diff --git a/doc/sphinx/Clusters_from_Scratch/active-passive.rst b/doc/sphinx/Clusters_from_Scratch/active-passive.rst index 1699c43377..9b7b8feb5d 100644 --- a/doc/sphinx/Clusters_from_Scratch/active-passive.rst +++ b/doc/sphinx/Clusters_from_Scratch/active-passive.rst @@ -1,324 +1,324 @@ Create an Active/Passive Cluster -------------------------------- .. index:: pair: resource; IP address Add a Resource ############## Our first resource will be a floating IP address that the cluster can bring up on either node. Regardless of where any cluster service(s) are running, end users need to be able to communicate with them at a consistent address. Here, we will use ``192.168.122.120`` as the floating IP address, give it the imaginative name ``ClusterIP``, and tell the cluster to check whether it is still running every 30 seconds. .. WARNING:: The chosen address must not already be in use on the network, on a cluster node or elsewhere. Do not reuse an IP address one of the nodes already has configured. .. code-block:: console [root@pcmk-1 ~]# pcs resource create ClusterIP ocf:heartbeat:IPaddr2 \ ip=192.168.122.120 cidr_netmask=24 op monitor interval=30s Another important piece of information here is ``ocf:heartbeat:IPaddr2``. This tells Pacemaker three things about the resource you want to add: * The first field (``ocf`` in this case) is the standard to which the resource agent conforms and where to find it. * The second field (``heartbeat`` in this case) is known as the provider. Currently, this field is supported only for OCF resources. It tells Pacemaker which OCF namespace the resource script is in. * The third field (``IPaddr2`` in this case) is the name of the resource agent, the executable file responsible for starting, stopping, monitoring, and possibly promoting and demoting the resource. To obtain a list of the available resource standards (the ``ocf`` part of ``ocf:heartbeat:IPaddr2``), run: .. code-block:: console [root@pcmk-1 ~]# pcs resource standards lsb ocf service systemd To obtain a list of the available OCF resource providers (the ``heartbeat`` part of ``ocf:heartbeat:IPaddr2``), run: .. code-block:: console [root@pcmk-1 ~]# pcs resource providers heartbeat openstack pacemaker Finally, if you want to see all the resource agents available for a specific OCF provider (the ``IPaddr2`` part of ``ocf:heartbeat:IPaddr2``), run: .. code-block:: console [root@pcmk-1 ~]# pcs resource agents ocf:heartbeat apache conntrackd corosync-qnetd . . (skipping lots of resources to save space) . VirtualDomain Xinetd If you want to list all resource agents available on the system, run ``pcs resource list``. We'll skip that here. Now, verify that the IP resource has been added, and display the cluster's -status to see that it is now active. Note: There should be a stonith device by +status to see that it is now active. Note: There should be a fencing device by now, but it's okay if it doesn't look like the one below. .. code-block:: console [root@pcmk-1 ~]# pcs status Cluster name: mycluster Cluster Summary: * Stack: corosync * Current DC: pcmk-1 (version 2.1.2-4.el9-ada5c3b36e2) - partition with quorum * Last updated: Wed Jul 27 00:37:28 2022 * Last change: Wed Jul 27 00:37:14 2022 by root via cibadmin on pcmk-1 * 2 nodes configured * 2 resource instances configured Node List: * Online: [ pcmk-1 pcmk-2 ] Full List of Resources: * fence_dev (stonith:some_fence_agent): Started pcmk-1 * ClusterIP (ocf:heartbeat:IPaddr2): Started pcmk-2 Daemon Status: corosync: active/disabled pacemaker: active/disabled pcsd: active/enabled On the node where the ``ClusterIP`` resource is running, verify that the address has been added. .. code-block:: console [root@pcmk-2 ~]# ip -o addr show 1: lo inet 127.0.0.1/8 scope host lo\ valid_lft forever preferred_lft forever 1: lo inet6 ::1/128 scope host \ valid_lft forever preferred_lft forever 2: enp1s0 inet 192.168.122.102/24 brd 192.168.122.255 scope global noprefixroute enp1s0\ valid_lft forever preferred_lft forever 2: enp1s0 inet 192.168.122.120/24 brd 192.168.122.255 scope global secondary enp1s0\ valid_lft forever preferred_lft forever 2: enp1s0 inet6 fe80::5054:ff:fe95:209/64 scope link noprefixroute \ valid_lft forever preferred_lft forever Perform a Failover ################## Since our ultimate goal is high availability, we should test failover of our new resource before moving on. First, from the ``pcs status`` output in the previous step, find the node on which the IP address is running. You can see that the status of the ``ClusterIP`` resource is ``Started`` on a particular node (in this example, ``pcmk-2``). Shut down ``pacemaker`` and ``corosync`` on that machine to trigger a failover. .. code-block:: console [root@pcmk-2 ~]# pcs cluster stop pcmk-2 pcmk-2: Stopping Cluster (pacemaker)... pcmk-2: Stopping Cluster (corosync)... .. NOTE:: A cluster command such as ``pcs cluster stop `` can be run from any node in the cluster, not just the node where the cluster services will be stopped. Running ``pcs cluster stop`` without a ```` stops the cluster services on the local host. The same is true for ``pcs cluster start`` and many other such commands. Verify that ``pacemaker`` and ``corosync`` are no longer running: .. code-block:: console [root@pcmk-2 ~]# pcs status Error: error running crm_mon, is pacemaker running? Could not connect to pacemakerd: Connection refused crm_mon: Connection to cluster failed: Connection refused Go to the other node, and check the cluster status. .. code-block:: console [root@pcmk-1 ~]# pcs status Cluster name: mycluster Cluster Summary: * Stack: corosync * Current DC: pcmk-1 (version 2.1.2-4.el9-ada5c3b36e2) - partition with quorum * Last updated: Wed Jul 27 00:43:51 2022 * Last change: Wed Jul 27 00:43:14 2022 by root via cibadmin on pcmk-1 * 2 nodes configured * 2 resource instances configured Node List: * Online: [ pcmk-1 ] * OFFLINE: [ pcmk-2 ] Full List of Resources: * fence_dev (stonith:some_fence_agent): Started pcmk-1 * ClusterIP (ocf:heartbeat:IPaddr2): Started pcmk-1 Daemon Status: corosync: active/disabled pacemaker: active/disabled pcsd: active/enabled Notice that ``pcmk-2`` is ``OFFLINE`` for cluster purposes (its ``pcsd`` is still active, allowing it to receive ``pcs`` commands, but it is not participating in the cluster). Also notice that ``ClusterIP`` is now running on ``pcmk-1`` -- failover happened automatically, and no errors are reported. .. topic:: Quorum If a cluster splits into two (or more) groups of nodes that can no longer communicate with each other (a.k.a. *partitions*), *quorum* is used to prevent resources from starting on more nodes than desired, which would risk data corruption. A cluster has quorum when more than half of all known nodes are online in the same partition, or for the mathematically inclined, whenever the following inequality is true: .. code-block:: console total_nodes < 2 * active_nodes For example, if a 5-node cluster split into 3- and 2-node paritions, the 3-node partition would have quorum and could continue serving resources. If a 6-node cluster split into two 3-node partitions, neither partition would have quorum; Pacemaker's default behavior in such cases is to stop all resources, in order to prevent data corruption. Two-node clusters are a special case. By the above definition, a two-node cluster would only have quorum when both nodes are running. This would make the creation of a two-node cluster pointless. However, Corosync has the ability to require only one node for quorum in a two-node cluster. The ``pcs cluster setup`` command will automatically configure ``two_node: 1`` in ``corosync.conf``, so a two-node cluster will "just work". .. NOTE:: You might wonder, "What if the nodes in a two-node cluster can't communicate with each other? Wouldn't this ``two_node: 1`` setting create a split-brain scenario, in which each node has quorum separately and they both try to manage the same cluster resources?" As long as fencing is configured, there is no danger of this. If the nodes lose contact with each other, each node will try to fence the other node. Resource management is disabled until fencing succeeds; neither node is allowed to start, stop, promote, or demote resources. After fencing succeeds, the surviving node can safely recover any resources that were running on the fenced node. If the fenced node boots up and rejoins the cluster, it does not have quorum until it can communicate with the surviving node at least once. This prevents "fence loops," in which a node gets fenced, reboots, rejoins the cluster, and fences the other node. This protective behavior is controlled by the ``wait_for_all: 1`` option, which is enabled automatically when ``two_node: 1`` is configured. If you are using a different cluster shell, you may have to configure ``corosync.conf`` appropriately yourself. Now, simulate node recovery by restarting the cluster stack on ``pcmk-2``, and check the cluster's status. (It may take a little while before the cluster gets going on the node, but it eventually will look like the below.) .. code-block:: console [root@pcmk-1 ~]# pcs status Cluster name: mycluster Cluster Summary: * Stack: corosync * Current DC: pcmk-1 (version 2.1.2-4.el9-ada5c3b36e2) - partition with quorum * Last updated: Wed Jul 27 00:45:17 2022 * Last change: Wed Jul 27 00:45:01 2022 by root via cibadmin on pcmk-1 * 2 nodes configured * 2 resource instances configured Node List: * Online: [ pcmk-1 pcmk-2 ] Full List of Resources: * fence_dev (stonith:some_fence_agent): Started pcmk-1 * ClusterIP (ocf:heartbeat:IPaddr2): Started pcmk-1 Daemon Status: corosync: active/disabled pacemaker: active/disabled pcsd: active/enabled .. index:: stickiness Prevent Resources from Moving after Recovery ############################################ In most circumstances, it is highly desirable to prevent healthy resources from being moved around the cluster. Moving resources almost always requires a period of downtime. For complex services such as databases, this period can be quite long. To address this, Pacemaker has the concept of resource *stickiness*, which controls how strongly a service prefers to stay running where it is. You may like to think of it as the "cost" of any downtime. By default, [#]_ Pacemaker assumes there is zero cost associated with moving resources and will do so to achieve "optimal" [#]_ resource placement. We can specify a different stickiness for every resource, but it is often sufficient to change the default. In |CFS_DISTRO| |CFS_DISTRO_VER|, the cluster setup process automatically configures a default resource stickiness score of 1. This is sufficient to prevent healthy resources from moving around the cluster when there are no user-configured constraints that influence where Pacemaker prefers to run those resources. .. code-block:: console [root@pcmk-1 ~]# pcs resource defaults Meta Attrs: build-resource-defaults resource-stickiness=1 For this example, we will increase the default resource stickiness to 100. Later in this guide, we will configure a location constraint with a score lower than the default resource stickiness. .. code-block:: console [root@pcmk-1 ~]# pcs resource defaults update resource-stickiness=100 Warning: Defaults do not apply to resources which override them with their own defined values [root@pcmk-1 ~]# pcs resource defaults Meta Attrs: build-resource-defaults resource-stickiness=100 .. [#] Zero resource stickiness is Pacemaker's default if you remove the default value that was created at cluster setup time, or if you're using an older version of Pacemaker that doesn't create this value at setup time. .. [#] Pacemaker's default definition of "optimal" may not always agree with yours. The order in which Pacemaker processes lists of resources and nodes creates implicit preferences in situations where the administrator has not explicitly specified them. diff --git a/doc/sphinx/Clusters_from_Scratch/ap-configuration.rst b/doc/sphinx/Clusters_from_Scratch/ap-configuration.rst index 0bd92a1f9f..384bac630f 100644 --- a/doc/sphinx/Clusters_from_Scratch/ap-configuration.rst +++ b/doc/sphinx/Clusters_from_Scratch/ap-configuration.rst @@ -1,345 +1,345 @@ Configuration Recap ------------------- Final Cluster Configuration ########################### .. code-block:: console [root@pcmk-1 ~]# pcs resource * ClusterIP (ocf:heartbeat:IPaddr2): Started pcmk-1 * WebSite (ocf:heartbeat:apache): Started pcmk-1 * Clone Set: WebData-clone [WebData] (promotable): * Promoted: [ pcmk-1 pcmk-2 ] * Clone Set: dlm-clone [dlm]: * Started: [ pcmk-1 pcmk-2 ] * Clone Set: WebFS-clone [WebFS]: * Started: [ pcmk-1 pcmk-2 ] .. code-block:: console [root@pcmk-1 ~]# pcs resource op defaults Meta Attrs: op_defaults-meta_attributes timeout=240s .. code-block:: console [root@pcmk-1 ~]# pcs stonith * fence_dev (stonith:some_fence_agent): Started pcmk-1 .. code-block:: console [root@pcmk-1 ~]# pcs constraint Location Constraints: Resource: WebSite Enabled on: Node: pcmk-2 (score:50) Ordering Constraints: start ClusterIP then start WebSite (kind:Mandatory) promote WebData-clone then start WebFS-clone (kind:Mandatory) start WebFS-clone then start WebSite (kind:Mandatory) start dlm-clone then start WebFS-clone (kind:Mandatory) Colocation Constraints: WebSite with ClusterIP (score:INFINITY) WebFS-clone with WebData-clone (score:INFINITY) (rsc-role:Started) (with-rsc-role:Promoted) WebSite with WebFS-clone (score:INFINITY) WebFS-clone with dlm-clone (score:INFINITY) Ticket Constraints: .. code-block:: console [root@pcmk-1 ~]# pcs status Cluster name: mycluster Cluster Summary: * Stack: corosync * Current DC: pcmk-1 (version 2.1.2-4.el9-ada5c3b36e2) - partition with quorum * Last updated: Wed Jul 27 08:57:57 2022 * Last change: Wed Jul 27 08:55:00 2022 by root via cibadmin on pcmk-1 * 2 nodes configured * 9 resource instances configured Node List: * Online: [ pcmk-1 pcmk-2 ] Full List of Resources: * fence_dev (stonith:some_fence_agent): Started pcmk-1 * ClusterIP (ocf:heartbeat:IPaddr2): Started pcmk-1 * WebSite (ocf:heartbeat:apache): Started pcmk-1 * Clone Set: WebData-clone [WebData] (promotable): * Promoted: [ pcmk-1 pcmk-2 ] * Clone Set: dlm-clone [dlm]: * Started: [ pcmk-1 pcmk-2 ] * Clone Set: WebFS-clone [WebFS]: * Started: [ pcmk-1 pcmk-2 ] Daemon Status: corosync: active/disabled pacemaker: active/disabled pcsd: active/enabled .. code-block:: console [root@pcmk-1 ~]# pcs config Cluster Name: mycluster Corosync Nodes: pcmk-1 pcmk-2 Pacemaker Nodes: pcmk-1 pcmk-2 Resources: Resource: ClusterIP (class=ocf provider=heartbeat type=IPaddr2) Attributes: cidr_netmask=24 ip=192.168.122.120 Operations: monitor interval=30s (ClusterIP-monitor-interval-30s) start interval=0s timeout=20s (ClusterIP-start-interval-0s) stop interval=0s timeout=20s (ClusterIP-stop-interval-0s) Resource: WebSite (class=ocf provider=heartbeat type=apache) Attributes: configfile=/etc/httpd/conf/httpd.conf statusurl=http://localhost/server-status Operations: monitor interval=1min (WebSite-monitor-interval-1min) start interval=0s timeout=40s (WebSite-start-interval-0s) stop interval=0s timeout=60s (WebSite-stop-interval-0s) Clone: WebData-clone Meta Attrs: clone-max=2 clone-node-max=1 notify=true promotable=true promoted-max=2 promoted-node-max=1 Resource: WebData (class=ocf provider=linbit type=drbd) Attributes: drbd_resource=wwwdata Operations: demote interval=0s timeout=90 (WebData-demote-interval-0s) monitor interval=29s role=Promoted (WebData-monitor-interval-29s) monitor interval=31s role=Unpromoted (WebData-monitor-interval-31s) notify interval=0s timeout=90 (WebData-notify-interval-0s) promote interval=0s timeout=90 (WebData-promote-interval-0s) reload interval=0s timeout=30 (WebData-reload-interval-0s) start interval=0s timeout=240 (WebData-start-interval-0s) stop interval=0s timeout=100 (WebData-stop-interval-0s) Clone: dlm-clone Meta Attrs: interleave=true ordered=true Resource: dlm (class=ocf provider=pacemaker type=controld) Operations: monitor interval=60s (dlm-monitor-interval-60s) start interval=0s timeout=90s (dlm-start-interval-0s) stop interval=0s timeout=100s (dlm-stop-interval-0s) Clone: WebFS-clone Resource: WebFS (class=ocf provider=heartbeat type=Filesystem) Attributes: device=/dev/drbd1 directory=/var/www/html fstype=gfs2 Operations: monitor interval=20s timeout=40s (WebFS-monitor-interval-20s) start interval=0s timeout=60s (WebFS-start-interval-0s) stop interval=0s timeout=60s (WebFS-stop-interval-0s) Stonith Devices: Resource: fence_dev (class=stonith type=some_fence_agent) Attributes: pcmk_delay_base=pcmk-1:5s;pcmk-2:0s pcmk_host_map=pcmk-1:almalinux9-1;pcmk-2:almalinux9-2 Operations: monitor interval=60s (fence_dev-monitor-interval-60s) Fencing Levels: Location Constraints: Resource: WebSite Enabled on: Node: pcmk-2 (score:50) (id:location-WebSite-pcmk-2-50) Ordering Constraints: start ClusterIP then start WebSite (kind:Mandatory) (id:order-ClusterIP-WebSite-mandatory) promote WebData-clone then start WebFS-clone (kind:Mandatory) (id:order-WebData-clone-WebFS-mandatory) start WebFS-clone then start WebSite (kind:Mandatory) (id:order-WebFS-WebSite-mandatory) start dlm-clone then start WebFS-clone (kind:Mandatory) (id:order-dlm-clone-WebFS-mandatory) Colocation Constraints: WebSite with ClusterIP (score:INFINITY) (id:colocation-WebSite-ClusterIP-INFINITY) WebFS-clone with WebData-clone (score:INFINITY) (rsc-role:Started) (with-rsc-role:Promoted) (id:colocation-WebFS-WebData-clone-INFINITY) WebSite with WebFS-clone (score:INFINITY) (id:colocation-WebSite-WebFS-INFINITY) WebFS-clone with dlm-clone (score:INFINITY) (id:colocation-WebFS-dlm-clone-INFINITY) Ticket Constraints: Alerts: No alerts defined Resources Defaults: Meta Attrs: build-resource-defaults resource-stickiness=100 Operations Defaults: Meta Attrs: op_defaults-meta_attributes timeout=240s Cluster Properties: cluster-infrastructure: corosync cluster-name: mycluster dc-version: 2.1.2-4.el9-ada5c3b36e2 + fencing-enabled: true have-watchdog: false last-lrm-refresh: 1658896047 no-quorum-policy: freeze - stonith-enabled: true Tags: No tags defined Quorum: Options: Node List ######### .. code-block:: console [root@pcmk-1 ~]# pcs status nodes Pacemaker Nodes: Online: pcmk-1 pcmk-2 Standby: Standby with resource(s) running: Maintenance: Offline: Pacemaker Remote Nodes: Online: Standby: Standby with resource(s) running: Maintenance: Offline: Cluster Options ############### .. code-block:: console [root@pcmk-1 ~]# pcs property Cluster Properties: cluster-infrastructure: corosync cluster-name: mycluster dc-version: 2.1.2-4.el9-ada5c3b36e2 + fencing-enabled: true have-watchdog: false no-quorum-policy: freeze - stonith-enabled: true The output shows cluster-wide configuration options, as well as some baseline- level state information. The output includes: * ``cluster-infrastructure`` - the cluster communications layer in use * ``cluster-name`` - the cluster name chosen by the administrator when the cluster was created * ``dc-version`` - the version (including upstream source-code hash) of ``pacemaker`` used on the Designated Controller, which is the node elected to determine what actions are needed when events occur * ``have-watchdog`` - whether watchdog integration is enabled; set automatically when SBD is enabled -* ``stonith-enabled`` - whether nodes may be fenced as part of recovery +* ``fencing-enabled`` - whether nodes may be fenced as part of recovery .. NOTE:: This command is equivalent to ``pcs property config``. Resources ######### Default Options _______________ .. code-block:: console [root@pcmk-1 ~]# pcs resource defaults Meta Attrs: build-resource-defaults resource-stickiness=100 This shows cluster option defaults that apply to every resource that does not explicitly set the option itself. Above: * ``resource-stickiness`` - Specify how strongly a resource prefers to remain on its current node. Alternatively, you can view this as the level of aversion to moving healthy resources to other machines. Fencing _______ .. code-block:: console [root@pcmk-1 ~]# pcs stonith status * fence_dev (stonith:some_fence_agent): Started pcmk-1 [root@pcmk-1 ~]# pcs stonith config Resource: fence_dev (class=stonith type=some_fence_agent) Attributes: pcmk_delay_base=pcmk-1:5s;pcmk-2:0s pcmk_host_map=pcmk-1:almalinux9-1;pcmk-2:almalinux9-2 Operations: monitor interval=60s (fence_dev-monitor-interval-60s) Service Address _______________ Users of the services provided by the cluster require an unchanging address with which to access it. .. code-block:: console [root@pcmk-1 ~]# pcs resource config ClusterIP Resource: ClusterIP (class=ocf provider=heartbeat type=IPaddr2) Attributes: cidr_netmask=24 ip=192.168.122.120 Operations: monitor interval=30s (ClusterIP-monitor-interval-30s) start interval=0s timeout=20s (ClusterIP-start-interval-0s) stop interval=0s timeout=20s (ClusterIP-stop-interval-0s) DRBD - Shared Storage _____________________ Here, we define the DRBD service and specify which DRBD resource (from ``/etc/drbd.d/\*.res``) it should manage. We make it a promotable clone resource and, in order to have an active/active setup, allow both instances to be promoted at the same time. We also set the notify option so that the cluster will tell the ``drbd`` agent when its peer changes state. .. code-block:: console [root@pcmk-1 ~]# pcs resource config WebData-clone Clone: WebData-clone Meta Attrs: clone-max=2 clone-node-max=1 notify=true promotable=true promoted-max=2 promoted-node-max=1 Resource: WebData (class=ocf provider=linbit type=drbd) Attributes: drbd_resource=wwwdata Operations: demote interval=0s timeout=90 (WebData-demote-interval-0s) monitor interval=29s role=Promoted (WebData-monitor-interval-29s) monitor interval=31s role=Unpromoted (WebData-monitor-interval-31s) notify interval=0s timeout=90 (WebData-notify-interval-0s) promote interval=0s timeout=90 (WebData-promote-interval-0s) reload interval=0s timeout=30 (WebData-reload-interval-0s) start interval=0s timeout=240 (WebData-start-interval-0s) stop interval=0s timeout=100 (WebData-stop-interval-0s) [root@pcmk-1 ~]# pcs constraint ref WebData-clone Resource: WebData-clone colocation-WebFS-WebData-clone-INFINITY order-WebData-clone-WebFS-mandatory Cluster Filesystem __________________ The cluster filesystem ensures that files are read and written correctly. We need to specify the block device (provided by DRBD), where we want it mounted and that we are using GFS2. Again, it is a clone because it is intended to be active on both nodes. The additional constraints ensure that it can only be started on nodes with active DLM and DRBD instances. .. code-block:: console [root@pcmk-1 ~]# pcs resource config WebFS-clone Clone: WebFS-clone Resource: WebFS (class=ocf provider=heartbeat type=Filesystem) Attributes: device=/dev/drbd1 directory=/var/www/html fstype=gfs2 Operations: monitor interval=20s timeout=40s (WebFS-monitor-interval-20s) start interval=0s timeout=60s (WebFS-start-interval-0s) stop interval=0s timeout=60s (WebFS-stop-interval-0s) [root@pcmk-1 ~]# pcs constraint ref WebFS-clone Resource: WebFS-clone colocation-WebFS-WebData-clone-INFINITY colocation-WebSite-WebFS-INFINITY colocation-WebFS-dlm-clone-INFINITY order-WebData-clone-WebFS-mandatory order-WebFS-WebSite-mandatory order-dlm-clone-WebFS-mandatory Apache ______ Lastly, we have the actual service, Apache. We need only tell the cluster where to find its main configuration file and restrict it to running on a node that has the required filesystem mounted and the IP address active. .. code-block:: console [root@pcmk-1 ~]# pcs resource config WebSite Resource: WebSite (class=ocf provider=heartbeat type=apache) Attributes: configfile=/etc/httpd/conf/httpd.conf statusurl=http://localhost/server-status Operations: monitor interval=1min (WebSite-monitor-interval-1min) start interval=0s timeout=40s (WebSite-start-interval-0s) stop interval=0s timeout=60s (WebSite-stop-interval-0s) [root@pcmk-1 ~]# pcs constraint ref WebSite Resource: WebSite colocation-WebSite-ClusterIP-INFINITY colocation-WebSite-WebFS-INFINITY location-WebSite-pcmk-2-50 order-ClusterIP-WebSite-mandatory order-WebFS-WebSite-mandatory diff --git a/doc/sphinx/Clusters_from_Scratch/fencing.rst b/doc/sphinx/Clusters_from_Scratch/fencing.rst index 65537bfdf1..fa413d4305 100644 --- a/doc/sphinx/Clusters_from_Scratch/fencing.rst +++ b/doc/sphinx/Clusters_from_Scratch/fencing.rst @@ -1,231 +1,232 @@ .. index:: fencing Configure Fencing ----------------- What is Fencing? ################ Fencing protects your data from being corrupted, and your application from becoming unavailable, due to unintended concurrent access by rogue nodes. Just because a node is unresponsive doesn't mean it has stopped accessing your data. The only way to be 100% sure that your data is safe, is to use fencing to ensure that the node is truly offline before allowing the data to be accessed from another node. Fencing also has a role to play in the event that a clustered service cannot be stopped. In this case, the cluster uses fencing to force the whole node offline, thereby making it safe to start the service elsewhere. Fencing is also known as STONITH, an acronym for "Shoot The Other Node In The Head", since the most popular form of fencing is cutting a host's power. In order to guarantee the safety of your data [#]_, fencing is enabled by default. .. NOTE:: It is possible to tell the cluster not to use fencing, by setting the - ``stonith-enabled`` cluster property to false: + ``fencing-enabled`` cluster property to false: .. code-block:: console - [root@pcmk-1 ~]# pcs property set stonith-enabled=false + [root@pcmk-1 ~]# pcs property set fencing-enabled=false [root@pcmk-1 ~]# pcs cluster verify --full However, this is completely inappropriate for a production cluster. It tells the cluster to simply pretend that failed nodes are safely powered off. Some vendors will refuse to support clusters that have fencing disabled. Even disabling it for a test cluster means you won't be able to test real failure scenarios. .. index:: single: fencing; device Choose a Fence Device ##################### The two broad categories of fence device are power fencing, which cuts off power to the target, and fabric fencing, which cuts off the target's access to some critical resource, such as a shared disk or access to the local network. Power fencing devices include: * Intelligent power switches * IPMI * Hardware watchdog device (alone, or in combination with shared storage used as a "poison pill" mechanism) Fabric fencing devices include: * Shared storage that can be cut off for a target host by another host (for example, an external storage device that supports SCSI-3 persistent reservations) * Intelligent network switches Using IPMI as a power fencing device may seem like a good choice. However, if the IPMI shares power and/or network access with the host (such as most onboard IPMI controllers), a power or network failure will cause both the host and its fencing device to fail. The cluster will be unable to recover, and must stop all resources to avoid a possible split-brain situation. Likewise, any device that relies on the machine being active (such as SSH-based "devices" sometimes used during testing) is inappropriate, because fencing will be required when the node is completely unresponsive. (Fence agents like ``fence_ilo_ssh``, which connects via SSH to an HP iLO but not to the cluster node, are fine.) Configure the Cluster for Fencing ################################# #. Install the fence agent(s). To see what packages are available, run ``dnf search fence-``. Be sure to install the package(s) on all cluster nodes. #. Configure the fence device itself to be able to fence your nodes and accept fencing requests. This includes any necessary configuration on the device and on the nodes, and any firewall or SELinux changes needed. Test the communication between the device and your nodes. #. Find the name of the correct fence agent: ``pcs stonith list`` #. Find the parameters associated with the device: ``pcs stonith describe `` -#. Create a local copy of the CIB: ``pcs cluster cib stonith_cfg`` +#. Create a local copy of the CIB: ``pcs cluster cib fencing_cfg`` -#. Create the fencing resource: ``pcs -f stonith_cfg stonith create [STONITH_DEVICE_OPTIONS]`` +#. Create the fencing resource: + ``pcs -f fencing_cfg stonith create [FENCING_DEVICE_OPTIONS]`` Any flags that do not take arguments, such as ``--ssl``, should be passed as ``ssl=1``. #. Ensure fencing is enabled in the cluster: - ``pcs -f stonith_cfg property set stonith-enabled=true`` + ``pcs -f fencing_cfg property set fencing-enabled=true`` #. If the device does not know how to fence nodes based on their cluster node name, you may also need to set the special ``pcmk_host_map`` parameter. See ``man pacemaker-fenced`` for details. #. If the device does not support the ``list`` command, you may also need to set the special ``pcmk_host_list`` and/or ``pcmk_host_check`` parameters. See ``man pacemaker-fenced`` for details. #. If the device does not expect the target to be specified with the ``port`` parameter, you may also need to set the special ``pcmk_host_argument`` parameter. See ``man pacemaker-fenced`` for details. -#. Commit the new configuration: ``pcs cluster cib-push stonith_cfg`` +#. Commit the new configuration: ``pcs cluster cib-push fencing_cfg`` #. Once the fence device resource is running, test it (you might want to stop the cluster on that machine first): ``pcs stonith fence `` Example ####### For this example, assume we have a chassis containing four nodes and a separately powered IPMI device active on ``10.0.0.1``. Following the steps above would go something like this: Step 1: Install the ``fence-agents-ipmilan`` package on both nodes. Step 2: Configure the IP address, authentication credentials, etc. in the IPMI device itself. Step 3: Choose the ``fence_ipmilan`` STONITH agent. Step 4: Obtain the agent's possible parameters: .. code-block:: console [root@pcmk-1 ~]# pcs stonith describe fence_ipmilan fence_ipmilan - Fence agent for IPMI fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option. Stonith options: auth: IPMI Lan Auth type. cipher: Ciphersuite to use (same as ipmitool -C parameter) hexadecimal_kg: Hexadecimal-encoded Kg key for IPMIv2 authentication ip: IP address or hostname of fencing device ipport: TCP/UDP port to use for connection with device lanplus: Use Lanplus to improve security of connection method: Method to fence password: Login password or passphrase password_script: Script to run to retrieve password plug: IP address or hostname of fencing device (together with --port-as-ip) privlvl: Privilege level on IPMI device target: Bridge IPMI requests to the remote target address username: Login name quiet: Disable logging to stderr. Does not affect --verbose or --debug-file or logging to syslog. verbose: Verbose mode. Multiple -v flags can be stacked on the command line (e.g., -vvv) to increase verbosity. verbose_level: Level of debugging detail in output. Defaults to the number of --verbose flags specified on the command line, or to 1 if verbose=1 in a stonith device configuration (i.e., on stdin). debug_file: Write debug information to given file delay: Wait X seconds before fencing is started disable_timeout: Disable timeout (true/false) (default: true when run from Pacemaker 2.0+) ipmitool_path: Path to ipmitool binary login_timeout: Wait X seconds for cmd prompt after login port_as_ip: Make "port/plug" to be an alias to IP address power_timeout: Test X seconds for status change after ON/OFF power_wait: Wait X seconds after issuing ON/OFF shell_timeout: Wait X seconds for cmd prompt after issuing command stonith_status_sleep: Sleep X seconds between status calls during a STONITH action ipmitool_timeout: Timeout (sec) for IPMI operation retry_on: Count of attempts to retry power on use_sudo: Use sudo (without password) when calling 3rd party software sudo_path: Path to sudo binary pcmk_host_map: A mapping of host names to ports numbers for devices that do not support host names. Eg. node1:1;node2:2,3 would tell the cluster to use port 1 for node1 and ports 2 and 3 for node2 pcmk_host_list: A list of machines controlled by this device (Optional unless pcmk_host_check=static-list). pcmk_host_check: How to determine which machines are controlled by the device. Allowed values: dynamic-list (query the device via the 'list' command), static-list (check the pcmk_host_list attribute), status (query the device via the 'status' command), none (assume every device can fence every machine) pcmk_delay_max: Enable a delay of no more than the time specified before executing fencing actions. Pacemaker derives the overall delay by taking the value of pcmk_delay_base and adding a random delay value such that the sum is kept below this maximum. This prevents double fencing when using slow devices such as sbd. Use this to enable a random delay for fencing actions. The overall delay is derived from this random delay value adding a static delay so that the sum is kept below the maximum delay. pcmk_delay_base: Enable a base delay for fencing actions and specify base delay value. This enables a static delay for fencing actions, which can help avoid "death matches" where two nodes try to fence each other at the same time. If pcmk_delay_max is also used, a random delay will be added such that the total delay is kept below that value. This can be set to a single time value to apply to any node targeted by this device (useful if a separate device is configured for each target), or to a node map (for example, "node1:1s;node2:5") to set a different value per target. pcmk_action_limit: The maximum number of actions can be performed in parallel on this device Cluster property concurrent-fencing=true needs to be configured first. Then use this to specify the maximum number of actions can be performed in parallel on this device. -1 is unlimited. Default operations: monitor: interval=60s -Step 5: ``pcs cluster cib stonith_cfg`` +Step 5: ``pcs cluster cib fencing_cfg`` Step 6: Here are example parameters for creating our fence device resource: .. code-block:: console - [root@pcmk-1 ~]# pcs -f stonith_cfg stonith create ipmi-fencing fence_ipmilan \ + [root@pcmk-1 ~]# pcs -f fencing_cfg stonith create ipmi-fencing fence_ipmilan \ pcmk_host_list="pcmk-1 pcmk-2" ipaddr=10.0.0.1 login=testuser \ passwd=acd123 op monitor interval=60s - [root@pcmk-1 ~]# pcs -f stonith_cfg stonith + [root@pcmk-1 ~]# pcs -f fencing_cfg stonith * ipmi-fencing (stonith:fence_ipmilan): Stopped Steps 7-10: Enable fencing in the cluster: .. code-block:: console - [root@pcmk-1 ~]# pcs -f stonith_cfg property set stonith-enabled=true - [root@pcmk-1 ~]# pcs -f stonith_cfg property + [root@pcmk-1 ~]# pcs -f fencing_cfg property set fencing-enabled=true + [root@pcmk-1 ~]# pcs -f fencing_cfg property Cluster Properties: cluster-infrastructure: corosync cluster-name: mycluster dc-version: 2.0.5-4.el8-ba59be7122 + fencing-enabled: true have-watchdog: false - stonith-enabled: true -Step 11: ``pcs cluster cib-push stonith_cfg --config`` +Step 11: ``pcs cluster cib-push fencing_cfg --config`` Step 12: Test: .. code-block:: console [root@pcmk-1 ~]# pcs cluster stop pcmk-2 [root@pcmk-1 ~]# pcs stonith fence pcmk-2 After a successful test, login to any rebooted nodes, and start the cluster (with ``pcs cluster start``). .. [#] If the data is corrupt, there is little point in continuing to make it available. diff --git a/doc/sphinx/Clusters_from_Scratch/verification.rst b/doc/sphinx/Clusters_from_Scratch/verification.rst index d6b35eac59..392196683b 100644 --- a/doc/sphinx/Clusters_from_Scratch/verification.rst +++ b/doc/sphinx/Clusters_from_Scratch/verification.rst @@ -1,222 +1,222 @@ Start and Verify Cluster ------------------------ Start the Cluster ################# Now that Corosync is configured, it is time to start the cluster. The command below will start the ``corosync`` and ``pacemaker`` services on both nodes in the cluster. .. code-block:: console [root@pcmk-1 ~]# pcs cluster start --all pcmk-1: Starting Cluster... pcmk-2: Starting Cluster... .. NOTE:: An alternative to using the ``pcs cluster start --all`` command is to issue either of the below command sequences on each node in the cluster separately: .. code-block:: console # pcs cluster start Starting Cluster... or .. code-block:: console # systemctl start corosync.service # systemctl start pacemaker.service .. IMPORTANT:: In this example, we are not enabling the ``corosync`` and ``pacemaker`` services to start at boot. If a cluster node fails or is rebooted, you will need to run ``pcs cluster start [ | --all]`` to start the cluster on it. While you can enable the services to start at boot (for example, using ``pcs cluster enable [ | --all]``), requiring a manual start of cluster services gives you the opportunity to do a post-mortem investigation of a node failure before returning it to the cluster. Verify Corosync Installation ################################ First, use ``corosync-cfgtool`` to check whether cluster communication is happy: .. code-block:: console [root@pcmk-1 ~]# corosync-cfgtool -s Local node ID 1, transport knet LINK ID 0 udp addr = 192.168.122.101 status: nodeid: 1: localhost nodeid: 2: connected We can see here that everything appears normal with our fixed IP address (not a ``127.0.0.x`` loopback address) listed as the ``addr``, and ``localhost`` and ``connected`` for the statuses of nodeid 1 and nodeid 2, respectively. If you see something different, you might want to start by checking the node's network, firewall, and SELinux configurations. Next, check the membership and quorum APIs: .. code-block:: console [root@pcmk-1 ~]# corosync-cmapctl | grep members runtime.members.1.config_version (u64) = 0 runtime.members.1.ip (str) = r(0) ip(192.168.122.101) runtime.members.1.join_count (u32) = 1 runtime.members.1.status (str) = joined runtime.members.2.config_version (u64) = 0 runtime.members.2.ip (str) = r(0) ip(192.168.122.102) runtime.members.2.join_count (u32) = 1 runtime.members.2.status (str) = joined [root@pcmk-1 ~]# pcs status corosync Membership information ---------------------- Nodeid Votes Name 1 1 pcmk-1 (local) 2 1 pcmk-2 You should see both nodes have joined the cluster. Verify Pacemaker Installation ################################# Now that we have confirmed that Corosync is functional, we can check the rest of the stack. Pacemaker has already been started, so verify the necessary processes are running: .. code-block:: console [root@pcmk-1 ~]# ps axf PID TTY STAT TIME COMMAND 2 ? S 0:00 [kthreadd] ...lots of processes... 