Gluster users - Mar 2016 - Default quorum for 2 way replication

hi,
      So far default quorum for 2-way replication is 'none' (i.e. 
files/directories may go into split-brain) and for 3-way replication and 
arbiter based replication it is 'auto' (files/directories won't go
into
split-brain). There are requests to make default as 'auto' for 2-way 
replication as well. The line of reasoning is that people value data 
integrity (files not going into split-brain) more than HA (operation of 
mount even when bricks go down). And admins should explicitly change it 
to 'none' when they are fine with split-brains in 2-way replication. We 
were wondering if you have any inputs about what is a sane default for 
2-way replication.

I like the default to be 'none'. Reason: If we have 'auto' as
quorum for
2-way replication and first brick dies, there is no HA. If users are 
fine with it, it is better to use plain distribute volume rather than 
replication with quorum as 'auto'. What are your thoughts on the matter?
Please guide us in the right direction.

Pranith

On 03/04/2016 05:26 PM, Pranith Kumar Karampuri wrote:
> hi,
>      So far default quorum for 2-way replication is 'none' (i.e. 
> files/directories may go into split-brain) and for 3-way replication 
> and arbiter based replication it is 'auto' (files/directories
won't go
> into split-brain). There are requests to make default as 'auto' for
> 2-way replication as well. The line of reasoning is that people value 
> data integrity (files not going into split-brain) more than HA 
> (operation of mount even when bricks go down). And admins should 
> explicitly change it to 'none' when they are fine with split-brains
in
> 2-way replication. We were wondering if you have any inputs about what 
> is a sane default for 2-way replication.
>
> I like the default to be 'none'. Reason: If we have 'auto'
as quorum
> for 2-way replication and first brick dies, there is no HA.

+1.  Quorum does not make sense when there are only 2 parties. There is 
no majority voting. Arbiter volumes are a better option.
If someone wants some background, please see 'Client quorum' and 
'Replica 2 and Replica 3 volumes' section of 
http://gluster.readthedocs.org/en/latest/Administrator%20Guide/arbiter-volumes-and-quorum/


-Ravi
> If users are fine with it, it is better to use plain distribute volume 
> rather than replication with quorum as 'auto'. What are your
thoughts
> on the matter? Please guide us in the right direction.
>
> Pranith

> I like the default to be 'none'. Reason: If we have 'auto'
as quorum for
> 2-way replication and first brick dies, there is no HA. If users are
> fine with it, it is better to use plain distribute volume
"Availability" is a tricky word.  Does it mean access to data now, or
later despite failure?  Taking a volume down due to loss of quorum might
be equivalent to having no replication in the first sense, but certainly
not in the second.  When the possibility (likelihood?) of split brain is
considered, enforcing quorum actually does a *better* job of preserving
availability in the second sense.  I believe this second sense is most
often what users care about, and therefore quorum enforcement should be
the default.

I think we all agree that quorum is a bit slippery when N=2.  That's
where there really is a tradeoff between (immediate) availability and
(highest levels of) data integrity.  That's why arbiters showed up first
in the NSR specs, and later in AFR.  We should definitely try to push
people toward N>=3 as much as we can.  However, the ability to "scale
down" is one of the things that differentiate us vs. both our Ceph
cousins and our true competitors.  Many of our users will stop at N=2 no
matter what we say.  However unwise that might be, we must still do what
we can to minimize harm when things go awry.