[Cluster-devel] unfencing

Fabio M. Di Nitto fabbione at fabbione.net
Thu Feb 26 06:51:57 UTC 2009


On Mon, 2009-02-23 at 13:09 -0600, David Teigland wrote:
> On Mon, Feb 23, 2009 at 07:52:55PM +0100, Fabio M. Di Nitto wrote:
> > > A node unfences *itself* when it boots up.  As such, power-unfencing doesn't
> > > make sense; unfencing is only meant to reverse storage fencing.
> > 
> > What can stop a user from running fence_node -U from another node to do remote
> > (un)fencing?
> 
> It would work.  Users can do anything they like, that's beside the point.

I was thinking about 2 little points..

Given the time at which fence_node -U will fire, you probably want to
add a cman_init + cman_is_active + cman_finish loop in fence_node to
make sure cman is ready to reply to our ccs queries, otherwise we might
have a race condition at boot time (it might be already there.. didn't
really check the code). All our daemons do that to give cman time to
bootstrap.

The second thing would be to set a minimal protection mechanism by
allowing fence_node -U to be fired only for the node that is invoking
it. So if we run on node A, fence_node -U can only execute unfencing
operations for node A. For testing purposes then we could add a manual
override such as "--i-understand-this-operation-can-destroy-the-world".

Fabio
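
The two suggestions in the message above, sketched as an added example that is not part of the original post or of the cluster project's code: a bounded readiness wait before querying, and a refusal to unfence any node other than the caller unless an override is set. The probe callback, the function and enum names, and the name-comparison rule are all assumptions; a real probe would wrap the cman_init + cman_is_active + cman_finish sequence mentioned above.

```c
#include <stdbool.h>
#include <strings.h>
#include <unistd.h>

/* Hypothetical probe: true once the cluster manager answers. In fence_node
 * it would wrap the cman_init + cman_is_active + cman_finish sequence. */
typedef bool (*ready_probe_fn)(void *ctx);

enum unfence_verdict { UNFENCE_OK = 0, UNFENCE_NOT_READY, UNFENCE_NOT_SELF };

/* Poll up to max_tries times, sleeping delay_s seconds between attempts. */
static bool wait_until_ready(ready_probe_fn probe, void *ctx,
                             int max_tries, unsigned delay_s)
{
    for (int i = 0; i < max_tries; i++) {
        if (probe(ctx))
            return true;
        if (delay_s && i + 1 < max_tries)
            sleep(delay_s);
    }
    return false;
}

/* Assumption: names match exactly, ignoring case; a short name does not
 * match a fully qualified one, so ambiguous input is refused. */
static bool is_local_node(const char *local, const char *target)
{
    return local && target && *target && strcasecmp(local, target) == 0;
}

/* Self-only check first, then a bounded wait for the cluster manager. */
enum unfence_verdict unfence_allowed(const char *local, const char *target,
                                     bool override, ready_probe_fn probe,
                                     void *ctx, int max_tries, unsigned delay_s)
{
    if (!override && !is_local_node(local, target))
        return UNFENCE_NOT_SELF;
    return wait_until_ready(probe, ctx, max_tries, delay_s)
               ? UNFENCE_OK : UNFENCE_NOT_READY;
}

/* Constructed probe for the demo: reports ready after *ctx failed polls. */
bool demo_probe(void *ctx) { int *left = ctx; return (*left)-- <= 0; }

int main(void)
{
    int left = 2; /* constructed: ready on the third poll */
    return unfence_allowed("nodeA", "nodeA", false, demo_probe, &left, 5, 0);
}
```

Checking the target before polling means a request for another node is rejected without touching the cluster manager at all.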



