yourself. The following solutions works without modifying the
software:
-* Use reliable "server" components
+* Use reliable ``server'' components
NOTE: Computer components with same functionality can have varying
reliability numbers, depending on the component quality. Most vendors
-sell components with higher reliability as "server" components -
+sell components with higher reliability as ``server'' components -
usually at higher price.
* Eliminate single point of failure (redundant components)
-
- - use an uninterruptible power supply (UPS)
- - use redundant power supplies on the main boards
- - use ECC-RAM
- - use redundant network hardware
- - use RAID for local storage
- - use distributed, redundant storage for VM data
+** use an uninterruptible power supply (UPS)
+** use redundant power supplies on the main boards
+** use ECC-RAM
+** use redundant network hardware
+** use RAID for local storage
+** use distributed, redundant storage for VM data
* Reduce downtime
-
- - rapidly accessible administrators (24/7)
- - availability of spare parts (other nodes in a {pve} cluster)
- - automatic error detection ('ha-manager')
- - automatic failover ('ha-manager')
+** rapidly accessible administrators (24/7)
+** availability of spare parts (other nodes in a {pve} cluster)
+** automatic error detection (provided by `ha-manager`)
+** automatic failover (provided by `ha-manager`)
Virtualization environments like {pve} make it much easier to reach
-high availability because they remove the "hardware" dependency. They
+high availability because they remove the ``hardware'' dependency. They
also support to setup and use redundant storage and network
devices. So if one host fail, you can simply start those services on
another host within your cluster.
-Even better, {pve} provides a software stack called 'ha-manager',
+Even better, {pve} provides a software stack called `ha-manager`,
which can do that automatically for you. It is able to automatically
detect errors and do automatic failover.
-{pve} 'ha-manager' works like an "automated" administrator. First, you
+{pve} `ha-manager` works like an ``automated'' administrator. First, you
configure what resources (VMs, containers, ...) it should
-manage. 'ha-manager' then observes correct functionality, and handles
-service failover to another node in case of errors. 'ha-manager' can
+manage. `ha-manager` then observes correct functionality, and handles
+service failover to another node in case of errors. `ha-manager` can
also handle normal user requests which may start, stop, relocate and
migrate a service.
TIP: Increasing availability from 99% to 99.9% is relatively
simply. But increasing availability from 99.9999% to 99.99999% is very
-hard and costly. 'ha-manager' has typical error detection and failover
+hard and costly. `ha-manager` has typical error detection and failover
times of about 2 minutes, so you can get no more than 99.999%
availability.
* hardware redundancy (everywhere)
* hardware watchdog - if not available we fall back to the
- linux kernel software watchdog ('softdog')
+ linux kernel software watchdog (`softdog`)
* optional hardware fencing devices
Resources
---------
-We call the primary management unit handled by 'ha-manager' a
-resource. A resource (also called "service") is uniquely
+We call the primary management unit handled by `ha-manager` a
+resource. A resource (also called ``service'') is uniquely
identified by a service ID (SID), which consists of the resource type
-and an type specific ID, e.g.: 'vm:100'. That example would be a
-resource of type 'vm' (virtual machine) with the ID 100.
+and an type specific ID, e.g.: `vm:100`. That example would be a
+resource of type `vm` (virtual machine) with the ID 100.
For now we have two important resources types - virtual machines and
containers. One basic idea here is that we can bundle related software
into such VM or container, so there is no need to compose one big
-service from other services, like it was done with 'rgmanager'. In
+service from other services, like it was done with `rgmanager`. In
general, a HA enabled resource should not depend on other resources.
To provide High Availability two daemons run on each node:
-'pve-ha-lrm'::
+`pve-ha-lrm`::
The local resource manager (LRM), it controls the services running on
the local node.
It reads the requested states for its services from the current manager
status file and executes the respective commands.
-'pve-ha-crm'::
+`pve-ha-crm`::
The cluster resource manager (CRM), it controls the cluster wide
actions of the services, processes the LRM results and includes the state
They are used to guarantee that each LRM is active once and working. As a
LRM only executes actions when it holds its lock we can mark a failed node
as fenced if we can acquire its lock. This lets us then recover any failed
-HA services securely without any interference from the now unknown failed Node.
+HA services securely without any interference from the now unknown failed node.
This all gets supervised by the CRM which holds currently the manager master
lock.
Local Resource Manager
~~~~~~~~~~~~~~~~~~~~~~
-The local resource manager ('pve-ha-lrm') is started as a daemon on
+The local resource manager (`pve-ha-lrm`) is started as a daemon on
boot and waits until the HA cluster is quorate and thus cluster wide
locks are working.
It can be in three states:
-* *wait for agent lock*: the LRM waits for our exclusive lock. This is
- also used as idle sate if no service is configured
-* *active*: the LRM holds its exclusive lock and has services configured
-* *lost agent lock*: the LRM lost its lock, this means a failure happened
- and quorum was lost.