17121 ? SLsl 0:01 /usr/sbin/corosync -f 17133 ? Ss 0:00 /usr/sbin/pacemakerd 17134 ? Ss 0:00 \_ /usr/libexec/pacemaker/pacemaker-based 17135 ? Ss 0:00 \_ /usr/libexec/pacemaker/pacemaker-fenced 17136 ? Ss 0:00 \_ /usr/libexec/pacemaker/pacemaker-execd 17137 ? Ss 0:00 \_ /usr/libexec/pacemaker/pacemaker-attrd 17138 ? Ss 0:00 \_ /usr/libexec/pacemaker/pacemaker-schedulerd 17139 ? Ss 0:00 \_ /usr/libexec/pacemaker/pacemaker-controld If that looks OK, check the ``pcs status`` output: .. code-block:: console [root@pcmk-1 ~]# pcs status Cluster name: mycluster WARNINGS: No stonith devices and stonith-enabled is not false Cluster Summary: * Stack: corosync * Current DC: pcmk-2 (version 2.1.2-4.el9-ada5c3b36e2) - partition with quorum * Last updated: Wed Jul 27 00:09:55 2022 * Last change: Wed Jul 27 00:07:08 2022 by hacluster via crmd on pcmk-2 * 2 nodes configured * 0 resource instances configured Node List: * Online: [ pcmk-1 pcmk-2 ] Full List of Resources: * No resources Daemon Status: corosync: active/disabled pacemaker: active/disabled pcsd: active/enabled Finally, ensure there are no start-up errors from ``corosync`` or ``pacemaker`` (aside from messages relating to not having STONITH configured, which are OK at this point): .. code-block:: console [root@pcmk-1 ~]# journalctl -b | grep -i error .. NOTE:: Other operating systems may report startup errors in other locations (for example, ``/var/log/messages``). Repeat these checks on the other node. The results should be the same. Explore the Existing Configuration ################################## For those who are not of afraid of XML, you can see the raw cluster configuration and status by using the ``pcs cluster cib`` command. .. topic:: The last XML you'll see in this document .. code-block:: console [root@pcmk-1 ~]# pcs cluster cib .. code-block:: xml Before we make any changes, it's a good idea to check the validity of the configuration. .. code-block:: console [root@pcmk-1 ~]# pcs cluster verify --full Error: invalid cib: (unpack_resources) error: Resource start-up disabled since no STONITH resources have been defined - (unpack_resources) error: Either configure some or disable STONITH with the stonith-enabled option + (unpack_resources) error: Either configure some or disable STONITH with the fencing-enabled option (unpack_resources) error: NOTE: Clusters with shared data need STONITH to ensure data integrity crm_verify: Errors found during check: config not valid Error: Errors have occurred, therefore pcs is unable to continue As you can see, the tool has found some errors. The cluster will not start any resources until we configure STONITH. diff --git a/doc/sphinx/Pacemaker_Administration/administrative.rst b/doc/sphinx/Pacemaker_Administration/administrative.rst index 7c8b346193..6add435857 100644 --- a/doc/sphinx/Pacemaker_Administration/administrative.rst +++ b/doc/sphinx/Pacemaker_Administration/administrative.rst @@ -1,150 +1,150 @@ .. index:: single: administrative mode Administrative Modes -------------------- Intrusive administration can be performed on a Pacemaker cluster without causing resource failures, recovery, and fencing, by putting the cluster or a subset of it into an administrative mode. Pacemaker supports several administrative modes: * Maintenance mode for the entire cluster, specific nodes, or specific resources * Unmanaged resources * Disabled configuration items * Standby mode for specific nodes Rules may be used to automatically set any of these modes for specific times or other conditions. .. index:: pair: administrative mode; maintenance mode .. _maintenance_mode: Maintenance Mode ################ In maintenance mode, the cluster will not start or stop resources. Recurring monitors for affected resources will be paused, except those specifying ``role`` as ``Stopped``. To put a specific resource into maintenance mode, set the resource's ``maintenance`` meta-attribute to ``true``. To put all active resources on a specific node into maintenance mode, set the node's ``maintenance`` node attribute to ``true``. When enabled, this overrides resource-specific maintenance mode. .. warning:: Restarting Pacemaker on a node that is in single-node maintenance mode will likely lead to undesirable effects. If ``maintenance`` is set as a transient attribute, it will be erased when Pacemaker is stopped, which will immediately take the node out of maintenance mode and likely get it fenced. If set as a permanent attribute, any resources active on the node will have their local history erased when Pacemaker is restarted, so the cluster will no longer consider them running on the node and thus will consider them managed again, allowing them to be started elsewhere. To put all resources in the cluster into maintenance mode, set the ``maintenance-mode`` cluster option to ``true``. When enabled, this overrides node- or resource- specific maintenance mode. Maintenance mode, at any level, overrides other administrative modes. .. index:: pair: administrative mode; unmanaged resources .. _unmanaged_resources: Unmanaged Resources ################### An unmanaged resource will not be started or stopped by the cluster. A resource may become unmanaged in several ways: * The administrator may set the ``is-managed`` resource meta-attribute to ``false`` (whether for a specific resource, or all resources without an explicit setting via ``rsc_defaults``) * :ref:`Maintenance mode ` causes affected resources to become unmanaged (and overrides any ``is-managed`` setting) * Certain types of failure cause affected resources to become unmanaged. These include: - * Failed stop operations when the ``stonith-enabled`` cluster property is set + * Failed stop operations when the ``fencing-enabled`` cluster property is set to ``false`` * Failure of an operation that has ``on-fail`` set to ``block`` * A resource detected as incorrectly active on more than one node when its ``multiple-active`` meta-attribute is set to ``block`` * A resource constrained by a revoked ``rsc_ticket`` with ``loss-policy`` set to ``freeze`` * Resources with ``requires`` set (or defaulting) to anything other than ``nothing`` in a partition that loses quorum when the ``no-quorum-policy`` cluster option is set to ``freeze`` Recurring actions are not affected by unmanaging a resource. .. warning:: Manually starting an unmanaged resource on a different node is strongly discouraged. It will at least cause the cluster to consider the resource failed, and may require the resource's ``target-role`` to be set to ``Stopped`` then ``Started`` in order for recovery to succeed. .. index:: pair: administrative mode; disabled configuration .. _disabled_configuration: Disabled Configuration ###################### Some configuration elements disable particular behaviors: -* The ``stonith-enabled`` cluster option, when set to ``false``, disables node +* The ``fencing-enabled`` cluster option, when set to ``false``, disables node fencing. This is highly discouraged, as it can lead to data unavailability, loss, or corruption. * The ``stop-all-resources`` cluster option, when set to ``true``, causes all resources to be stopped. * Certain elements support an ``enabled`` meta-attribute, which if set to ``false``, causes the cluster to act as if the specific element is not configured. These include ``op``, ``alert`` *(since 2.1.6)*, and ``recipient`` *(since 2.1.6)*. ``enabled`` may be set for specific ``op`` elements, or all operations without an explicit setting via ``op_defaults``. .. index:: pair: administrative mode; standby .. _standby: Standby Mode ############ When a node is put into standby, all resources will be moved away from the node, and all recurring operations will be stopped on the node, except those specifying ``role`` as ``Stopped`` (which will be newly initiated if appropriate). A node may be put into standby mode by setting its ``standby`` node attribute to ``true``. The attribute may be queried and set using the ``crm_standby`` tool. .. index:: pair: administrative mode; rules Rules ##### Rules may be used to set administrative mode options automatically according to various criteria such as date and time. See the "Rules" chapter of the *Pacemaker Explained* document for details. diff --git a/doc/sphinx/Pacemaker_Administration/configuring.rst b/doc/sphinx/Pacemaker_Administration/configuring.rst index 6943b24582..2132a44607 100644 --- a/doc/sphinx/Pacemaker_Administration/configuring.rst +++ b/doc/sphinx/Pacemaker_Administration/configuring.rst @@ -1,263 +1,263 @@ .. index:: single: configuration single: CIB Configuring Pacemaker --------------------- Pacemaker's configuration, the CIB, is stored in XML format. Cluster administrators have multiple options for modifying the configuration either via the XML, or at a more abstract (and easier for humans to understand) level. Pacemaker reacts to configuration changes as soon as they are saved. Pacemaker's command-line tools and most higher-level tools provide the ability to batch changes together and commit them at once, rather than make a series of small changes, which could cause avoid unnecessary actions as Pacemaker responds to each change individually. Pacemaker tracks revisions to the configuration and will reject any update older than the current revision. Thus, it is a good idea to serialize all changes to the configuration. Avoid attempting simultaneous changes, whether on the same node or different nodes, and whether manually or using some automated configuration tool. .. note:: It is not necessary to update the configuration on all cluster nodes. Pacemaker immediately synchronizes changes to all active members of the cluster. To reduce bandwidth, the cluster only broadcasts the incremental updates that result from your changes and uses checksums to ensure that each copy is consistent. Configuration Using Higher-level Tools ###################################### Most users will benefit from using higher-level tools provided by projects separate from Pacemaker. Popular ones include the crm shell and pcs. [#]_ See those projects' documentation for details on how to configure Pacemaker using them. Configuration Using Pacemaker's Command-Line Tools ################################################## Pacemaker provides lower-level, command-line tools to manage the cluster. Most configuration tasks can be performed with these tools, without needing any XML knowledge. To enable STONITH for example, one could run: .. code-block:: none - # crm_attribute --name stonith-enabled --update 1 + # crm_attribute --name fencing-enabled --update 1 Or, to check whether **node1** is allowed to run resources, there is: .. code-block:: none # crm_standby --query --node node1 Or, to change the failure threshold of **my-test-rsc**, one can use: .. code-block:: none # crm_resource -r my-test-rsc --set-parameter migration-threshold --parameter-value 3 --meta Examples of using these tools for specific cases will be given throughout this document where appropriate. See the man pages for further details. See :ref:`cibadmin` for how to edit the CIB using XML. See :ref:`crm_shadow` for a way to make a series of changes, then commit them all at once to the live cluster. .. index:: single: configuration; CIB properties single: CIB; properties single: CIB property Working with CIB Properties ___________________________ Although these fields can be written to by the user, in most cases the cluster will overwrite any values specified by the user with the "correct" ones. To change the ones that can be specified by the user, for example ``admin_epoch``, one should use: .. code-block:: none # cibadmin --modify --xml-text '' A complete set of CIB properties will look something like this: .. topic:: XML attributes set for a cib element .. code-block:: xml .. index:: single: configuration; cluster options Querying and Setting Cluster Options ____________________________________ Cluster options can be queried and modified using the ``crm_attribute`` tool. To get the current value of ``cluster-delay``, you can run: .. code-block:: none # crm_attribute --query --name cluster-delay which is more simply written as .. code-block:: none # crm_attribute -G -n cluster-delay If a value is found, you'll see a result like this: .. code-block:: none # crm_attribute -G -n cluster-delay scope=crm_config name=cluster-delay value=60s If no value is found, the tool will display an error: .. code-block:: none # crm_attribute -G -n clusta-deway scope=crm_config name=clusta-deway value=(null) Error performing operation: No such device or address To use a different value (for example, 30 seconds), simply run: .. code-block:: none # crm_attribute --name cluster-delay --update 30s To go back to the cluster's default value, you can delete the value, for example: .. code-block:: none # crm_attribute --name cluster-delay --delete Deleted crm_config option: id=cib-bootstrap-options-cluster-delay name=cluster-delay When Options are Listed More Than Once ______________________________________ If you ever see something like the following, it means that the option you're modifying is present more than once. .. topic:: Deleting an option that is listed twice .. code-block:: none # crm_attribute --name batch-limit --delete Please choose from one of the matches below and supply the 'id' with --id Multiple attributes match name=batch-limit in crm_config: Value: 50 (set=cib-bootstrap-options, id=cib-bootstrap-options-batch-limit) Value: 100 (set=custom, id=custom-batch-limit) In such cases, follow the on-screen instructions to perform the requested action. To determine which value is currently being used by the cluster, refer to the "Rules" chapter of *Pacemaker Explained*. .. index:: single: configuration; remote .. _remote_connection: Connecting from a Remote Machine ################################ It is possible to run configuration commands from a machine that is not part of the cluster. For security reasons, this capability is disabled by default. If you wish to allow remote access, set the ``remote-tls-port`` (encrypted) or ``remote-clear-port`` (unencrypted) CIB properties (attributes of the ``cib`` element). Encrypted communication can be performed keyless (which makes it subject to man-in-the-middle attacks), but a better option is to also use TLS certificates. To enable TLS certificates, it is recommended to first set up your own Certificate Authority (CA) and generate a root CA certificate. Then create a public/private key pair and certificate signing request (CSR) for your server. Use the CA to sign this CSR. Then, create a public/private key pair and CSR for each remote system that you wish to have remote access. Use the CA to sign the CSRs. It is recommended to use a unique certificate for each remote system so they can be revoked if necessary. The server's public/private key pair and signed certificate should be installed to the |PCMK_CONFIG_DIR| directory and owned by ``CIB_user``. Remember that private keys should not be readable by anyone other than their owner. Finally, edit the |PCMK_CONFIG_FILE| file to refer to these credentials: .. code-block:: none PCMK_ca_file="/etc/pacemaker/ca.cert.pem" PCMK_cert_file="/etc/pacemaker/server.cert.pem" PCMK_key_file="/etc/pacemaker/server.key.pem" The administrator's machine simply needs Pacemaker installed. To connect to the cluster, set the following environment variables: * :ref:`CIB_port ` (required) * :ref:`CIB_server ` * :ref:`CIB_user ` * :ref:`CIB_passwd ` * :ref:`CIB_encrypted ` Only the Pacemaker daemon user (|CRM_DAEMON_USER|) may be used as ``CIB_user``. To use TLS certificates, the administrator's machine also needs their public/private key pair, signed client certificate, and root CA certificate. Those must additionally be specified with the following environment variables: * :ref:`CIB_ca_file ` * :ref:`CIB_cert_file ` * :ref:`CIB_key_file ` As an example, if **node1** is a cluster node, and the CIB is configured with ``remote-tls-port`` set to 1234, the administrator could read the current cluster configuration using the following commands, and would be prompted for the daemon user's password: .. code-block:: none # export CIB_server=node1; export CIB_port=1234; export CIB_encrypted=true # export CIB_ca_file=/etc/pacemaker/ca.cert.pem # export CIB_cert_file=/etc/pacemaker/admin.cert.pem # export CIB_key_file=/etc/pacemaker/admin.key.pem # cibadmin -Q Optionally, :ref:`CIB_crl_file ` may be set to the location of a Certificate Revocation List in PEM format. .. note:: Pacemaker must have been built with PAM support for remote access to work. You can check by running ``pacemakerd --features``. If the output contains **pam**, remote access is supported. *(since 3.0.0; before 3.0.0, in a build without PAM support, all remote connections are accepted without any authentication)* .. rubric:: Footnotes .. [#] For a list, see "Configuration Tools" at https://clusterlabs.org/components.html diff --git a/doc/sphinx/Pacemaker_Administration/pcs-crmsh.rst b/doc/sphinx/Pacemaker_Administration/pcs-crmsh.rst index d0718dcfeb..8baac83f4b 100644 --- a/doc/sphinx/Pacemaker_Administration/pcs-crmsh.rst +++ b/doc/sphinx/Pacemaker_Administration/pcs-crmsh.rst @@ -1,444 +1,444 @@ Quick Comparison of pcs and crm shell ------------------------------------- ``pcs`` and ``crm shell`` are two popular higher-level command-line interfaces to Pacemaker. Each has its own syntax; this chapter gives a quick comparion of how to accomplish the same tasks using either one. Some examples also show the equivalent command using low-level Pacemaker command-line tools. These examples show the simplest syntax; see the respective man pages for all possible options. Show Cluster Configuration and Status ##################################### .. topic:: Show Configuration (Raw XML) .. code-block:: none crmsh # crm configure show xml pcs # pcs cluster cib pacemaker # cibadmin -Q .. topic:: Show Configuration (Human-friendly) .. code-block:: none crmsh # crm configure show pcs # pcs config .. topic:: Show Cluster Status .. code-block:: none crmsh # crm status pcs # pcs status pacemaker # crm_mon -1 Manage Nodes ############ .. topic:: Put node "pcmk-1" in standby mode .. code-block:: none crmsh # crm node standby pcmk-1 pcs-0.9 # pcs cluster standby pcmk-1 pcs-0.10 # pcs node standby pcmk-1 pacemaker # crm_standby -N pcmk-1 -v on .. topic:: Remove node "pcmk-1" from standby mode .. code-block:: none crmsh # crm node online pcmk-1 pcs-0.9 # pcs cluster unstandby pcmk-1 pcs-0.10 # pcs node unstandby pcmk-1 pacemaker # crm_standby -N pcmk-1 -v off Manage Cluster Properties ######################### -.. topic:: Set the "stonith-enabled" cluster property to "false" +.. topic:: Set the "fencing-enabled" cluster property to "false" .. code-block:: none - crmsh # crm configure property stonith-enabled=false - pcs # pcs property set stonith-enabled=false - pacemaker # crm_attribute -n stonith-enabled -v false + crmsh # crm configure property fencing-enabled=false + pcs # pcs property set fencing-enabled=false + pacemaker # crm_attribute -n fencing-enabled -v false Show Resource Agent Information ############################### .. topic:: List Resource Agent (RA) Classes .. code-block:: none crmsh # crm ra classes pcs # pcs resource standards pacmaker # crm_resource --list-standards .. topic:: List Available Resource Agents (RAs) by Standard .. code-block:: none crmsh # crm ra list ocf pcs # pcs resource agents ocf pacemaker # crm_resource --list-agents ocf .. topic:: List Available Resource Agents (RAs) by OCF Provider .. code-block:: none crmsh # crm ra list ocf pacemaker pcs # pcs resource agents ocf:pacemaker pacemaker # crm_resource --list-agents ocf:pacemaker .. topic:: List Available Resource Agent Parameters .. code-block:: none crmsh # crm ra info IPaddr2 pcs # pcs resource describe IPaddr2 pacemaker # crm_resource --show-metadata ocf:heartbeat:IPaddr2 You can also use the full ``class:provider:type`` format with crmsh and pcs if multiple RAs with the same name are available. .. topic:: Show Available Fence Agent Parameters .. code-block:: none crmsh # crm ra info stonith:fence_ipmilan pcs # pcs stonith describe fence_ipmilan Manage Resources ################ .. topic:: Create a Resource .. code-block:: none crmsh # crm configure primitive ClusterIP IPaddr2 params ip=192.168.122.120 cidr_netmask=24 pcs # pcs resource create ClusterIP IPaddr2 ip=192.168.122.120 cidr_netmask=24 Both crmsh and pcs determine the standard and provider (``ocf:heartbeat``) automatically since ``IPaddr2`` is unique, and automatically create operations (including monitor) based on the agent's meta-data. .. topic:: Show Configuration of All Resources .. code-block:: none crmsh # crm configure show pcs-0.9 # pcs resource show --full pcs-0.10 # pcs resource config .. topic:: Show Configuration of One Resource .. code-block:: none crmsh # crm configure show ClusterIP pcs-0.9 # pcs resource show ClusterIP pcs-0.10 # pcs resource config ClusterIP .. topic:: Show Configuration of Fencing Resources .. code-block:: none crmsh # crm resource status pcs-0.9 # pcs stonith show --full pcs-0.10 # pcs stonith config .. topic:: Start a Resource .. code-block:: none crmsh # crm resource start ClusterIP pcs # pcs resource enable ClusterIP pacemaker # crm_resource -r ClusterIP --set-parameter target-role --meta -v Started .. topic:: Stop a Resource .. code-block:: none crmsh # crm resource stop ClusterIP pcs # pcs resource disable ClusterIP pacemaker # crm_resource -r ClusterIP --set-parameter target-role --meta -v Stopped .. topic:: Remove a Resource .. code-block:: none crmsh # crm configure delete ClusterIP pcs # pcs resource delete ClusterIP .. topic:: Modify a Resource's Instance Parameters .. code-block:: none crmsh # crm resource param ClusterIP set clusterip_hash=sourceip pcs # pcs resource update ClusterIP clusterip_hash=sourceip pacemaker # crm_resource -r ClusterIP --set-parameter clusterip_hash -v sourceip crmsh also has an `edit` command which edits the simplified CIB syntax (same commands as the command line) via a configurable text editor. .. topic:: Modify a Resource's Instance Parameters Interactively .. code-block:: none crmsh # crm configure edit ClusterIP Using the interactive shell mode of crmsh, multiple changes can be edited and verified before committing to the live configuration: .. topic:: Make Multiple Configuration Changes Interactively .. code-block:: none crmsh # crm configure crmsh # edit crmsh # verify crmsh # commit .. topic:: Delete a Resource's Instance Parameters .. code-block:: none crmsh # crm resource param ClusterIP delete nic pcs # pcs resource update ClusterIP nic= pacemaker # crm_resource -r ClusterIP --delete-parameter nic .. topic:: List Current Resource Defaults .. code-block:: none crmsh # crm configure show type:rsc_defaults pcs # pcs resource defaults pacemaker # cibadmin -Q --scope rsc_defaults .. topic:: Set Resource Defaults .. code-block:: none crmsh # crm configure rsc_defaults resource-stickiness=100 pcs # pcs resource defaults resource-stickiness=100 .. topic:: List Current Operation Defaults .. code-block:: none crmsh # crm configure show type:op_defaults pcs # pcs resource op defaults pacemaker # cibadmin -Q --scope op_defaults .. topic:: Set Operation Defaults .. code-block:: none crmsh # crm configure op_defaults timeout=240s pcs # pcs resource op defaults timeout=240s .. topic:: Enable Resource Agent Tracing for a Resource .. code-block:: none crmsh # crm resource trace Website .. topic:: Clear Fail Counts for a Resource .. code-block:: none crmsh # crm resource cleanup Website pcs # pcs resource cleanup Website pacemaker # crm_resource --cleanup -r Website .. topic:: Create a Clone Resource .. code-block:: none crmsh # crm configure clone WebIP ClusterIP meta globally-unique=true clone-max=2 clone-node-max=2 pcs # pcs resource clone ClusterIP globally-unique=true clone-max=2 clone-node-max=2 .. topic:: Create a Promotable Clone Resource .. code-block:: none crmsh # crm configure ms WebDataClone WebData \ meta master-max=1 master-node-max=1 \ clone-max=2 clone-node-max=1 notify=true crmsh # crm configure clone WebDataClone WebData \ meta promotable=true \ promoted-max=1 promoted-node-max=1 \ clone-max=2 clone-node-max=1 notify=true pcs-0.9 # pcs resource master WebDataClone WebData \ master-max=1 master-node-max=1 \ clone-max=2 clone-node-max=1 notify=true pcs-0.10 # pcs resource promotable WebData WebDataClone \ promoted-max=1 promoted-node-max=1 \ clone-max=2 clone-node-max=1 notify=true crmsh supports both ways ('configure ms' is deprecated) to configure promotable clone since crmsh 4.4.0. pcs will generate the clone name automatically if it is omitted from the command line. Manage Constraints ################## .. topic:: Create a Colocation Constraint .. code-block:: none crmsh # crm configure colocation website-with-ip INFINITY: WebSite ClusterIP pcs # pcs constraint colocation add ClusterIP with WebSite INFINITY .. topic:: Create a Colocation Constraint Based on Role .. code-block:: none crmsh # crm configure colocation another-ip-with-website inf: AnotherIP WebSite:Master pcs # pcs constraint colocation add Started AnotherIP with Promoted WebSite INFINITY .. topic:: Create an Ordering Constraint .. code-block:: none crmsh # crm configure order apache-after-ip mandatory: ClusterIP WebSite pcs # pcs constraint order ClusterIP then WebSite .. topic:: Create an Ordering Constraint Based on Role .. code-block:: none crmsh # crm configure order ip-after-website Mandatory: WebSite:Master AnotherIP pcs # pcs constraint order promote WebSite then start AnotherIP .. topic:: Create a Location Constraint .. code-block:: none crmsh # crm configure location prefer-pcmk-1 WebSite 50: pcmk-1 pcs # pcs constraint location WebSite prefers pcmk-1=50 .. topic:: Create a Location Constraint Based on Role .. code-block:: none crmsh # crm configure location prefer-pcmk-1 WebSite rule role=Master 50: \#uname eq pcmk-1 pcs # pcs constraint location WebSite rule role=Promoted 50 \#uname eq pcmk-1 .. topic:: Move a Resource to a Specific Node (by Creating a Location Constraint) .. code-block:: none crmsh # crm resource move WebSite pcmk-1 pcs # pcs resource move WebSite pcmk-1 pacemaker # crm_resource -r WebSite --move -N pcmk-1 .. topic:: Move a Resource Away from Its Current Node (by Creating a Location Constraint) .. code-block:: none crmsh # crm resource ban Website pcmk-2 pcs # pcs resource ban Website pcmk-2 pacemaker # crm_resource -r WebSite --move .. topic:: Remove any Constraints Created by Moving a Resource .. code-block:: none crmsh # crm resource unmove WebSite pcs # pcs resource clear WebSite pacemaker # crm_resource -r WebSite --clear Advanced Configuration ###################### Manipulate Configuration Elements by Type _________________________________________ .. topic:: List Constraints with IDs .. code-block:: none pcs # pcs constraint list --full .. topic:: Remove Constraint by ID .. code-block:: none pcs # pcs constraint remove cli-ban-Website-on-pcmk-1 crmsh # crm configure remove cli-ban-Website-on-pcmk-1 crmsh's `show` and `edit` commands can be used to manage resources and constraints by type: .. topic:: Show Configuration Elements .. code-block:: none crmsh # crm configure show type:primitive crmsh # crm configure edit type:colocation Batch Changes _____________ .. topic:: Make Multiple Changes and Apply Together .. code-block:: none crmsh # crm crmsh # cib new drbd_cfg crmsh # configure primitive WebData ocf:linbit:drbd params drbd_resource=wwwdata \ op monitor interval=60s crmsh # configure ms WebDataClone WebData meta master-max=1 master-node-max=1 \ clone-max=2 clone-node-max=1 notify=true crmsh # cib commit drbd_cfg crmsh # quit pcs # pcs cluster cib drbd_cfg pcs # pcs -f drbd_cfg resource create WebData ocf:linbit:drbd drbd_resource=wwwdata \ op monitor interval=60s pcs-0.9 # pcs -f drbd_cfg resource master WebDataClone WebData \ master-max=1 master-node-max=1 clone-max=2 clone-node-max=1 notify=true pcs-0.10 # pcs -f drbd_cfg resource promotable WebData WebDataClone \ promoted-max=1 promoted-node-max=1 clone-max=2 clone-node-max=1 notify=true pcs # pcs cluster cib-push drbd_cfg Template Creation _________________ .. topic:: Create Resource Template Based on Existing Primitives of Same Type .. code-block:: none crmsh # crm configure assist template ClusterIP AdminIP Log Analysis ____________ .. topic:: Show Information About Recent Cluster Events .. code-block:: none crmsh # crm history crmsh # peinputs crmsh # transition pe-input-10 crmsh # transition log pe-input-10 Configuration Scripts _____________________ .. topic:: Script Multiple-step Cluster Configurations .. code-block:: none crmsh # crm script show apache crmsh # crm script run apache \ id=WebSite \ install=true \ virtual-ip:ip=192.168.0.15 \ database:id=WebData \ database:install=true diff --git a/doc/sphinx/Pacemaker_Administration/tools.rst b/doc/sphinx/Pacemaker_Administration/tools.rst index 7911c335bf..13a4534075 100644 --- a/doc/sphinx/Pacemaker_Administration/tools.rst +++ b/doc/sphinx/Pacemaker_Administration/tools.rst @@ -1,576 +1,576 @@ .. index:: command-line tool Using Pacemaker Command-Line Tools ---------------------------------- .. index:: single: command-line tool; output format .. _cmdline_output: Controlling Command Line Output ############################### Some of the pacemaker command line utilities have been converted to a new output system. Among these tools are ``crm_mon`` and ``stonith_admin``. This is an ongoing project, and more tools will be converted over time. This system lets you control the formatting of output with ``--output-as=`` and the destination of output with ``--output-to=``. The available formats vary by tool, but at least plain text and XML are supported by all tools that use the new system. The default format is plain text. The default destination is stdout but can be redirected to any file. Some formats support command line options for changing the style of the output. For instance: .. code-block:: none # crm_mon --help-output Usage: crm_mon [OPTION?] Provides a summary of cluster's current state. Outputs varying levels of detail in a number of different formats. Output Options: --output-as=FORMAT Specify output format as one of: console (default), html, text, xml --output-to=DEST Specify file name for output (or "-" for stdout) --html-cgi Add text needed to use output in a CGI program --html-stylesheet=URI Link to an external CSS stylesheet --html-title=TITLE Page title .. index:: single: crm_mon single: command-line tool; crm_mon .. _crm_mon: Monitor a Cluster with crm_mon ############################## The ``crm_mon`` utility displays the current state of an active cluster. It can show the cluster status organized by node or by resource, and can be used in either single-shot or dynamically updating mode. It can also display operations performed and information about failures. Using this tool, you can examine the state of the cluster for irregularities, and see how it responds when you cause or simulate failures. See the manual page or the output of ``crm_mon --help`` for a full description of its many options. .. topic:: Sample output from crm_mon -1 .. code-block:: none Cluster Summary: * Stack: corosync * Current DC: node2 (version 2.0.0-1) - partition with quorum * Last updated: Mon Jan 29 12:18:42 2018 * Last change: Mon Jan 29 12:18:40 2018 by root via crm_attribute on node3 * 5 nodes configured * 2 resources configured Node List: * Online: [ node1 node2 node3 node4 node5 ] * Active resources: * Fencing (stonith:fence_xvm): Started node1 * IP (ocf:heartbeat:IPaddr2): Started node2 .. topic:: Sample output from crm_mon -n -1 .. code-block:: none Cluster Summary: * Stack: corosync * Current DC: node2 (version 2.0.0-1) - partition with quorum * Last updated: Mon Jan 29 12:21:48 2018 * Last change: Mon Jan 29 12:18:40 2018 by root via crm_attribute on node3 * 5 nodes configured * 2 resources configured * Node List: * Node node1: online * Fencing (stonith:fence_xvm): Started * Node node2: online * IP (ocf:heartbeat:IPaddr2): Started * Node node3: online * Node node4: online * Node node5: online As mentioned in an earlier chapter, the DC is the node is where decisions are made. The cluster elects a node to be DC as needed. The only significance of the choice of DC to an administrator is the fact that its logs will have the most information about why decisions were made. .. index:: pair: crm_mon; CSS .. _crm_mon_css: Styling crm_mon HTML output ___________________________ Various parts of ``crm_mon``'s HTML output have a CSS class associated with them. Not everything does, but some of the most interesting portions do. In the following example, the status of each node has an ``online`` class and the details of each resource have an ``rsc-ok`` class. .. code-block:: html

Node List

  • Node: cluster01 online
    • ping (ocf::pacemaker:ping): Started
  • Node: cluster02 online
    • ping (ocf::pacemaker:ping): Started
