Re: Fedora 19 cluster stack and Cluster registry components

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



First up, before I begin, I am looking to pacemaker for the future as well and do not yet use it. So please take whatever I say about pacemaker with a grain of sand. Andrew, on the other hand, is the author and anything he says can be taken as authoritative on the topic.

On the future;

I also have a 2-node project/product that I am working to update in time for the release of RHEL 7. Speaking entirely for myself, I can tell you that I am planning to use Pacemaker from RHEL 7.0. As a Red hat outsider, I can only speak as a member of the community, but I have every reason to believe that the pacemaker resource manager will be the one used from 7.0 and forward.

As for the CIB, yes, it's a local XML file stored on each node. Synchronization occurs via updates pushed over corosync to nodes active in the cluster. As I understand it, when a node that had been offline connects to the cluster, it receives any updates to the CIB.

Dealing with 2-node clusters, setting aside qdisk which has an uncertain future I believe, you can not use quorum. For this reason, it is possible for a node to boot up, fail to reach it's peer and think it's the only one running. It will start your HA services and voila, two nodes offering the same services at the same time in an uncoordinated manner. This is bad and it is called a "split-brain".

The way to avoid split-brains in 2-node clusters is to use fence devices, aka stonith devices (exact same thing by two different names). This is _always_ wise to use, but in 2-node clusters, it is critical.

So imagine back to your scenario;

If a node came up and tried to connect to it's peer but failed to do so, before proceeding, it would fence (usually forcibly power off) the other node. Only after doing so would it start the HA services. In this way, both nodes can never be offering the same HA service at the same time.

The risk here though is a "fence loop". If you set the cluster to start on boot and if there is a break in the connection, you can have an initial state where, upon the break in the network, both try to fence the other. The faster node wins, forcing the other node off and resuming to operate on it's own. This is fine and exactly what you want. However, now the fenced node powers back up, starts it's cluster stack, fails to reach it's peer and fences it. It finishes starting, offers the HA services and goes on it's way ... until the other node boots back up. :)

Personally, I avoid this by _not_ starting the cluster stack on boot. My reasoning is that, if a node fails and gets rebooted, I want to check it over myself before I let it back into the cluster (I get alert emails when something like this happens). It's not a risk from an HA perspective because it's services would have recovered on the surviving peer long before it reboots anyway. This also has the added benefit of avoiding a fence loop, no matter what happens.

Cheers

digimer

On 04/23/2013 02:07 PM, Michael Richmond wrote:
Andrew and Digimer,
Thank you for taking the time to respond, you have collaborated some of
what I've been putting together as the likely direction.

I am working on adapting some cluster-aware storage features for use in a
Linux cluster environment. With this kind of project it is useful to try
and predict where the Linux community is heading so that I can focus my
development work on what will be the "current" cluster stack around my
anticipated release dates. Any predictions are simply educated guesses
that may prove to be wrong, but are useful with regard to developing
plans. From my reading of various web pages and piecing things together I
found that RHEL 7 is intended to be based on Fedora 18, so I assume that
the new Pacemaker stack has a good chance of being rolled out in RHEL
7.1/7.2, or even possibly 7.0.

Hearing that there is official word that the intention is for Pacemaker to
be the official cluster stack helps me put my development plans together.


The project I am working on is focused on two-node clusters. But I also
need a persistent, cluster-wide data store to hold a small amount of state
(less than 1KB). This data store is what I refer to as a cluster-registry.
The state data records the last-known operational state for the storage
feature. This last-known state helps drive recovery operations for the
storage feature during node bring-up. This project is specifically aimed
at integrating generic functionality into the Linux cluster stack.

I have been thinking about using the cluster configuration file for this
storage which I assume is the CIB referenced by Andrew. But I can imagine
cases where the CIB file may loose updates if it does not utilize shared
storage media. My understanding is that the CIB file is stored on each
node using local disk storage.

