[dm-devel] Improving mirror fault handling.

malahal at us.ibm.com malahal at us.ibm.com
Tue Jan 13 03:26:52 UTC 2009 

Jonathan Brassow [jbrassow at redhat.com] wrote:
>  *    A => Alive - No failures
>  *    D => Dead - A write failure occurred leaving mirror out-of-sync
>  *    S => Sync - A sychronization failure occurred, mirror out-of-sync
>  *    R => Read - A read failure occurred, mirror data unaffected
> We can do so much more with this information than the immediate removal
> of an offending device.  'S' could cause us to simply suspend/resume the
> device to restart the resynchronization process - giving us another shot
> at it.  'R' could mean that we have a unrecoverable read error - a block
> relocation might be initiated via a write.  In the case of a 'D', we
> could wait some user configured amount of time (or %'age out of sync)
> before removing the offending device, as it could be a transient
> failure.
> 
> 2) Improve parsing of mirror status output in the DSO
> - Location => LVM2/daemons/dmeventd/plugins/mirror/dmeventd_mirror.c
> - Be able to determine failure types (need more states then just
> 'ME_FAILURE')
> - At the very least, we improve the log messages at this phase and it
> sets us up to improve the handling of each error type - potentially
> ignoring some error types for now (like read failures).
> 
> 3) Implement different methods to handle the different error types
> 
> 4) Transient fault handling
> - Since we can't just assume "wait 5 seconds and then see if the failure
> still exists", we are going to have to make this configurable.
> Discussion should proceed on this in parallel with #2 and #3, since this
> phase will take a long time for everyone to agree.  We have to determine
> where the user specifies the configuration - lvm.conf?  CLI?  We also
> have to determine /what/ their configuration will be based on - time?
> percentage of mirror out-of-sync?

Thank you Jonathan for the nice write up. Transient failure are
generally recoverable after a period of time. The 'time' may vary from
device to device though. lvm.conf based configuration is a good place to
start. Do we really need LV or PV based configuration for this
'timeout'?

The recovery itself doesn't depend on the %of out-of-sync regions, but
that is a good place to start looking for re-allocating the regions if
configured for re-allocation.

Here are my thoughts:
	handle_mirror_transient_failure()
	{
		do {
			if (device-came-back-to-life()) {
				start-resynchronization();
				break;
			}

			if (reallocation-timeout exceeded or
			    re-allocation-too-much out-of-sync) {
				re-allocate();
				break;
			}
			if (some-other-timeout exceeded) {
				log a message and break;
			}
			sleep(for-few-seconds);
			timeout =- few-seconds;
		} while (1)
	}

Thanks, Malahal.

More information about the dm-devel mailing list