By default, a stylesheet for styling these classes is included in the head of the HTML output. The relevant portions of this stylesheet that would be used in the above example is: .. code-block:: css If you want to override some or all of the styling, simply create your own stylesheet, place it on a web server, and pass ``--html-stylesheet=`` to ``crm_mon``. The link is added after the default stylesheet, so your changes take precedence. You don't need to duplicate the entire default. Only include what you want to change. .. index:: single: cibadmin single: command-line tool; cibadmin .. _cibadmin: Edit the CIB XML with cibadmin ############################## The most flexible tool for modifying the configuration is Pacemaker's ``cibadmin`` command. With ``cibadmin``, you can query, add, remove, update or replace any part of the configuration. All changes take effect immediately, so there is no need to perform a reload-like operation. The simplest way of using ``cibadmin`` is to use it to save the current configuration to a temporary file, edit that file with your favorite text or XML editor, and then upload the revised configuration. .. topic:: Safely using an editor to modify the cluster configuration .. code-block:: none # cibadmin --query > tmp.xml # vi tmp.xml # cibadmin --replace --xml-file tmp.xml Some of the better XML editors can make use of a RELAX NG schema to help make sure any changes you make are valid. The schema describing the configuration can be found in ``pacemaker.rng``, which may be deployed in a location such as ``/usr/share/pacemaker`` depending on your operating system distribution and how you installed the software. If you want to modify just one section of the configuration, you can query and replace just that section to avoid modifying any others. .. topic:: Safely using an editor to modify only the resources section .. code-block:: none # cibadmin --query --scope resources > tmp.xml # vi tmp.xml # cibadmin --replace --scope resources --xml-file tmp.xml To quickly delete a part of the configuration, identify the object you wish to delete by XML tag and id. For example, you might search the CIB for all STONITH-related configuration: .. topic:: Searching for STONITH-related configuration items .. code-block:: none # cibadmin --query | grep stonith - - + + If you wanted to delete the ``primitive`` tag with id ``child_DoFencing``, you would run: .. code-block:: none # cibadmin --delete --xml-text '' See the cibadmin man page for more options. .. warning:: Never edit the live ``cib.xml`` file directly. Pacemaker will detect such changes and refuse to use the configuration. .. index:: single: crm_shadow single: command-line tool; crm_shadow .. _crm_shadow: Batch Configuration Changes with crm_shadow ########################################### Often, it is desirable to preview the effects of a series of configuration changes before updating the live configuration all at once. For this purpose, ``crm_shadow`` creates a "shadow" copy of the configuration and arranges for all the command-line tools to use it. To begin, simply invoke ``crm_shadow --create`` with a name of your choice, and follow the simple on-screen instructions. Shadow copies are identified with a name to make it possible to have more than one. .. warning:: Read this section and the on-screen instructions carefully; failure to do so could result in destroying the cluster's active configuration! .. topic:: Creating and displaying the active sandbox .. code-block:: none # crm_shadow --create test Setting up shadow instance Type Ctrl-D to exit the crm_shadow shell shadow[test]: shadow[test] # crm_shadow --which test From this point on, all cluster commands will automatically use the shadow copy instead of talking to the cluster's active configuration. Once you have finished experimenting, you can either make the changes active via the ``--commit`` option, or discard them using the ``--delete`` option. Again, be sure to follow the on-screen instructions carefully! For a full list of ``crm_shadow`` options and commands, invoke it with the ``--help`` option. .. topic:: Use sandbox to make multiple changes all at once, discard them, and verify real configuration is untouched .. code-block:: none shadow[test] # crm_failcount -r rsc_c001n01 -G scope=status name=fail-count-rsc_c001n01 value=0 shadow[test] # crm_standby --node c001n02 -v on shadow[test] # crm_standby --node c001n02 -G scope=nodes name=standby value=on shadow[test] # cibadmin --erase --force shadow[test] # cibadmin --query shadow[test] # crm_shadow --delete test --force Now type Ctrl-D to exit the crm_shadow shell shadow[test] # exit # crm_shadow --which No active shadow configuration defined # cibadmin -Q - + See the next section, :ref:`crm_simulate`, for how to test your changes before committing them to the live cluster. .. index:: single: crm_simulate single: command-line tool; crm_simulate .. _crm_simulate: Simulate Cluster Activity with crm_simulate ########################################### The command-line tool `crm_simulate` shows the results of the same logic the cluster itself uses to respond to a particular cluster configuration and status. As always, the man page is the primary documentation, and should be consulted for further details. This section aims for a better conceptual explanation and practical examples. Replaying cluster decision-making logic _______________________________________ At any given time, one node in a Pacemaker cluster will be elected DC, and that node will run Pacemaker's scheduler to make decisions. Each time decisions need to be made (a "transition"), the DC will have log messages like "Calculated transition ... saving inputs in ..." with a file name. You can grab the named file and replay the cluster logic to see why particular decisions were made. The file contains the live cluster configuration at that moment, so you can also look at it directly to see the value of node attributes, etc., at that time. The simplest usage is (replacing $FILENAME with the actual file name): .. topic:: Simulate cluster response to a given CIB .. code-block:: none # crm_simulate --simulate --xml-file $FILENAME That will show the cluster state when the process started, the actions that need to be taken ("Transition Summary"), and the resulting cluster state if the actions succeed. Most actions will have a brief description of why they were required. The transition inputs may be compressed. ``crm_simulate`` can handle these compressed files directly, though if you want to edit the file, you'll need to uncompress it first. You can do the same simulation for the live cluster configuration at the current moment. This is useful mainly when using ``crm_shadow`` to create a sandbox version of the CIB; the ``--live-check`` option will use the shadow CIB if one is in effect. .. topic:: Simulate cluster response to current live CIB or shadow CIB .. code-block:: none # crm_simulate --simulate --live-check Why decisions were made _______________________ To get further insight into the "why", it gets user-unfriendly very quickly. If you add the ``--show-scores`` option, you will also see all the scores that went into the decision-making. The node with the highest cumulative score for a resource will run it. You can look for ``-INFINITY`` scores in particular to see where complete bans came into effect. You can also add ``-VVVV`` to get more detailed messages about what's happening under the hood. You can add up to two more V's even, but that's usually useful only if you're a masochist or tracing through the source code. Visualizing the action sequence _______________________________ Another handy feature is the ability to generate a visual graph of the actions needed, using the ``--save-dotfile`` option. This relies on the separate Graphviz [#]_ project. .. topic:: Generate a visual graph of cluster actions from a saved CIB .. code-block:: none # crm_simulate --simulate --xml-file $FILENAME --save-dotfile $FILENAME.dot # dot $FILENAME.dot -Tsvg > $FILENAME.svg ``$FILENAME.dot`` will contain a GraphViz representation of the cluster's response to your changes, including all actions with their ordering dependencies. ``$FILENAME.svg`` will be the same information in a standard graphical format that you can view in your browser or other app of choice. You could, of course, use other ``dot`` options to generate other formats. How to interpret the graphical output: * Bubbles indicate actions, and arrows indicate ordering dependencies * Resource actions have text of the form ``__ `` indicating that the specified action will be executed for the specified resource on the specified node, once if interval is 0 or at specified recurring interval otherwise * Actions with black text will be sent to the executor (that is, the appropriate agent will be invoked) * Actions with orange text are "pseudo" actions that the cluster uses internally for ordering but require no real activity * Actions with a solid green border are part of the transition (that is, the cluster will attempt to execute them in the given order -- though a transition can be interrupted by action failure or new events) * Dashed arrows indicate dependencies that are not present in the transition graph * Actions with a dashed border will not be executed. If the dashed border is blue, the cluster does not feel the action needs to be executed. If the dashed border is red, the cluster would like to execute the action but cannot. Any actions depending on an action with a dashed border will not be able to execute. * Loops should not happen, and should be reported as a bug if found. .. topic:: Small Cluster Transition .. image:: ../shared/images/Policy-Engine-small.png :alt: An example transition graph as represented by Graphviz :align: center In the above example, it appears that a new node, ``pcmk-2``, has come online and that the cluster is checking to make sure ``rsc1``, ``rsc2`` and ``rsc3`` are not already running there (indicated by the ``rscN_monitor_0`` entries). Once it did that, and assuming the resources were not active there, it would have liked to stop ``rsc1`` and ``rsc2`` on ``pcmk-1`` and move them to ``pcmk-2``. However, there appears to be some problem and the cluster cannot or is not permitted to perform the stop actions which implies it also cannot perform the start actions. For some reason, the cluster does not want to start ``rsc3`` anywhere. .. topic:: Complex Cluster Transition .. image:: ../shared/images/Policy-Engine-big.png :alt: Complex transition graph that you're not expected to be able to read :align: center What-if scenarios _________________ You can make changes to the saved or shadow CIB and simulate it again, to see how Pacemaker would react differently. You can edit the XML by hand, use command-line tools such as ``cibadmin`` with either a shadow CIB or the ``CIB_file`` environment variable set to the filename, or use higher-level tool support (see the man pages of the specific tool you're using for how to perform actions on a saved CIB file rather than the live CIB). You can also inject node failures and/or action failures into the simulation; see the ``crm_simulate`` man page for more details. This capability is useful when using a shadow CIB to edit the configuration. Before committing the changes to the live cluster with ``crm_shadow --commit``, you can use ``crm_simulate`` to see how the cluster will react to the changes. .. _crm_attribute: .. index:: single: attrd_updater single: command-line tool; attrd_updater single: crm_attribute single: command-line tool; crm_attribute Manage Node Attributes, Cluster Options and Defaults with crm_attribute and attrd_updater ######################################################################################### ``crm_attribute`` and ``attrd_updater`` are confusingly similar tools with subtle differences. ``attrd_updater`` can query and update node attributes. ``crm_attribute`` can query and update not only node attributes, but also cluster options, resource defaults, and operation defaults. To understand the differences, it helps to understand the various types of node attribute. .. list-table:: **Types of Node Attributes** :widths: 20 16 16 16 16 16 :header-rows: 1 * - Type - Recorded in CIB? - Recorded in attribute manager memory? - Survive full cluster restart? - Manageable by by crm_attribute? - Manageable by attrd_updater? * - permanent - yes - no - yes - yes - no * - transient - yes - yes - no - yes - yes * - private - no - yes - no - no - yes As you can see from the table above, ``crm_attribute`` can manage permanent and transient node attributes, while ``attrd_updater`` can manage transient and private node attributes. The difference between the two tools lies mainly in *how* they update node attributes: ``attrd_updater`` always contacts the Pacemaker attribute manager directly, while ``crm_attribute`` will contact the attribute manager only for transient node attributes, and will instead modify the CIB directly for permanent node attributes (and for transient node attributes when unable to contact the attribute manager). By contacting the attribute manager directly, ``attrd_updater`` can change an attribute's "dampening" (whether changes are immediately flushed to the CIB or after a specified amount of time, to minimize disk writes for frequent changes), set private node attributes (which are never written to the CIB), and set attributes for nodes that don't yet exist. By modifying the CIB directly, ``crm_attribute`` can set permanent node attributes (which are only in the CIB and not managed by the attribute manager), and can be used with saved CIB files and shadow CIBs. However a transient node attribute is set, it is synchronized between the CIB and the attribute manager, on all nodes. .. index:: single: crm_failcount single: command-line tool; crm_failcount single: crm_node single: command-line tool; crm_node single: crm_report single: command-line tool; crm_report single: crm_standby single: command-line tool; crm_standby single: crm_verify single: command-line tool; crm_verify single: stonith_admin single: command-line tool; stonith_admin Other Commonly Used Tools ######################### Other command-line tools include: * ``crm_failcount``: query or delete resource fail counts * ``crm_node``: manage cluster nodes * ``crm_report``: generate a detailed cluster report for bug submissions * ``crm_resource``: manage cluster resources * ``crm_standby``: manage standby status of nodes * ``crm_verify``: validate a CIB * ``stonith_admin``: manage fencing devices See the manual pages for details. .. rubric:: Footnotes .. [#] Graph visualization software. See http://www.graphviz.org/ for details. diff --git a/doc/sphinx/Pacemaker_Administration/upgrading.rst b/doc/sphinx/Pacemaker_Administration/upgrading.rst index 9d87bca571..3dd46dafbe 100644 --- a/doc/sphinx/Pacemaker_Administration/upgrading.rst +++ b/doc/sphinx/Pacemaker_Administration/upgrading.rst @@ -1,579 +1,579 @@ .. index:: upgrade Upgrading a Pacemaker Cluster ----------------------------- .. index:: version Pacemaker Versioning #################### Pacemaker has an overall release version, plus separate version numbers for certain internal components. .. index:: single: version; release * **Pacemaker release version:** This version consists of three numbers (*x.y.z*). The major version number (the *x* in *x.y.z*) increases when at least some rolling upgrades are not possible from the previous major version. For example, a rolling upgrade from 1.0.8 to 1.1.15 should always be supported, but a rolling upgrade from 1.0.8 to 2.0.0 may not be possible. The minor version (the *y* in *x.y.z*) increases when there are significant changes in cluster default behavior, tool behavior, and/or the API interface (for software that utilizes Pacemaker libraries). The main benefit is to alert you to pay closer attention to the release notes, to see if you might be affected. The release counter (the *z* in *x.y.z*) is increased with all public releases of Pacemaker, which typically include both bug fixes and new features. .. index:: single: feature set single: version; feature set * **CRM feature set:** This version number applies to the communication between full cluster nodes, and is used to avoid problems in mixed-version clusters. The major version number increases when nodes with different versions would not work (rolling upgrades are not allowed). The minor version number increases when mixed-version clusters are allowed only during rolling upgrades. The minor-minor version number is ignored, but allows resource agents to detect cluster support for various features. [#]_ Pacemaker ensures that the longest-running node is the cluster's DC. This ensures new features are not enabled until all nodes are upgraded to support them. .. index:: single: version; Pacemaker Remote protocol * **Pacemaker Remote protocol version:** This version applies to communication between a Pacemaker Remote node and the cluster. It increases when an older cluster node would have problems hosting the connection to a newer Pacemaker Remote node. To avoid these problems, Pacemaker Remote nodes will accept connections only from cluster nodes with the same or newer Pacemaker Remote protocol version. Unlike with CRM feature set differences between full cluster nodes, mixed Pacemaker Remote protocol versions between Pacemaker Remote nodes and full cluster nodes are fine, as long as the Pacemaker Remote nodes have the older version. This can be useful, for example, to host a legacy application in an older operating system version used as a Pacemaker Remote node. .. index:: single: version; XML schema * **XML schema version:** Pacemaker’s configuration syntax — what's allowed in the Configuration Information Base (CIB) — has its own version. This allows the configuration syntax to evolve over time while still allowing clusters with older configurations to work without change. .. index:: single: upgrade; methods Upgrading Cluster Software ########################## There are three approaches to upgrading a cluster, each with advantages and disadvantages. .. list-table:: **Upgrade Methods** :widths: 16 14 14 14 14 14 14 :header-rows: 1 * - Method - Available between all versions - Can be used with Pacemaker Remote nodes - Service outage during upgrade - Service recovery during upgrade - Exercises failover logic - Allows change of messaging layer [#]_ * - Complete cluster shutdown - yes - yes - always - N/A - no - yes * - Rolling (node by node) - no - yes - always [#]_ - yes - yes - no * - Detach and reattach - yes - no - only due to failure - no - no - yes .. index:: single: upgrade; shutdown Complete Cluster Shutdown _________________________ In this scenario, one shuts down all cluster nodes and resources, then upgrades all the nodes before restarting the cluster. #. On each node: a. Shutdown the cluster software (pacemaker and the messaging layer). #. Upgrade the Pacemaker software. This may also include upgrading the messaging layer and/or the underlying operating system. #. Check the configuration with the ``crm_verify`` tool. #. On each node: a. Start the cluster software. Currently, only Corosync version 2 and greater is supported as the cluster layer, but if another stack is supported in the future, the stack does not need to be the same one before the upgrade. One variation of this approach is to build a new cluster on new hosts. This allows the new version to be tested beforehand, and minimizes downtime by having the new nodes ready to be placed in production as soon as the old nodes are shut down. .. index:: single: upgrade; rolling upgrade Rolling (node by node) ______________________ In this scenario, each node is removed from the cluster, upgraded, and then brought back online, until all nodes are running the newest version. Special considerations when planning a rolling upgrade: * If you plan to upgrade other cluster software -- such as the messaging layer -- at the same time, consult that software's documentation for its compatibility with a rolling upgrade. * If the major version number is changing in the Pacemaker version you are upgrading to, a rolling upgrade may not be possible. Read the new version's release notes (as well the information here) for what limitations may exist. * If the CRM feature set is changing in the Pacemaker version you are upgrading to, you should run a mixed-version cluster only during a small rolling upgrade window. If one of the older nodes drops out of the cluster for any reason, it will not be able to rejoin until it is upgraded. * If the Pacemaker Remote protocol version is changing, all cluster nodes should be upgraded before upgrading any Pacemaker Remote nodes. See the `Pacemaker release calendar `_ on the ClusterLabs wiki to figure out whether the CRM feature set and/or Pacemaker Remote protocol version changed between the Pacemaker release versions in your rolling upgrade. To perform a rolling upgrade, on each node in turn: #. Put the node into standby mode, and wait for any active resources to be moved cleanly to another node. (This step is optional, but allows you to deal with any resource issues before the upgrade.) #. Shut down Pacemaker or ``pacemaker-remoted``. #. If a cluster node, shut down the messaging layer. #. Upgrade the Pacemaker software. This may also include upgrading the messaging layer and/or the underlying operating system. #. If this is the first node to be upgraded, check the configuration with the ``crm_verify`` tool. #. If a cluster node, start the messaging layer. This must be the same messaging layer (currently only Corosync version 2 and greater is supported) that the rest of the cluster is using. #. Start Pacemaker or ``pacemaker-remoted``. .. note:: Even if a rolling upgrade from the current version of the cluster to the newest version is not directly possible, it may be possible to perform a rolling upgrade in multiple steps, by upgrading to an intermediate version first. The following table lists compatible versions for all other nodes in the cluster when upgrading a cluster node. .. list-table:: **Version Compatibility for Cluster Nodes** :class: longtable :widths: 50 50 :header-rows: 1 * - Version Being Installed - Minimum Compatible Version * - Pacemaker 3.y.z - Pacemaker 2.0.0 * - Pacemaker 2.y.z - Pacemaker 1.1.11 [#]_ * - Pacemaker 1.y.z - Pacemaker 1.0.0 * - Pacemaker 0.6.z to 0.7.z - Pacemaker 0.6.0 When upgrading a Pacemaker Remote node, all cluster nodes must be running at least the minimum version listed in the table below. .. list-table:: **Cluster Node Version Compatibility for Pacemaker Remote Nodes** :class: longtable :widths: 50 50 :header-rows: 1 * - Pacemaker Remote Version - Minimum Cluster Node Version * - Pacemaker 3.y.z - Pacemaker 2.0.0 * - Pacemaker 1.1.9 to 2.1.z - Pacemaker 1.1.9 [#]_ .. index:: single: upgrade; detach and reattach Detach and Reattach ___________________ The reattach method is a variant of a complete cluster shutdown, where the resources are left active and get re-detected when the cluster is restarted. This method may not be used if the cluster contains any Pacemaker Remote nodes. #. Tell the cluster to stop managing services. This is required to allow the services to remain active after the cluster shuts down. .. code-block:: none # crm_attribute --name maintenance-mode --update true #. On each node, shutdown the cluster software (pacemaker and the messaging layer), and upgrade the Pacemaker software. This may also include upgrading the messaging layer. While the underlying operating system may be upgraded at the same time, that will be more likely to cause outages in the detached services (certainly, if a reboot is required). #. Check the configuration with the ``crm_verify`` tool. #. On each node, start the cluster software. Currently, only Corosync version 2 and greater is supported as the cluster layer, but if another stack is supported in the future, the stack does not need to be the same one before the upgrade. #. Verify that the cluster re-detected all resources correctly. #. Allow the cluster to resume managing resources again: .. code-block:: none # crm_attribute --name maintenance-mode --delete .. note:: While the goal of the detach-and-reattach method is to avoid disturbing running services, resources may still move after the upgrade if any resource's location is governed by a rule based on transient node attributes. Transient node attributes are erased when the node leaves the cluster. A common example is using the ``ocf:pacemaker:ping`` resource to set a node attribute used to locate other resources. .. index:: pair: upgrade; CIB Upgrading the Configuration ########################### The CIB schema version can change from one Pacemaker version to another. After cluster software is upgraded, the cluster will continue to use the older schema version that it was previously using. This can be useful, for example, when administrators have written tools that modify the configuration, and are based on the older syntax. [#]_ However, when using an older syntax, new features may be unavailable, and there is a performance impact, since the cluster must do a non-persistent configuration upgrade before each transition. So while using the old syntax is possible, it is not advisable to continue using it indefinitely. Even if you wish to continue using the old syntax, it is a good idea to follow the upgrade procedure outlined below, except for the last step, to ensure that the new software has no problems with your existing configuration (since it will perform much the same task internally). If you are brave, it is sufficient simply to run ``cibadmin --upgrade``. A more cautious approach would proceed like this: #. Create a shadow copy of the configuration. The later commands will automatically operate on this copy, rather than the live configuration. .. code-block:: none # crm_shadow --create shadow .. index:: single: configuration; verify #. Verify the configuration is valid with the new software (which may be stricter about syntax mistakes, or may have dropped support for deprecated features): .. code-block:: none # crm_verify --live-check #. Fix any errors or warnings. #. Perform the upgrade: .. code-block:: none # cibadmin --upgrade #. If this step fails, there are three main possibilities: a. The configuration was not valid to start with (did you do steps 2 and 3?). #. The transformation failed; `report a bug `_. #. The transformation was successful but produced an invalid result. If the result of the transformation is invalid, you may see a number of errors from the validation library. If these are not helpful, try the manual upgrade procedure described below. #. Check the changes: .. code-block:: none # crm_shadow --diff If at this point there is anything about the upgrade that you wish to fine-tune (for example, to change some of the automatic IDs), now is the time to do so: .. code-block:: none # crm_shadow --edit This will open the configuration in your favorite editor (whichever is specified by the standard ``$EDITOR`` environment variable). #. Preview how the cluster will react: .. code-block:: none # crm_simulate --live-check --save-dotfile shadow.dot -S # dot -Tsvg shadow.dot -o shadow.svg You can then view shadow.svg with any compatible image viewer or web browser. Verify that either no resource actions will occur or that you are happy with any that are scheduled. If the output contains actions you do not expect (possibly due to changes to the score calculations), you may need to make further manual changes. See :ref:`crm_simulate` for further details on how to interpret the output of ``crm_simulate`` and ``dot``. #. Upload the changes: .. code-block:: none # crm_shadow --commit shadow --force In the unlikely event this step fails, please report a bug. .. note:: It is also possible to perform the configuration upgrade steps manually: #. Locate the ``upgrade*.xsl`` conversion scripts provided with the source code. These will often be installed in a location such as ``/usr/share/pacemaker``, or may be obtained from the `source repository `_. #. Run the conversion scripts that apply to your older version, for example: .. code-block:: none # xsltproc /path/to/upgrade06.xsl config06.xml > config10.xml #. Locate the ``pacemaker.rng`` script (from the same location as the xsl files). #. Check the XML validity: .. code-block:: none # xmllint --relaxng /path/to/pacemaker.rng config10.xml The advantage of this method is that it can be performed without the cluster running, and any validation errors are often more informative. What Changed in 2.1 ################### The Pacemaker 2.1 release is fully backward-compatible in both the CIB XML and the C API. Highlights: * Pacemaker now supports the **OCF Resource Agent API version 1.1**. Most notably, the ``Master`` and ``Slave`` role names have been renamed to ``Promoted`` and ``Unpromoted``. * Pacemaker now supports colocations where the dependent resource does not affect the primary resource's placement (via a new ``influence`` colocation constraint option and ``critical`` resource meta-attribute). This is intended for cases where a less-important resource must be colocated with an essential resource, but it is preferred to leave the less-important resource stopped if it fails, rather than move both resources. * If Pacemaker is built with libqb 2.0 or later, the detail log will use **millisecond-resolution timestamps**. * In addition to crm_mon and stonith_admin, the crmadmin, crm_resource, crm_simulate, and crm_verify commands now support the ``--output-as`` and ``--output-to`` options, including **XML output** (which scripts and higher-level tools are strongly recommended to use instead of trying to parse the text output, which may change from release to release). For a detailed list of changes, see the release notes and `Pacemaker 2.1 Changes `_ on the ClusterLabs wiki. What Changed in 2.0 ################### The main goal of the 2.0 release was to remove support for deprecated syntax, along with some small changes in default configuration behavior and tool behavior. Highlights: * Only Corosync version 2 and greater is now supported as the underlying cluster layer. Support for Heartbeat and Corosync 1 (including CMAN) is removed. * The Pacemaker detail log file is now stored in ``/var/log/pacemaker/pacemaker.log`` by default. * The record-pending cluster property now defaults to true, which allows status tools such as crm_mon to show operations that are in progress. * Support for a number of deprecated build options, environment variables, and configuration settings has been removed. * The ``master`` tag has been deprecated in favor of using the ``clone`` tag with the new ``promotable`` meta-attribute set to ``true``. "Master/slave" clone resources are now referred to as "promotable" clone resources. * The public API for Pacemaker libraries that software applications can use has changed significantly. For a detailed list of changes, see the release notes and `Pacemaker 2.0 Changes `_ on the ClusterLabs wiki. What Changed in 1.0 ################### New ___ * Failure timeouts. * New section for resource and operation defaults. * Tool for making offline configuration changes. * ``Rules``, ``instance_attributes``, ``meta_attributes`` and sets of operations can be defined once and referenced in multiple places. * The CIB now accepts XPath-based create/modify/delete operations. See ``cibadmin --help``. * Multi-dimensional colocation and ordering constraints. * The ability to connect to the CIB from non-cluster machines. * Allow recurring actions to be triggered at known times. Changed _______ * Syntax * All resource and cluster options now use dashes (-) instead of underscores (_) * ``master_slave`` was renamed to ``master`` * The ``attributes`` container tag was removed * The operation field ``pre-req`` has been renamed ``requires`` * All operations must have an ``interval``, ``start``/``stop`` must have it set to zero -* The ``stonith-enabled`` option now defaults to true. -* The cluster will refuse to start resources if ``stonith-enabled`` is true (or +* The ``fencing-enabled`` option now defaults to true. +* The cluster will refuse to start resources if ``fencing-enabled`` is true (or unset) and no STONITH resources have been defined * The attributes of colocation and ordering constraints were renamed for clarity. * ``resource-failure-stickiness`` has been replaced by ``migration-threshold``. * The parameters for command-line tools have been made consistent * Switched to 'RelaxNG' schema validation and 'libxml2' parser * id fields are now XML IDs which have the following limitations: * id's cannot contain colons (:) * id's cannot begin with a number * id's must be globally unique (not just unique for that tag) * Some fields (such as those in constraints that refer to resources) are IDREFs. This means that they must reference existing resources or objects in order for the configuration to be valid. Removing an object which is referenced elsewhere will therefore fail. * The CIB representation, from which a MD5 digest is calculated to verify CIBs on the nodes, has changed. This means that every CIB update will require a full refresh on any upgraded nodes until the cluster is fully upgraded to 1.0. This will result in significant performance degradation and it is therefore highly inadvisable to run a mixed 1.0/0.6 cluster for any longer than absolutely necessary. * Ping node information no longer needs to be added to ``ha.cf``. Simply include the lists of hosts in your ping resource(s). Removed _______ * Syntax * It is no longer possible to set resource meta options as top-level attributes. Use meta-attributes instead. * Resource and operation defaults are no longer read from ``crm_config``. .. rubric:: Footnotes .. [#] Before CRM feature set 3.1.0 (Pacemaker 2.0.0), the minor-minor version number was treated the same as the minor version. .. [#] Currently, Corosync version 2 and greater is the only supported cluster stack, but other stacks have been supported by past versions, and may be supported by future versions. .. [#] Any active resources will be moved off the node being upgraded, so there will be at least a brief outage unless all resources can be migrated "live". .. [#] Rolling upgrades from Pacemaker 1.1.z to 2.y.z are possible only if the cluster uses corosync version 2 or greater as its messaging layer, and the Cluster Information Base (CIB) uses schema 1.0 or higher in its ``validate-with`` property. .. [#] Pacemaker Remote versions 1.1.15 through 1.1.17 require cluster nodes to be at least version 1.1.15. Version 1.1.15 introduced an accidental remote protocol version bump, breaking rolling upgrade compatibility with older versions. This was fixed in 1.1.18. .. [#] As of Pacemaker 2.0.0, only schema versions pacemaker-1.0 and higher are supported (excluding pacemaker-1.1, which was a special case). diff --git a/doc/sphinx/Pacemaker_Development/components.rst b/doc/sphinx/Pacemaker_Development/components.rst index 3d1579ee76..066f1345e1 100644 --- a/doc/sphinx/Pacemaker_Development/components.rst +++ b/doc/sphinx/Pacemaker_Development/components.rst @@ -1,514 +1,514 @@ Coding Particular Pacemaker Components -------------------------------------- The Pacemaker code can be intricate and difficult to follow. This chapter has some high-level descriptions of how individual components work. .. index:: single: controller single: pacemaker-controld Controller ########## ``pacemaker-controld`` is the Pacemaker daemon that utilizes the other daemons to orchestrate actions that need to be taken in the cluster. It receives CIB change notifications from the CIB manager, passes the new CIB to the scheduler to determine whether anything needs to be done, uses the executor and fencer to execute any actions required, and sets failure counts (among other things) via the attribute manager. As might be expected, it has the most code of any of the daemons. .. index:: single: join Join sequence _____________ Most daemons track their cluster peers using Corosync's membership and :term:`CPG` only. The controller additionally requires peers to `join`, which ensures they are ready to be assigned tasks. Joining proceeds through a series of phases referred to as the `join sequence` or `join process`. A node's current join phase is tracked by the ``user_data`` member of ``pcmk__node_status_t`` (used in the peer cache). It is an ``enum controld_join_phase`` that (ideally) progresses from the DC's point of view as follows: * The node initially starts at ``controld_join_none`` * The DC sends the node a `join offer` (``CRM_OP_JOIN_OFFER``), and the node proceeds to ``controld_join_welcomed``. This can happen in three ways: * The joining node will send a `join announce` (``CRM_OP_JOIN_ANNOUNCE``) at its controller startup, and the DC will reply to that with a join offer. * When the DC's peer status callback notices that the node has joined the messaging layer, it registers ``I_NODE_JOIN`` (which leads to ``A_DC_JOIN_OFFER_ONE`` -> ``do_dc_join_offer_one()`` -> ``join_make_offer()``). * After certain events (notably a new DC being elected), the DC will send all nodes join offers (via A_DC_JOIN_OFFER_ALL -> ``do_dc_join_offer_all()``). These can overlap. The DC can send a join offer and the node can send a join announce at nearly the same time, so the node responds to the original join offer while the DC responds to the join announce with a new join offer. The situation resolves itself after looping a bit. * The node responds to join offers with a `join request` (``CRM_OP_JOIN_REQUEST``, via ``do_cl_join_offer_respond()`` and ``join_query_callback()``). When the DC receives the request, the node proceeds to ``controld_join_integrated`` (via ``do_dc_join_filter_offer()``). * As each node is integrated, the current best CIB is sync'ed to each integrated node via ``do_dc_join_finalize()``. As each integrated node's CIB sync succeeds, the DC acks the node's join request (``CRM_OP_JOIN_ACKNAK``) and the node proceeds to ``controld_join_finalized`` (via ``finalize_sync_callback()`` + ``finalize_join_for()``). * Each node confirms the finalization ack (``CRM_OP_JOIN_CONFIRM`` via ``do_cl_join_finalize_respond()``), including its current resource operation history (via ``controld_query_executor_state()``). Once the DC receives this confirmation, the node proceeds to ``controld_join_confirmed`` via ``do_dc_join_ack()``. Once all nodes are confirmed, the DC calls ``do_dc_join_final()``, which checks for quorum and responds appropriately. When peers are lost, their join phase is reset to none (in various places). ``crm_update_peer_join()`` updates a node's join phase. The DC increments the global ``current_join_id`` for each joining round, and rejects any (older) replies that don't match. .. index:: single: fencer single: pacemaker-fenced Fencer ###### ``pacemaker-fenced`` is the Pacemaker daemon that handles fencing requests. In the broadest terms, fencing works like this: #. The initiator (an external program such as ``stonith_admin``, or the cluster itself via the controller) asks the local fencer, "Hey, could you please fence this node?" #. The local fencer asks all the fencers in the cluster (including itself), "Hey, what fencing devices do you have access to that can fence this node?" #. Each fencer in the cluster replies with a list of available devices that it knows about. #. Once the original fencer gets all the replies, it asks the most appropriate fencer peer to actually carry out the fencing. It may send out more than one such request if the target node must be fenced with multiple devices. #. The chosen fencer(s) call the appropriate fencing resource agent(s) to do the fencing, then reply to the original fencer with the result. #. The original fencer broadcasts the result to all fencers. #. Each fencer sends the result to each of its local clients (including, at some point, the initiator). A more detailed description follows. .. index:: single: libstonithd Initiating a fencing request ____________________________ A fencing request can be initiated by the cluster or externally, using the libstonithd API. * The cluster always initiates fencing via ``daemons/controld/controld_fencing.c:te_fence_node()`` (which calls the ``fence()`` API method). This occurs when a transition graph synapse contains a ``CRM_OP_FENCE`` XML operation. * The main external clients are ``stonith_admin`` and ``cts-fence-helper``. The ``DLM`` project also uses Pacemaker for fencing. Highlights of the fencing API: * ``stonith_api_new()`` creates and returns a new ``stonith_t`` object, whose ``cmds`` member has methods for connect, disconnect, fence, etc. * the ``fence()`` method creates and sends a ``STONITH_OP_FENCE XML`` request with the desired action and target node. Callers do not have to choose or even have any knowledge about particular fencing devices. Fencing queries _______________ The function calls for a fencing request go something like this: The local fencer receives the client's request via an :term:`IPC` or messaging layer callback, which calls * ``stonith_command()``, which (for requests) calls * ``handle_request()``, which (for ``STONITH_OP_FENCE`` from a client) calls * ``initiate_remote_stonith_op()``, which creates a ``STONITH_OP_QUERY`` XML request with the target, desired action, timeout, etc. then broadcasts the operation to the cluster group (i.e. all fencer instances) and starts a timer. The query is broadcast because (1) location constraints - might prevent the local node from accessing the stonith device directly, + might prevent the local node from accessing the fencing device directly, and (2) even if the local node does have direct access, another node might be preferred to carry out the fencing. Each fencer receives the original fencer's ``STONITH_OP_QUERY`` broadcast request via IPC or messaging layer callback, which calls: * ``stonith_command()``, which (for requests) calls * ``handle_request()``, which (for ``STONITH_OP_QUERY`` from a peer) calls * ``stonith_query()``, which calls * ``get_capable_devices()`` with ``stonith_query_capable_device_cb()`` to add device information to an XML reply and send it. (A message is considered a reply if it contains ``T_STONITH_REPLY``, which is only set by fencer peers, not clients.) The original fencer receives all peers' ``STONITH_OP_QUERY`` replies via IPC or messaging layer callback, which calls: * ``stonith_command()``, which (for replies) calls * ``handle_reply()`` which (for ``STONITH_OP_QUERY``) calls * ``process_remote_stonith_query()``, which allocates a new query result structure, parses device information into it, and adds it to the operation object. It increments the number of replies received for this operation, and compares it against the expected number of replies (i.e. the number of active peers), and if this is the last expected reply, calls * ``request_peer_fencing()``, which calculates the timeout and sends ``STONITH_OP_FENCE`` request(s) to carry out the fencing. If the target node has a fencing "topology" (which allows specifications such as "this node can be fenced either with device A, or devices B and C in combination"), it will choose the device(s), and send out as many requests as needed. If it chooses a device, it will choose the peer; a peer is preferred if it has "verified" access to the desired device, meaning that it has the device "running" on it and thus has a monitor operation ensuring reachability. Fencing operations __________________ Each ``STONITH_OP_FENCE`` request goes something like this: The chosen peer fencer receives the ``STONITH_OP_FENCE`` request via :term:`IPC` or messaging layer callback, which calls: * ``stonith_command()``, which (for requests) calls * ``handle_request()``, which (for ``STONITH_OP_FENCE`` from a peer) calls * ``stonith_fence()``, which calls * ``schedule_stonith_command()`` (using supplied device if ``F_STONITH_DEVICE`` was set, otherwise the highest-priority capable device obtained via ``get_capable_devices()`` with ``stonith_fence_get_devices_cb()``), which adds the operation to the device's pending operations list and triggers processing. The chosen peer fencer's mainloop is triggered and calls * ``stonith_device_dispatch()``, which calls * ``stonith_device_execute()``, which pops off the next item from the device's pending operations list. If acting as the (internally implemented) watchdog agent, it panics the node, otherwise it calls * ``stonith_action_create()`` and ``stonith_action_execute_async()`` to call the fencing agent. The chosen peer fencer's mainloop is triggered again once the fencing agent returns, and calls * ``stonith_action_async_done()`` which adds the results to an action object then calls its * done callback (``st_child_done()``), which calls ``schedule_stonith_command()`` for a new device if there are further required actions to execute or if the original action failed, then builds and sends an XML reply to the original fencer (via ``send_async_reply()``), then checks whether any pending actions are the same as the one just executed and merges them if so. Fencing replies _______________ The original fencer receives the ``STONITH_OP_FENCE`` reply via :term:`IPC` or messaging layer callback, which calls: * ``stonith_command()``, which (for replies) calls * ``handle_reply()``, which calls * ``fenced_process_fencing_reply()``, which calls either ``request_peer_fencing()`` (to retry a failed operation, or try the next device in a topology if appropriate, which issues a new ``STONITH_OP_FENCE`` request, proceeding as before) or ``finalize_op()`` (if the operation is definitively failed or successful). * ``finalize_op()`` broadcasts the result to all peers. Finally, all peers receive the broadcast result and call * ``finalize_op()``, which sends the result to all local clients. .. index:: single: fence history Fencing History _______________ The fencer keeps a running history of all fencing operations. The bulk of the relevant code is in `fenced_history.c` and ensures the history is synchronized across all nodes even if a node leaves and rejoins the cluster. In libstonithd, this information is represented by `stonith_history_t` and is queryable by the `stonith_api_operations_t:history()` method. `crm_mon` and `stonith_admin` use this API to display the history. .. index:: single: scheduler single: pacemaker-schedulerd single: libcrmcommon single: libpe_status single: libpacemaker Scheduler ######### ``pacemaker-schedulerd`` is the Pacemaker daemon that runs the Pacemaker scheduler for the controller, but "the scheduler" in general refers to related library code in various files in ``libcrmcommon``, ``libpe_status``, and ``libpacemaker``. The purpose of the scheduler is to take a CIB as input and generate a transition graph (list of actions that need to be taken) as output. The controller invokes the scheduler by contacting the scheduler daemon via local :term:`IPC`. Tools such as ``crm_simulate``, ``crm_mon``, and ``crm_resource`` can also invoke the scheduler, but do so by calling the library functions directly. This allows them to run using a ``CIB_file`` without the cluster needing to be active. The main entry point for the scheduler code is ``lib/pacemaker/pcmk_scheduler.c:pcmk__schedule_actions()``. It sets defaults and calls a series of functions for the scheduling. Some key steps: * ``unpack_cib()`` parses most of the CIB XML into data structures, and determines the current cluster status. * ``apply_node_criteria()`` applies factors that make resources prefer certain nodes, such as shutdown locks, location constraints, and stickiness. * ``pcmk__create_internal_constraints()`` creates internal constraints, such as the implicit ordering for group members, or start actions being implicitly ordered before promote actions. * ``pcmk__handle_rsc_config_changes()`` processes resource history entries in the CIB status section. This is used to decide whether certain actions need to be done, such as deleting removed resources, forcing a restart when a resource definition changes, etc. * ``assign_resources()`` :term:`assigns ` resources to nodes. * ``schedule_resource_actions()`` schedules resource-specific actions (which might or might not end up in the final graph). * ``pcmk__apply_orderings()`` processes ordering constraints in order to modify action attributes such as optional or required. * ``pcmk__create_graph()`` creates the transition graph. Challenges __________ Working with the scheduler is difficult. Challenges include: * It is far too much code to keep more than a small portion in your head at one time. * Small changes can have large (and unexpected) effects. This is why we have a large number of regression tests (``cts/cts-scheduler``), which should be run after making code changes. * It produces an insane amount of log messages at debug and trace levels. You can put resource ID(s) in the ``PCMK_trace_tags`` environment variable to enable trace-level messages only when related to specific resources. * Different parts of the main ``pcmk_scheduler_t`` structure are finalized at different points in the scheduling process, so you have to keep in mind whether information you're using at one point of the code can possibly change later. For example, data unpacked from the CIB can safely be used anytime after ``unpack_cib(),`` but actions may become optional or required anytime before ``pcmk__create_graph()``. There's no easy way to deal with this. .. index:: single: pcmk_scheduler_t The Scheduler Object ____________________ The main data object for the scheduler is ``pcmk_scheduler_t``, which contains all information needed about nodes, resources, constraints, etc., both as the raw CIB XML and parsed into more usable data structures, plus the resulting transition graph XML. The variable name is usually ``scheduler``. .. index:: single: pcmk_resource_t Resources _________ ``pcmk_resource_t`` is the data object representing cluster resources. It has a couple of public members for backward compatibility reasons, but most of the implementation is in the internal ``pcmk__resource_private_t`` type. A resource has a variant: :term:`primitive`, group, clone, or :term:`bundle`. The private resource object has members for two sets of methods, ``pcmk__rsc_methods_t`` from ``libcrmcommon``, and ``pcmk__assignment_methods_t`` whose implementation is internal to ``libpacemaker``. The actual functions vary by variant. The resource methods have basic capabilities such as unpacking the resource XML, and determining the current or planned location of the resource. The :term:`assignment ` methods have more obscure capabilities needed for scheduling, such as processing location and ordering constraints. For example, ``pcmk__create_internal_constraints()`` simply calls the ``internal_constraints()`` method for each top-level resource in the cluster. .. index:: single: pcmk_node_t Nodes _____ :term:`Assignment ` of resources to nodes is done by choosing the node with the highest :term:`score` for a given resource. The scheduler does a bunch of processing to generate the scores, then the actual assignment is straightforward. The scheduler node implementation is a little confusing. ``pcmk_node_t`` (``struct pcmk__scored_node``) is the primary object used. It contains two sub-structs, ``pcmk__node_private_t *priv`` (which is internal) and ``struct pcmk__node_details *details`` (which is public for backward compatibility reasons), that contain all node information that is independent of resource assignment (the node name, etc.). It contains one other (internal) sub-struct, ``struct pcmk__node_assignment *assign``, which contains information particular to a specific resource being assigned. Node lists are frequently used. For example, ``pcmk_scheduler_t`` has a ``nodes`` member which is a list of all nodes in the cluster, and the internal resource object has an ``active_nodes`` member which is a list of all nodes on which the resource is (or might be) active. Only the scheduler's ``nodes`` list has the full, original node instances. All other node lists have shallow copies created by ``pe__copy_node()``, which share ``details`` and ``priv`` from the main list (but can differ in their ``assign`` member). .. index:: single: pcmk_action_t single: pcmk__action_flags Actions _______ ``pcmk_action_t`` is the data object representing actions that might need to be taken. These could be resource actions, cluster-wide actions such as fencing a node, or "pseudo-actions" which are abstractions used as convenient points for ordering other actions against. Its (internal) implementation has a ``flags`` member which is a bitmask of ``enum pcmk__action_flags``. The most important of these are ``pcmk__action_runnable`` (if not set, the action is "blocked" and cannot be added to the transition graph) and ``pcmk__action_optional`` (actions with this set will not be added to the transition graph; actions often start out as optional, and may become required later). .. index:: single: pcmk__colocation_t Colocations ___________ ``pcmk__colocation_t`` is the data object representing colocations. Colocation constraints come into play in these parts of the scheduler code: * When sorting resources for :term:`assignment `, so resources with highest node :term:`score` are assigned first (see ``cmp_resources()``) * When updating node scores for resource assigment or promotion priority * When assigning resources, so any resources to be colocated with can be assigned first, and so colocations affect where the resource is assigned * When choosing roles for promotable clone instances, so colocations involving a specific role can affect which instances are promoted The resource assignment functions have several methods related to colocations: * ``apply_coloc_score():`` This applies a colocation's score to either the dependent's allowed node scores (if called while resources are being assigned) or the dependent's priority (if called while choosing promotable instance roles). It can behave differently depending on whether it is being called as the :term:`primary's ` method or as the :term:`dependent's ` method. * ``add_colocated_node_scores():`` This updates a table of nodes for a given colocation attribute and score. It goes through colocations involving a given resource, and updates the scores of the nodes in the table with the best scores of nodes that match up according to the colocation criteria. * ``colocated_resources():`` This generates a list of all resources involved in mandatory colocations (directly or indirectly via colocation chains) with a given resource. .. index:: single: pcmk__action_relation_t single: action; relation Action Relations ________________ Ordering constraints are simple in concept, but they are one of the most important, powerful, and difficult to follow aspects of the scheduler code. ``pcmk__action_relation_t`` is the data object representing an ordering, better thought of as a relationship between two actions, since the relation can be more complex than just "this one runs after that one". For a relation "A then B", the code generally refers to A as "first" or "before", and B as "then" or "after". Much of the power comes from ``enum pcmk__action_relation_flags``, which are flags that determine how a relation behaves. There are many obscure flags with big effects. A few examples: * ``pcmk__ar_none`` means the relation is disabled and will be ignored. The value is 0, meaning no flags set, so it must be compared with equality rather than ``pcmk_is_set()``. * ``pcmk__ar_ordered`` without any other flags set means the relation does not make either action required, so it applies only if they both become required for other reasons. * ``pcmk__ar_then_implies_first`` means that if action B becomes required for any reason, then action A will become required as well. Adding a New Scheduler Regression Test ______________________________________ #. Choose a test name. #. Copy the uncompressed input CIB to cts/scheduler/xml/TESTNAME.xml. It's helpful to add an XML comment at the top describing the essential features of the test (which configuration and status scenarios are being tested). #. Edit ``cts/cts-scheduler.in`` and add the test name and description to the ``TESTS`` array. #. Run ``cts/cts-scheduler --update --run TESTNAME`` to generate the expected transition graph, scores, etc. Look over the generated files to make sure they are as expected. #. Commit your changes. diff --git a/doc/sphinx/Pacemaker_Explained/acls.rst b/doc/sphinx/Pacemaker_Explained/acls.rst index 1ceff36d9e..71691cdd8b 100644 --- a/doc/sphinx/Pacemaker_Explained/acls.rst +++ b/doc/sphinx/Pacemaker_Explained/acls.rst @@ -1,476 +1,476 @@ .. index:: single: Access Control List (ACL) .. _acl: Access Control Lists (ACLs) --------------------------- By default, the ``root`` user or any user in the |CRM_DAEMON_GROUP| group can modify Pacemaker's CIB without restriction. Pacemaker offers *access control lists (ACLs)* to provide more fine-grained authorization. .. important:: Being able to modify the CIB's resource section allows a user to run any executable file as root, by configuring it as an LSB resource with a full path. ACL Prerequisites ################# In order to use ACLs: * The ``enable-acl`` :ref:`cluster option ` must be set to true. * Desired users must have user accounts in the |CRM_DAEMON_GROUP| group on all cluster nodes in the cluster. * If your CIB was created before Pacemaker 1.1.12, it might need to be updated to the current schema (using ``cibadmin --upgrade`` or a higher-level tool equivalent) in order to use the syntax documented here. * Prior to the 2.1.0 release, the Pacemaker software had to have been built with ACL support. If you are using an older release, your installation supports ACLs only if the output of the command ``pacemakerd --features`` contains ``acls``. In newer versions, ACLs are always enabled. .. important:: ``enable-acl`` should be set either by the root user, or as part of a batch of CIB changes including roles and users. Otherwise, the user setting it might lock themselves out from making any further changes. .. index:: single: Access Control List (ACL); acls pair: acls; XML element ACL Configuration ################# ACLs are specified within an ``acls`` element of the CIB. The ``acls`` element may contain any number of ``acl_role``, ``acl_target``, and ``acl_group`` elements. .. index:: single: Access Control List (ACL); acl_role pair: acl_role; XML element ACL Roles ######### An ACL *role* is a collection of permissions allowing or denying access to particular portions of the CIB. A role is configured with an ``acl_role`` element in the CIB ``acls`` section. .. table:: **Properties of an acl_role Element** :widths: 25 75 +------------------+-----------------------------------------------------------+ | Attribute | Description | +==================+===========================================================+ | id | .. index:: | | | single: acl_role; id (attribute) | | | single: id; acl_role attribute | | | single: attribute; id (acl_role) | | | | | | A unique name for the role *(required)* | +------------------+-----------------------------------------------------------+ | description | .. index:: | | | single: acl_role; description (attribute) | | | single: description; acl_role attribute | | | single: attribute; description (acl_role) | | | | | | Arbitrary text for user's use (ignored by Pacemaker) | +------------------+-----------------------------------------------------------+ An ``acl_role`` element may contain any number of ``acl_permission`` elements. .. index:: single: Access Control List (ACL); acl_permission pair: acl_permission; XML element .. table:: **Properties of an acl_permission Element** :widths: 25 75 +------------------+-----------------------------------------------------------+ | Attribute | Description | +==================+===========================================================+ | id | .. index:: | | | single: acl_permission; id (attribute) | | | single: id; acl_permission attribute | | | single: attribute; id (acl_permission) | | | | | | A unique name for the permission *(required)* | +------------------+-----------------------------------------------------------+ | description | .. index:: | | | single: acl_permission; description (attribute) | | | single: description; acl_permission attribute | | | single: attribute; description (acl_permission) | | | | | | Arbitrary text for user's use (ignored by Pacemaker) | +------------------+-----------------------------------------------------------+ | kind | .. index:: | | | single: acl_permission; kind (attribute) | | | single: kind; acl_permission attribute | | | single: attribute; kind (acl_permission) | | | | | | The access being granted. Allowed values are ``read``, | | | ``write``, and ``deny``. A value of ``write`` grants both | | | read and write access. | +------------------+-----------------------------------------------------------+ | object-type | .. index:: | | | single: acl_permission; object-type (attribute) | | | single: object-type; acl_permission attribute | | | single: attribute; object-type (acl_permission) | | | | | | The name of an XML element in the CIB to which the | | | permission applies. (Exactly one of ``object-type``, | | | ``xpath``, and ``reference`` must be specified for a | | | permission.) | +------------------+-----------------------------------------------------------+ | attribute | .. index:: | | | single: acl_permission; attribute (attribute) | | | single: attribute; acl_permission attribute | | | single: attribute; attribute (acl_permission) | | | | | | If specified, the permission applies only to | | | ``object-type`` elements that have this attribute set (to | | | any value). If not specified, the permission applies to | | | all ``object-type`` elements. May only be used with | | | ``object-type``. | +------------------+-----------------------------------------------------------+ | reference | .. index:: | | | single: acl_permission; reference (attribute) | | | single: reference; acl_permission attribute | | | single: attribute; reference (acl_permission) | | | | | | The ID of an XML element in the CIB to which the | | | permission applies. (Exactly one of ``object-type``, | | | ``xpath``, and ``reference`` must be specified for a | | | permission.) | +------------------+-----------------------------------------------------------+ | xpath | .. index:: | | | single: acl_permission; xpath (attribute) | | | single: xpath; acl_permission attribute | | | single: attribute; xpath (acl_permission) | | | | | | An `XPath `_ | | | specification selecting an XML element in the CIB to | | | which the permission applies. Attributes may be specified | | | in the XPath to select particular elements, but the | | | permissions apply to the entire element. (Exactly one of | | | ``object-type``, ``xpath``, and ``reference`` must be | | | specified for a permission.) | +------------------+-----------------------------------------------------------+ .. important:: * Permissions are applied to the selected XML element's entire XML subtree (all elements enclosed within it). * Write permission grants the ability to create, modify, or remove the element and its subtree, and also the ability to create any "scaffolding" elements (enclosing elements that do not have attributes other than an ID). * Permissions for more specific matches (more deeply nested elements) take precedence over more general ones. * If multiple permissions are configured for the same match (for example, in different roles applied to the same user), any ``deny`` permission takes precedence, then ``write``, then lastly ``read``. ACL Targets and Groups ###################### ACL targets correspond to user accounts on the system. .. index:: single: Access Control List (ACL); acl_target pair: acl_target; XML element .. table:: **Properties of an acl_target Element** :widths: 25 75 +------------------+-----------------------------------------------------------+ | Attribute | Description | +==================+===========================================================+ | id | .. index:: | | | single: acl_target; id (attribute) | | | single: id; acl_target attribute | | | single: attribute; id (acl_target) | | | | | | A unique identifier for the target (if ``name`` is not | | | specified, this must be the name of the user account) | | | *(required)* | +------------------+-----------------------------------------------------------+ | name | .. index:: | | | single: acl_target; name (attribute) | | | single: name; acl_target attribute | | | single: attribute; name (acl_target) | | | | | | If specified, the user account name (this allows you to | | | specify a user name that is already used as the ``id`` | | | for some other configuration element) *(since 2.1.5)* | +------------------+-----------------------------------------------------------+ ACL groups correspond to groups on the system. Any role configured for these groups apply to all users in that group *(since 2.1.5)*. .. index:: single: Access Control List (ACL); acl_group pair: acl_group; XML element .. table:: **Properties of an acl_group Element** :widths: 25 75 +------------------+-----------------------------------------------------------+ | Attribute | Description | +==================+===========================================================+ | id | .. index:: | | | single: acl_group; id (attribute) | | | single: id; acl_group attribute | | | single: attribute; id (acl_group) | | | | | | A unique identifier for the group (if ``name`` is not | | | specified, this must be the group name) *(required)* | +------------------+-----------------------------------------------------------+ | name | .. index:: | | | single: acl_group; name (attribute) | | | single: name; acl_group attribute | | | single: attribute; name (acl_group) | | | | | | If specified, the group name (this allows you to specify | | | a group name that is already used as the ``id`` for some | | | other configuration element) | +------------------+-----------------------------------------------------------+ Each ``acl_target`` and ``acl_group`` element may contain any number of ``role`` elements. .. note:: If the system users and groups are defined by some network service (such as LDAP), the cluster itself will be unaffected by outages in the service, but affected users and groups will not be able to make changes to the CIB. .. index:: single: Access Control List (ACL); role pair: role; XML element .. table:: **Properties of a role Element** :widths: 25 75 +------------------+-----------------------------------------------------------+ | Attribute | Description | +==================+===========================================================+ | id | .. index:: | | | single: role; id (attribute) | | | single: id; role attribute | | | single: attribute; id (role) | | | | | | The ``id`` of an ``acl_role`` element that specifies | | | permissions granted to the enclosing target or group. | +------------------+-----------------------------------------------------------+ .. important:: The ``root`` and |CRM_DAEMON_USER| user accounts always have full access to the CIB, regardless of ACLs. For all other user accounts, when ``enable-acl`` is true, permission to all parts of the CIB is denied by default (permissions must be explicitly granted). ACLs and Pacemaker Remote Nodes ############################### ACLs apply differently on Pacemaker Remote nodes, which are assumed to be special-purpose hosts without typical user accounts. Instead, CIB modifications coming from a Pacemaker Remote node use the node's name as the ACL user name, and ``pacemaker-remote`` as the role. ACL Examples ############ .. code-block:: xml In the above example, the user ``alice`` has the minimal permissions necessary to run basic Pacemaker CLI tools, including using ``crm_mon`` to view the cluster status, without being able to modify anything. The user ``bob`` can view the entire configuration and status of the cluster, but not make any changes. The user ``carol`` can read everything, and change selected cluster properties as well as resource roles and location constraints. Finally, ``dave`` has full read and write access to the entire CIB. Looking at the ``minimal`` role in more depth, it is designed to allow read access to the ``cib`` tag itself, while denying access to particular portions of its subtree (which is the entire CIB). This is because the DC node is indicated in the ``cib`` tag, so ``crm_mon`` will not be able to report the DC otherwise. However, this does change the security model to allow by default, since any portions of the CIB not explicitly denied will be readable. The ``cib`` read access could be removed and replaced with read access to just the ``crm_config`` and ``status`` sections, for a safer approach at the cost of not seeing the DC in status output. For a simpler configuration, the ``minimal`` role allows read access to the entire ``crm_config`` section, which contains cluster properties. It would be possible to allow read access to specific properties instead (such as -``stonith-enabled``, ``dc-uuid``, ``have-quorum``, and ``cluster-name``) to +``fencing-enabled``, ``dc-uuid``, ``have-quorum``, and ``cluster-name``) to restrict access further while still allowing status output, but cluster properties are unlikely to be considered sensitive. ACL Limitations ############### Actions performed via IPC rather than the CIB _____________________________________________ ACLs apply *only* to the CIB. That means ACLs apply to command-line tools that operate by reading or writing the CIB, such as ``crm_attribute`` when managing permanent node attributes, ``crm_mon``, and ``cibadmin``. However, command-line tools that communicate directly with Pacemaker daemons via IPC are not affected by ACLs. For example, users in the |CRM_DAEMON_GROUP| group may still do the following, regardless of ACLs: * Query transient node attribute values using ``crm_attribute`` and ``attrd_updater``. * Query basic node information using ``crm_node``. * Erase resource operation history using ``crm_resource``. * Query fencing configuration information, and execute fencing against nodes, using ``stonith_admin``. ACLs and Pacemaker Remote _________________________ ACLs apply to commands run on Pacemaker Remote nodes using the Pacemaker Remote node's name as the ACL user name. The idea is that Pacemaker Remote nodes (especially virtual machines and containers) are likely to be purpose-built and have different user accounts from full cluster nodes. diff --git a/doc/sphinx/Pacemaker_Explained/ap-samples.rst b/doc/sphinx/Pacemaker_Explained/ap-samples.rst index e618ef9314..739d04a5a9 100644 --- a/doc/sphinx/Pacemaker_Explained/ap-samples.rst +++ b/doc/sphinx/Pacemaker_Explained/ap-samples.rst @@ -1,148 +1,148 @@ Sample Configurations --------------------- Empty ##### .. topic:: An Empty Configuration .. code-block:: xml Simple ###### .. topic:: A simple configuration with two nodes, some cluster options and a resource .. code-block:: xml - + In the above example, we have one resource (an IP address) that we check every five minutes and will run on host ``c001n01`` until either the resource fails 10 times or the host shuts down. Advanced Configuration ###################### .. topic:: An advanced configuration with groups, clones and STONITH .. code-block:: xml - + - - - + + + - + - + - - + + diff --git a/doc/sphinx/Pacemaker_Explained/cluster-options.rst b/doc/sphinx/Pacemaker_Explained/cluster-options.rst index 83f8a05a1c..00e1c3f00a 100644 --- a/doc/sphinx/Pacemaker_Explained/cluster-options.rst +++ b/doc/sphinx/Pacemaker_Explained/cluster-options.rst @@ -1,936 +1,936 @@ Cluster-Wide Configuration -------------------------- .. index:: pair: XML element; cib pair: XML element; configuration Configuration Layout #################### The cluster is defined by the Cluster Information Base (CIB), which uses XML notation. The simplest CIB, an empty one, looks like this: .. topic:: An empty configuration .. code-block:: xml The empty configuration above contains the major sections that make up a CIB: * ``cib``: The entire CIB is enclosed with a ``cib`` element. Certain fundamental settings are defined as attributes of this element. * ``configuration``: This section -- the primary focus of this document -- contains traditional configuration information such as what resources the cluster serves and the relationships among them. * ``crm_config``: cluster-wide configuration options * ``nodes``: the machines that host the cluster * ``resources``: the services run by the cluster * ``constraints``: indications of how resources should be placed * ``status``: This section contains the history of each resource on each node. Based on this data, the cluster can construct the complete current state of the cluster. The authoritative source for this section is the local executor (pacemaker-execd process) on each cluster node, and the cluster will occasionally repopulate the entire section. For this reason, it is never written to disk, and administrators are advised against modifying it in any way. In this document, configuration settings will be described as properties or options based on how they are defined in the CIB: * Properties are XML attributes of an XML element. * Options are name-value pairs expressed as ``nvpair`` child elements of an XML element. Normally, you will use command-line tools that abstract the XML, so the distinction will be unimportant; both properties and options are cluster settings you can tweak. Options can appear within four types of enclosing elements: * ``cluster_property_set`` * ``instance_attributes`` * ``meta_attributes`` * ``utilization`` We will refer to a set of options and its enclosing element as a *block*. .. list-table:: **Properties of an Option Block's Enclosing Element** :class: longtable :widths: 15 15 15 55 :header-rows: 1 * - Name - Type - Default - Description * - .. _option_block_id: .. index:: pair: id; cluster_property_set pair: id; instance_attributes pair: id; meta_attributes pair: id; utilization single: attribute; id (cluster_property_set) single: attribute; id (instance_attributes) single: attribute; id (meta_attributes) single: attribute; id (utilization) id - :ref:`id ` - - A unique name for the block (required) * - .. _option_block_score: .. index:: pair: score; cluster_property_set pair: score; instance_attributes pair: score; meta_attributes pair: score; utilization single: attribute; score (cluster_property_set) single: attribute; score (instance_attributes) single: attribute; score (meta_attributes) single: attribute; score (utilization) score - :ref:`score ` - 0 - Priority with which to process the block Each block may optionally contain a :ref:`rule `. .. _option_precedence: Option Precedence ################# This subsection describes the precedence of options within a set of blocks and within a single block. Options are processed as follows: * All option blocks of a given type are processed in order of their ``score`` attribute, from highest to lowest. For ``cluster_property_set``, if there is a block whose enclosing element has ``id="cib-bootstrap-options"``, then that block is always processed first regardless of score. * If a block contains a rule that evaluates to false, that block is skipped. * Within a block, options are processed in order from first to last. * The first value found for a given option is applied, and the rest are ignored. Note that this means it is pointless to configure the same option twice in a single block, because occurrences after the first one would be ignored. For example, in the following configuration snippet, the ``no-quorum-policy`` value ``demote`` is applied. ``property-set2`` has a higher score than ``property-set1``, so it's processed first. There are no rules in this snippet, so both sets are processed. Within ``property-set2``, the value ``demote`` appears first, so the later value ``freeze`` is ignored. We've already found a value for ``no-quorum-policy`` before we begin processing ``property-set1``, so its value ``stop`` is ignored. .. code-block:: xml CIB Properties ############## Certain settings are defined by CIB properties (that is, attributes of the ``cib`` tag) rather than with the rest of the cluster configuration in the ``configuration`` section. The reason is simply a matter of parsing. These options are used by the configuration database which is, by design, mostly ignorant of the content it holds. So the decision was made to place them in an easy-to-find location. .. list-table:: **CIB Properties** :class: longtable :widths: 20 15 10 55 :header-rows: 1 * - Name - Type - Default - Description * - .. _admin_epoch: .. index:: pair: admin_epoch; cib admin_epoch - :ref:`nonnegative integer ` - 0 - When a node joins the cluster, the cluster asks the node with the highest (``admin_epoch``, ``epoch``, ``num_updates``) tuple to replace the configuration on all the nodes -- which makes setting them correctly very important. ``admin_epoch`` is never modified by the cluster; you can use this to make the configurations on any inactive nodes obsolete. * - .. _epoch: .. index:: pair: epoch; cib epoch - :ref:`nonnegative integer ` - 0 - The cluster increments this every time the CIB's configuration section is updated. * - .. _num_updates: .. index:: pair: num_updates; cib num_updates - :ref:`nonnegative integer ` - 0 - The cluster increments this every time the CIB's configuration or status sections are updated, and resets it to 0 when epoch changes. * - .. _validate_with: .. index:: pair: validate-with; cib validate-with - :ref:`enumeration ` - - Determines the type of XML validation that will be done on the configuration. Allowed values are ``none`` (in which case the cluster will not require that updates conform to expected syntax) and the base names of schema files installed on the local machine (for example, "pacemaker-3.9") * - .. _remote_tls_port: .. index:: pair: remote-tls-port; cib remote-tls-port - :ref:`port ` - - If set, the CIB manager will listen for anonymously encrypted remote connections on this port, to allow CIB administration from hosts not in the cluster. No key is used, so this should be used only on a protected network where man-in-the-middle attacks can be avoided. * - .. _remote_clear_port: .. index:: pair: remote-clear-port; cib remote-clear-port - :ref:`port ` - - If set to a TCP port number, the CIB manager will listen for remote connections on this port, to allow for CIB administration from hosts not in the cluster. No encryption is used, so this should be used only on a protected network. * - .. _cib_last_written: .. index:: pair: cib-last-written; cib cib-last-written - :ref:`date/time ` - - Indicates when the configuration was last written to disk. Maintained by the cluster; for informational purposes only. * - .. _have_quorum: .. index:: pair: have-quorum; cib have-quorum - :ref:`boolean ` - - Indicates whether the cluster has quorum. If false, the cluster's response is determined by ``no-quorum-policy`` (see below). Maintained by the cluster. * - .. _dc_uuid: .. index:: pair: dc-uuid; cib dc-uuid - :ref:`text ` - - Node ID of the cluster's current designated controller (DC). Used and maintained by the cluster. * - .. _execution_date: .. index:: pair: execution-date; cib execution-date - :ref:`epoch time ` - - Time to use when evaluating rules. .. _cluster_options: Cluster Options ############### Cluster options, as you might expect, control how the cluster behaves when confronted with various situations. They are grouped into sets within the ``crm_config`` section. In advanced configurations, there may be more than one set. (This will be described later in the chapter on :ref:`rules` where we will show how to have the cluster use different sets of options during working hours than during weekends.) For now, we will describe the simple case where each option is present at most once. You can obtain an up-to-date list of cluster options, including their default values, by running the ``man pacemaker-schedulerd`` and ``man pacemaker-controld`` commands. .. list-table:: **Cluster Options** :class: longtable :widths: 25 13 12 50 :header-rows: 1 * - Name - Type - Default - Description * - .. _cluster_name: .. index:: pair: cluster option; cluster-name cluster-name - :ref:`text ` - - An (optional) name for the cluster as a whole. This is mostly for users' convenience for use as desired in administration, but can be used in the Pacemaker configuration in :ref:`rules` (as the ``#cluster-name`` :ref:`node attribute `). It may also be used by higher-level tools when displaying cluster information, and by certain resource agents (for example, the ``ocf:heartbeat:GFS2`` agent stores the cluster name in filesystem meta-data). * - .. _dc_version: .. index:: pair: cluster option; dc-version dc-version - :ref:`version ` - *detected* - Version of Pacemaker on the cluster's designated controller (DC). Maintained by the cluster, and intended for diagnostic purposes. * - .. _cluster_infrastructure: .. index:: pair: cluster option; cluster-infrastructure cluster-infrastructure - :ref:`text ` - *detected* - The messaging layer with which Pacemaker is currently running. Maintained by the cluster, and intended for informational and diagnostic purposes. * - .. _no_quorum_policy: .. index:: pair: cluster option; no-quorum-policy no-quorum-policy - :ref:`enumeration ` - stop - What to do when the cluster does not have quorum. Allowed values: * ``ignore:`` continue all resource management * ``freeze:`` continue resource management, but don't recover resources from nodes not in the affected partition * ``stop:`` stop all resources in the affected cluster partition * ``demote:`` demote promotable resources and stop all other resources in the affected