[pve-devel] [PATCH ha-manager v4 4/4] allow use of external fencing devices

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Mar 16 13:01:30 CET 2016


A node now can be fenced with the use of external hardware fence
devices.
Those device can be configured at /etc/pve/ha/fence.cfg
also the fencing option in the datacenter configuration file must
be set to either 'hardware' or 'both', else configured devices
will *not* be used.

If hardware is selected as mode a valid device config *must* be
made, the fencing will not be marked as successful even if the CRM
could theoretical acquire the lock from the failed node!
This is done as some setups may require a HW fence agent to cut the
node off and where a watchdog which resets the node may be
dangerous.

We always *must* acquire the log before we can mark the failed node
as fenced and place it into the 'unknown' state and recover its
services.

The CRM bails out in case of an lost manager lock event where
$manager->cleanup() gets called.
There we kill all remaining open fence processes, if any,
and reset the fence status.

The currents masters manager class processes the running fencing
jobs, this means picking up finished fence workers and evaluating
their result.

Now regressions test with faked virtual HW fence devices are also
possible.
The current virtual devices succeed always, this will be changed
in a future patch to allow testing of more (dangerous) corner cases.

Device can be configured in the testdir/fence.cfg file and follow
the exactly same format as the real ones (see man dlm.conf)

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---

changes since v3:
* adapt regression test output to new log messages
* log when HW fencing succeeded

 src/PVE/HA/Manager.pm                   | 12 +++++++-
 src/PVE/HA/NodeStatus.pm                | 41 ++++++++++++++++++++++++-
 src/test/test-hw-fence1/README          |  1 +
 src/test/test-hw-fence1/cmdlist         |  4 +++
 src/test/test-hw-fence1/fence.cfg       |  6 ++++
 src/test/test-hw-fence1/hardware_status |  5 ++++
 src/test/test-hw-fence1/log.expect      | 53 +++++++++++++++++++++++++++++++++
 src/test/test-hw-fence1/manager_status  |  1 +
 src/test/test-hw-fence1/service_config  |  5 ++++
 9 files changed, 126 insertions(+), 2 deletions(-)
 create mode 100644 src/test/test-hw-fence1/README
 create mode 100644 src/test/test-hw-fence1/cmdlist
 create mode 100644 src/test/test-hw-fence1/fence.cfg
 create mode 100644 src/test/test-hw-fence1/hardware_status
 create mode 100644 src/test/test-hw-fence1/log.expect
 create mode 100644 src/test/test-hw-fence1/manager_status
 create mode 100644 src/test/test-hw-fence1/service_config

diff --git a/src/PVE/HA/Manager.pm b/src/PVE/HA/Manager.pm
index 9b4e6f2..9426151 100644
--- a/src/PVE/HA/Manager.pm
+++ b/src/PVE/HA/Manager.pm
@@ -8,6 +8,7 @@ use Data::Dumper;
 use PVE::Tools;
 use PVE::HA::Tools ':exit_codes';
 use PVE::HA::NodeStatus;
+use PVE::HA::Fence;
 
 my $fence_delay = 60;
 
@@ -38,7 +39,13 @@ sub new {
 sub cleanup {
     my ($self) = @_;
 
-    # todo: ?
+    my $haenv = $self->{haenv};
+
+    # reset pending fence jobs and node states
+    if (PVE::HA::Fence::has_fencing_job($haenv->nodename())) {
+	$haenv->log('notice', "bailing out from running fence jobs");
+	PVE::HA::Fence::bail_out($haenv);
+    }
 }
 
 sub flush_master_status {
@@ -422,6 +429,9 @@ sub manage {
 	    &$recover_fenced_service($self, $sid, $sc->{$sid});
 	}
 
+	# pick up and evaluate fence jobs
+	PVE::HA::Fence::process_fencing($haenv);
+
 	last if !$repeat;
     }
 
diff --git a/src/PVE/HA/NodeStatus.pm b/src/PVE/HA/NodeStatus.pm
index eb174cb..cc8f744 100644
--- a/src/PVE/HA/NodeStatus.pm
+++ b/src/PVE/HA/NodeStatus.pm
@@ -2,6 +2,7 @@ package PVE::HA::NodeStatus;
 
 use strict;
 use warnings;
+use PVE::HA::Fence;
 
 use Data::Dumper;
 
