which may backfire, if both nodes think the other one is down (split brain again) and start the shutdown procedure. okay, this is a very rare situation, and may happen only under strange load and scheduling parameters, but it will happen as any other "very rare situation" happens ;-). especially in HA environments they seem to happen much more often than in simple single point of failure environments ;-) you won't lose your filesystem, but the service is unavailable.
Nothing will give you 100%: eventually the switchover methods introduce more marginal P(fail) than the original setup had. Joy of reliability studies is figuring how to take the first partial of P(Fail) w/ respect to the switchover systems and set it to zero... Turns out the most reliable answer is a swag anyway :-)
--
Steven Lembark 2930 W. Palmer
Workhorse Computing Chicago, IL 60647
+1 800 762 1582