cluster partition *(since 2.0.5)* * ``fence:`` fence all nodes in the affected cluster partition *(since 2.1.9)* * ``suicide:`` same as ``fence`` *(deprecated since 2.1.9)* * - .. _batch_limit: .. index:: pair: cluster option; batch-limit batch-limit - :ref:`integer ` - 0 - The maximum number of actions that the cluster may execute in parallel across all nodes. The ideal value will depend on the speed and load of your network and cluster nodes. If zero, the cluster will impose a dynamically calculated limit only when any node has high load. If -1, the cluster will not impose any limit. * - .. _migration_limit: .. index:: pair: cluster option; migration-limit migration-limit - :ref:`integer ` - -1 - The number of :ref:`live migration ` actions that the cluster is allowed to execute in parallel on a node. A value of -1 means unlimited. * - .. _load_threshold: .. index:: pair: cluster option; load-threshold load-threshold - :ref:`percentage ` - 80% - Maximum amount of system load that should be used by cluster nodes. The cluster will slow down its recovery process when the amount of system resources used (currently CPU) approaches this limit. * - .. _node_action_limit: .. index:: pair: cluster option; node-action-limit node-action-limit - :ref:`integer ` - 0 - Maximum number of jobs that can be scheduled per node. If nonpositive or invalid, double the number of cores is used as the maximum number of jobs per node. :ref:`PCMK_node_action_limit ` overrides this option on a per-node basis. * - .. _symmetric_cluster: .. index:: pair: cluster option; symmetric-cluster symmetric-cluster - :ref:`boolean ` - true - If true, resources can run on any node by default. If false, a resource is allowed to run on a node only if a :ref:`location constraint ` enables it. * - .. _stop_all_resources: .. index:: pair: cluster option; stop-all-resources stop-all-resources - :ref:`boolean ` - false - Whether all resources should be disallowed from running (can be useful during maintenance or troubleshooting) * - .. _stop_removed_resources: .. index:: pair: cluster option; stop-removed-resources stop-removed-resources - :ref:`boolean ` - true - Whether resources that have been deleted from the configuration should be stopped. This value takes precedence over :ref:`is-managed ` (that is, even unmanaged resources will be stopped when removed if this value is ``true``). * - .. _stop_removed_actions: .. index:: pair: cluster option; stop-removed-actions stop-removed-actions - :ref:`boolean ` - true - Whether recurring :ref:`operations ` that have been deleted from the configuration should be cancelled * - .. _start_failure_is_fatal: .. index:: pair: cluster option; start-failure-is-fatal start-failure-is-fatal - :ref:`boolean ` - true - Whether a failure to start a resource on a particular node prevents further start attempts on that node. If ``false``, the cluster will decide whether the node is still eligible based on the resource's current failure count and ``migration-threshold``. * - .. _enable_startup_probes: .. index:: pair: cluster option; enable-startup-probes enable-startup-probes - :ref:`boolean ` - true - Whether the cluster should check the pre-existing state of resources when the cluster starts * - .. _maintenance_mode: .. index:: pair: cluster option; maintenance-mode maintenance-mode - :ref:`boolean ` - false - If true, the cluster will not start or stop any resource in the cluster, and any recurring operations (expect those specifying ``role`` as ``Stopped``) will be paused. If true, this overrides the :ref:`maintenance ` node attribute, :ref:`is-managed ` and :ref:`maintenance ` resource meta-attributes, and :ref:`enabled ` operation meta-attribute. - * - .. _stonith_enabled: + * - .. _fencing_enabled: .. index:: - pair: cluster option; stonith-enabled + pair: cluster option; fencing-enabled - stonith-enabled + fencing-enabled - :ref:`boolean ` - true - Whether the cluster is allowed to fence nodes (for example, failed nodes and nodes with resources that can't be stopped). If true, at least one fence device must be configured before resources are allowed to run. If false, unresponsive nodes are immediately assumed to be running no resources, and resource recovery on online nodes starts without any further protection (which can mean *data loss* if the unresponsive node still accesses shared storage, for example). See also the :ref:`requires ` resource meta-attribute. This option applies only to fencing scheduled by the cluster, not to requests initiated externally (such as with the ``stonith_admin`` command-line tool). - * - .. _stonith_action: + * - .. _fencing_action: .. index:: - pair: cluster option; stonith-action + pair: cluster option; fencing-action - stonith-action + fencing-action - :ref:`enumeration ` - reboot - Action the cluster should send to the fence agent when a node must be fenced. Allowed values are ``reboot`` and ``off``. - * - .. _stonith_timeout: + * - .. _fencing_timeout: .. index:: - pair: cluster option; stonith-timeout + pair: cluster option; fencing-timeout - stonith-timeout + fencing-timeout - :ref:`duration ` - 60s - How long to wait for ``on``, ``off``, and ``reboot`` fence actions to complete by default. - * - .. _stonith_max_attempts: + * - .. _fencing_max_attempts: .. index:: - pair: cluster option; stonith-max-attempts + pair: cluster option; fencing-max-attempts - stonith-max-attempts + fencing-max-attempts - :ref:`score ` - 10 - How many times fencing can fail for a target before the cluster will no longer immediately re-attempt it. Any value below 1 will be ignored, and the default will be used instead. * - .. _have_watchdog: .. index:: pair: cluster option; have-watchdog have-watchdog - :ref:`boolean ` - *detected* - Whether watchdog integration is enabled. This is set automatically by the cluster according to whether SBD is detected to be in use. User-configured values are ignored. The value `true` is meaningful if diskless SBD is used and - :ref:`stonith-watchdog-timeout ` is nonzero. In + :ref:`fencing-watchdog-timeout ` is nonzero. In that case, if fencing is required, watchdog-based self-fencing will be performed via SBD without requiring a fencing resource explicitly configured. - * - .. _stonith_watchdog_timeout: + * - .. _fencing_watchdog_timeout: .. index:: - pair: cluster option; stonith-watchdog-timeout + pair: cluster option; fencing-watchdog-timeout - stonith-watchdog-timeout + fencing-watchdog-timeout - :ref:`timeout ` - 0 - If nonzero, and the cluster detects ``have-watchdog`` as ``true``, then watchdog-based self-fencing will be performed via SBD when fencing is required. If this is set to a positive value, lost nodes are assumed to achieve self-fencing within this much time. This does not require a fencing resource to be explicitly configured, though a fence_watchdog resource can be configured, to limit use to specific nodes. If this is set to 0 (the default), the cluster will never assume watchdog-based self-fencing. If this is set to a negative value, the cluster will use twice the local value of the ``SBD_WATCHDOG_TIMEOUT`` environment variable if that is positive, or otherwise treat this as 0. **Warning:** When used, this timeout must be larger than ``SBD_WATCHDOG_TIMEOUT`` on all nodes that use watchdog-based SBD, and Pacemaker will refuse to start on any of those nodes where this is not true for the local value or SBD is not active. When this is set to a negative value, ``SBD_WATCHDOG_TIMEOUT`` must be set to the same value on all nodes that use SBD, otherwise data corruption or loss could occur. * - .. _concurrent-fencing: .. index:: pair: cluster option; concurrent-fencing concurrent-fencing - :ref:`boolean ` - false - Whether the cluster is allowed to initiate multiple fence actions concurrently. Fence actions initiated externally, such as via the ``stonith_admin`` tool or an application such as DLM, or by the fencer itself such as recurring device monitors and ``status`` and ``list`` commands, are not limited by this option. - * - .. _fence_reaction: + * - .. _fencing_reaction: .. index:: - pair: cluster option; fence-reaction + pair: cluster option; fencing-reaction - fence-reaction + fencing-reaction - :ref:`enumeration ` - stop - How should a cluster node react if notified of its own fencing? A cluster node may receive notification of a "succeeded" fencing that targeted it if fencing is misconfigured, or if fabric fencing is in use that doesn't cut cluster communication. Allowed values are ``stop`` to attempt to immediately stop Pacemaker and stay stopped, or ``panic`` to attempt to immediately reboot the local node, falling back to stop on failure. The default is likely to be changed to ``panic`` in a future release. *(since 2.0.3)* * - .. _priority_fencing_delay: .. index:: pair: cluster option; priority-fencing-delay priority-fencing-delay - :ref:`duration ` - 0 - Apply this delay to any fencing targeting the lost nodes with the highest total resource priority in case we don't have the majority of the nodes in our cluster partition, so that the more significant nodes potentially win any fencing match (especially meaningful in a split-brain of a 2-node cluster). A promoted resource instance takes the resource's priority plus 1 if the resource's priority is not 0. Any static or random delays introduced by ``pcmk_delay_base`` and ``pcmk_delay_max`` configured for the corresponding fencing resources will be added to this delay. This delay should be significantly greater than (safely twice) the maximum delay from those parameters. *(since 2.0.4)* * - .. _node_pending_timeout: .. index:: pair: cluster option; node-pending-timeout node-pending-timeout - :ref:`duration ` - 0 - Fence nodes that do not join the controller process group within this much time after joining the cluster, to allow the cluster to continue managing resources. A value of 0 means never fence pending nodes. Setting the value to 2h means fence nodes after 2 hours. *(since 2.1.7)* * - .. _cluster_delay: .. index:: pair: cluster option; cluster-delay cluster-delay - :ref:`duration ` - 60s - If the DC requires an action to be executed on another node, it will consider the action failed if it does not get a response from the other node within this time (beyond the action's own timeout). The ideal value will depend on the speed and load of your network and cluster nodes. * - .. _dc_deadtime: .. index:: pair: cluster option; dc-deadtime dc-deadtime - :ref:`duration ` - 20s - How long to wait for a response from other nodes when electing a DC. The ideal value will depend on the speed and load of your network and cluster nodes. * - .. _cluster_ipc_limit: .. index:: pair: cluster option; cluster-ipc-limit cluster-ipc-limit - :ref:`nonnegative integer ` - 500 - The maximum IPC message backlog before one cluster daemon will disconnect another. This is of use in large clusters, for which a good value is the number of resources in the cluster multiplied by the number of nodes. The default of 500 is also the minimum. Raise this if you see "Evicting client" log messages for cluster daemon process IDs. * - .. _pe_error_series_max: .. index:: pair: cluster option; pe-error-series-max pe-error-series-max - :ref:`integer ` - -1 - The number of scheduler inputs resulting in errors to save. These inputs can be helpful during troubleshooting and when reporting issues. A negative value means save all inputs, and 0 means save none. * - .. _pe_warn_series_max: .. index:: pair: cluster option; pe-warn-series-max pe-warn-series-max - :ref:`integer ` - 5000 - The number of scheduler inputs resulting in warnings to save. These inputs can be helpful during troubleshooting and when reporting issues. A negative value means save all inputs, and 0 means save none. * - .. _pe_input_series_max: .. index:: pair: cluster option; pe-input-series-max pe-input-series-max - :ref:`integer ` - 4000 - The number of "normal" scheduler inputs to save. These inputs can be helpful during troubleshooting and when reporting issues. A negative value means save all inputs, and 0 means save none. * - .. _enable_acl: .. index:: pair: cluster option; enable-acl enable-acl - :ref:`boolean ` - false - Whether :ref:`access control lists ` should be used to authorize CIB modifications * - .. _placement_strategy: .. index:: pair: cluster option; placement-strategy placement-strategy - :ref:`enumeration ` - default - How the cluster should assign resources to nodes (see :ref:`utilization`). Allowed values are ``default``, ``utilization``, ``balanced``, and ``minimal``. * - .. _node_health_strategy: .. index:: pair: cluster option; node-health-strategy node-health-strategy - :ref:`enumeration ` - none - How the cluster should react to :ref:`node health ` attributes. Allowed values are ``none``, ``migrate-on-red``, ``only-green``, ``progressive``, and ``custom``. * - .. _node_health_base: .. index:: pair: cluster option; node-health-base node-health-base - :ref:`score ` - 0 - The base health score assigned to a node. Only used when ``node-health-strategy`` is ``progressive``. * - .. _node_health_green: .. index:: pair: cluster option; node-health-green node-health-green - :ref:`score ` - 0 - The score to use for a node health attribute whose value is ``green``. Only used when ``node-health-strategy`` is ``progressive`` or ``custom``. * - .. _node_health_yellow: .. index:: pair: cluster option; node-health-yellow node-health-yellow - :ref:`score ` - 0 - The score to use for a node health attribute whose value is ``yellow``. Only used when ``node-health-strategy`` is ``progressive`` or ``custom``. * - .. _node_health_red: .. index:: pair: cluster option; node-health-red node-health-red - :ref:`score ` - -INFINITY - The score to use for a node health attribute whose value is ``red``. Only used when ``node-health-strategy`` is ``progressive`` or ``custom``. * - .. _cluster_recheck_interval: .. index:: pair: cluster option; cluster-recheck-interval cluster-recheck-interval - :ref:`duration ` - 15min - Pacemaker is primarily event-driven, and looks ahead to know when to recheck the cluster for failure-timeout settings and most time-based rules *(since 2.0.3)*. However, it will also recheck the cluster after this amount of inactivity. This has three main effects: * :ref:`Rules ` using ``date_spec`` are guaranteed to be checked only this often. * If :ref:`fencing ` fails enough to reach - :ref:`stonith-max-attempts `, attempts will + :ref:`fencing-max-attempts `, attempts will begin again after at most this time. * It serves as a fail-safe in case of certain scheduler bugs. If the scheduler incorrectly determines only some of the actions needed to react to a particular event, it will often correctly determine the rest after at most this time. A value of 0 disables this polling. * - .. _shutdown_lock: .. index:: pair: cluster option; shutdown-lock shutdown-lock - :ref:`boolean ` - false - The default of false allows active resources to be recovered elsewhere when their node is cleanly shut down, which is what the vast majority of users will want. However, some users prefer to make resources highly available only for failures, with no recovery for clean shutdowns. If this option is true, resources active on a node when it is cleanly shut down are kept "locked" to that node (not allowed to run elsewhere) until they start again on that node after it rejoins (or for at most ``shutdown-lock-limit``, if set). Stonith resources and Pacemaker Remote connections are never locked. Clone and bundle instances and the promoted role of promotable clones are currently never locked, though support could be added in a future release. Locks may be manually cleared using the ``--refresh`` option of ``crm_resource`` (both the resource and node must be specified; this works with remote nodes if their connection resource's ``target-role`` is set to ``Stopped``, but not if Pacemaker Remote is stopped on the remote node without disabling the connection resource). *(since 2.0.4)* * - .. _shutdown_lock_limit: .. index:: pair: cluster option; shutdown-lock-limit shutdown-lock-limit - :ref:`duration ` - 0 - If ``shutdown-lock`` is true, and this is set to a nonzero time duration, locked resources will be allowed to start after this much time has passed since the node shutdown was initiated, even if the node has not rejoined. (This works with remote nodes only if their connection resource's ``target-role`` is set to ``Stopped``.) *(since 2.0.4)* * - .. _startup_fencing: .. index:: pair: cluster option; startup-fencing startup-fencing - :ref:`boolean ` - true - *Advanced Use Only:* Whether the cluster should fence unseen nodes at start-up. Setting this to false is unsafe, because the unseen nodes could be active and running resources but unreachable. ``dc-deadtime`` acts as a grace period before this fencing, since a DC must be elected to schedule fencing. * - .. _election_timeout: .. index:: pair: cluster option; election-timeout election-timeout - :ref:`duration ` - 2min - *Advanced Use Only:* If a winner is not declared within this much time of starting an election, the node that initiated the election will declare itself the winner. * - .. _shutdown_escalation: .. index:: pair: cluster option; shutdown-escalation shutdown-escalation - :ref:`duration ` - 20min - *Advanced Use Only:* The controller will exit immediately if a shutdown does not complete within this much time. * - .. _join_integration_timeout: .. index:: pair: cluster option; join-integration-timeout join-integration-timeout - :ref:`duration ` - 3min - *Advanced Use Only:* If you need to adjust this value, it probably indicates the presence of a bug. * - .. _join_finalization_timeout: .. index:: pair: cluster option; join-finalization-timeout join-finalization-timeout - :ref:`duration ` - 30min - *Advanced Use Only:* If you need to adjust this value, it probably indicates the presence of a bug. * - .. _transition_delay: .. index:: pair: cluster option; transition-delay transition-delay - :ref:`duration ` - 0s - *Advanced Use Only:* Delay cluster recovery for the configured interval to allow for additional or related events to occur. This can be useful if your configuration is sensitive to the order in which ping updates arrive. Enabling this option will slow down cluster recovery under all conditions. diff --git a/doc/sphinx/Pacemaker_Explained/fencing.rst b/doc/sphinx/Pacemaker_Explained/fencing.rst index 6ae836c258..6c60632879 100644 --- a/doc/sphinx/Pacemaker_Explained/fencing.rst +++ b/doc/sphinx/Pacemaker_Explained/fencing.rst @@ -1,1283 +1,1283 @@ .. index:: single: fencing single: STONITH .. _fencing: Fencing ------- What Is Fencing? ################ *Fencing* is the ability to make a node unable to run resources, even when that node is unresponsive to cluster commands. Fencing is also known as *STONITH*, an acronym for "Shoot The Other Node In The Head", since the most common fencing method is cutting power to the node. Another method is "fabric fencing", cutting the node's access to some capability required to run resources (such as network access or a shared disk). .. index:: single: fencing; why necessary Why Is Fencing Necessary? ######################### Fencing protects your data from being corrupted by malfunctioning nodes or unintentional concurrent access to shared resources. Fencing protects against the "split brain" failure scenario, where cluster nodes have lost the ability to reliably communicate with each other but are still able to run resources. If the cluster just assumed that uncommunicative nodes were down, then multiple instances of a resource could be started on different nodes. The effect of split brain depends on the resource type. For example, an IP address brought up on two hosts on a network will cause packets to randomly be sent to one or the other host, rendering the IP useless. For a database or clustered file system, the effect could be much more severe, causing data corruption or divergence. Fencing is also used when a resource cannot otherwise be stopped. If a resource fails to stop on a node, it cannot be started on a different node without risking the same type of conflict as split-brain. Fencing the original node ensures the resource can be safely started elsewhere. Users may also configure the ``on-fail`` property of :ref:`operation` or the ``loss-policy`` property of :ref:`ticket constraints ` to ``fence``, in which case the cluster will fence the resource's node if the operation fails or the ticket is lost. .. index:: single: fencing; device Fence Devices ############# A *fence device* or *fencing device* is a special type of resource that provides the means to fence a node. Examples of fencing devices include intelligent power switches and IPMI devices that accept SNMP commands to cut power to a node, and iSCSI controllers that allow SCSI reservations to be used to cut a node's access to a shared disk. Since fencing devices will be used to recover from loss of networking connectivity to other nodes, it is essential that they do not rely on the same network as the cluster itself, otherwise that network becomes a single point of failure. Since loss of a node due to power outage is indistinguishable from loss of network connectivity to that node, it is also essential that at least one fence device for a node does not share power with that node. For example, an on-board IPMI controller that shares power with its host should not be used as the sole fencing device for that host. Since fencing is used to isolate malfunctioning nodes, no fence device should rely on its target functioning properly. This includes, for example, devices that ssh into a node and issue a shutdown command (such devices might be suitable for testing, but never for production). .. index:: single: fencing; agent Fence Agents ############ A *fence agent* or *fencing agent* is a ``stonith``-class resource agent. The fence agent standard provides commands (such as ``off`` and ``reboot``) that the cluster can use to fence nodes. As with other resource agent classes, this allows a layer of abstraction so that Pacemaker doesn't need any knowledge about specific fencing technologies -- that knowledge is isolated in the agent. Pacemaker supports two fence agent standards, both inherited from no-longer-active projects: * Red Hat Cluster Suite (RHCS) style: These are typically installed in ``/usr/sbin`` with names starting with ``fence_``. * Linux-HA style: These typically have names starting with ``external/``. Pacemaker can support these agents using the **fence_legacy** RHCS-style agent as a wrapper, *if* support was enabled when Pacemaker was built, which requires the ``cluster-glue`` library. When a Fence Device Can Be Used ############################### Fencing devices do not actually "run" like most services. Typically, they just provide an interface for sending commands to an external device. Additionally, fencing may be initiated by Pacemaker, by other cluster-aware software such as DRBD or DLM, or manually by an administrator, at any point in the cluster life cycle, including before any resources have been started. To accommodate this, Pacemaker does not require the fence device resource to be "started" in order to be used. Whether a fence device is started or not determines whether a node runs any recurring monitor for the device, and gives the node a slight preference for being chosen to execute fencing using that device. By default, any node can execute any fencing device. If a fence device is disabled by setting its ``target-role`` to ``Stopped``, then no node can use that device. If a location constraint with a negative score prevents a specific node from "running" a fence device, then that node will never be chosen to execute fencing using the device. A node may fence itself, but the cluster will choose that only if no other nodes can do the fencing. A common configuration scenario is to have one fence device per target node. In such a case, users often configure anti-location constraints so that the target node does not monitor its own device. Limitations of Fencing Resources ################################ Fencing resources have certain limitations that other resource classes don't: * They may have only one set of meta-attributes and one set of instance attributes. * If :ref:`rules` are used to determine fencing resource options, these might be evaluated only when first read, meaning that later changes to the rules will have no effect. Therefore, it is better to avoid confusion and not use rules at all with fencing resources. These limitations could be revisited if there is sufficient user demand. .. index:: single: fencing; special instance attributes Special Meta-Attributes for Fencing Resources ############################################# The table below lists special resource meta-attributes that may be set for any fencing resource. .. list-table:: **Additional Properties of Fencing Resources** :widths: 10 10 10 70 :header-rows: 1 * - Field - Type - Default - Description * - provides - string - - .. index:: single: provides Any special capability provided by the fence device. Currently, only one such capability is meaningful: :ref:`unfencing `. .. _fencing-attributes: Special Instance Attributes for Fencing Resources ################################################# The table below lists special instance attributes that may be set for any fencing resource (*not* meta-attributes, even though they are interpreted by Pacemaker rather than the fence agent). These are also listed in the man page for ``pacemaker-fenced``. .. list-table:: **Additional Properties of Fencing Resources** :class: longtable :widths: 22 10 20 48 :header-rows: 1 * - Name - Type - Default - Description * - .. _primitive_stonith_timeout: .. index:: single: stonith-timeout (primitive instance attribute) stonith-timeout - :ref:`timeout ` - - This is not used by Pacemaker (see the ``pcmk_reboot_timeout``, ``pcmk_off_timeout``, etc., properties instead), but it may be used by Linux-HA fence agents. * - .. _pcmk_host_map: .. index:: single: pcmk_host_map pcmk_host_map - :ref:`text ` - - A mapping of node names to ports for devices that do not understand the node names. For example, ``node1:1;node2:2,3`` tells the cluster to use port 1 for ``node1`` and ports 2 and 3 for ``node2``. If ``pcmk_host_check`` is explicitly set to ``static-list``, either this or ``pcmk_host_list`` must be set. The port portion of the map may contain special characters such as spaces if preceded by a backslash *(since 2.1.2)*. * - .. _pcmk_host_list: .. index:: single: pcmk_host_list pcmk_host_list - :ref:`text ` - - Comma-separated list of nodes that can be targeted by this device (for example, ``node1,node2,node3``). If pcmk_host_check is ``static-list``, either this or ``pcmk_host_map`` must be set. * - .. _pcmk_host_check: .. index:: single: pcmk_host_check pcmk_host_check - :ref:`text ` - See :ref:`pcmk_host_check_default` - The method Pacemaker should use to determine which nodes can be targeted by this device. Allowed values: * ``static-list:`` targets are listed in the ``pcmk_host_list`` or ``pcmk_host_map`` attribute * ``dynamic-list:`` query the device via the agent's ``list`` action * ``status:`` query the device via the agent's ``status`` action * ``none:`` assume the device can fence any node * - .. _pcmk_delay_max: .. index:: single: pcmk_delay_max pcmk_delay_max - :ref:`duration ` - 0s - Enable a delay of no more than the time specified before executing fencing actions. Pacemaker derives the overall delay by taking the value of pcmk_delay_base and adding a random delay value such that the sum is kept below this maximum. This is sometimes used in two-node clusters to ensure that the nodes don't fence each other at the same time. * - .. _pcmk_delay_base: .. index:: single: pcmk_delay_base pcmk_delay_base - :ref:`text ` - 0s - Enable a static delay before executing fencing actions. This can be used, for example, in two-node clusters to ensure that the nodes don't fence each other, by having separate fencing resources with different values. The node that is fenced with the shorter delay will lose a fencing race. The overall delay introduced by pacemaker is derived from this value plus a random delay such that the sum is kept below the maximum delay. A single device can have different delays per node using a host map *(since 2.1.2)*, for example ``node1:0s;node2:5s.`` * - .. _pcmk_action_limit: .. index:: single: pcmk_action_limit pcmk_action_limit - :ref:`integer ` - 1 - The maximum number of actions that can be performed in parallel on this device. A value of -1 means unlimited. Node fencing actions initiated by the cluster (as opposed to an administrator running the ``stonith_admin`` tool or the fencer running recurring device monitors and ``status`` and ``list`` commands) are additionally subject to the ``concurrent-fencing`` cluster property. * - .. _pcmk_host_argument: .. index:: single: pcmk_host_argument pcmk_host_argument - :ref:`text ` - ``port`` if the fence agent metadata advertises support for it, otherwise ``plug`` if supported, otherwise ``none`` - *Advanced use only.* Which parameter should be supplied to the fence agent to identify the node to be fenced. A value of ``none`` tells the cluster not to supply any additional parameters. * - .. _pcmk_reboot_action: .. index:: single: pcmk_reboot_action pcmk_reboot_action - :ref:`text ` - ``reboot`` - *Advanced use only.* The command to send to the resource agent in order to reboot a node. Some devices do not support the standard commands or may provide additional ones. Use this to specify an alternate, device-specific command. * - .. _pcmk_reboot_timeout: .. index:: single: pcmk_reboot_timeout pcmk_reboot_timeout - :ref:`timeout ` - 60s - *Advanced use only.* Specify an alternate timeout (in seconds) to use - for ``reboot`` actions instead of the value of ``stonith-timeout``. Some + for ``reboot`` actions instead of the value of ``fencing-timeout``. Some devices need much more or less time to complete than normal. Use this to specify an alternate, device-specific timeout. * - .. _pcmk_reboot_retries: .. index:: single: pcmk_reboot_retries pcmk_reboot_retries - :ref:`integer ` - 2 - *Advanced use only.* The maximum number of times to retry the ``reboot`` command within the timeout period. Some devices do not support multiple connections, and operations may fail if the device is busy with another task, so Pacemaker will automatically retry the operation, if there is time remaining. Use this option to alter the number of times Pacemaker retries before giving up. * - .. _pcmk_off_action: .. index:: single: pcmk_off_action pcmk_off_action - :ref:`text ` - ``off`` - *Advanced use only.* The command to send to the resource agent in order to shut down a node. Some devices do not support the standard commands or may provide additional ones. Use this to specify an alternate, device-specific command. * - .. _pcmk_off_timeout: .. index:: single: pcmk_off_timeout pcmk_off_timeout - :ref:`timeout ` - 60s - *Advanced use only.* Specify an alternate timeout (in seconds) to use - for ``off`` actions instead of the value of ``stonith-timeout``. Some + for ``off`` actions instead of the value of ``fencing-timeout``. Some devices need much more or less time to complete than normal. Use this to specify an alternate, device-specific timeout. * - .. _pcmk_off_retries: .. index:: single: pcmk_off_retries pcmk_off_retries - :ref:`integer ` - 2 - *Advanced use only.* The maximum number of times to retry the ``off`` command within the timeout period. Some devices do not support multiple connections, and operations may fail if the device is busy with another task, so Pacemaker will automatically retry the operation, if there is time remaining. Use this option to alter the number of times Pacemaker retries before giving up. * - .. _pcmk_list_action: .. index:: single: pcmk_list_action pcmk_list_action - :ref:`text ` - ``list`` - *Advanced use only.* The command to send to the resource agent in order to list nodes. Some devices do not support the standard commands or may provide additional ones. Use this to specify an alternate, device-specific command. * - .. _pcmk_list_timeout: .. index:: single: pcmk_list_timeout pcmk_list_timeout - :ref:`timeout ` - 60s - *Advanced use only.* Specify an alternate timeout (in seconds) to use - for ``list`` actions instead of the value of ``stonith-timeout``. Some + for ``list`` actions instead of the value of ``fencing-timeout``. Some devices need much more or less time to complete than normal. Use this to specify an alternate, device-specific timeout. * - .. _pcmk_list_retries: .. index:: single: pcmk_list_retries pcmk_list_retries - :ref:`integer ` - 2 - *Advanced use only.* The maximum number of times to retry the ``list`` command within the timeout period. Some devices do not support multiple connections, and operations may fail if the device is busy with another task, so Pacemaker will automatically retry the operation, if there is time remaining. Use this option to alter the number of times Pacemaker retries before giving up. * - .. _pcmk_monitor_action: .. index:: single: pcmk_monitor_action pcmk_monitor_action - :ref:`text ` - ``monitor`` - *Advanced use only.* The command to send to the resource agent in order to report extended status. Some devices do not support the standard commands or may provide additional ones. Use this to specify an alternate, device-specific command. * - .. _pcmk_monitor_timeout: .. index:: single: pcmk_monitor_timeout pcmk_monitor_timeout - :ref:`timeout ` - 60s - *Advanced use only.* Specify an alternate timeout (in seconds) to use - for ``monitor`` actions instead of the value of ``stonith-timeout``. Some + for ``monitor`` actions instead of the value of ``fencing-timeout``. Some devices need much more or less time to complete than normal. Use this to specify an alternate, device-specific timeout. * - .. _pcmk_monitor_retries: .. index:: single: pcmk_monitor_retries pcmk_monitor_retries - :ref:`integer ` - 2 - *Advanced use only.* The maximum number of times to retry the ``monitor`` command within the timeout period. Some devices do not support multiple connections, and operations may fail if the device is busy with another task, so Pacemaker will automatically retry the operation, if there is time remaining. Use this option to alter the number of times Pacemaker retries before giving up. * - .. _pcmk_status_action: .. index:: single: pcmk_status_action pcmk_status_action - :ref:`text ` - ``status`` - *Advanced use only.* The command to send to the resource agent in order to report status. Some devices do not support the standard commands or may provide additional ones. Use this to specify an alternate, device-specific command. * - .. _pcmk_status_timeout: .. index:: single: pcmk_status_timeout pcmk_status_timeout - :ref:`timeout ` - 60s - *Advanced use only.* Specify an alternate timeout (in seconds) to use - for ``status`` actions instead of the value of ``stonith-timeout``. Some + for ``status`` actions instead of the value of ``fencing-timeout``. Some devices need much more or less time to complete than normal. Use this to specify an alternate, device-specific timeout. * - .. _pcmk_status_retries: .. index:: single: pcmk_status_retries pcmk_status_retries - :ref:`integer ` - 2 - *Advanced use only.