. The node which successfully acquires the manager lock gets
promoted to the CRM master.
-It can be in three states: TODO
+It can be in three states:
* *wait for agent lock*: the LRM waits for our exclusive lock. This is
also used as idle sate if no service is configured
and quorum was lost.
It main task is to manage the services which are configured to be highly
-available and try to get always bring them in the wanted state, e.g.: a
+available and try to always enforce them to the wanted state, e.g.: a
enabled service will be started if its not running, if it crashes it will
-be started again. Thus it dictates the LRM the wanted actions.
+be started again. Thus it dictates the LRM the actions it needs to execute.
When an node leaves the cluster quorum, its state changes to unknown.
If the current CRM then can secure the failed nodes lock, the services
When a cluster member determines that it is no longer in the cluster
quorum, the LRM waits for a new quorum to form. As long as there is no
quorum the node cannot reset the watchdog. This will trigger a reboot
-after 60 seconds.
+after the watchdog then times out, this happens after 60 seconds.
Configuration
-------------
-The HA stack is well integrated int the Proxmox VE API2. So, for
+The HA stack is well integrated in the Proxmox VE API2. So, for
example, HA can be configured via 'ha-manager' or the PVE web
interface, which both provide an easy to use tool.
After that you can stop the LRM and CRM services. But note that the
watchdog triggers if you stop it with active services.
+Package Updates
+---------------
+
+When updating the ha-manager you should do one node after the other, never
+all at once for various reasons. First, while we test our software
+thoughtfully, a bug affecting your specific setup cannot totally be ruled out.
+Upgrading one node after the other and checking the functionality of each node
+after finishing the update helps to recover from an eventual problems, while
+updating all could render you in a broken cluster state and is generally not
+good practice.
+
+Also, the {pve} HA stack uses a request acknowledge protocol to perform
+actions between the cluster and the local resource manager. For restarting,
+the LRM makes a request to the CRM to freeze all its services. This prevents
+that they get touched by the Cluster during the short time the LRM is restarting.
+After that the LRM may safely close the watchdog during a restart.
+Such a restart happens on a update and as already stated a active master
+CRM is needed to acknowledge the requests from the LRM, if this is not the case
+the update process can be too long which, in the worst case, may result in
+a watchdog reset.
+
+
Fencing
-------
Fencing secures that on a node failure the dangerous node gets will be rendered
unable to do any damage and that no resource runs twice when it gets recovered
-from the failed node.
+from the failed node. This is a really important task and one of the base
+principles to make a system Highly Available.
+
+If a node would not get fenced it would be in an unknown state where it may
+have still access to shared resources, this is really dangerous!
+Imagine that every network but the storage one broke, now while not
+reachable from the public network the VM still runs and writes on the shared
+storage. If we would not fence the node and just start up this VM on another
+Node we would get dangerous race conditions, atomicity violations the whole VM
+could be rendered unusable. The recovery could also simply fail if the storage
+protects from multiple mounts and thus defeat the purpose of HA.
+
+How {pve} Fences
+~~~~~~~~~~~~~~~~~
+
+There are different methods to fence a node, for example fence devices which
+cut off the power from the node or disable their communication completely.
+
+Those are often quite expensive and bring additional critical components in
+a system, because if they fail you cannot recover any service.
+
+We thus wanted to integrate a simpler method in the HA Manager first, namely
+self fencing with watchdogs.
+
+Watchdogs are widely used in critical and dependable systems since the
+beginning of micro controllers, they are often independent and simple
+integrated circuit which programs can use to watch them. After opening they need to
+report periodically. If, for whatever reason, a program becomes unable to do
+so the watchdogs triggers a reset of the whole server.
+
+Server motherboards often already include such hardware watchdogs, these need
+to be configured. If no watchdog is available or configured we fall back to the
+Linux Kernel softdog while still reliable it is not independent of the servers
+Hardware and thus has a lower reliability then a hardware watchdog.
Configure Hardware Watchdog
~~~~~~~~~~~~~~~~~~~~~~~~~~~
projects / pve-docs.git / blobdiff