[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Linux-cluster] Fencing quandry

We had a "that totally sucks" event the other night involving fencing.
In short - Red Hat 4.7, 2 node cluster using iLO fencing with HP blade

- passive node detemined active node was unresponsive (missed too many
- passive node initiates take-over and begins fencing process
- fencing agent successfully powers off blade server
- fencing agent sits in an endless loop trying to power on the blade,
which won't power up
- the cluster appears "stalled" at this point because fencing won't

I was able to complete the failover by swapping out the fencing agent
with a shell script that does "exit 0". This allowed the fencing agent
to complete so the resource manager could successfully relocate the

My question becomes: why isn't a successful power off considered
sufficient for a take-over of a service? If the power is off, you've
guaranteed that all resources are released by that node. By requiring a
successful power on (which may never happen due to hardware failure,)
the fencing agent becomes a single point of failure in the cluster. The
fencing agent should make an attempt to power on a down node but it
shouldn't hold up the failover process if that attempt fails.

Performance Engineer

OpSource, Inc.
"Your Success is Our Success"

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]