* The maximum number of times to retry the ``status`` command within the timeout period. Some devices do not support multiple connections, and operations may fail if the device is busy with another task, so Pacemaker will automatically retry the operation, if there is time remaining. Use this option to alter the number of times Pacemaker retries before giving up. .. _pcmk_host_check_default: Default Check Type ################## If the user does not explicitly configure ``pcmk_host_check`` for a fence device, a default value appropriate to other configured parameters will be used: * If either ``pcmk_host_list`` or ``pcmk_host_map`` is configured, ``static-list`` will be used; * otherwise, if the fence device supports the ``list`` action, and the first attempt at using ``list`` succeeds, ``dynamic-list`` will be used; * otherwise, if the fence device supports the ``status`` action, ``status`` will be used; * otherwise, ``none`` will be used. .. index:: single: unfencing single: fencing; unfencing .. _unfencing: Unfencing ######### With fabric fencing (such as cutting network or shared disk access rather than power), it is expected that the cluster will fence the node, and then a system administrator must manually investigate what went wrong, correct any issues found, then reboot (or restart the cluster services on) the node. Once the node reboots and rejoins the cluster, some fabric fencing devices require an explicit command to restore the node's access. This capability is called *unfencing* and is typically implemented as the fence agent's ``on`` command. If any cluster resource has ``requires`` set to ``unfencing``, then that resource will not be probed or started on a node until that node has been unfenced. Fencing and Quorum ################## In general, a cluster partition may execute fencing only if the partition has -quorum, and the ``stonith-enabled`` cluster property is set to true. However, +quorum, and the ``fencing-enabled`` cluster property is set to true. However, there are exceptions: * The requirements apply only to fencing initiated by Pacemaker. If an administrator initiates fencing using the ``stonith_admin`` command, or an external application such as DLM initiates fencing using Pacemaker's C API, the requirements do not apply. * A cluster partition without quorum is allowed to fence any active member of that partition. As a corollary, this allows a ``no-quorum-policy`` of ``suicide`` to work. * If the ``no-quorum-policy`` cluster property is set to ``ignore``, then quorum is not required to execute fencing of any node. Fencing Timeouts ################ Fencing timeouts are complicated, since a single fencing operation can involve many steps, each of which may have a separate timeout. Fencing may be initiated in one of several ways: * An administrator may initiate fencing using the ``stonith_admin`` tool, which has a ``--timeout`` option (defaulting to 2 minutes) that will be used as the fence operation timeout. * An external application such as DLM may initiate fencing using the Pacemaker C API. The application will specify the fence operation timeout in this case, which might or might not be configurable by the user. * The cluster may initiate fencing itself. In this case, the - ``stonith-timeout`` cluster property (defaulting to 1 minute) will be used as + ``fencing-timeout`` cluster property (defaulting to 1 minute) will be used as the fence operation timeout. However fencing is initiated, the initiator contacts Pacemaker's fencer (``pacemaker-fenced``) to request fencing. This connection and request has its own timeout, separate from the fencing operation timeout, but usually happens very quickly. The fencer will contact all fencers in the cluster to ask what devices they have available to fence the target node. The fence operation timeout will be used as the timeout for each of these queries. Once a fencing device has been selected, the fencer will check whether any action-specific timeout has been configured for the device, to use instead of -the fence operation timeout. For example, if ``stonith-timeout`` is 60 seconds, +the fence operation timeout. For example, if ``fencing-timeout`` is 60 seconds, but the fencing device has ``pcmk_reboot_timeout`` configured as 90 seconds, then a timeout of 90 seconds will be used for reboot actions using that device. A device may have retries configured, in which case the timeout applies across all attempts. For example, if a device has ``pcmk_reboot_retries`` configured as 2, and the first reboot attempt fails, the second attempt will only have whatever time is remaining in the action timeout after subtracting how much time the first attempt used. This means that if the first attempt fails due to using the entire timeout, no further attempts will be made. There is currently no way to configure a per-attempt timeout. If more than one device is required to fence a target, whether due to failure of the first device or a fencing topology with multiple devices configured for the target, each device will have its own separate action timeout. For all of the above timeouts, the fencer will generally multiply the configured value by 1.2 to get an actual value to use, to account for time needed by the fencer's own processing. Separate from the fencer's timeouts, some fence agents have internal timeouts for individual steps of their fencing process. These agents often have parameters to configure these timeouts, such as ``login-timeout``, ``shell-timeout``, or ``power-timeout``. Many such agents also have a ``disable-timeout`` parameter to ignore their internal timeouts and just let Pacemaker handle the timeout. This causes a difference in retry behavior. If ``disable-timeout`` is not set, and the agent hits one of its internal timeouts, it will report that as a failure to Pacemaker, which can then retry. If ``disable-timeout`` is set, and Pacemaker hits a timeout for the agent, then there will be no time remaining, and no retry will be done. Fence Devices Dependent on Other Resources ########################################## In some cases, a fence device may require some other cluster resource (such as an IP address) to be active in order to function properly. This is obviously undesirable in general: fencing may be required when the depended-on resource is not active, or fencing may be required because the node running the depended-on resource is no longer responding. However, this may be acceptable under certain conditions: * The dependent fence device should not be able to target any node that is allowed to run the depended-on resource. * The depended-on resource should not be disabled during production operation. * The ``concurrent-fencing`` cluster property should be set to ``true``. Otherwise, if both the node running the depended-on resource and some node targeted by the dependent fence device need to be fenced, the fencing of the node running the depended-on resource might be ordered first, making the second fencing impossible and blocking further recovery. With concurrent fencing, the dependent fence device might fail at first due to the depended-on resource being unavailable, but it will be retried and eventually succeed once the resource is brought back up. Even under those conditions, there is one unlikely problem scenario. The DC always schedules fencing of itself after any other fencing needed, to avoid unnecessary repeated DC elections. If the dependent fence device targets the DC, and both the DC and a different node running the depended-on resource need to be fenced, the DC fencing will always fail and block further recovery. Note, however, that losing a DC node entirely causes some other node to become DC and schedule the fencing, so this is only a risk when a stop or other operation with ``on-fail`` set to ``fencing`` fails on the DC. .. index:: single: fencing; configuration Configuring Fencing ################### Higher-level tools can provide simpler interfaces to this process, but using Pacemaker command-line tools, this is how you could configure a fence device. #. Find the correct driver: .. code-block:: none # stonith_admin --list-installed .. note:: You may have to install packages to make fence agents available on your host. Searching your available packages for ``fence-`` is usually helpful. Ensure the packages providing the fence agents you require are installed on every cluster node. #. Find the required parameters associated with the device (replacing ``$AGENT_NAME`` with the name obtained from the previous step): .. code-block:: none # stonith_admin --metadata --agent $AGENT_NAME -#. Create a file called ``stonith.xml`` containing a primitive resource +#. Create a file called ``fencing.xml`` containing a primitive resource with a class of ``stonith``, a type equal to the agent name obtained earlier, and a parameter for each of the values returned in the previous step. #. If the device does not know how to fence nodes based on their uname, you may also need to set the special ``pcmk_host_map`` parameter. See :ref:`fencing-attributes` for details. #. If the device does not support the ``list`` command, you may also need to set the special ``pcmk_host_list`` and/or ``pcmk_host_check`` parameters. See :ref:`fencing-attributes` for details. #. If the device does not expect the target to be specified with the ``port`` parameter, you may also need to set the special ``pcmk_host_argument`` parameter. See :ref:`fencing-attributes` for details. #. Upload it into the CIB using cibadmin: .. code-block:: none - # cibadmin --create --scope resources --xml-file stonith.xml + # cibadmin --create --scope resources --xml-file fencing.xml -#. Set ``stonith-enabled`` to true: +#. Set ``fencing-enabled`` to true: .. code-block:: none - # crm_attribute --type crm_config --name stonith-enabled --update true + # crm_attribute --type crm_config --name fencing-enabled --update true -#. Once the stonith resource is running, you can test it by executing the +#. Once the fencing resource is running, you can test it by executing the following, replacing ``$NODE_NAME`` with the name of the node to fence (although you might want to stop the cluster on that machine first): .. code-block:: none # stonith_admin --reboot $NODE_NAME Example Fencing Configuration _____________________________ For this example, we assume we have a cluster node, ``pcmk-1``, whose IPMI controller is reachable at the IP address 192.0.2.1. The IPMI controller uses the username ``testuser`` and the password ``abc123``. #. Looking at what's installed, we may see a variety of available agents: .. code-block:: none # stonith_admin --list-installed .. code-block:: none (... some output omitted ...) fence_idrac fence_ilo3 fence_ilo4 fence_ilo5 fence_imm fence_ipmilan (... some output omitted ...) Perhaps after some reading some man pages and doing some Internet searches, we might decide ``fence_ipmilan`` is our best choice. #. Next, we would check what parameters ``fence_ipmilan`` provides: .. code-block:: none # stonith_admin --metadata -a fence_ipmilan .. code-block:: xml fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option. Fencing action IPMI Lan Auth type. Ciphersuite to use (same as ipmitool -C parameter) Hexadecimal-encoded Kg key for IPMIv2 authentication IP address or hostname of fencing device IP address or hostname of fencing device TCP/UDP port to use for connection with device Use Lanplus to improve security of connection Login name Method to fence Login password or passphrase Script to run to retrieve password Login password or passphrase Script to run to retrieve password IP address or hostname of fencing device (together with --port-as-ip) IP address or hostname of fencing device (together with --port-as-ip) Privilege level on IPMI device Bridge IPMI requests to the remote target address Login name Disable logging to stderr. Does not affect --verbose or --debug-file or logging to syslog. Verbose mode Write debug information to given file Write debug information to given file Display version information and exit Display help and exit Wait X seconds before fencing is started Path to ipmitool binary Wait X seconds for cmd prompt after login Make "port/plug" to be an alias to IP address Test X seconds for status change after ON/OFF Wait X seconds after issuing ON/OFF Wait X seconds for cmd prompt after issuing command Count of attempts to retry power on Use sudo (without password) when calling 3rd party software Use sudo (without password) when calling 3rd party software Path to sudo binary Once we've decided what parameter values we think we need, it is a good idea to run the fence agent's status action manually, to verify that our values work correctly: .. code-block:: none # fence_ipmilan --lanplus -a 192.0.2.1 -l testuser -p abc123 -o status Chassis Power is on #. Based on that, we might create a fencing resource configuration like this in - ``stonith.xml`` (or any file name, just use the same name with ``cibadmin`` + ``fencing.xml`` (or any file name, just use the same name with ``cibadmin`` later): .. code-block:: xml .. note:: Even though the man page shows that the ``action`` parameter is supported, we do not provide that in the resource configuration. Pacemaker will supply an appropriate action whenever the fence device must be used. #. In this case, we don't need to configure ``pcmk_host_map`` because ``fence_ipmilan`` ignores the target node name and instead uses its ``ip`` parameter to know how to contact the IPMI controller. #. We do need to let Pacemaker know which cluster node can be fenced by this device, since ``fence_ipmilan`` doesn't support the ``list`` action. Add a line like this to the agent's instance attributes: .. code-block:: xml #. We don't need to configure ``pcmk_host_argument`` since ``ip`` is all the fence agent needs (it ignores the target name). #. Make the configuration active: .. code-block:: none - # cibadmin --create --scope resources --xml-file stonith.xml + # cibadmin --create --scope resources --xml-file fencing.xml -#. Set ``stonith-enabled`` to true (this only has to be done once): +#. Set ``fencing-enabled`` to true (this only has to be done once): .. code-block:: none - # crm_attribute --type crm_config --name stonith-enabled --update true + # crm_attribute --type crm_config --name fencing-enabled --update true #. Since our cluster is still in testing, we can reboot ``pcmk-1`` without bothering anyone, so we'll test our fencing configuration by running this from one of the other cluster nodes: .. code-block:: none # stonith_admin --reboot pcmk-1 Then we will verify that the node did, in fact, reboot. We can repeat that process to create a separate fencing resource for each node. With some other fence device types, a single fencing resource is able to be used for all nodes. In fact, we could do that with ``fence_ipmilan``, using the ``port-as-ip`` parameter along with ``pcmk_host_map``. Either approach is fine. .. index:: single: fencing; topology single: fencing-topology single: fencing-level Fencing Topologies ################## Pacemaker supports fencing nodes with multiple devices through a feature called *fencing topologies*. Fencing topologies may be used to provide alternative devices in case one fails, or to require multiple devices to all be executed successfully in order to consider the node successfully fenced, or even a combination of the two. Create the individual devices as you normally would, then define one or more ``fencing-level`` entries in the ``fencing-topology`` section of the configuration. * Each fencing level is attempted in order of ascending ``index``. Allowed values are 1 through 9. * If a device fails, processing terminates for the current level. No further devices in that level are exercised, and the next level is attempted instead. * If the operation succeeds for all the listed devices in a level, the level is deemed to have passed. * The operation is finished when a level has passed (success), or all levels have been attempted (failed). * If the operation failed, the next step is determined by the scheduler and/or the controller. Some possible uses of topologies include: * Try on-board IPMI, then an intelligent power switch if that fails * Try fabric fencing of both disk and network, then fall back to power fencing if either fails * Wait up to a certain time for a kernel dump to complete, then cut power to the node .. list-table:: **Attributes of a fencing-level Element** :class: longtable :widths: 25 75 :header-rows: 1 * - Attribute - Description * - id - .. index:: pair: fencing-level; id A unique name for this element (required) * - target - .. index:: pair: fencing-level; target The name of a single node to which this level applies * - target-pattern - .. index:: pair: fencing-level; target-pattern An extended regular expression (as defined in `POSIX `_) matching the names of nodes to which this level applies * - target-attribute - .. index:: pair: fencing-level; target-attribute The name of a node attribute that is set (to ``target-value``) for nodes to which this level applies * - target-value - .. index:: pair: fencing-level; target-value The node attribute value (of ``target-attribute``) that is set for nodes to which this level applies * - index - .. index:: pair: fencing-level; index The order in which to attempt the levels. Levels are attempted in ascending order *until one succeeds*. Valid values are 1 through 9. * - devices - .. index:: pair: fencing-level; devices A comma-separated list of devices that must all be tried for this level .. note:: **Fencing topology with different devices for different nodes** .. code-block:: xml ... ... Example Dual-Layer, Dual-Device Fencing Topologies __________________________________________________ The following example illustrates an advanced use of ``fencing-topology`` in a cluster with the following properties: * 2 nodes (prod-mysql1 and prod-mysql2) * the nodes have IPMI controllers reachable at 192.0.2.1 and 192.0.2.2 * the nodes each have two independent Power Supply Units (PSUs) connected to two independent Power Distribution Units (PDUs) reachable at 198.51.100.1 (port 10 and port 11) and 203.0.113.1 (port 10 and port 11) * fencing via the IPMI controller uses the ``fence_ipmilan`` agent (1 fence device per controller, with each device targeting a separate node) * fencing via the PDUs uses the ``fence_apc_snmp`` agent (1 fence device per PDU, with both devices targeting both nodes) * a random delay is used to lessen the chance of a "death match" * fencing topology is set to try IPMI fencing first then dual PDU fencing if that fails In a node failure scenario, Pacemaker will first select ``fence_ipmilan`` to try to kill the faulty node. Using the fencing topology, if that method fails, it will then move on to selecting ``fence_apc_snmp`` twice (once for the first PDU, then again for the second PDU). The fence action is considered successful only if both PDUs report the required status. If any of them fails, fencing loops back to the first fencing method, ``fence_ipmilan``, and so on, until the node is fenced or the fencing action is cancelled. .. note:: **First fencing method: single IPMI device per target** Each cluster node has it own dedicated IPMI controller that can be contacted for fencing using the following primitives: .. code-block:: xml .. note:: **Second fencing method: dual PDU devices** Each cluster node also has 2 distinct power supplies controlled by 2 distinct PDUs: * Node 1: PDU 1 port 10 and PDU 2 port 10 * Node 2: PDU 1 port 11 and PDU 2 port 11 The matching fencing agents are configured as follows: .. code-block:: xml .. note:: **Fencing topology** Now that all the fencing resources are defined, it's time to create the right topology. We want to first fence using IPMI and if that does not work, fence both PDUs to effectively and surely kill the node. .. code-block:: xml In ``fencing-topology``, the lowest ``index`` value for a target determines its first fencing method. Remapping Reboots ################# -When the cluster needs to reboot a node, whether because ``stonith-action`` is +When the cluster needs to reboot a node, whether because ``fencing-action`` is ``reboot`` or because a reboot was requested externally (such as by ``stonith_admin --reboot``), it will remap that to other commands in two cases: * If the chosen fencing device does not support the ``reboot`` command, the cluster will ask it to perform ``off`` instead. * If a fencing topology level with multiple devices must be executed, the cluster will ask all the devices to perform ``off``, then ask the devices to perform ``on``. To understand the second case, consider the example of a node with redundant power supplies connected to intelligent power switches. Rebooting one switch and then the other would have no effect on the node. Turning both switches off, and then on, actually reboots the node. In such a case, the fencing operation will be treated as successful as long as the ``off`` commands succeed, because then it is safe for the cluster to recover any resources that were on the node. Timeouts and errors in the ``on`` phase will be logged but ignored. When a reboot operation is remapped, any action-specific timeout for the remapped action will be used (for example, ``pcmk_off_timeout`` will be used when executing the ``off`` command, not ``pcmk_reboot_timeout``). diff --git a/doc/sphinx/Pacemaker_Explained/local-options.rst b/doc/sphinx/Pacemaker_Explained/local-options.rst index ea754be539..0a763530d1 100644 --- a/doc/sphinx/Pacemaker_Explained/local-options.rst +++ b/doc/sphinx/Pacemaker_Explained/local-options.rst @@ -1,780 +1,780 @@ Host-Local Configuration ------------------------ .. index:: pair: XML element; configuration .. note:: Directory and file paths below may differ on your system depending on your Pacemaker build settings. Check your Pacemaker configuration file to find the correct paths. Configuration Value Types ######################### Throughout this document, configuration values will be designated as having one of the following types: .. list-table:: **Configuration Value Types** :class: longtable :widths: 25 75 :header-rows: 1 * - Type - Description * - .. _boolean: .. index:: pair: type; boolean boolean - Case-insensitive text value where ``1``, ``yes``, ``y``, ``on``, and ``true`` evaluate as true and ``0``, ``no``, ``n``, ``off``, ``false``, and unset evaluate as false * - .. _date_time: .. index:: pair: type; date/time date/time - Textual timestamp like ``Sat Dec 21 11:47:45 2013`` * - .. _duration: .. index:: pair: type; duration duration - A nonnegative time duration, specified either like a :ref:`timeout ` or an `ISO 8601 duration `_. A duration may be up to approximately 49 days but is intended for much smaller time periods. * - .. _enumeration: .. index:: pair: type; enumeration enumeration - Text that must be one of a set of defined values (which will be listed in the description) * - .. _epoch_time: .. index:: pair: type; epoch_time epoch_time - Time as the integer number of seconds since the Unix epoch, ``1970-01-01 00:00:00 +0000 (UTC)``. * - .. _id: .. index:: pair: type; id id - A text string starting with a letter or underbar, followed by any combination of letters, numbers, dashes, dots, and/or underbars; when used for a property named ``id``, the string must be unique across all ``id`` properties in the CIB * - .. _integer: .. index:: pair: type; integer integer - 32-bit signed integer value (-2,147,483,648 to 2,147,483,647) * - .. _iso8601: .. index:: pair: type; iso8601 ISO 8601 - An `ISO 8601 `_ date/time. * - .. _nonnegative_integer: .. index:: pair: type; nonnegative integer nonnegative integer - 32-bit nonnegative integer value (0 to 2,147,483,647) * - .. _percentage: .. index:: pair: type; percentage percentage - Floating-point number followed by an optional percent sign ('%') * - .. _port: .. index:: pair: type; port port - Integer TCP port number (0 to 65535) * - .. _range: .. index:: pair: type; range range - A range may be a single nonnegative integer or a dash-separated range of nonnegative integers. Either the first or last value may be omitted to leave the range open-ended. Examples: ``0``, ``3-``, ``-5``, ``4-6``. * - .. _score: .. index:: pair: type; score score - A Pacemaker score can be an integer between -1,000,000 and 1,000,000, or a string alias: ``INFINITY`` or ``+INFINITY`` is equivalent to 1,000,000, ``-INFINITY`` is equivalent to -1,000,000, and ``red``, ``yellow``, and ``green`` are equivalent to integers as described in :ref:`node-health`. * - .. _text: .. index:: pair: type; text text - A text string * - .. _timeout: .. index:: pair: type; timeout timeout - A time duration, specified as a bare number (in which case it is considered to be in seconds) or a number with a unit (``ms`` or ``msec`` for milliseconds, ``us`` or ``usec`` for microseconds, ``s`` or ``sec`` for seconds, ``m`` or ``min`` for minutes, ``h`` or ``hr`` for hours) optionally with whitespace before and/or after the number. * - .. _version: .. index:: pair: type; version version - Version number (any combination of alphanumeric characters, dots, and dashes, starting with a number). Scores ______ Scores are integral to how Pacemaker works. Practically everything from moving a resource to deciding which resource to stop in a degraded cluster is achieved by manipulating scores in some way. Scores are calculated per resource and node. Any node with a negative score for a resource can't run that resource. The cluster places a resource on the node with the highest score for it. Score addition and subtraction follow these rules: * Any value (including ``INFINITY``) - ``INFINITY`` = ``-INFINITY`` * ``INFINITY`` + any value other than ``-INFINITY`` = ``INFINITY`` .. note:: What if you want to use a score higher than 1,000,000? Typically this possibility arises when someone wants to base the score on some external metric that might go above 1,000,000. The short answer is you can't. The long answer is it is sometimes possible work around this limitation creatively. You may be able to set the score to some computed value based on the external metric rather than use the metric directly. For nodes, you can store the metric as a node attribute, and query the attribute when computing the score (possibly as part of a custom resource agent). Local Options ############# Most Pacemaker configuration is in the cluster-wide CIB, but some host-local configuration options either are needed at startup (before the CIB is read) or provide per-host overrides of cluster-wide options. These options are configured as environment variables set when Pacemaker is started, in the format ``=""``. These are typically set in a file whose location varies by OS (most commonly ``/etc/sysconfig/pacemaker`` or ``/etc/default/pacemaker``; this documentation was generated on a system using |PCMK_CONFIG_FILE|). .. list-table:: **Local Options** :class: longtable :widths: 25 15 10 50 :header-rows: 1 * - Name - Type - Default - Description * - .. _cib_pam_service: .. index:: pair: node option; CIB_pam_service CIB_pam_service - :ref:`text ` - login - PAM service to use for remote CIB client authentication (passed to ``pam_start``). * - .. _pcmk_logfacility: .. index:: pair: node option; PCMK_logfacility PCMK_logfacility - :ref:`enumeration ` - daemon - Enable logging via the system log or journal, using the specified log facility. Messages sent here are of value to all Pacemaker administrators. This can be disabled using ``none``, but that is not recommended. Allowed values: * ``none`` * ``daemon`` * ``user`` * ``local0`` * ``local1`` * ``local2`` * ``local3`` * ``local4`` * ``local5`` * ``local6`` * ``local7`` * - .. _pcmk_logpriority: .. index:: pair: node option; PCMK_logpriority PCMK_logpriority - :ref:`enumeration ` - notice - Unless system logging is disabled using ``PCMK_logfacility=none``, messages of the specified log severity and higher will be sent to the system log. The default is appropriate for most installations. Allowed values: * ``emerg`` * ``alert`` * ``crit`` * ``error`` * ``warning`` * ``notice`` * ``info`` * ``debug`` * - .. _pcmk_logfile: .. index:: pair: node option; PCMK_logfile PCMK_logfile - :ref:`text ` - |PCMK_LOG_FILE| - Unless set to ``none``, more detailed log messages will be sent to the specified file (in addition to the system log, if enabled). These messages may have extended information, and will include messages of info severity. This log is of more use to developers and advanced system administrators, and when reporting problems. Note: The default is |PCMK_CONTAINER_LOG_FILE| (inside the container) for bundled container nodes; this would typically be mapped to a different path on the host running the container. * - .. _pcmk_logfile_mode: .. index:: pair: node option; PCMK_logfile_mode PCMK_logfile_mode - :ref:`text ` - 0660 - Pacemaker will set the permissions on the detail log to this value (see ``chmod(1)``). * - .. _pcmk_debug: .. index:: pair: node option; PCMK_debug PCMK_debug - :ref:`enumeration ` - no - Whether to send debug severity messages to the detail log. This may be set for all subsystems (``yes`` or ``no``) or for specific (comma- separated) subsystems. Allowed subsystems are: * ``pacemakerd`` * ``pacemaker-attrd`` * ``pacemaker-based`` * ``pacemaker-controld`` * ``pacemaker-execd`` * ``pacemaker-fenced`` * ``pacemaker-schedulerd`` Example: ``PCMK_debug="pacemakerd,pacemaker-execd"`` * - .. _pcmk_stderr: .. index:: pair: node option; PCMK_stderr PCMK_stderr - :ref:`boolean ` - no - *Advanced Use Only:* Whether to send daemon log messages to stderr. This would be useful only during troubleshooting, when starting Pacemaker manually on the command line. Setting this option in the configuration file is pointless, since the file is not read when starting Pacemaker manually. However, it can be set directly as an environment variable on the command line. * - .. _pcmk_trace_functions: .. index:: pair: node option; PCMK_trace_functions PCMK_trace_functions - :ref:`text ` - - *Advanced Use Only:* Send debug and trace severity messages from these (comma-separated) source code functions to the detail log. Example: ``PCMK_trace_functions="func1,func2"`` * - .. _pcmk_trace_files: .. index:: pair: node option; PCMK_trace_files PCMK_trace_files - :ref:`text ` - - *Advanced Use Only:* Send debug and trace severity messages from all functions in these (comma-separated) source file names to the detail log. Example: ``PCMK_trace_files="file1.c,file2.c"`` * - .. _pcmk_trace_formats: .. index:: pair: node option; PCMK_trace_formats PCMK_trace_formats - :ref:`text ` - - *Advanced Use Only:* Send trace severity messages that are generated by these (comma-separated) format strings in the source code to the detail log. Example: ``PCMK_trace_formats="Error: %s (%d)"`` * - .. _pcmk_trace_tags: .. index:: pair: node option; PCMK_trace_tags PCMK_trace_tags - :ref:`text ` - - *Advanced Use Only:* Send debug and trace severity messages related to these (comma-separated) resource IDs to the detail log. Example: ``PCMK_trace_tags="client-ip,dbfs"`` * - .. _pcmk_blackbox: .. index:: pair: node option; PCMK_blackbox PCMK_blackbox - :ref:`enumeration ` - no - *Advanced Use Only:* Enable blackbox logging globally (``yes`` or ``no``) or by subsystem. A blackbox contains a rolling buffer of all logs (of all severities). Blackboxes are stored under |CRM_BLACKBOX_DIR| by default, by default, and their contents can be viewed using the ``qb-blackbox(8)`` command. The blackbox recorder can be enabled at start using this variable, or at runtime by sending a Pacemaker subsystem daemon process a ``SIGUSR1`` or ``SIGTRAP`` signal, and disabled by sending ``SIGUSR2`` (see ``kill(1)``). The blackbox will be written after a crash, assertion failure, or ``SIGTRAP`` signal. See :ref:`PCMK_debug ` for allowed subsystems. Example: ``PCMK_blackbox="pacemakerd,pacemaker-execd"`` * - .. _pcmk_trace_blackbox: .. index:: pair: node option; PCMK_trace_blackbox PCMK_trace_blackbox - :ref:`enumeration ` - - *Advanced Use Only:* Write a blackbox whenever the message at the specified function and line is logged. Multiple entries may be comma- separated. Example: ``PCMK_trace_blackbox="remote.c:144,remote.c:149"`` * - .. _pcmk_node_start_state: .. index:: pair: node option; PCMK_node_start_state PCMK_node_start_state - :ref:`enumeration ` - default - By default, the local host will join the cluster in an online or standby state when Pacemaker first starts depending on whether it was previously put into standby mode. If this variable is set to ``standby`` or ``online``, it will force the local host to join in the specified state. * - .. _pcmk_node_action_limit: .. index:: pair: node option; PCMK_node_action_limit PCMK_node_action_limit - :ref:`nonnegative integer ` - - If set, this overrides the :ref:`node-action-limit ` cluster option on this node to specify the maximum number of jobs that can be scheduled on this node (or 0 to use twice the number of CPU cores). * - .. _pcmk_fail_fast: .. index:: pair: node option; PCMK_fail_fast PCMK_fail_fast - :ref:`boolean ` - no - By default, if a Pacemaker subsystem crashes, the main ``pacemakerd`` process will attempt to restart it. If this variable is set to ``yes``, ``pacemakerd`` will panic the local host instead. * - .. _pcmk_panic_action: .. index:: pair: node option; PCMK_panic_action PCMK_panic_action - :ref:`enumeration ` - reboot - Pacemaker will panic the local host under certain conditions. By default, this means rebooting the host. This variable can change that behavior: if ``crash``, trigger a kernel crash (useful if you want a kernel dump to investigate); if ``sync-reboot`` or ``sync-crash``, synchronize filesystems before rebooting the host or triggering a kernel crash. The sync values are more likely to preserve log messages, but with the risk that the host may be left active if the synchronization hangs. * - .. _pcmk_remote_address: .. index:: pair: node option; PCMK_remote_address PCMK_remote_address - :ref:`text ` - - By default, if the :ref:`Pacemaker Remote ` service is run on the local node, it will listen for connections on all IP addresses. This may be set to one address to listen on instead, as a resolvable hostname or as a numeric IPv4 or IPv6 address. When resolving names or listening on all addresses, IPv6 will be preferred if available. When listening on an IPv6 address, IPv4 clients will be supported via IPv4-mapped IPv6 addresses. Example: ``PCMK_remote_address="192.0.2.1"`` * - .. _pcmk_remote_port: .. index:: pair: node option; PCMK_remote_port PCMK_remote_port - :ref:`port ` - 3121 - Use this TCP port number for :ref:`Pacemaker Remote ` node connections. This value must be the same on all nodes. * - .. _pcmk_ca_file: .. index:: pair: node option; PCMK_ca_file PCMK_ca_file - :ref:`text ` - - The location of a file containing trusted Certificate Authorities, used to verify client or server certificates. This file must be in PEM format and must be readable by Pacemaker daemons (that is, it must allow read permissions to either the |CRM_DAEMON_USER| user or the |CRM_DAEMON_GROUP| group). If set, along with :ref:`PCMK_key_file ` and :ref:`PCMK_cert_file `, X509 authentication will be enabled for :ref:`Pacemaker Remote ` and remote CIB connections. Example: ``PCMK_ca_file="/etc/pacemaker/ca.cert.pem"`` * - .. _pcmk_cert_file: .. index:: pair: node option; PCMK_cert_file PCMK_cert_file - :ref:`text ` - - The location of a file containing the signed certificate for the server side of the connection. This file must be in PEM format and must be readable by Pacemaker daemons (that is, it must allow read permissions to either the |CRM_DAEMON_USER| user or the |CRM_DAEMON_GROUP| group). If set, along with :ref:`PCMK_ca_file ` and :ref:`PCMK_key_file `, X509 authentication will be enabled for :ref:`Pacemaker Remote ` and remote CIB connections. Example: ``PCMK_cert_file="/etc/pacemaker/server.cert.pem"`` * - .. _pcmk_crl_file: .. index:: pair: node option; PCMK_crl_file PCMK_crl_file - :ref:`text ` - - The location of a Certificate Revocation List file, in PEM format. This setting is optional for X509 authentication. Example: ``PCMK_cr1_file="/etc/pacemaker/crl.pem"`` * - .. _pcmk_key_file: .. index:: pair: node option; PCMK_key_file PCMK_key_file - :ref:`text ` - - The location of a file containing the private key for the matching :ref:`PCMK_cert_file `, in PEM format. This file must be readble by Pacemaker daemons (that is, it must allow read permissions to either the |CRM_DAEMON_USER| user or the |CRM_DAEMON_GROUP| group). If set, along with :ref:`PCMK_ca_file ` and :ref:`PCMK_cert_file `, X509 authentication will be enabled for :ref:`Pacemaker Remote ` and remote CIB connections. Example: ``PCMK_key_file="/etc/pacemaker/server.key.pem"`` * - .. _pcmk_authkey_location: .. index:: pair: node option; PCMK_authkey_location PCMK_authkey_location - :ref:`text ` - |PCMK_AUTHKEY_FILE| - As an alternative to using X509 authentication for :ref:`Pacemaker Remote ` connections, use the contents of this file as the authorization key. This file must be readable by Pacemaker daemons (that is, it must allow read permissions to either the |CRM_DAEMON_USER| user or the |CRM_DAEMON_GROUP| group), and its contents must be identical on all nodes. This is an alternative to using X509 certificates. * - .. _pcmk_remote_pid1: .. index:: pair: node option; PCMK_remote_pid1 PCMK_remote_pid1 - :ref:`enumeration ` - default - *Advanced Use Only:* When a bundle resource's ``run-command`` option is left to default, :ref:`Pacemaker Remote ` runs as PID 1 in the bundle's containers. When it does so, it loads environment variables from the container's |PCMK_INIT_ENV_FILE| and performs the PID 1 responsibility of reaping dead subprocesses. This option controls whether those actions are performed when Pacemaker Remote is not running as PID 1. It is intended primarily for developer testing but can be useful when ``run-command`` is set to a separate, custom PID 1 process that launches Pacemaker Remote. * ``full``: Pacemaker Remote loads environment variables from |PCMK_INIT_ENV_FILE| and reaps dead subprocesses. * ``vars``: Pacemaker Remote loads environment variables from |PCMK_INIT_ENV_FILE| but does not reap dead subprocesses. * ``default``: Pacemaker Remote performs neither action. If Pacemaker Remote is running as PID 1, this option is ignored, and the behavior is the same as for ``full``. * - .. _pcmk_tls_priorities: .. index:: pair: node option; PCMK_tls_priorities PCMK_tls_priorities - :ref:`text ` - |PCMK__GNUTLS_PRIORITIES| - *Advanced Use Only:* These `GnuTLS cipher priorities `_ will be used for TLS connections (whether for :ref:`Pacemaker Remote ` connections or remote CIB access, when enabled). Pacemaker will append ``":+ANON-DH"`` for remote CIB access and ``":+DHE-PSK:+PSK"`` for Pacemaker Remote connections, as they are required for the respective functionality. Example: ``PCMK_tls_priorities="SECURE128:+SECURE192"`` * - .. _pcmk_dh_max_bits: .. index:: pair: node option; PCMK_dh_max_bits PCMK_dh_max_bits - :ref:`nonnegative integer ` - 0 (no maximum) - *Advanced Use Only:* Set an upper bound on the bit length of the prime number generated for Diffie-Hellman parameters needed by TLS connections. The default is no maximum. The server (:ref:`Pacemaker Remote ` daemon, or CIB manager configured to accept remote clients) will use this value to provide a ceiling for the value recommended by the GnuTLS library. The library will only accept a limited number of specific values, which vary by library version, so setting these is recommended only when required for compatibility with specific client versions. Clients do not use ``PCMK_dh_max_bits``. * - .. _pcmk_ipc_type: .. index:: pair: node option; PCMK_ipc_type PCMK_ipc_type - :ref:`enumeration ` - shared-mem - *Advanced Use Only:* Force use of a particular IPC method. Allowed values: * ``shared-mem`` * ``socket`` * ``posix`` * ``sysv`` * - .. _pcmk_cluster_type: .. index:: pair: node option; PCMK_cluster_type PCMK_cluster_type - :ref:`enumeration ` - corosync - *Advanced Use Only:* Specify the cluster layer to be used. If unset, Pacemaker will detect and use a supported cluster layer, if available. Currently, ``"corosync"`` is the only supported cluster layer. If multiple layers are supported in the future, this will allow overriding Pacemaker's automatic detection to select a specific one. * - .. _pcmk_schema_directory: .. index:: pair: node option; PCMK_schema_directory PCMK_schema_directory - :ref:`text ` - |PCMK_SCHEMA_DIR| - *Advanced Use Only:* Specify an alternate location for RNG schemas and XSL transforms. * - .. _pcmk_remote_schema_directory: .. index:: pair: node option; PCMK_remote_schema_directory PCMK_remote_schema_directory - :ref:`text ` - |PCMK__REMOTE_SCHEMA_DIR| - *Advanced Use Only:* Specify an alternate location on :ref:`Pacemaker Remote ` nodes for storing newer RNG schemas and XSL transforms fetched from the cluster. * - .. _pcmk_valgrind_enabled: .. index:: pair: node option; PCMK_valgrind_enabled PCMK_valgrind_enabled - :ref:`enumeration ` - no - *Advanced Use Only:* Whether subsystem daemons should be run under ``valgrind``. Allowed values are the same as for ``PCMK_debug``. * - .. _pcmk_callgrind_enabled: .. index:: pair: node option; PCMK_callgrind_enabled PCMK_callgrind_enabled - :ref:`enumeration ` - no - *Advanced Use