Cluster fencing – Unlike many common thoughts, high-availability is not the highest priority of an high-availability cluster, but only the 2nd one. The highest priority of an high-availability cluster is maintenance of data integrity by prevention of multiple concurrent access of nodes to the shared disk.
On different cluster, depending on the vendor, this can be achieved by different methods, either by prevention of access based on the status of the cluster (for example – Microsoft Cluster, which will not allow access to the disks without cluster management and coordination), by panicking the node in question (Oracle RAC, for example, or IBM HACMP), or by preventing failover unless the status of the other node, as well as all heartbeat links were ok up to the exact moment of failure (VCS, for example).
Another method is based on a fence, or “Shoot the Other Node in the Head”. This “fence” is usually based on an hardware device which has no dependencies for the node’s OS, and is capable of shutting it down, many times brutally, upon request. A good fencing device can be a UPS, which supports the other node. The whole idea is that in a case of uncertainty, either one of the nodes can attempt to ‘kill’ the other node, independently of any connectivity issue one of them might experience. This race result is quite obvious: one node remains alive, capable of taking over the resource groups, the other node is off, unable to access the disk in an uncontrolled manner.
Linux-based clusters will not force you to use fencing of any sort, however, for a production environments, setups without any fencing device will be unsupported, as the cluster cannot handle cases of split-brain or uncertainty. These hardware devices, which can be, as said before, a manageable UPS, a remote-control power-switch, the server’s own IPMI (or any other independent system such as HP ILO, IBM HMC, etc), and even the fiber switch – as long as it can prevent the node in question from accessing the disks, are quite expensive, but comparing to hours of restore-from-backup, they sure justify their price.
On many sites there is a demand for a “test” setup which will be as similar to the production setup as possible. This test setup can be used to test upgrades, configuration changes, etc. Using fencing in this environment is important, for two reasons:
1. Simulation of the production system behavior is achieved with as similar setup as possible, and fencing takes an important part in the cluster and its logic.
2. A replicated production environment contain data which might have some importance, and if not that, at least re-replicating it from the production environment after a case of uncontrolled access to the disk by a faulty node (and this test cluster is in a higher risk, as defined by its role), or restoring from tapes is unpleasant and time consuming.
So we agree that the test cluster should have some sort of fencing device, even if not similar to production’s one, for the sake of the cluster logic.
On some sites, there is a demand for more than one test environment. Both setups – a single test environment and multiple test environments can be defined to work as guests on a virtual server. Virtualization assists in saving hardware (and power, and cooling) costs, and allows for easy duplication and replication, so this is a case where it is ideal for the task. This said, it brings up a problem – fencing a virtual server has implications – we can kill all guest systems in one go. We wouldn’t want that to happen. Lucky for us, RedHat Cluster has a fencing device for VMware, which, although not recommended in a production environment, will suffice for a test environment. These are the steps required to setup one such VMware fencing device in RHCS5:
1. Download the latest CVS fence_vmware from here. You can use this direct link (use with “save target as”). Save it in your /sbin directory under the name fence_vmware, and give it execution permissions.
2. Edit fence_vmware. In line 249 change the string “port” to “vmname”.
3. Install VMware Perl API on both cluster nodes. You will need to have gcc and openssl-devel installed on your system to be able to do so.
4. Change your fencing based on this example:
<?xml version="1.0"?> <cluster alias="Gfs-test" config_version="39" name="Gfs-test"> <fence_daemon clean_start="0" post_fail_delay="0" post_join_delay="3"/> <clusternodes> <clusternode name="cent2" nodeid="1" votes="1"> <fence> <method name="1"> <device name="man2"/> </method> </fence> </clusternode> <clusternode name="cent1" nodeid="2" votes="1"> <fence> <method name="1"> <device name="man1"/> </method> <method name="2"> <device domain="22 " name="11 "/> </method> </fence> </clusternode> </clusternodes> <cman expected_votes="1" two_node="1"/> <fencedevices> <fencedevice agent="fence_vmware" name="man2" ipaddr="192.168.88.1" login="user" passwd="password" vmname="c:vmwarevirt2rhel5.vmx"/> <fencedevice agent="fence_vmware" name="man1" ipaddr="192.168.88.1" login="user" passwd="password" vmname="c:vmwarevirt1rhel5.vmx"/> </fencedevices> <rm> <failoverdomains/> <resources> <fs device="/dev/sda" force_fsck="0" force_unmount="0" fsid="5" fstype="ext3" mountpoint="/data" name="sda" options="" self_fence="0"/> </resources> <service autostart="1" name="smartd"> <ip address="192.168.88.201" monitor_link="1"/> </service> <service autostart="1" name="disk1"> <fs ref="sda"/> </service> </rm> </cluster>
Change to your relevant VMware username and password.
If you have a Centos system, you will be required to perform these three steps:
1. ‘ln -s /usr/sbin/cman_tool /sbin/cman_tool‘
2. ‘cp /etc/redhat-release /etc/redhat-release.orig‘
3. ‘echo “Red Hat Enterprise Linux Server release 5 (Tikanga)” > /etc/redhat-release‘
This should do the trick. Good luck, and thanks again to Yoni who brought and fought the configuration steps.
Per comments (and a bit-late – common logic) I have broken lines in the XML quote for cluster.conf. In cases these line breaks might break something in RedHat Cluster, I have added the original xml file here: cluster.conf