[DRBD-user] DRBD 9 Primary-Secondary, Pacemaker, and STONITH

Bryan K. Walton bwalton+1539795345 at leepfrog.com
Tue Nov 13 22:30:57 CET 2018


I have a two-node DRBD 9 resource configured in Primary-Secondary mode
with automatic failover configured with Pacemaker.

I know that I need to configure STONITH in Pacemaker and then set DRBD's
fencing to "resource-and-stonith".

The nodes are Supermicro servers with IPMI.  I'm planning to use IPMI
for my (first) fencing level.

Where I'm confused is regarding whether I must have a second fencing
level beyond IPMI?  Or will DRBD's fencing configuration, combined with
IPMI be good enough?

Looking at:
http://clusterlabs.org/pacemaker/doc/en-US/Pacemaker/1.1/pdf/Clusters_from_Scratch/Pacemaker-1.1-Clusters_from_Scratch-en-US.pdf

It reads: 

"A common mistake people make when choosing a STONITH device
is to use a remote power switch (such as many on-board IPMI controllers)
that shares power with the node it controls. If the power fails in such
a case, the cluster cannot be sure whether the node is really offline,
or active and suffering from a network fault, so the cluster will stop
all resources to avoid a possible split-brain situation."

I don't understand this.  If the power fails to a node, then won't the
node, by definition be down (since there is no power going to the node)?
So, how then could there be a split brain when one node has no power?

Is the above quote stating that if Pacemaker can't confirm that one
node has been STONITHed, that it won't allow the remaining node to work,
either?

Thanks!
Bryan Walton
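The situation described in the quoted Clusters from Scratch passage, as an added example that is not part of the original post and is not Pacemaker or DRBD code. It is a simplified model of what the surviving node can observe; the `Peer` fields, the scenario names and the switched-PDU second level are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Peer:
    """Ground truth about the peer node; the survivor cannot see this directly."""
    powered: bool        # mains feed to the server, shared by its on-board BMC
    os_responsive: bool  # cluster stack on the peer is running
    net_ok: bool         # survivor's network path to the peer's OS and BMC

def observe(peer):
    """What the survivor can actually see: (heartbeat received, BMC answered)."""
    heartbeat = peer.powered and peer.os_responsive and peer.net_ok
    bmc_answers = peer.powered and peer.net_ok
    return heartbeat, bmc_answers

def ipmi_fence(peer):
    """Power-off via the on-board BMC is confirmed only if the BMC answers."""
    return observe(peer)[1]

def pdu_fence(peer):
    """Assumed second level: switched PDU with its own power and management path."""
    return True

def fence(peer, levels):
    """Try levels in order; return the name of the first that confirms, else None."""
    for name, device in levels:
        if device(peer):
            return name
    return None

# Constructed scenarios (not taken from the post)
HUNG = Peer(powered=True, os_responsive=False, net_ok=True)
POWER_LOST = Peer(powered=False, os_responsive=False, net_ok=True)
NET_FAULT = Peer(powered=True, os_responsive=True, net_ok=False)

IPMI_ONLY = [("ipmi", ipmi_fence)]
IPMI_THEN_PDU = [("ipmi", ipmi_fence), ("pdu", pdu_fence)]

if __name__ == "__main__":
    for label, peer in [("hung", HUNG), ("power lost", POWER_LOST), ("net fault", NET_FAULT)]:
        print(f"{label:11} sees={observe(peer)} "
              f"ipmi_only={fence(peer, IPMI_ONLY)} with_pdu={fence(peer, IPMI_THEN_PDU)}")
```

In this model the power-loss and network-fault scenarios produce the same observation on the survivor (no heartbeat, no BMC answer), so an IPMI-only setup cannot confirm the fence in either case.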