Only:* Whether subsystem daemons should be run under ``valgrind`` with the ``callgrind`` tool enabled. Allowed values are the same as for ``PCMK_debug``. * - .. _sbd_sync_resource_startup: .. index:: pair: node option; SBD_SYNC_RESOURCE_STARTUP SBD_SYNC_RESOURCE_STARTUP - :ref:`boolean ` - - If true, ``pacemakerd`` waits for a ping from ``sbd`` during startup before starting other Pacemaker daemons, and during shutdown after stopping other Pacemaker daemons but before exiting. Default value is set based on the ``--with-sbd-sync-default`` configure script option. * - .. _sbd_watchdog_timeout: .. index:: pair: node option; SBD_WATCHDOG_TIMEOUT SBD_WATCHDOG_TIMEOUT - :ref:`duration ` - - - If the ``stonith-watchdog-timeout`` cluster property is set to a negative + - If the ``fencing-watchdog-timeout`` cluster property is set to a negative or invalid value, use double this value as the default if positive, or use 0 as the default otherwise. This value must be greater than the value - of ``stonith-watchdog-timeout`` if both are set. + of ``fencing-watchdog-timeout`` if both are set. * - .. _valgrind_opts: .. index:: pair: node option; VALGRIND_OPTS VALGRIND_OPTS - :ref:`text ` - - *Advanced Use Only:* Pass these options to valgrind, when enabled (see ``valgrind(1)``). ``"--vgdb=no"`` should usually be specified because ``pacemaker-execd`` can lower privileges when executing commands, which would otherwise leave a bunch of unremovable files in ``/tmp``. diff --git a/doc/sphinx/Pacemaker_Explained/operations.rst b/doc/sphinx/Pacemaker_Explained/operations.rst index 8a3c1a1955..358f41b8e5 100644 --- a/doc/sphinx/Pacemaker_Explained/operations.rst +++ b/doc/sphinx/Pacemaker_Explained/operations.rst @@ -1,701 +1,701 @@ .. index:: single: resource; action single: resource; operation .. _operation: Resource Operations ------------------- *Operations* are actions the cluster can perform on a resource by calling the resource agent. Resource agents must support certain common operations such as start, stop, and monitor, and may implement any others. Operations may be explicitly configured for two purposes: to override defaults for options (such as timeout) that the cluster will use whenever it initiates the operation, and to run an operation on a recurring basis (for example, to monitor the resource for failure). .. topic:: An OCF resource with a non-default start timeout .. code-block:: xml Pacemaker identifies operations by a combination of name and interval, so this combination must be unique for each resource. That is, you should not configure two operations for the same resource with the same name and interval. .. _operation_properties: Operation Properties #################### The ``id``, ``name``, ``interval``, and ``role`` operation properties may be specified only as XML attributes of the ``op`` element. Other operation properties may be specified in any of the following ways, from highest precedence to lowest: * directly in the ``op`` element as an XML attribute * in an ``nvpair`` element within a ``meta_attributes`` element within the ``op`` element * in an ``nvpair`` element within a ``meta_attributes`` element within :ref:`operation defaults ` If not specified, the default from the table below is used. .. list-table:: **Operation Properties** :class: longtable :widths: 17 13 30 40 :header-rows: 1 * - Name - Type - Default - Description * - .. _op_id: .. index:: pair: op; id single: id; action property single: action; property, id id - :ref:`id ` - - A unique identifier for the XML element *(required)* * - .. _op_name: .. index:: pair: op; name single: name; action property single: action; property, name name - :ref:`text ` - - An action name supported by the resource agent *(required)* * - .. _op_interval: .. index:: pair: op; interval single: interval; action property single: action; property, interval interval - :ref:`duration ` - 0 - If this is a positive value, Pacemaker will schedule recurring instances of this operation at the given interval (which makes sense only with :ref:`name ` set to :ref:`monitor `). If this is 0, Pacemaker will apply other properties configured for this operation to instances that are scheduled as needed during normal cluster operation. *(required)* * - .. _op_description: .. index:: pair: op; description single: description; action property single: action; property, description description - :ref:`text ` - - Arbitrary text for user's use (ignored by Pacemaker) * - .. _op_role: .. index:: pair: op; role single: role; action property single: action; property, role role - :ref:`enumeration ` - - If this is set, the operation configuration applies only on nodes where the cluster expects the resource to be in the specified role. This makes sense only for recurring monitors. Allowed values: ``Started``, ``Stopped``, and in the case of :ref:`promotable clone resources `, ``Unpromoted`` and ``Promoted``. * - .. _op_timeout: .. index:: pair: op; timeout single: timeout; action property single: action; property, timeout timeout - :ref:`timeout ` - 20s - If resource agent execution does not complete within this amount of time, the action will be considered failed. **Note:** timeouts for fencing agents are handled specially (see the :ref:`fencing` chapter). * - .. _op_on_fail: .. index:: pair: op; on-fail single: on-fail; action property single: action; property, on-fail on-fail - :ref:`enumeration ` - * If ``name`` is ``stop``: ``fence`` if - :ref:`stonith-enabled ` is true, otherwise ``block`` + :ref:`fencing-enabled ` is true, otherwise ``block`` * If ``name`` is ``demote``: ``on-fail`` of the ``monitor`` action with ``role`` set to ``Promoted``, if present, enabled, and configured to a value other than ``demote``, or ``restart`` otherwise * Otherwise: ``restart`` - How the cluster should respond to a failure of this action. Allowed values: * ``ignore:`` Pretend the resource did not fail * ``block:`` Do not perform any further operations on the resource * ``stop:`` Stop the resource and leave it stopped * ``demote:`` Demote the resource, without a full restart. This is valid only for ``promote`` actions, and for ``monitor`` actions with both a nonzero ``interval`` and ``role`` set to ``Promoted``; for any other action, a configuration error will be logged, and the default behavior will be used. *(since 2.0.5)* * ``restart:`` Stop the resource, and start it again if allowed (possibly on a different node) * ``fence:`` Fence the node on which the resource failed * ``standby:`` Put the node on which the resource failed in standby mode (forcing *all* resources away) * - .. _op_enabled: .. index:: pair: op; enabled single: enabled; action property single: action; property, enabled enabled - :ref:`boolean ` - true - If ``false``, ignore this operation definition. This does not suppress all actions of this type, but is typically used to pause a recurring monitor. This can complement the resource being unmanaged (:ref:`is-managed ` set to ``false``), which does not stop recurring operations. Maintenance mode, which does stop configured monitors, overrides this setting. * - .. _op_interval_origin: .. index:: pair: op; interval-origin single: interval-origin; action property single: action; property, interval-origin interval-origin - :ref:`ISO 8601 ` - - If set for a recurring action, the action will be scheduled for this time plus a multiple of the action's interval, rather than immediately after the resource gains the monitored role. For example, you might schedule an in-depth monitor to run once per day outside business hours, by setting this to the desired time (on any date) and setting ``interval`` to ``24h``. At most one of ``interval-origin`` and ``start-delay`` may be set. * - .. _op_start_delay: .. index:: pair: op; start-delay single: start-delay; action property single: action; property, start-delay start-delay - :ref:`duration ` - - If set, the cluster will wait this long before running the action (for the first time, if recurring). This is an advanced option that should generally be avoided. It can be useful for a recurring monitor if a resource agent incorrectly returns success from start before the service is actually ready, and the agent can't be corrected, or for a start action if a service takes a very long time to start, and you don't want to block the cluster from responding to other events during that time. If this delay is longer than 5 minutes, the cluster will pretend that the action succeeded when it is first scheduled for the purpose of other actions needed, then act on the result when it actually runs. At most one of ``interval-origin`` and ``start-delay`` may be set. * - .. _op_record_pending: .. index:: pair: op; record-pending single: record-pending; action property single: action; property, record-pending record-pending - :ref:`boolean ` - true - Operation results are always recorded when the operation completes (successful or not). If this is ``true``, operations will also be recorded when initiated, so that status output can indicate that the operation is in progress. *(deprecated since 3.0.0)* .. note:: Only one action can be configured for any given combination of ``name`` and ``interval``. .. note:: When ``on-fail`` is set to ``demote``, recovery from failure by a successful demote causes the cluster to recalculate whether and where a new instance should be promoted. The node with the failure is eligible, so if promotion scores have not changed, it will be promoted again. There is no direct equivalent of ``migration-threshold`` for the promoted role, but the same effect can be achieved with a location constraint using a :ref:`rule ` with a node attribute expression for the resource's fail count. For example, to immediately ban the promoted role from a node with any failed promote or promoted instance monitor: .. code-block:: xml This example assumes that there is a promotable clone of the ``my_primitive`` resource (note that the primitive name, not the clone name, is used in the rule), and that there is a recurring 10-second-interval monitor configured for the promoted role (fail count attributes specify the interval in milliseconds). .. _s-resource-monitoring: Monitoring Resources for Failure ################################ When Pacemaker first starts a resource, it runs one-time ``monitor`` operations (referred to as *probes*) to ensure the resource is running where it's supposed to be, and not running where it's not supposed to be. (This behavior can be affected by the ``resource-discovery`` location constraint property.) Other than those initial probes, Pacemaker will *not* (by default) check that the resource continues to stay healthy [#]_. You must configure ``monitor`` operations explicitly to perform these checks. .. topic:: An OCF resource with a recurring health check .. code-block:: xml By default, a ``monitor`` operation will ensure that the resource is running where it is supposed to. The ``target-role`` property can be used for further checking. For example, if a resource has one ``monitor`` operation with ``interval=10 role=Started`` and a second ``monitor`` operation with ``interval=11 role=Stopped``, the cluster will run the first monitor on any nodes it thinks *should* be running the resource, and the second monitor on any nodes that it thinks *should not* be running the resource (for the truly paranoid, who want to know when an administrator manually starts a service by mistake). .. note:: Currently, monitors with ``role=Stopped`` are not implemented for :ref:`clone ` resources. Custom Recurring Operations ########################### Typically, only ``monitor`` operations should be configured as recurring. However, it is possible to implement a custom action name in an OCF agent and then configure that as a recurring operation. This could be useful, for example, to run a report, rotate a log, or clean temporary files related to a particular service. Failures of custom recurring operations will be ignored by the cluster and will not be reported in cluster status *(since 3.0.0; previously, they would be treated like failed monitors)*. A fail count and last failure timestamp will be recorded as transient node attributes, and those node attributes will be erased by the ``crm_resource --cleanup`` command. .. _s-operation-defaults: Setting Global Defaults for Operations ###################################### You can change the global default values for operation properties in a given cluster. These are defined in an ``op_defaults`` section of the CIB's ``configuration`` section, and can be set with ``crm_attribute``. For example, .. code-block:: none # crm_attribute --type op_defaults --name timeout --update 20s would default each operation's ``timeout`` to 20 seconds. If an operation's definition also includes a value for ``timeout``, then that value would be used for that operation instead. When Implicit Operations Take a Long Time ######################################### The cluster will always perform a number of implicit operations: ``start``, ``stop`` and a non-recurring ``monitor`` operation used at startup to check whether the resource is already active. If one of these is taking too long, then you can create an entry for them and specify a longer timeout. .. topic:: An OCF resource with custom timeouts for its implicit actions .. code-block:: xml Multiple Monitor Operations ########################### Provided no two operations (for a single resource) have the same name and interval, you can have as many ``monitor`` operations as you like. In this way, you can do a superficial health check every minute and progressively more intense ones at higher intervals. To tell the resource agent what kind of check to perform, you need to provide each monitor with a different value for a common parameter. The OCF standard creates a special parameter called ``OCF_CHECK_LEVEL`` for this purpose and dictates that it is "made available to the resource agent without the normal ``OCF_RESKEY`` prefix". Whatever name you choose, you can specify it by adding an ``instance_attributes`` block to the ``op`` tag. It is up to each resource agent to look for the parameter and decide how to use it. .. topic:: An OCF resource with two recurring health checks, performing different levels of checks specified via ``OCF_CHECK_LEVEL``. .. code-block:: xml Disabling a Monitor Operation ############################# The easiest way to stop a recurring monitor is to just delete it. However, there can be times when you only want to disable it temporarily. In such cases, simply add ``enabled=false`` to the operation's definition. .. topic:: Example of an OCF resource with a disabled health check .. code-block:: xml This can be achieved from the command line by executing: .. code-block:: none # cibadmin --modify --xml-text '' Once you've done whatever you needed to do, you can then re-enable it with .. code-block:: none # cibadmin --modify --xml-text '' .. index:: single: resource; failure recovery single: operation; failure recovery .. _failure-handling: Handling Resource Failure ######################### By default, Pacemaker will attempt to recover failed resources by restarting them. However, failure recovery is highly configurable. .. index:: single: resource; failure count single: operation; failure count Failure Counts ______________ Pacemaker tracks resource failures for each combination of node, resource, and operation (start, stop, monitor, etc.). You can query the fail count for a particular node, resource, and/or operation using the ``crm_failcount`` command. For example, to see how many times the 10-second monitor for ``myrsc`` has failed on ``node1``, run: .. code-block:: none # crm_failcount --query -r myrsc -N node1 -n monitor -I 10s If you omit the node, ``crm_failcount`` will use the local node. If you omit the operation and interval, ``crm_failcount`` will display the sum of the fail counts for all operations on the resource. You can use ``crm_resource --cleanup`` or ``crm_failcount --delete`` to clear fail counts. For example, to clear the above monitor failures, run: .. code-block:: none # crm_resource --cleanup -r myrsc -N node1 -n monitor -I 10s If you omit the resource, ``crm_resource --cleanup`` will clear failures for all resources. If you omit the node, it will clear failures on all nodes. If you omit the operation and interval, it will clear the failures for all operations on the resource. .. note:: Even when cleaning up only a single operation, all failed operations will disappear from the status display. This allows us to trigger a re-check of the resource's current status. Higher-level tools may provide other commands for querying and clearing fail counts. The ``crm_mon`` tool shows the current cluster status, including any failed operations. To see the current fail counts for any failed resources, call ``crm_mon`` with the ``--failcounts`` option. This shows the fail counts per resource (that is, the sum of any operation fail counts for the resource). .. index:: single: migration-threshold; resource meta-attribute single: resource; migration-threshold Failure Response ________________ Normally, if a running resource fails, pacemaker will try to stop it and start it again. Pacemaker will choose the best location to start it each time, which may be the same node that it failed on. However, if a resource fails repeatedly, it is possible that there is an underlying problem on that node, and you might desire trying a different node in such a case. Pacemaker allows you to set your preference via the ``migration-threshold`` resource meta-attribute. [#]_ If you define ``migration-threshold`` to *N* for a resource, it will be banned from the original node after *N* failures there. .. note:: The ``migration-threshold`` is per *resource*, even though fail counts are tracked per *operation*. The operation fail counts are added together to compare against the ``migration-threshold``. By default, fail counts remain until manually cleared by an administrator using ``crm_resource --cleanup`` or ``crm_failcount --delete`` (hopefully after first fixing the failure's cause). It is possible to have fail counts expire automatically by setting the ``failure-timeout`` resource meta-attribute. .. important:: A successful operation does not clear past failures. If a recurring monitor operation fails once, succeeds many times, then fails again days later, its fail count is 2. Fail counts are cleared only by manual intervention or failure timeout. For example, setting ``migration-threshold`` to 2 and ``failure-timeout`` to ``60s`` would cause the resource to move to a new node after 2 failures, and allow it to move back (depending on stickiness and constraint scores) after one minute. .. note:: ``failure-timeout`` is measured since the most recent failure. That is, older failures do not individually time out and lower the fail count. Instead, all failures are timed out simultaneously (and the fail count is reset to 0) if there is no new failure for the timeout period. There are two exceptions to the migration threshold: when a resource either fails to start or fails to stop. If the cluster property ``start-failure-is-fatal`` is set to ``true`` (which is the default), start failures cause the fail count to be set to ``INFINITY`` and thus always cause the resource to move immediately. Stop failures are slightly different and crucial. If a resource fails to stop and fencing is enabled, then the cluster will fence the node in order to be able to start the resource elsewhere. If fencing is disabled, then the cluster has no way to continue and will not try to start the resource elsewhere, but will try to stop it again after any failure timeout or clearing. .. index:: single: reload single: reload-agent Reloading an Agent After a Definition Change ############################################ The cluster automatically detects changes to the configuration of active resources. The cluster's normal response is to stop the service (using the old definition) and start it again (with the new definition). This works, but some resource agents are smarter and can be told to use a new set of options without restarting. To take advantage of this capability, the resource agent must: * Implement the ``reload-agent`` action. What it should do depends completely on your application! .. note:: Resource agents may also implement a ``reload`` action to make the managed service reload its own *native* configuration. This is different from ``reload-agent``, which makes effective changes in the resource's *Pacemaker* configuration (specifically, the values of the agent's reloadable parameters). * Advertise the ``reload-agent`` operation in the ``actions`` section of its meta-data. * Set the ``reloadable`` attribute to 1 in the ``parameters`` section of its meta-data for any parameters eligible to be reloaded after a change. Once these requirements are satisfied, the cluster will automatically know to reload the resource (instead of restarting) when a reloadable parameter changes. .. note:: Metadata will not be re-read unless the resource needs to be started. If you edit the agent of an already active resource to set a parameter reloadable, the resource may restart the first time the parameter value changes. .. note:: If both a reloadable and non-reloadable parameter are changed simultaneously, the resource will be restarted. .. _live-migration: Migrating Resources ################### Normally, when the cluster needs to move a resource, it fully restarts the resource (that is, it stops the resource on the current node and starts it on the new node). However, some types of resources, such as many virtual machines, are able to move to another location without loss of state (often referred to as live migration or hot migration). In pacemaker, this is called live migration. Pacemaker can be configured to migrate a resource when moving it, rather than restarting it. Not all resources are able to migrate; see the :ref:`migration checklist ` below. Even those that can, won't do so in all situations. Conceptually, there are two requirements from which the other prerequisites follow: * The resource must be active and healthy at the old location; and * everything required for the resource to run must be available on both the old and new locations. The cluster is able to accommodate both *push* and *pull* migration models by requiring the resource agent to support two special actions: ``migrate_to`` (performed on the current location) and ``migrate_from`` (performed on the destination). In push migration, the process on the current location transfers the resource to the new location where is it later activated. In this scenario, most of the work would be done in the ``migrate_to`` action and, if anything, the activation would occur during ``migrate_from``. Conversely for pull, the ``migrate_to`` action is practically empty and ``migrate_from`` does most of the work, extracting the relevant resource state from the old location and activating it. There is no wrong or right way for a resource agent to implement migration, as long as it works. .. _migration_checklist: .. topic:: Migration Checklist * The resource may not be a clone. * The resource agent standard must be OCF. * The resource must not be in a failed or degraded state. * The resource agent must support ``migrate_to`` and ``migrate_from`` actions, and advertise them in its meta-data. * The resource must have the ``allow-migrate`` meta-attribute set to ``true`` (which is not the default). If an otherwise migratable resource depends on another resource via an ordering constraint, there are special situations in which it will be restarted rather than migrated. For example, if the resource depends on a clone, and at the time the resource needs to be moved, the clone has instances that are stopping and instances that are starting, then the resource will be restarted. The scheduler is not yet able to model this situation correctly and so takes the safer (if less optimal) path. Also, if a migratable resource depends on a non-migratable resource, and both need to be moved, the migratable resource will be restarted. .. rubric:: Footnotes .. [#] Currently, anyway. Automatic monitoring operations may be added in a future version of Pacemaker. .. [#] The naming of this option was perhaps unfortunate as it is easily confused with live migration, the process of moving a resource from one node to another without stopping it. Xen virtual guests are the most common example of resources that can be migrated in this manner. diff --git a/doc/sphinx/Pacemaker_Explained/resources.rst b/doc/sphinx/Pacemaker_Explained/resources.rst index 6d812fe6a6..ed3d64e57d 100644 --- a/doc/sphinx/Pacemaker_Explained/resources.rst +++ b/doc/sphinx/Pacemaker_Explained/resources.rst @@ -1,832 +1,832 @@ .. _resource: Resources --------- .. _s-resource-primitive: .. index:: single: resource A *resource* is a service managed by Pacemaker. The simplest type of resource, a *primitive*, is described in this chapter. More complex forms, such as groups and clones, are described in later chapters. Every primitive has a *resource agent* that provides Pacemaker a standardized interface for managing the service. This allows Pacemaker to be agnostic about the services it manages. Pacemaker doesn't need to understand how the service works because it relies on the resource agent to do the right thing when asked. Every resource has a *standard* (also called *class*) specifying the interface that its resource agent follows, and a *type* identifying the specific service being managed. .. _s-resource-supported: .. index:: single: resource; standard Resource Standards ################## Pacemaker can use resource agents complying with these standards, described in more detail below: * ocf * lsb * systemd * service * stonith Support for some standards is controlled by build options and so might not be available in any particular build of Pacemaker. The command ``crm_resource --list-standards`` will show which standards are supported by the local build. .. index:: single: resource; OCF single: OCF; resources single: Open Cluster Framework; resources Open Cluster Framework ______________________ The Open Cluster Framework (OCF) Resource Agent API is a ClusterLabs standard for managing services. It is the most preferred since it is specifically designed for use in a Pacemaker cluster. OCF agents are scripts that support a variety of actions including ``start``, ``stop``, and ``monitor``. They may accept parameters, making them more flexible than other standards. The number and purpose of parameters is left to the agent, which advertises them via the ``meta-data`` action. Unlike other standards, OCF agents have a *provider* as well as a standard and type. For more information, see the "Resource Agents" chapter of *Pacemaker Administration* and the `OCF standard `_. .. _s-resource-supported-systemd: .. index:: single: Resource; Systemd single: Systemd; resources Systemd _______ Most Linux distributions use `Systemd `_ for system initialization and service management. *Unit files* specify how to manage services and are usually provided by the distribution. Pacemaker can manage systemd units of type service, socket, mount, timer, or path. Simply create a resource with ``systemd`` as the resource standard and the unit file name as the resource type. Do *not* run ``systemctl enable`` on the unit. .. important:: Make sure that any systemd services to be controlled by the cluster are *not* enabled to start at boot. .. index:: single: resource; LSB single: LSB; resources single: Linux Standard Base; resources Linux Standard Base ___________________ *LSB* resource agents, also known as `SysV-style `_, are scripts that provide start, stop, and status actions for a service. They are provided by some operating system distributions. If a full path is not given, they are assumed to be located in a directory specified when your Pacemaker software was built (usually ``/etc/init.d``). In order to be used with Pacemaker, they must conform to the `LSB specification `_ as it relates to init scripts. .. warning:: Some LSB scripts do not fully comply with the standard. For details on how to check whether your script is LSB-compatible, see the "Resource Agents" chapter of `Pacemaker Administration`. Common problems include: * Not implementing the ``status`` action * Not observing the correct exit status codes * Starting a started resource returns an error * Stopping a stopped resource returns an error .. important:: Make sure the host is *not* configured to start any LSB services at boot that will be controlled by the cluster. .. index:: single: Resource; System Services single: System Service; resources System Services _______________ Since there is more than one type of system service (``systemd`` and ``lsb``), Pacemaker supports a special ``service`` alias which intelligently figures out which one applies to a given cluster node. This is particularly useful when the cluster contains a mix of ``systemd`` and ``lsb``. If the ``service`` standard is specified, Pacemaker will try to find the named service as an LSB init script, and if none exists, a systemd unit file. .. index:: single: Resource; STONITH single: STONITH; resources STONITH _______ The ``stonith`` standard is used for managing fencing devices, discussed later in :ref:`fencing`. .. _primitive-resource: Resource Properties ################### These values tell the cluster which resource agent to use for the resource, where to find that resource agent and what standards it conforms to. .. list-table:: **Properties of a Primitive Resource** :widths: 25 75 :header-rows: 1 * - Field - Description * - id - .. index:: single: id; resource single: resource; property, id Your name for the resource * - class - .. index:: single: class; resource single: resource; property, class The standard the resource agent conforms to. Allowed values: ``lsb``, ``ocf``, ``service``, ``stonith``, and ``systemd`` * - description - .. index:: single: description; resource single: resource; property, description Arbitrary text for user's use (ignored by Pacemaker) * - type - .. index:: single: type; resource single: resource; property, type The name of the Resource Agent you wish to use. E.g. ``IPaddr`` or ``Filesystem`` * - provider - .. index:: single: provider; resource single: resource; property, provider The OCF spec allows multiple vendors to supply the same resource agent. To use the OCF resource agents supplied by the Heartbeat project, you would specify ``heartbeat`` here. The XML definition of a resource can be queried with the **crm_resource** tool. For example: .. code-block:: none # crm_resource --resource Email --query-xml might produce: .. topic:: A system resource definition .. code-block:: xml .. note:: One of the main drawbacks to system services (lsb and systemd) is that they do not allow parameters .. topic:: An OCF resource definition .. code-block:: xml .. _resource_options: Resource Options ################ Resources have two types of options: *meta-attributes* and *instance attributes*. Meta-attributes apply to any type of resource, while instance attributes are specific to each resource agent. Resource Meta-Attributes ________________________ Meta-attributes are used by the cluster to decide how a resource should behave and can be easily set using the ``--meta`` option of the **crm_resource** command. .. list-table:: **Meta-Attributes of a Primitive Resource** :class: longtable :widths: 20 15 20 45 :header-rows: 1 * - Name - Type - Default - Description * - .. _meta_priority: .. index:: single: priority; resource option single: resource; option, priority priority - :ref:`score ` - 0 - If not all resources can be active, the cluster will stop lower-priority resources in order to keep higher-priority ones active. * - .. _meta_critical: .. index:: single: critical; resource option single: resource; option, critical critical - :ref:`boolean ` - true - Use this value as the default for ``influence`` in all :ref:`colocation constraints ` involving this resource, as well as in the implicit colocation constraints created if this resource is in a :ref:`group `. For details, see :ref:`s-coloc-influence`. *(since 2.1.0)* * - .. _meta_target_role: .. index:: single: target-role; resource option single: resource; option, target-role target-role - :ref:`enumeration ` - Started - What state should the cluster attempt to keep this resource in? Allowed values: * ``Stopped:`` Force the resource to be stopped * ``Started:`` Allow the resource to be started (and in the case of :ref:`promotable ` clone resources, promoted if appropriate) * ``Unpromoted:`` Allow the resource to be started, but only in the unpromoted role if the resource is :ref:`promotable ` * ``Promoted:`` Equivalent to ``Started`` * - .. _meta_is_managed: .. _is_managed: .. index:: single: is-managed; resource option single: resource; option, is-managed is-managed - :ref:`boolean ` - true - If false, the cluster will not start, stop, promote, or demote the resource on any node. Recurring actions for the resource are unaffected. Maintenance mode overrides this setting. * - .. _meta_maintenance: .. _rsc_maintenance: .. index:: single: maintenance; resource option single: resource; option, maintenance maintenance - :ref:`boolean ` - false - If true, the cluster will not start, stop, promote, or demote the resource on any node, and will pause any recurring monitors (except those specifying ``role`` as ``Stopped``). If true, the :ref:`maintenance-mode ` cluster option or :ref:`maintenance ` node attribute overrides this. * - .. _meta_resource_stickiness: .. _resource-stickiness: .. index:: single: resource-stickiness; resource option single: resource; option, resource-stickiness resource-stickiness - :ref:`score ` - 1 for individual clone instances, 0 for all other resources - A score that will be added to the current node when a resource is already active. This allows running resources to stay where they are, even if they would be placed elsewhere if they were being started from a stopped state. * - .. _meta_requires: .. _requires: .. index:: single: requires; resource option single: resource; option, requires requires - :ref:`enumeration ` - ``quorum`` for resources with a ``class`` of ``stonith``, otherwise ``unfencing`` if unfencing is active in the cluster, otherwise - ``fencing`` if ``stonith-enabled`` is true, otherwise ``quorum`` + ``fencing`` if ``fencing-enabled`` is true, otherwise ``quorum`` - Conditions under which the resource can be started. Allowed values: * ``nothing:`` The cluster can always start this resource. * ``quorum:`` The cluster can start this resource only if a majority of the configured nodes are active. * ``fencing:`` The cluster can start this resource only if a majority of the configured nodes are active *and* any failed or unknown nodes have been :ref:`fenced `. * ``unfencing:`` The cluster can only start this resource if a majority of the configured nodes are active *and* any failed or unknown nodes have been fenced *and* only on nodes that have been :ref:`unfenced `. * - .. _meta_migration_threshold: .. index:: single: migration-threshold; resource option single: resource; option, migration-threshold migration-threshold - :ref:`score ` - INFINITY - How many failures may occur for this resource on a node, before this node is marked ineligible to host this resource. A value of 0 indicates that this feature is disabled (the node will never be marked ineligible); by contrast, the cluster treats ``INFINITY`` (the default) as a very large but finite number. This option has an effect only if the failed operation specifies ``on-fail`` as ``restart`` (the default), and additionally for failed ``start`` operations, if the cluster property ``start-failure-is-fatal`` is ``false``. * - .. _meta_failure_timeout: .. index:: single: failure-timeout; resource option single: resource; option, failure-timeout failure-timeout - :ref:`duration ` - 0 - Ignore previously failed resource actions after this much time has passed without new failures (potentially allowing the resource back to the node on which it failed, if it previously reached its ``migration-threshold`` there). A value of 0 indicates that failures do not expire. **WARNING:** If this value is low, and pending cluster activity prevents the cluster from responding to a failure within that time, then the failure will be ignored completely and will not cause recovery of the resource, even if a recurring action continues to report failure. It should be at least greater than the longest :ref:`action timeout ` for all resources in the cluster. A value in hours or days is reasonable. * - .. _meta_multiple_active: .. index:: single: multiple-active; resource option single: resource; option, multiple-active multiple-active - :ref:`enumeration ` - stop_start - What should the cluster do if it ever finds the resource active on more than one node? Allowed values: * ``block``: mark the resource as unmanaged * ``stop_only``: stop all active instances and leave them that way * ``stop_start``: stop all active instances and start the resource in one location only * ``stop_unexpected``: stop all active instances except where the resource should be active (this should be used only when extra instances are not expected to disrupt existing instances, and the resource agent's monitor of an existing instance is capable of detecting any problems that could be caused; note that any resources ordered after this will still need to be restarted) *(since 2.1.3)* * - .. _meta_allow_migrate: .. index:: single: allow-migrate; resource option single: resource; option, allow-migrate allow-migrate - :ref:`boolean ` - true for ``ocf:pacemaker:remote`` resources, false otherwise - Whether the cluster should try to "live migrate" this resource when it needs to be moved (see :ref:`live-migration`) * - .. _meta_allow_unhealthy_nodes: .. index:: single: allow-unhealthy-nodes; resource option single: resource; option, allow-unhealthy-nodes allow-unhealthy-nodes - :ref:`boolean ` - false - Whether the resource should be able to run on a node even if the node's health score would otherwise prevent it (see :ref:`node-health`) *(since 2.1.3)* * - .. _meta_container_attribute_target: .. index:: single: container-attribute-target; resource option single: resource; option, container-attribute-target