[Pacemaker] fencing best practices for virtual environments
Lars Marowsky-Bree
lmb at suse.com
Mon Sep 10 13:42:56 UTC 2012
On 2012-09-10T14:40:43, Alberto Menichetti <albmenichetti at tai.it> wrote:
> Sorry, maybe I'm missing something, but suppose this scenario (also
> remember that, being a 2-node cluster, I had to set
> no-quorum-policy="ignore"):
> 1. the virtual center is unavailable
> 2. an event occurs that partition the cluster
> 3. at this point, both the nodes could try to start a filesystem
> resource, thus compromising the data safety.
Because of 1, the nodes cannot fence, but will not start resources
without a successful fence completion.
Hence, in the case of a network partition with unavailable fencing setup
and no-quorum-policy=ignore, resources will continue to run where they
were running before the partition. (Which is the best one could hope for
anyway.)
If there's a real outage of one of the nodes, *and* the vcenter is down,
then the surviving node won't take over because it can't fence. That
leaves your data intact and the service down.
Regards,
Lars
--
Architect Storage/HA
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg)
"Experience is the name everyone gives to their mistakes." -- Oscar Wilde
More information about the Pacemaker
mailing list