For example, consider a two-node cluster that is configured with a quorum
disk on shared storage media. If at a given point in time NodeB is up and
NodeB is down. NodeA can form quorate and start cluster services
(including HA applications). Assume that NodeA updates the CIB to record
some state update. If NodeB starts booting but before NodeB joins the
cluster, NodeA crashes. At this point, the updated CIB only resides on
NodeA and cannot be accessed by NodeB even if NodeB can access the quorum
disk as form quorate. Effectively, NodeB cannot be aware of the update
from NodeA which will result in an implicit roll-back of any updates
performed by NodeA.

With a two-node cluster, there are two options for resolving this:
* prevent any update to the cluster registry/CIB unless all nodes are part
of the cluster. (This is not practical since it undermines some of the
reasons for building clusters.)
* store the cluster registry on shared storage so that there is one source
of truth.

It is possible that the nature of the data stored in the CIB is resilient
to the example scenario that I describe. In this case, maybe the CIB is
not an appropriate data store for my cluster registry data. In this case I
am either looking for an appropriate Linux component to use for my cluster
registry, or I will build a custom data store that provides atomic update
semantics on shared storage.

Any thoughts and/or pointers would be appreciated.

Thanks,
Michael Richmond

--
michael richmond | principal software engineer | flashsoft, sandisk |
+1.408.425.6731




On 22/4/13 4:37 PM, "Andrew Beekhof" <andrew@xxxxxxxxxxx> wrote:


On 23/04/2013, at 4:59 AM, Digimer <lists@xxxxxxxxxx> wrote:

On 04/22/2013 02:36 PM, Michael Richmond wrote:
Hello,
I am researching the new cluster stack that is scheduled to be
delivered
in Fedora 19. Does anyone on this list have a sense for the timeframe
for this new stack to be rolled into a RHEL release? (I assume the
earliest would be RHEL 7.)

On the Windows platform, Microsoft Cluster Services provides a
cluster-wide registry service that is basically a cluster-wide
key:value
store with atomic updates and support to store the registry on shared
disk. The  storage on shared disk allows access and use of the registry
in cases where nodes are frequently joining and leaving the cluster.

Are there any component(s) that can be used to provide a similar
registry in the Linux cluster stack? (The current RHEL 6 stack, and/or
the new Fedora 19 stack.)

Thanks in advance for your information,
Michael Richmond

Hi Michael,

  First up, Red Hat's policy of what is coming is "we'll announce on
release day". So anything else is a guess. As it is, Pacemaker is in
tech-preview in RHEL 6, and the best guess is that it will be the
official resource manager in RHEL 7, but it's just that, a guess.

I believe we're officially allowed to say that it is our _intention_ that
Pacemaker will be the one and only supported stack in RHEL7.


  As for the registry question; I am not entirely sure what it is you
are asking here (sorry, not familiar with windows). I can say that
pacemaker uses something called the CIB (cluster information base) which
is an XML file containing the cluster's configuration and state. It can
be updated from any node and the changes will push to the other nodes
immediately.

How many of these attributes are you planning to have?
You can throw a few in there, but I'd not use it for 100's or 1000's of
them - its mainly designed to store the resource/service configuration.


Does this answer your question?

  The current RHEL 6 cluster is corosync + cman + rgmanager. It also
uses an XML config and it can be updated from any node and push out to
the other nodes.

  Perhaps a better way to help would be to ask what, exactly, you want
to build your cluster for?

Cheers

--
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without
access to education?

--
Linux-cluster mailing list
Linux-cluster@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/linux-cluster



________________________________

PLEASE NOTE: The information contained in this electronic mail message is intended only for the use of the designated recipient(s) named above. If the reader of this message is not the intended recipient, you are hereby notified that you have received this message in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify the sender by telephone or e-mail (as shown above) immediately and destroy any and all copies of this message in your possession (whether hard copies or electronically stored copies).




--
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without access to education?

--
Linux-cluster mailing list
Linux-cluster@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/linux-cluster




[Index of Archives]     [Corosync Cluster Engine]     [GFS]     [Linux Virtualization]     [Centos Virtualization]     [Centos]     [Linux RAID]     [Fedora Users]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite Camping]

  Powered by Linux