@@ -177,11 +178,49 @@ sub fence_node {
 	&$set_node_state($self, $node, 'fence');
     }
 
-    my $success = $haenv->get_ha_agent_lock($node);
+    my ($success, $hw_fence_success) = (0, 0);
+
+    my $fencing_mode = $haenv->fencing_mode();
+
+    if ($fencing_mode eq 'hardware' || $fencing_mode eq 'both') {
+
+	$hw_fence_success = PVE::HA::Fence::is_node_fenced($node);
+
+	# bad fence.cfg or no devices and only hardware fencing configured
+	if ($hw_fence_success < 0 && $fencing_mode eq 'hardware') {
+	    $haenv->log('err', "Fencing of node '$node' failed and needs " .
+			"manual intervention!");
+	    return 0;
+	}
+
+	if ($hw_fence_success > 0) {
+	    # we fenced the node, now we're allowed to "steal" its lock
+	    $haenv->log('notice', "fencing of node '$node' succeeded, " .
+			"trying to get its agent lock");
+	    $haenv->release_ha_agent_lock($node);
+
+	} elsif ($hw_fence_success == 0 && !PVE::HA::Fence::has_fencing_job($node)) {
+
+	    # start fencing if not yet succeeded and node has no fence job running
+	    if (PVE::HA::Fence::start_fencing($haenv, $node)) {
+		$haenv->log('notice', "Started fencing off node '$node'");
+	    }
+
+	}
+    }
+
+    # we *always* need the lock, it secures that we are allowed to recover the
+    # fenced node services, but we are *not* allowed to mark the fence operation
+    # as successful if we use the 'hardware' mode as the node could be still active
+    # on the storage  while the cluster network is dead and thus the lock timed out
+    if ($hw_fence_success || $fencing_mode ne 'hardware' ) {
+	$success = $haenv->get_ha_agent_lock($node);
+    }
 
     if ($success) {
 	$haenv->log("info", "fencing: acknowleged - got agent lock for node '$node'");
 	&$set_node_state($self, $node, 'unknown');
+	PVE::HA::Fence::reset($node) if ($fencing_mode ne 'watchdog');
     }
 