+wait for agent lock::
+
+The LRM waits for our exclusive lock. This is also used as idle state if no
+service is configured.
+
+active::
+
+The LRM holds its exclusive lock and has services configured.
+
+lost agent lock::
+
+The LRM lost its lock, this means a failure happened and quorum was lost.
After the LRM gets in the active state it reads the manager status
-file in '/etc/pve/ha/manager_status' and determines the commands it
+file in `/etc/pve/ha/manager_status` and determines the commands it
has to execute for the services it owns.
For each command a worker gets started, this workers are running in
-parallel and are limited to maximal 4 by default. This default setting
-may be changed through the datacenter configuration key "max_worker".
+parallel and are limited to at most 4 by default. This default setting
+may be changed through the datacenter configuration key `max_worker`.
When finished the worker process gets collected and its result saved for
the CRM.
-.Maximal Concurrent Worker Adjustment Tips
+.Maximum Concurrent Worker Adjustment Tips
[NOTE]
-The default value of 4 maximal concurrent Workers may be unsuited for
+The default value of at most 4 concurrent workers may be unsuited for
a specific setup. For example may 4 live migrations happen at the same
time, which can lead to network congestions with slower networks and/or
big (memory wise) services. Ensure that also in the worst case no congestion
-happens and lower the "max_worker" value if needed. In the contrary, if you
+happens and lower the `max_worker` value if needed. In the contrary, if you
have a particularly powerful high end setup you may also want to increase it.
Each command requested by the CRM is uniquely identifiable by an UID, when
the worker finished its result will be processed and written in the LRM
-status file '/etc/pve/nodes/<nodename>/lrm_status'. There the CRM may collect
+status file `/etc/pve/nodes/<nodename>/lrm_status`. There the CRM may collect
it and let its state machine - respective the commands output - act on it.
The actions on each service between CRM and LRM are normally always synced.
then executes this action *one time* and writes back the result, also
identifiable by the same UID. This is needed so that the LRM does not
executes an outdated command.
-With the exception of the 'stop' and the 'error' command,
-those two do not depend on the result produce and are executed
+With the exception of the `stop` and the `error` command,
+those two do not depend on the result produced and are executed
always in the case of the stopped state and once in the case of
the error state.
Cluster Resource Manager
~~~~~~~~~~~~~~~~~~~~~~~~
-The cluster resource manager ('pve-ha-crm') starts on each node and
+The cluster resource manager (`pve-ha-crm`) starts on each node and
waits there for the manager lock, which can only be held by one node
at a time. The node which successfully acquires the manager lock gets
promoted to the CRM master.
It can be in three states:
-* *wait for agent lock*: the LRM waits for our exclusive lock. This is
- also used as idle sate if no service is configured
-* *active*: the LRM holds its exclusive lock and has services configured
-* *lost agent lock*: the LRM lost its lock, this means a failure happened
- and quorum was lost.
+wait for agent lock::
+
+The CRM waits for our exclusive lock. This is also used as idle state if no
+service is configured
+
+active::
+
+The CRM holds its exclusive lock and has services configured
+
+lost agent lock::
+
+The CRM lost its lock, this means a failure happened and quorum was lost.
It main task is to manage the services which are configured to be highly
available and try to always enforce them to the wanted state, e.g.: a
-------------
The HA stack is well integrated in the Proxmox VE API2. So, for
-example, HA can be configured via 'ha-manager' or the PVE web
+example, HA can be configured via `ha-manager` or the PVE web
interface, which both provide an easy to use tool.
The resource configuration file can be located at
-'/etc/pve/ha/resources.cfg' and the group configuration file at
-'/etc/pve/ha/groups.cfg'. Use the provided tools to make changes,
+`/etc/pve/ha/resources.cfg` and the group configuration file at
+`/etc/pve/ha/groups.cfg`. Use the provided tools to make changes,
there shouldn't be any need to edit them manually.
Node Power Status
Fencing
-------
-What Is Fencing
+What is Fencing
~~~~~~~~~~~~~~~
Fencing secures that on a node failure the dangerous node gets will be rendered
~~~~~~~~~~~~~~~~~~~~~~~~~~~
By default all watchdog modules are blocked for security reasons as they are
like a loaded gun if not correctly initialized.
-If you have a hardware watchdog available remove its module from the blacklist
-and restart 'the watchdog-mux' service.
-
+If you have a hardware watchdog available remove its kernel module from the
+blacklist, load it with insmod and restart the `watchdog-mux` service or reboot
+the node.
+
+Recover Fenced Services
+~~~~~~~~~~~~~~~~~~~~~~~
+
+After a node failed and its fencing was successful we start to recover services
+to other available nodes and restart them there so that they can provide service
+again.
