On 22/06/16 01:38 PM, John R Pierce wrote:
> On 6/21/2016 10:01 PM, Tom Robinson wrote:
>> Currently when I migrate a guest, I can all too easily start it up on
>> both hosts! There must be some way to fence these off but I'm just not
>> sure how to do this.
>
> In addition to power fencing as described by others, you can also fence
> at the ethernet switch layer, where you disable the switch port(s) that
> the dead host is on. This of course requires managed switches that your
> cluster management software can talk to. If you're using dedicated
> networking for iSCSI (often done for high performance), you can just
> disable that port.

This is called "fabric fencing" and was originally the only supported
option in the very early days of HA. It has fallen out of favour for
several reasons, but it does still work fine. The main issue is that it
leaves the node in an unclean state. If an admin (out of ignorance or
panic) reconnects the node, all hell can break loose. So generally power
cycling is much safer.

-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without
access to education?
On 6/22/2016 10:47 AM, Digimer wrote:
> This is called "fabric fencing" and was originally the only supported
> option in the very early days of HA. It has fallen out of favour for
> several reasons, but it does still work fine. The main issue is that it
> leaves the node in an unclean state. If an admin (out of ignorance or
> panic) reconnects the node, all hell can break loose. So generally power
> cycling is much safer.

How is that any different than said ignorant admin powering up the
shutdown node?

-- 
john r pierce, recycling bits in santa cruz
Once upon a time, John R Pierce <pierce at hogranch.com> said:
> On 6/22/2016 10:47 AM, Digimer wrote:
>> This is called "fabric fencing" and was originally the only supported
>> option in the very early days of HA. It has fallen out of favour for
>> several reasons, but it does still work fine. The main issue is that it
>> leaves the node in an unclean state. If an admin (out of ignorance or
>> panic) reconnects the node, all hell can break loose. So generally power
>> cycling is much safer.
>
> How is that any different than said ignorant admin powering up the
> shutdown node?

On boot, the cluster software assumes it is "wrong" and doesn't connect
to any resources until it can verify state. If the node is just
disconnected and left running, and later reconnected, it can try to
write out (now old/incorrect) data to the storage, corrupting things.

Speaking of shared storage, another fencing option is SCSI reservations.
It can be terribly finicky, but it can be useful.

-- 
Chris Adams <linux at cmadams.net>
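The two failure modes argued over in this thread (a node that is only disconnected and later reconnected flushing stale writes, versus a node whose access is revoked at the storage layer) can be shown side by side in a small simulation. The block below is an added example, not code from any participant or from any cluster project; the LUN, the persistent reservation table, the two nodes and their keys are all constructed for the example. It models the SCSI-3 persistent reservation semantics that a SCSI fence agent applies to a real LUN (register a key, take a Write Exclusive / All Registrants reservation, then preempt-abort the dead node's key), not the sg_persist tool itself.

```python
"""Simulation of fabric-only fencing versus SCSI persistent reservation fencing.

Constructed example: a shared LUN with a toy persistent reservation (PR)
table and two cluster nodes. Nothing here talks to real storage.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class ReservationConflict(Exception):
    """Stands in for a target returning RESERVATION CONFLICT status."""


@dataclass
class SharedLun:
    """Toy shared LUN: data blocks plus a PR table (registered keys, holder)."""
    blocks: Dict[int, str] = field(default_factory=dict)
    registered: Set[int] = field(default_factory=set)
    holder: Optional[int] = None

    def register(self, key: int) -> None:
        self.registered.add(key)

    def reserve(self, key: int) -> None:
        # Write Exclusive, All Registrants: any registered key may write.
        if key not in self.registered:
            raise ReservationConflict("reserve by unregistered key")
        if self.holder is None:
            self.holder = key

    def preempt_abort(self, key: int, victim_key: int) -> None:
        """Survivor drops the dead node's key; its later writes are rejected."""
        if key not in self.registered:
            raise ReservationConflict("preempt by unregistered key")
        self.registered.discard(victim_key)
        if self.holder == victim_key:
            self.holder = key

    def write(self, key: int, block: int, value: str) -> None:
        if self.holder is not None and key not in self.registered:
            raise ReservationConflict(f"key {key:#x} is not registered")
        self.blocks[block] = value


@dataclass
class ClusterNode:
    """A node with a buffer of writes that have not yet reached the LUN."""
    name: str
    key: int
    lun: SharedLun
    dirty: Dict[int, str] = field(default_factory=dict)
    connected: bool = True

    def join(self) -> None:
        self.lun.register(self.key)
        self.lun.reserve(self.key)

    def write(self, block: int, value: str) -> None:
        self.dirty[block] = value
        if self.connected:
            self.flush()

    def flush(self) -> bool:
        """Push buffered writes over the (possibly restored) storage path."""
        if not self.connected or not self.dirty:
            return False
        for block, value in self.dirty.items():
            self.lun.write(self.key, block, value)
        self.dirty.clear()
        return True


def run_scenario(use_scsi_pr_fence: bool):
    """Returns (stale write landed?, final contents of block 0)."""
    lun = SharedLun()
    node_a = ClusterNode("node-a", 0x1, lun)
    node_b = ClusterNode("node-b", 0x2, lun)
    node_a.join()
    node_b.join()

    node_b.write(0, "v1 from node-b")            # healthy cluster, node-b owns the guest
    node_b.connected = False                     # node-b loses its path (or its switch port)
    node_b.write(0, "v2 from node-b (stale)")    # buffered: node-b still believes it owns the guest

    if use_scsi_pr_fence:
        lun.preempt_abort(node_a.key, node_b.key)  # revoke node-b's access at the LUN

    node_a.write(0, "v3 from node-a (recovered)")  # node-a recovers the guest and moves on

    node_b.connected = True                      # an admin reconnects node-b without a reboot
    try:
        node_b.flush()                           # old buffered data heads for the LUN
        stale_write_landed = True
    except ReservationConflict:
        stale_write_landed = False
    return stale_write_landed, lun.blocks[0]


if __name__ == "__main__":
    print("fabric fence only:", run_scenario(False))
    print("SCSI PR fence:    ", run_scenario(True))
```

Without the preemption, node-b's key is still registered, so its stale buffer overwrites the recovered data the moment the port comes back; with the preemption, the same flush fails with a reservation conflict and the LUN keeps node-a's newer write. A power cycle avoids the problem by emptying the buffer instead, which is the point made about the rebooted node not touching resources until it has verified state.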