     return $success;
diff --git a/src/test/test-hw-fence1/README b/src/test/test-hw-fence1/README
new file mode 100644
index 0000000..d0dea4b
--- /dev/null
+++ b/src/test/test-hw-fence1/README
@@ -0,0 +1 @@
+Test failover after single node network failure with HW fence devices.
diff --git a/src/test/test-hw-fence1/cmdlist b/src/test/test-hw-fence1/cmdlist
new file mode 100644
index 0000000..eee0e40
--- /dev/null
+++ b/src/test/test-hw-fence1/cmdlist
@@ -0,0 +1,4 @@
+[
+    [ "power node1 on", "power node2 on", "power node3 on"],
+    [ "network node3 off" ]
+]
diff --git a/src/test/test-hw-fence1/fence.cfg b/src/test/test-hw-fence1/fence.cfg
new file mode 100644
index 0000000..0bbe096
--- /dev/null
+++ b/src/test/test-hw-fence1/fence.cfg
@@ -0,0 +1,6 @@
+# see man dlm.conf
+device virt fence_virt ip="127.0.0.1"
+connect virt node=node1 plug=100
+connect virt node=node2 plug=101
+connect virt node=node3 plug=102
+
diff --git a/src/test/test-hw-fence1/hardware_status b/src/test/test-hw-fence1/hardware_status
new file mode 100644
index 0000000..451beb1
--- /dev/null
+++ b/src/test/test-hw-fence1/hardware_status
@@ -0,0 +1,5 @@
+{
+  "node1": { "power": "off", "network": "off" },
+  "node2": { "power": "off", "network": "off" },
+  "node3": { "power": "off", "network": "off" }
+}
diff --git a/src/test/test-hw-fence1/log.expect b/src/test/test-hw-fence1/log.expect
new file mode 100644
index 0000000..26eeb6e
--- /dev/null
+++ b/src/test/test-hw-fence1/log.expect
@@ -0,0 +1,53 @@
+info      0     hardware: starting simulation
+info     20      cmdlist: execute power node1 on
+info     20    node1/crm: status change startup => wait_for_quorum
+info     20    node1/lrm: status change startup => wait_for_agent_lock
+info     20      cmdlist: execute power node2 on
+info     20    node2/crm: status change startup => wait_for_quorum
+info     20    node2/lrm: status change startup => wait_for_agent_lock
+info     20      cmdlist: execute power node3 on
+info     20    node3/crm: status change startup => wait_for_quorum
+info     20    node3/lrm: status change startup => wait_for_agent_lock
+info     20    node1/crm: got lock 'ha_manager_lock'
+info     20    node1/crm: status change wait_for_quorum => master
+info     20    node1/crm: node 'node1': state changed from 'unknown' => 'online'
+info     20    node1/crm: node 'node2': state changed from 'unknown' => 'online'
+info     20    node1/crm: node 'node3': state changed from 'unknown' => 'online'
+info     20    node1/crm: adding new service 'vm:101' on node 'node1'
+info     20    node1/crm: adding new service 'vm:102' on node 'node2'
+info     20    node1/crm: adding new service 'vm:103' on node 'node3'
+info     20    node1/crm: service 'vm:102': state changed from 'started' to 'request_stop'
+info     21    node1/lrm: got lock 'ha_agent_node1_lock'
+info     21    node1/lrm: status change wait_for_agent_lock => active
+info     21    node1/lrm: starting service vm:101
+info     21    node1/lrm: service status vm:101 started
+info     22    node2/crm: status change wait_for_quorum => slave
+info     23    node2/lrm: got lock 'ha_agent_node2_lock'
+info     23    node2/lrm: status change wait_for_agent_lock => active
+info     24    node3/crm: status change wait_for_quorum => slave
+info     25    node3/lrm: got lock 'ha_agent_node3_lock'
+info     25    node3/lrm: status change wait_for_agent_lock => active
+info     25    node3/lrm: starting service vm:103
+info     25    node3/lrm: service status vm:103 started
+info     40    node1/crm: service 'vm:102': state changed from 'request_stop' to 'stopped'
+info    120      cmdlist: execute network node3 off
+info    120    node1/crm: node 'node3': state changed from 'online' => 'unknown'
+info    124    node3/crm: status change slave => wait_for_quorum
+info    125    node3/lrm: status change active => lost_agent_lock
+info    160    node1/crm: service 'vm:103': state changed from 'started' to 'fence'
+info    160    node1/crm: node 'node3': state changed from 'unknown' => 'fence'
+noti    160    node1/crm: Start fencing of node 'node3'
+noti    160    node1/crm: [fence 'node3'] execute fence command: fence_virt --ip=127.0.0.1 --plug=102
+info    160   fence_virt: execute power node3 off
+info    160    node3/crm: killed by poweroff
+info    160    node3/lrm: killed by poweroff
+noti    160    node1/crm: Started fencing off node 'node3'
+noti    160    node1/crm: fencing of node 'node3' succeeded, trying to get its agent lock
+info    160    node1/crm: got lock 'ha_agent_node3_lock'
+info    160    node1/crm: fencing: acknowleged - got agent lock for node 'node3'
+info    160    node1/crm: node 'node3': state changed from 'fence' => 'unknown'
+info    160    node1/crm: recover service 'vm:103' from fenced node 'node3' to node 'node2'
+info    160    node1/crm: service 'vm:103': state changed from 'fence' to 'started'  (node = node2)
+info    163    node2/lrm: starting service vm:103
+info    163    node2/lrm: service status vm:103 started
+info    720     hardware: exit simulation - done
diff --git a/src/test/test-hw-fence1/manager_status b/src/test/test-hw-fence1/manager_status
new file mode 100644
index 0000000..9e26dfe
--- /dev/null
+++ b/src/test/test-hw-fence1/manager_status
@@ -0,0 +1 @@
+{}
diff --git a/src/test/test-hw-fence1/service_config b/src/test/test-hw-fence1/service_config
new file mode 100644
index 0000000..0e05ab4
--- /dev/null
+++ b/src/test/test-hw-fence1/service_config
@@ -0,0 +1,5 @@
+{
+    "vm:101": { "node": "node1", "state": "enabled" },
+    "vm:102": { "node": "node2" },
+    "vm:103": { "node": "node3", "state": "enabled" }
+}
-- 
2.1.4





More information about the pve-devel mailing list