<p dir="ltr"><br>
On 11/12/2015 4:40 PM, "Digimer" <<a href="mailto:lists@alteeve.ca">lists@alteeve.ca</a>> wrote:<br>
><br>
> On 11/12/15 12:12 AM, Igor Cicimov wrote:<br>
> ><br>
> ><br>
> > On Fri, Dec 11, 2015 at 3:08 AM, Digimer <<a href="mailto:lists@alteeve.ca">lists@alteeve.ca</a><br>
> > <mailto:<a href="mailto:lists@alteeve.ca">lists@alteeve.ca</a>>> wrote:<br>
> ><br>
> > On 10/12/15 09:27 AM, Fabrizio Zelaya wrote:<br>
> > > Thank you Lars and Adam for your recommendations.<br>
> > ><br>
> > > I have ping-timeout set to 5 and it still happened.<br>
> > ><br>
> > > Lars with this fencing idea. I have been contemplating this, however I<br>
> > > am rebuilding servers which are already in place, All the configuration<br>
> > > related to cman and drbd was literally copied and pasted from the old<br>
> > > servers.<br>
> ><br>
> > You can hook DRBD into cman's fencing with the rhch_fence fence handler,<br>
> > which is included with DRBD. This assumes, of course, that you have<br>
> > cman's fencing configured properly.<br>
> ><br>
> > > Is this concept of having dual-primary without fencing being a<br>
> > > mis-configuration something new?<br>
> ><br>
> > No, but it is often overlooked.<br>
> ><br>
> > > I ask this because as you would imagine by now, the old servers are<br>
> > > working with the exact same configuration and have no problems at all.<br>
> > > And while your idea makes perfect sense it would also make sense to have<br>
> > > the exact same problem on every version of drbd.<br>
> ><br>
> > Fencing is like a seatbelt. You can drive for years never needing it,<br>
> > but when you do, it saves you from hitting the windshield.<br>
> ><br>
> > Fencing is 100% needed, and all the more so with dual-primary.<br>
> ><br>
> ><br>
> > So this practically excludes the DRBD usage in the public clouds like<br>
> > AWS, right? Here shutting down the peer's power supply is impossible and<br>
> > using the CLI has no guarantee that shutting down a peer VM will ever<br>
> > happen since has to be done via the network. Even if the VM's have<br>
> > multiple network interfaces provisioned for redundancy in different<br>
> > subnets they are still virtual and there is possibility they end up on<br>
> > the same physical interface on the hypervisor host which has failed (or<br>
> > it's switch), causing the split brain in the first place.<br>
><br>
> As much as I may personally think that public clouds are not good<br>
> platforms for HA...<br>
><br>
> No, AWS is possible to use. There is a fence agent called (I believe)<br>
> fence_ec2 <br>
Yep that agent exists although it might create some security issues due to the permissions needed to run the API CLI calls (ssh key, certificate, iam role, etc) on the VM so it might not be an option for everyone.</p>
<p dir="ltr">that works by requesting an instance be terminated and then<br>
> waiting for the confirmation of that task completing. You would<br>
> configure this in cluster.conf and then hook DRBD into it by using<br>
> 'fence-handler "/path/to/rhcs_fence";' and 'fencing-policy<br>
> "resource-and-stonith";'. Then, if a node is lost, DRBD will block and<br>
> ask cman to fence the node, and wait for a success message.<br>
><br>
> All the other things you mention are reasons why I personally don't<br>
> consider the cloud a good platform, but it is used. For me, I insist on<br>
> dual fence methods; First using IPMI and, if that fails, falling back to<br>
> a pair of switched PDUs to cut the (redundant) PSUs off.<br>
Yeah no such goodies in ec2 :-)</p>
<p dir="ltr">><br>
> > > There is a difference to be consider I guess. I am now installing this<br>
> > > servers using SL6 as you saw in my original email, the old servers are<br>
> > > working with Debian 6.0.7<br>
> > ><br>
> > > The old servers are running drbd8-utils 2:8.3.7-2.1<br>
> ><br>
> > --<br>
> > Digimer<br>
> > Papers and Projects: <a href="https://alteeve.ca/w/">https://alteeve.ca/w/</a><br>
> > What if the cure for cancer is trapped in the mind of a person without<br>
> > access to education?<br>
> > _______________________________________________<br>
> > drbd-user mailing list<br>
> > <a href="mailto:drbd-user@lists.linbit.com">drbd-user@lists.linbit.com</a> <mailto:<a href="mailto:drbd-user@lists.linbit.com">drbd-user@lists.linbit.com</a>><br>
> > <a href="http://lists.linbit.com/mailman/listinfo/drbd-user">http://lists.linbit.com/mailman/listinfo/drbd-user</a><br>
> ><br>
> ><br>
><br>
><br>
> --<br>
> Digimer<br>
> Papers and Projects: <a href="https://alteeve.ca/w/">https://alteeve.ca/w/</a><br>
> What if the cure for cancer is trapped in the mind of a person without<br>
> access to education?<br>
</p>