[DRBD-cvs] svn commit by phil - r2131 - in trunk: . scripts - A big
updated in the way should deal with resource and
drbd-cvs at lists.linbit.com
drbd-cvs at lists.linbit.com
Wed Apr 5 12:17:58 CEST 2006
Author: phil
Date: 2006-04-05 12:17:57 +0200 (Wed, 05 Apr 2006)
New Revision: 2131
Modified:
trunk/ROADMAP
trunk/scripts/drbd.conf
Log:
A big updated in the way should deal with resource and node fencing
(stonith).
Modified: trunk/ROADMAP
===================================================================
--- trunk/ROADMAP 2006-04-04 14:11:13 UTC (rev 2130)
+++ trunk/ROADMAP 2006-04-05 10:17:57 UTC (rev 2131)
@@ -116,13 +116,13 @@
In the other case it modifies the meta data directly by
calling drbdmeta.
- remove option value: on-disconnect=suspend_io
+ remove option: on-disconnect
New meta-data flag: "Outdated"
introduce:
disk {
- split-brain-fix;
+ fencing [ dont-care | resource-only | resource-and-stonith ];
}
handlers {
@@ -133,10 +133,11 @@
handler (yes a call to userspace from kernel space). The handler's
returncodes are:
- 3 -> peer is inconsistent
- 4 -> peer is outdated (presumabely this handler outdated it)
+ 3 -> peer is inconsistent
+ 4 -> peer is outdated (this handler outdated it) [ resource fencing ]
5 -> peer was down / unreachable
6 -> peer is primary
+ 7 -> peer got stonithed [ node fencing ]
Let us assume that we have two boxes (N1 and N2) and that these
two boxes are connected by two networks (net and cnet [ clinets'-net ]).
@@ -144,15 +145,15 @@
Net is used by DRBD, while heartbeat uses both, net and cnet
I know that you are talking about fencing by STONITH, but DRBD is
- not limited to that. Here comes my understanding of how fencing
- (other than STONITH) should work with DRBD-0.8 :
+ not limited to that. Here comes my understanding of how resource fencing
+ should works with DRBDv8 :
N1 net N2
P/S --- S/P everything up and running.
P/? - - S/? network breaks ; N1 freezes IO
P/? - - S/? N1 fences N2:
In the STONITH case: turn off N2.
- In the "smart" case:
+ In the resource fencing case:
N1 asks N2 to fence itself from the storage via cnet.
HB calls "drbdadm outdate r0" on N2.
N2 replies to N1 that fencing is done via cnet.
@@ -162,15 +163,40 @@
N2 got the the "Outdated" flag set in its meta-data, by the outdate
command.
- The "split-brain-fix" enables this behaviour. If this option is
- omitted, the handler is not called nor IO is frozen on disconnect.
+ The fencing is set to resource-only enables this behaviour. In the
+ resource-only case the outdate-peer handler should have a return
+ value of 3, 4, 5 or 6, but should not return 7.
- Eventually introduce a "suspend" and a "resume" command to
- to reach the freezed state without the need to disconnect the peer.
- It might turn out to be usefull for other tasks as well.
+ In case "fencing" is set to "resource-and-stonith", all IO operations
+ get immediately frozen (even all currently outstanding IO operations
+ will not finish) upon loss of connection.
- 66% DONE / TODO: IO freezing is not done yet.
+ Then the "outdate-peer" handler is started. In this configuration
+ the outdate peer handler might return any of the documented return
+ values.
+ When the outdate-peer handler returns IO is resumed.
+
+ Notes:
+ * Why do we need to freeze IO in the "resource-and-stonith" case:
+ Stonith protects you when all communication pathes fail. In
+ that case both (isolated) nodes try to stonith each other.
+ If the current primary would continue to allow IO it could
+ accept transactions, but could get stonithed by the
+ currently secondary node.
+ -> Therefore others could see commited transactions that
+ would be gone after the successfull stonith operation.
+
+ * The outedate peer handler also gets called if an unconnected
+ secondary wants to become primary.
+ In other words it only may become primary when it knows that
+ the peer is outdated/inconsistent.
+
+ * We need to store the fact that the peer is outdated/inconsistent
+ in the meta-data. To allow an stand allone primary to be rebooted.
+
+ 50% DONE / TODO: IO freezing is not done yet.
+
8 New command drbdmeta
We move the read_gc.pl/write_gc.pl to the user directory.
@@ -481,7 +507,7 @@
NB: If they are needed, I think they can be implemented
as special UUID values.
- 99% DONE. Kernel part is implemented, userlang parts are implemented,
+ 99% DONE. Kernel part is implemented, userland parts are implemented,
--humand and --timeout-expired are removed.
Everything seems to work so far.
Modified: trunk/scripts/drbd.conf
===================================================================
--- trunk/scripts/drbd.conf 2006-04-04 14:11:13 UTC (rev 2130)
+++ trunk/scripts/drbd.conf 2006-04-05 10:17:57 UTC (rev 2131)
@@ -178,13 +178,20 @@
#
on-io-error detach;
- # Enables the use of the outdate-peer handler, as well as freezing
- # of IO while we are primary and the peer's disk state is unknown.
- # The outdate-peer handler is used then to resove the situation
- # as quick as possible.
- # BTW, becoming primary on a disconnected node may also trigger the
- # execution of the outdate-peer handler.
- # split-brain-fix;
+ # Controls the fencing policy, default is "dont-care". Before you
+ # set any policy you need to make sure that you have a working
+ # outdate-peer handler. Possible values are:
+ # "dont-care" -> Never call the outdate-peer handler. [ DEFAULT ]
+ # "resource-only" -> Call the outdate-peer handler if we primary and
+ # loose the connection to the secondary. As well
+ # whenn a unconnected secondary wants to become
+ # primary.
+ # "resource-and-stonith"
+ # -> Calls the outdate-peer handler and freezes local
+ # IO immediately after loss of connection. This is
+ # necessary if your heartbeat can STONITH the other
+ # node.
+ # fencing resource-only;
# In case you only want to use a fraction of the available space
# you might use the "size" option here.
@@ -220,13 +227,6 @@
# considered dead, even if it still answers ping requests.
# ko-count 4;
- # if the connection to the peer is lost you have the choice of
- # "reconnect" -> Try to reconnect (AKA WFConnection state)
- # "stand_alone" -> Do not reconnect (AKA StandAlone state)
- # "freeze_io" -> Try to reconnect but freeze all IO until
- # the connection is established again.
- # on-disconnect reconnect;
-
# If you want to use OCFS2/openGFS on top of DRBD enable
# this optione, and only enable it if you are going to use
# one of these filesystems. Do not enable it for ext2,
More information about the drbd-cvs
mailing list