+
+The selection of the node on which the services gets recovered is influenced
+by the users group settings, the currently active nodes and their respective
+active service count.
+First we build a set out of the intersection between user selected nodes and
+available nodes. Then the subset with the highest priority of those nodes
+gets chosen as possible nodes for recovery. We select the node with the
+currently lowest active service count as a new node for the service.
+That minimizes the possibility of an overload, which else could cause an
+unresponsive node and as a result a chain reaction of node failures in the
+cluster.
Groups
------
nodes::
-list of group node members
+List of group node members where a priority can be given to each node.
+A service bound to this group will run on the nodes with the highest priority
+available. If more nodes are in the highest priority class the services will
+get distributed to those node if not already there. The priorities have a
+relative meaning only.
+ Example;;
+ You want to run all services from a group on node1 if possible, if this node
+ is not available you want them to run equally splitted on node2 and node3 and
+ if those fail it should use the other group members.
+ To achieve this you could set the node list to:
+[source,bash]
+ ha-manager groupset mygroup -nodes "node1:2,node2:1,node3:1,node4"
restricted::
-resources bound to this group may only run on nodes defined by the
+Resources bound to this group may only run on nodes defined by the
group. If no group node member is available the resource will be
placed in the stopped state.
+ Example;;
+ A Service can run just on a few nodes, as he uses resources from only found
+ on those, we created a group with said nodes and as we know that else all
+ other nodes get implicitly added with lowest priority we set the restricted
+ option.
nofailback::
-the resource won't automatically fail back when a more preferred node
+The resource won't automatically fail back when a more preferred node
(re)joins the cluster.
-
-
-Recovery Policy
----------------
-
-There are two service recover policy settings which can be configured
+ Examples;;
+ * You need to migrate a service to a node which hasn't the highest priority
+ in the group at the moment, to tell the HA manager to not move this service
+ instantly back set the nofailnback option and the service will stay on
+
+ * A service was fenced and he got recovered to another node. The admin
+ repaired the node and brang it up online again but does not want that the
+ recovered services move straight back to the repaired node as he wants to
+ first investigate the failure cause and check if it runs stable. He can use
+ the nofailback option to achieve this.
+
+
+Start Failure Policy
+---------------------
+
+The start failure policy comes in effect if a service failed to start on a
+node once ore more times. It can be used to configure how often a restart
+should be triggered on the same node and how often a service should be
+relocated so that it gets a try to be started on another node.
+The aim of this policy is to circumvent temporary unavailability of shared
+resources on a specific node. For example, if a shared storage isn't available
+on a quorate node anymore, e.g. network problems, but still on other nodes,
+the relocate policy allows then that the service gets started nonetheless.
+
+There are two service start recover policy settings which can be configured
specific for each resource.
max_restart::
-maximal number of tries to restart an failed service on the actual
+Maximum number of tries to restart an failed service on the actual
node. The default is set to one.
max_relocate::
-maximal number of tries to relocate the service to a different node.
+Maximum number of tries to relocate the service to a different node.
A relocate only happens after the max_restart value is exceeded on the
actual node. The default is set to one.
by the HA stack anymore. To recover from this state you should follow
these steps:
-* bring the resource back into an safe and consistent state (e.g:
+* bring the resource back into a safe and consistent state (e.g.,
killing its process)
* disable the ha resource to place it in an stopped state
------------------
This are how the basic user-initiated service operations (via
-'ha-manager') work.
+`ha-manager`) work.
enable::
-the service will be started by the LRM if not already running.
+The service will be started by the LRM if not already running.
disable::
-the service will be stopped by the LRM if running.
+The service will be stopped by the LRM if running.
migrate/relocate::
-the service will be relocated (live) to another node.
+The service will be relocated (live) to another node.
remove::
-the service will be removed from the HA managed resource list. Its
+The service will be removed from the HA managed resource list. Its
current state will not be touched.
start/stop::
-start and stop commands can be issued to the resource specific tools
-(like 'qm' or 'pct'), they will forward the request to the
-'ha-manager' which then will execute the action and set the resulting
+`start` and `stop` commands can be issued to the resource specific tools
+(like `qm` or `pct`), they will forward the request to the
+`ha-manager` which then will execute the action and set the resulting
service state (enabled, disabled).
stopped::
-Service is stopped (confirmed by LRM)
+Service is stopped (confirmed by LRM), if detected running it will get stopped
+again.
request_stop::
started::
Service is active an LRM should start it ASAP if not already running.
+If the Service fails and is detected to be not running the LRM restarts it.
fence::
Wait for node fencing (service node is not inside quorate cluster
partition).
+As soon as node gets fenced successfully the service will be recovered to
+another node, if possible.
freeze::
projects / pve-docs.git / blobdiff