container-attribute-target - :ref:`enumeration ` - - Specific to bundle resources; see :ref:`s-bundle-attributes` As an example of setting resource options, if you performed the following commands on an LSB Email resource: .. code-block:: none # crm_resource --meta --resource Email --set-parameter priority --parameter-value 100 # crm_resource -m -r Email -p multiple-active -v block the resulting resource definition might be: .. topic:: An LSB resource with cluster options .. code-block:: xml In addition to the cluster-defined meta-attributes described above, you may also configure arbitrary meta-attributes of your own choosing. Most commonly, this would be done for use in :ref:`rules `. For example, an IT department might define a custom meta-attribute to indicate which company department each resource is intended for. To reduce the chance of name collisions with cluster-defined meta-attributes added in the future, it is recommended to use a unique, organization-specific prefix for such attributes. .. _s-resource-defaults: Setting Global Defaults for Resource Meta-Attributes ____________________________________________________ To set a default value for a resource option, add it to the ``rsc_defaults`` section with ``crm_attribute``. For example, .. code-block:: none # crm_attribute --type rsc_defaults --name is-managed --update false would prevent the cluster from starting or stopping any of the resources in the configuration (unless of course the individual resources were specifically enabled by having their ``is-managed`` set to ``true``). Resource Instance Attributes ____________________________ The resource agents of some resource standards (lsb and systemd *not* among them) can be given parameters which determine how they behave and which instance of a service they control. If your resource agent supports parameters, you can add them with the ``crm_resource`` command. For example, .. code-block:: none # crm_resource --resource Public-IP --set-parameter ip --parameter-value 192.0.2.2 would create an entry in the resource like this: .. topic:: An example OCF resource with instance attributes .. code-block:: xml For an OCF resource, the result would be an environment variable called ``OCF_RESKEY_ip`` with a value of ``192.0.2.2``. The list of instance attributes supported by an OCF resource agent can be found by calling the resource agent with the ``meta-data`` command. The output contains an XML description of all the supported attributes, their purpose and default values. .. topic:: Displaying the metadata for the Dummy resource agent template .. code-block:: none # export OCF_ROOT=/usr/lib/ocf # $OCF_ROOT/resource.d/pacemaker/Dummy meta-data .. code-block:: xml 1.1 This is a dummy OCF resource agent. It does absolutely nothing except keep track of whether it is running or not, and can be configured so that actions fail or take a long time. Its purpose is primarily for testing, and to serve as a template for resource agent writers. Example stateless resource agent Location to store the resource state in. State file Fake password field Password Fake attribute that can be changed to cause a reload Fake attribute that can be changed to cause a reload Number of seconds to sleep during operations. This can be used to test how the cluster reacts to operation timeouts. Operation sleep duration in seconds. Start, migrate_from, and reload-agent actions will return failure if running on the host specified here, but the resource will run successfully anyway (future monitor calls will find it running). This can be used to test on-fail=ignore. Report bogus start failure on specified host If this is set, the environment will be dumped to this file for every call. Environment dump file Pacemaker Remote Resources ########################## :ref:`Pacemaker Remote ` nodes are defined by resources. .. _remote_nodes: .. index:: single: node; remote single: Pacemaker Remote; remote node single: remote node Remote nodes ____________ A remote node is defined by a connection resource using the special, built-in **ocf:pacemaker:remote** resource agent. .. list-table:: **ocf:pacemaker:remote Instance Attributes** :class: longtable :widths: 25 10 15 50 :header-rows: 1 * - Name - Type - Default - Description * - .. _remote_server: .. index:: pair: remote node; server server - :ref:`text ` - resource ID - Hostname or IP address used to connect to the remote node. The remote executor on the remote node must be configured to accept connections on this address. * - .. _remote_port: .. index:: pair: remote node; port port - :ref:`port ` - 3121 - TCP port on the remote node used for its Pacemaker Remote connection. The remote executor on the remote node must be configured to listen on this port. * - .. _remote_reconnect_interval: .. index:: pair: remote node; reconnect_interval reconnect_interval - :ref:`duration ` - 0 - If positive, the cluster will attempt to reconnect to a remote node at this interval after an active connection has been lost. Otherwise, the cluster will attempt to reconnect immediately (after any fencing, if needed). .. _guest_nodes: .. index:: single: node; guest single: Pacemaker Remote; guest node single: guest node Guest Nodes ___________ When configuring a virtual machine as a guest node, the virtual machine is created using one of the usual resource agents for that purpose (for example, **ocf:heartbeat:VirtualDomain** or **ocf:heartbeat:Xen**), with additional meta-attributes. No restrictions are enforced on what agents may be used to create a guest node, but obviously the agent must create a distinct environment capable of running the remote executor and cluster resources. An additional requirement is that fencing the node hosting the guest node resource must be sufficient for ensuring the guest node is stopped. This means that not all hypervisors supported by **VirtualDomain** may be used to create guest nodes; if the guest can survive the hypervisor being fenced, it is unsuitable for use as a guest node. .. list-table:: **Guest Node Meta-Attributes** :class: longtable :widths: 25 10 20 45 :header-rows: 1 * - Name - Type - Default - Description * - .. _meta_remote_node: .. index:: single: remote-node; resource option single: resource; option, remote-node remote-node - :ref:`text ` - - If specified, this resource defines a guest node using this node name. The guest must be configured to run the remote executor when it is started. This value *must not* be the same as any resource or node ID. * - .. _meta_remote_addr: .. index:: single: remote-addr; resource option single: resource; option, remote-addr remote-addr - :ref:`text ` - value of ``remote-node`` - If ``remote-node`` is specified, the hostname or IP address used to connect to the guest. The remote executor on the guest must be configured to accept connections on this address. * - .. _meta_remote_port: .. index:: single: remote-port; resource option single: resource; option, remote-port remote-port - :ref:`port ` - 3121 - If ``remote-node`` is specified, the port on the guest used for its Pacemaker Remote connection. The remote executor on the guest must be configured to listen on this port. * - .. _meta_remote_connect_timeout: .. index:: single: remote-connect-timeout; resource option single: resource; option, remote-connect-timeout remote-connect-timeout - :ref:`timeout ` - 60s - If ``remote-node`` is specified, how long before a pending guest connection will time out. * - .. _meta_remote_allow_migrate: .. index:: single: remote-allow-migrate; resource option single: resource; option, remote-allow-migrate remote-allow-migrate - :ref:`boolean ` - true - If ``remote-node`` is specified, this acts as the ``allow-migrate`` meta-attribute for its implicitly created remote connection resource (``ocf:pacemaker:remote``). Removing Pacemaker Remote Nodes _______________________________ If the resource creating a remote node connection or guest node is removed from the configuration, status output may continue to show the affected node (as offline). If you want to get rid of that output, run the following command, replacing ``$NODE_NAME`` appropriately: .. code-block:: none # crm_node --force --remove $NODE_NAME .. WARNING:: Be absolutely sure that there are no references to the node's resource in the configuration before running the above command. diff --git a/doc/sphinx/Pacemaker_Explained/rules.rst b/doc/sphinx/Pacemaker_Explained/rules.rst index 35587d3066..327dee213f 100644 --- a/doc/sphinx/Pacemaker_Explained/rules.rst +++ b/doc/sphinx/Pacemaker_Explained/rules.rst @@ -1,1218 +1,1218 @@ .. index:: single: rule .. _rules: Rules ----- Rules make a configuration more dynamic, allowing values to depend on conditions such as time of day or the value of a node attribute. For example, rules can: * Set a higher value for :ref:`resource-stickiness ` during working hours to minimize downtime, and a lower value on weekends to allow resources to move to their most preferred locations when people aren't around * Automatically place the cluster into maintenance mode during a scheduled maintenance window * Restrict a particular department's resources to run on certain nodes, as determined by custom resource meta-attributes and node attributes .. index:: pair: rule; XML element pair: rule; options Rule Options ############ Each context that supports rules may contain a single ``rule`` element. .. list-table:: **Attributes of a rule Element** :class: longtable :widths: 15 15 10 60 :header-rows: 1 * - Name - Type - Default - Description * - .. _rule_id: .. index:: pair: rule; id id - :ref:`id ` - - A unique name for this element (required) * - .. _boolean_op: .. index:: pair: rule; boolean-op boolean-op - :ref:`enumeration ` - ``and`` - How to combine conditions if this rule contains more than one. Allowed values: * ``and``: the rule is satisfied only if all conditions are satisfied * ``or``: the rule is satisfied if any condition is satisfied .. _rule_conditions: .. index:: single: rule; conditions single: rule; contexts Rule Conditions and Contexts ############################ A ``rule`` element must contain one or more conditions. A condition is any of the following, which will be described in more detail later: * a :ref:`date/time expression ` * a :ref:`node attribute expression ` * a :ref:`resource type expression ` * an :ref:`operation type expression ` * another ``rule`` (allowing for complex combinations of conditions) Each type of condition is allowed only in certain contexts. Although any given context may contain only one ``rule`` element, that element may contain any number of conditions, including other ``rule`` elements. Rules may be used in the following contexts, which also will be described in more detail later: * a :ref:`location constraint ` * a :ref:`cluster_property_set ` element (within the ``crm_config`` element) * an :ref:`instance_attributes ` element (within an ``alert``, ``bundle``, ``clone``, ``group``, ``node``, ``op``, ``primitive``, ``recipient``, or ``template`` element) * a :ref:`meta_attributes ` element (within an ``alert``, ``bundle``, ``clone``, ``group``, ``op``, ``op_defaults``, ``primitive``, ``recipient``, ``rsc_defaults``, or ``template`` element) * a :ref:`utilization ` element (within a ``node``, ``primitive``, or ``template`` element) .. _date_expression: .. index:: single: rule; date/time expression pair: XML element; date_expression Date/Time Expressions ##################### The ``date_expression`` element configures a rule condition based on the current date and time. It is allowed in rules in any context. It may contain a ``date_spec`` or ``duration`` element depending on the ``operation`` as described below. .. list-table:: **Attributes of a date_expression Element** :class: longtable :widths: 15 15 20 50 :header-rows: 1 * - Name - Type - Default - Description * - .. _date_expression_id: .. index:: pair: date_expression; id id - :ref:`id ` - - A unique name for this element (required) * - .. _date_expression_start: .. index:: pair: date_expression; start start - :ref:`ISO 8601 ` - - The beginning of the desired time range. Meaningful with an ``operation`` of ``in_range`` or ``gt``. * - .. _date_expression_end: .. index:: pair: date_expression; end end - :ref:`ISO 8601 ` - - The end of the desired time range. Meaningful with an ``operation`` of ``in_range`` or ``lt``. * - .. _date_expression_operation: .. index:: pair: date_expression; operation operation - :ref:`enumeration ` - ``in_range`` - Specifies how to compare the current date/time against a desired time range. Allowed values: * ``gt:`` The expression is satisfied if the current date/time is after ``start`` (which is required) * ``lt:`` The expression is satisfied if the current date/time is before ``end`` (which is required) * ``in_range:`` The expression is satisfied if the current date/time is greater than or equal to ``start`` (if specified) and less than or equal to either ``end`` (if specified) or ``start`` plus the value of the :ref:`duration ` element (if one is contained in the ``date_expression``). At least one of ``start`` or ``end`` must be specified. If both ``end`` and ``duration`` are specified, ``duration`` is ignored. * ``date_spec:`` The expression is satisfied if the current date/time matches the specification given in the contained :ref:`date_spec ` element (which is required) .. _date_spec: .. index:: single: date specification pair: XML element; date_spec Date Specifications ___________________ A ``date_spec`` element is used within a ``date_expression`` to specify a combination of dates and times that satisfy the expression. .. list-table:: **Attributes of a date_spec Element** :class: longtable :widths: 15 15 10 60 :header-rows: 1 * - Name - Type - Default - Description * - .. _date_spec_id: .. index:: pair: date_spec; id id - :ref:`id ` - - A unique name for this element (required) * - .. _date_spec_seconds: .. index:: pair: date_spec; seconds seconds - :ref:`range ` - - If this is set, the expression is satisfied only if the current time's second is within this range. Allowed integers: 0 to 59. * - .. _date_spec_minutes: .. index:: pair: date_spec; minutes minutes - :ref:`range ` - - If this is set, the expression is satisfied only if the current time's minute is within this range. Allowed integers: 0 to 59. * - .. _date_spec_hours: .. index:: pair: date_spec; hours hours - :ref:`range ` - - If this is set, the expression is satisfied only if the current time's hour is within this range. Allowed integers: 0 to 23 where 0 is midnight and 23 is 11 p.m. * - .. _date_spec_monthdays: .. index:: pair: date_spec; monthdays monthdays - :ref:`range ` - - If this is set, the expression is satisfied only if the current date's day of the month is in this range. Allowed integers: 1 to 31. * - .. _date_spec_weekdays: .. index:: pair: date_spec; weekdays weekdays - :ref:`range ` - - If this is set, the expression is satisfied only if the current date's ordinal day of the week is in this range. Allowed integers: 1-7 (where 1 is Monday and 7 is Sunday). * - .. _date_spec_yeardays: .. index:: pair: date_spec; yeardays yeardays - :ref:`range ` - - If this is set, the expression is satisfied only if the current date's ordinal day of the year is in this range. Allowed integers: 1-366. * - .. _date_spec_months: .. index:: pair: date_spec; months months - :ref:`range ` - - If this is set, the expression is satisfied only if the current date's month is in this range. Allowed integers: 1-12 where 1 is January and 12 is December. * - .. _date_spec_weeks: .. index:: pair: date_spec; weeks weeks - :ref:`range ` - - If this is set, the expression is satisfied only if the current date's ordinal week of the year is in this range. Allowed integers: 1-53. * - .. _date_spec_years: .. index:: pair: date_spec; years years - :ref:`range ` - - If this is set, the expression is satisfied only if the current date's year according to the Gregorian calendar is in this range. * - .. _date_spec_weekyears: .. index:: pair: date_spec; weekyears weekyears - :ref:`range ` - - If this is set, the expression is satisfied only if the current date's year in which the week started (according to the ISO 8601 standard) is in this range. * - .. _date_spec_moon: .. index:: pair: date_spec; moon moon - :ref:`range ` - - If this is set, the expression is satisfied only if the current date's phase of the moon is in this range. Allowed values are 0 to 7 where 0 is the new moon and 4 is the full moon. *(deprecated since 2.1.6)* .. note:: Pacemaker can calculate when evaluation of a ``date_expression`` with an ``operation`` of ``gt``, ``lt``, or ``in_range`` will next change, and schedule a cluster re-check for that time. However, it does not do this for ``date_spec``. Instead, it evaluates the ``date_spec`` whenever a cluster re-check naturally happens via a cluster event or the ``cluster-recheck-interval`` cluster option. For example, if you have a ``date_spec`` enabling a resource from 9 a.m. to 5 p.m., and ``cluster-recheck-interval`` has been set to 5 minutes, then sometime between 9 a.m. and 9:05 a.m. the cluster would notice that it needs to start the resource, and sometime between 5 p.m. and 5:05 p.m. it would realize that it needs to stop the resource. The timing of the actual start and stop actions will further depend on factors such as any other actions the cluster may need to perform first, and the load of the machine. .. _duration_element: .. index:: single: duration pair: XML element; duration Durations _________ A ``duration`` element is used within a ``date_expression`` to calculate an ending value for ``in_range`` operations when ``end`` is not supplied. .. list-table:: **Attributes of a duration Element** :class: longtable :widths: 15 15 10 60 :header-rows: 1 * - Name - Type - Default - Description * - .. _duration_id: .. index:: pair: duration; id id - :ref:`id ` - - A unique name for this element (required) * - .. _duration_seconds: .. index:: pair: duration; seconds seconds - :ref:`integer ` - 0 - Number of seconds to add to the total duration * - .. _duration_minutes: .. index:: pair: duration; minutes minutes - :ref:`integer ` - 0 - Number of minutes to add to the total duration * - .. _duration_hours: .. index:: pair: duration; hours hours - :ref:`integer ` - 0 - Number of hours to add to the total duration * - .. _duration_days: .. index:: pair: duration; days days - :ref:`integer ` - 0 - Number of days to add to the total duration * - .. _duration_weeks: .. index:: pair: duration; weeks weeks - :ref:`integer ` - 0 - Number of weeks to add to the total duration * - .. _duration_months: .. index:: pair: duration; months months - :ref:`integer ` - 0 - Number of months to add to the total duration * - .. _duration_years: .. index:: pair: duration; years years - :ref:`integer ` - 0 - Number of years to add to the total duration Example Date/Time Expressions _____________________________ .. topic:: Satisfied if the current year is 2005 .. code-block:: xml or equivalently: .. code-block:: xml .. topic:: 9 a.m. to 5 p.m. Monday through Friday .. code-block:: xml Note that the ``16`` matches all the way through ``16:59:59``, because the numeric value of the hour still matches. .. topic:: 9 a.m. to 6 p.m. Monday through Friday, or anytime Saturday .. code-block:: xml .. topic:: 9 a.m. to 5 p.m. or 9 p.m. to 12 a.m. Monday through Friday .. code-block:: xml .. topic:: Mondays in March 2005 .. code-block:: xml .. note:: Because no time is specified with the above dates, 00:00:00 is implied. This means that the range includes all of 2005-03-01 but only the first second of 2005-04-01. You may wish to write ``end`` as ``"2005-03-31T23:59:59"`` to avoid confusion. .. index:: single: rule; node attribute expression single: node attribute; rule expression pair: XML element; expression .. _node_attribute_expressions: Node Attribute Expressions ########################## The ``expression`` element configures a rule condition based on the value of a node attribute. It is allowed in rules in location constraints and in ``instance_attributes`` elements within ``bundle``, ``clone``, ``group``, ``op``, ``primitive``, and ``template`` elements. .. list-table:: **Attributes of an expression Element** :class: longtable :widths: 15 15 30 40 :header-rows: 1 * - Name - Type - Default - Description * - .. _expression_id: .. index:: pair: expression; id id - :ref:`id ` - - A unique name for this element (required) * - .. _expression_attribute: .. index:: pair: expression; attribute attribute - :ref:`text ` - - Name of the node attribute to test (required) * - .. _expression_operation: .. index:: pair: expression; operation operation - :ref:`enumeration ` - - The comparison to perform (required). Allowed values: * ``defined:`` The expression is satisfied if the node has the named attribute * ``not_defined:`` The expression is satisfied if the node does not have the named attribute * ``lt:`` The expression is satisfied if the node attribute value is less than the reference value * ``gt:`` The expression is satisfied if the node attribute value is greater than the reference value * ``lte:`` The expression is satisfied if the node attribute value is less than or equal to the reference value * ``gte:`` The expression is satisfied if the node attribute value is greater than or equal to the reference value * ``eq:`` The expression is satisfied if the node attribute value is equal to the reference value * ``ne:`` The expression is satisfied if the node attribute value is not equal to the reference value * - .. _expression_type: .. index:: pair: expression; type type - :ref:`enumeration ` - The default type for ``lt``, ``gt``, ``lte``, and ``gte`` operations is ``number`` if either value contains a decimal point character, or ``integer`` otherwise. The default type for all other operations is ``string``. If a numeric parse fails for either value, then the values are compared as type ``string``. - How to interpret values. Allowed values are ``string``, ``integer`` *(since 2.0.5)*, ``number``, and ``version``. ``integer`` truncates floating-point values if necessary before performing a 64-bit integer comparison. ``number`` performs a double-precision floating-point comparison *(32-bit integer before 2.0.5)*. * - .. _expression_value: .. index:: pair: expression; value value - :ref:`text ` - - Reference value to compare node attribute against (used only with, and required for, operations other than ``defined`` and ``not_defined``) * - .. _expression_value_source: .. index:: pair: expression; value-source value-source - :ref:`enumeration ` - ``literal`` - How the reference value is obtained. Allowed values: * ``literal``: ``value`` contains the literal reference value to compare * ``param``: ``value`` contains the name of a resource parameter to compare (valid only in the context of a location constraint) * ``meta``: ``value`` is the name of a resource meta-attribute to compare (valid only in the context of a location constraint) .. _node-attribute-expressions-special: In addition to custom node attributes defined by the administrator, the cluster defines special, built-in node attributes for each node that can also be used in rule expressions. .. list-table:: **Built-in Node Attributes** :class: longtable :widths: 25 75 :header-rows: 1 * - Name - Description * - #uname - :ref:`Node name ` * - #id - Node ID * - #kind - Node type (``cluster`` for cluster nodes, ``remote`` for Pacemaker Remote nodes created with the ``ocf:pacemaker:remote`` resource, and ``container`` for Pacemaker Remote guest nodes and bundle nodes) * - #is_dc - ``true`` if this node is the cluster's Designated Controller (DC), ``false`` otherwise * - #cluster-name - The value of the ``cluster-name`` cluster property, if set * - #site-name - The value of the ``site-name`` node attribute, if set, otherwise identical to ``#cluster-name`` .. _rsc_expression: .. index:: single: rule; resource expression single: resource; rule expression pair: XML element; rsc_expression Resource Type Expressions ######################### The ``rsc_expression`` element *(since 2.0.5)* configures a rule condition based on the agent used for a resource. It is allowed in rules in a ``meta_attributes`` element within a ``rsc_defaults`` or ``op_defaults`` element. .. list-table:: **Attributes of a rsc_expression Element** :class: longtable :widths: 15 15 10 60 :header-rows: 1 * - Name - Type - Default - Description * - .. _rsc_expression_id: .. index:: pair: rsc_expression; id id - :ref:`id ` - - A unique name for this element (required) * - .. _rsc_expression_class: .. index:: pair: rsc_expression; class class - :ref:`text ` - - If this is set, the expression is satisfied only if the resource's agent standard matches this value * - .. _rsc_expression_provider: .. index:: pair: rsc_expression; provider provider - :ref:`text ` - - If this is set, the expression is satisfied only if the resource's agent provider matches this value * - .. _rsc_expression_type: .. index:: pair: rsc_expression; type type - :ref:`text ` - - If this is set, the expression is satisfied only if the resource's agent type matches this value Example Resource Type Expressions _________________________________ .. topic:: Satisfied for ``ocf:heartbeat:IPaddr2`` resources .. code-block:: xml .. topic:: Satisfied for ``stonith:fence_xvm`` resources .. code-block:: xml .. _op_expression: .. index:: single: rule; operation expression single: operation; rule expression pair: XML element; op_expression Operation Type Expressions ########################## The ``op_expression`` element *(since 2.0.5)* configures a rule condition based on a resource operation name and interval. It is allowed in rules in a ``meta_attributes`` element within an ``op_defaults`` element. .. list-table:: **Attributes of an op_expression Element** :class: longtable :widths: 15 15 10 60 :header-rows: 1 * - Name - Type - Default - Description * - .. _op_expression_id: .. index:: pair: op_expression; id id - :ref:`id ` - - A unique name for this element (required) * - .. _op_expression_name: .. index:: pair: op_expression; name name - :ref:`text ` - - The expression is satisfied only if the operation's name matches this value (required) * - .. _op_expression_interval: .. index:: pair: op_expression; interval interval - :ref:`duration ` - - If this is set, the expression is satisfied only if the operation's interval matches this value Example Operation Type Expressions __________________________________ .. topic:: Expression is satisfied for all monitor actions .. code-block:: xml .. topic:: Expression is satisfied for all monitor actions with a 10-second interval .. code-block:: xml .. _location_rule: .. index:: pair: location constraint; rule Using Rules to Determine Resource Location ########################################## If a :ref:`location constraint ` contains a rule, the cluster will apply the constraint to all nodes where the rule is satisfied. This acts as if identical location constraints without rules were defined for each of the nodes. In the context of a location constraint, ``rule`` elements may take additional attributes. These have an effect only when set for the constraint's top-level ``rule``; they are ignored if set on a subrule. .. list-table:: **Extra Attributes of a rule Element in a Location Constraint** :class: longtable :widths: 20 15 10 55 :header-rows: 1 * - Name - Type - Default - Description * - .. _rule_role: .. index:: pair: rule; role role - :ref:`enumeration ` - ``Started`` - If this is set in the constraint's top-level rule, the constraint acts as if ``role`` were set to this in the ``rsc_location`` element. * - .. _rule_score: .. index:: pair: rule; score score - :ref:`score ` - - If this is set in the constraint's top-level rule, the constraint acts as if ``score`` were set to this in the ``rsc_location`` element. Only one of ``score`` and ``score-attribute`` may be set. * - .. _rule_score_attribute: .. index:: pair: rule; score-attribute score-attribute - :ref:`text ` - - If this is set in the constraint's top-level rule, the constraint acts as if ``score`` were set to the value of this node attribute on each node where the rule is satisfied. Only one of ``score`` and ``score-attribute`` may be set. Consider the following simple location constraint: .. topic:: Prevent resource ``webserver`` from running on node ``node3`` .. code-block:: xml The same constraint can be written more verbosely using a rule: .. topic:: Prevent resource ``webserver`` from running on node ``node3`` using a rule .. code-block:: xml The advantage of using the expanded form is that one could add more expressions (for example, limiting the constraint to certain days of the week). Location Rules Based on Other Node Properties _____________________________________________ The expanded form allows us to match node attributes other than its name. As an example, consider this configuration of custom node attributes specifying each node's CPU capacity: .. topic:: Sample node section with node attributes .. code-block:: xml We can use a rule to prevent a resource from running on underpowered machines: .. topic:: Rule using a node attribute (to be used inside a location constraint) .. code-block:: xml Using ``score-attribute`` Instead of ``score`` ______________________________________________ When using ``score-attribute`` instead of ``score``, each node matched by the rule has its score adjusted according to its value for the named node attribute. In the previous example, if the location constraint rule used ``score-attribute="cpu_mips"`` instead of ``score="-INFINITY"``, node ``c001n01`` would have its preference to run the resource increased by 1234 whereas node ``c001n02`` would have its preference increased by 5678. .. _s-rsc-pattern-rules: Specifying location scores using pattern submatches ___________________________________________________ Location constraints may use :ref:`rsc-pattern ` to apply the constraint to all resources whose IDs match the given pattern. The pattern may contain up to 9 submatches in parentheses, whose values may be used as ``%1`` through ``%9`` in a ``rule`` element's ``score-attribute`` or an ``expression`` element's ``attribute``. For example, the following configuration excerpt gives the resources **server-httpd** and **ip-httpd** a preference of 100 on node1 and 50 on node2, and **ip-gateway** a preference of -100 on node1 and 200 on node2. .. topic:: Location constraint using submatches .. code-block:: xml .. _option_rule: .. index:: pair: cluster option; rule pair: instance attribute; rule pair: meta-attribute; rule pair: resource defaults; rule pair: operation defaults; rule pair: node attribute; rule Using Rules to Define Options ############################# Rules may be used to control a variety of options: * :ref:`Cluster options ` (as ``cluster_property_set`` elements) * :ref:`Node attributes ` (as ``instance_attributes`` or ``utilization`` elements inside a ``node`` element) * :ref:`Resource options ` (as ``utilization``, ``meta_attributes``, or ``instance_attributes`` elements inside a resource definition element or ``op`` , ``rsc_defaults``, ``op_defaults``, or ``template`` element) * :ref:`Operation options ` (as ``meta_attributes`` elements inside an ``op`` or ``op_defaults`` element) * :ref:`Alert options ` (as ``instance_attributes`` or ``meta_attributes`` elements inside an ``alert`` or ``recipient`` element) Using Rules to Control Resource Options _______________________________________ Often some cluster nodes will be different from their peers. Sometimes, these differences (for example, the location of a binary, or the names of network interfaces) require resources to be configured differently depending on the machine they're hosted on. By defining multiple ``instance_attributes`` elements for the resource and adding a rule to each, we can easily handle these special cases. In the example below, ``mySpecialRsc`` will use eth1 and port 9999 when run on node1, eth2 and port 8888 on node2 and default to eth0 and port 9999 for all other nodes. .. topic:: Defining different resource options based on the node name .. code-block:: xml Multiple ``instance_attributes`` elements are evaluated from highest score to lowest. If not supplied, the score defaults to zero. Objects with equal scores are processed in their listed order. If an ``instance_attributes`` object has no rule or a satisfied ``rule``, then for any parameter the resource does not yet have a value for, the resource will use the value defined by the ``instance_attributes``. For example, given the configuration above, if the resource is placed on ``node1``: * ``special-node1`` has the highest score (3) and so is evaluated first; its rule is satisfied, so ``interface`` is set to ``eth1``. * ``special-node2`` is evaluated next with score 2, but its rule is not satisfied, so it is ignored. * ``defaults`` is evaluated last with score 1, and has no rule, so its values are examined; ``interface`` is already defined, so the value here is not used, but ``port`` is not yet defined, so ``port`` is set to ``9999``. Using Rules to Control Resource Defaults ________________________________________ Rules can be used for resource and operation defaults. The following example illustrates how to set a different ``resource-stickiness`` value during and outside work hours. This allows resources to automatically move back to their most preferred hosts, but at a time that (in theory) does not interfere with business activities. .. topic:: Change ``resource-stickiness`` during working hours .. code-block:: xml ``rsc_expression`` is valid within both ``rsc_defaults`` and ``op_defaults``; ``op_expression`` is valid only within ``op_defaults``. .. topic:: Default all IPaddr2 resources to stopped .. code-block:: xml .. topic:: Default all monitor action timeouts to 7 seconds .. code-block:: xml .. topic:: Default the timeout on all 10-second-interval monitor actions on ``IPaddr2`` resources to 8 seconds .. code-block:: xml .. index:: pair: rule; cluster option Using Rules to Control Cluster Options ______________________________________ Controlling cluster options is achieved in much the same manner as specifying different resource options on different nodes. The following example illustrates how to set ``maintenance_mode`` during a scheduled maintenance window. This will keep the cluster running but not monitor, start, or stop resources during this time. .. topic:: Schedule a maintenance window for 9 to 11 p.m. CDT Sept. 20, 2019 .. code-block:: xml - + .. important:: The ``cluster_property_set`` with an ``id`` set to "cib-bootstrap-options" will *always* have the highest priority, regardless of any scores. Therefore, rules in another ``cluster_property_set`` can never take effect for any properties listed in the bootstrap set. diff --git a/doc/sphinx/Pacemaker_Explained/status.rst b/doc/sphinx/Pacemaker_Explained/status.rst index 82d846b00c..048707e568 100644 --- a/doc/sphinx/Pacemaker_Explained/status.rst +++ b/doc/sphinx/Pacemaker_Explained/status.rst @@ -1,459 +1,459 @@ .. index:: pair: XML element; status Status ------ Pacemaker automatically generates a ``status`` section in the CIB (inside the ``cib`` element, at the same level as ``configuration``). The status is transient, and is not stored to disk with the rest of the CIB. The section's structure and contents are internal to Pacemaker and subject to change from release to release. Its often obscure element and attribute names are kept for historical reasons, to maintain compatibility with older versions during rolling upgrades. Users should not modify the section directly, though various command-line tool options affect it indirectly. .. index:: pair: XML element; node_state single: node; state Node State ########## The ``status`` element contains ``node_state`` elements for each node in the cluster (and potentially nodes that have been removed from the configuration since the cluster started). The ``node_state`` element has attributes that allow the cluster to determine whether the node is healthy. .. topic:: Example minimal node state entry .. code-block:: xml .. list-table:: **Attributes of a node_state Element** :class: longtable :widths: 20 20 60 :header-rows: 1 * - Name - Type - Description * - .. _node_state_id: .. index:: pair: node_state; id id - :ref:`text ` - Node ID (identical to ``id`` of corresponding ``node`` element in the ``configuration`` section) * - .. node_state_uname: .. index:: pair: node_state; uname uname - :ref:`text ` - Node name (identical to ``uname`` of corresponding ``node`` element in the ``configuration`` section) * - .. node_state_in_ccm: .. index:: pair: node_state; in_ccm in_ccm - :ref:`epoch time ` *(since 2.1.7; previously boolean)* - If the node's controller is currently in the cluster layer's membership, this is the epoch time at which it joined (or 1 if the node is in the process of leaving the cluster), otherwise 0 *(since 2.1.7; previously, it was "true" or "false")* * - .. node_state_crmd: .. index:: pair: node_state; crmd crmd - :ref:`epoch time ` *(since 2.1.7; previously an enumeration)* - If the node's controller is currently in the cluster layer's controller messaging group, this is the epoch time at which it joined, otherwise 0 *(since 2.1.7; previously, the value was either "online" or "offline")* * - .. node_state_crm_debug_origin: .. index:: pair: node_state; crm-debug-origin crm-debug-origin - :ref:`text ` - Name of the source code function that recorded this ``node_state`` element (for debugging) * - .. node_state_join: .. index:: pair: node_state; join join - :ref:`enumeration ` - Current status of node's controller join sequence (and thus whether it is eligible to run resources). Allowed values: * ``down``: Not yet joined * ``pending``: In the process of joining or leaving * ``member``: Fully joined * ``banned``: Rejected by DC * - .. node_state_expected: .. index:: pair: node_state; expected expected - :ref:`enumeration ` - What cluster expects ``join`` to be in the immediate future. Allowed values are same as for ``join``. .. _transient_attributes: .. index:: pair: XML element; transient_attributes single: node; transient attribute single: node attribute; transient Transient Node Attributes ######################### The ``transient_attributes`` section specifies transient :ref:`node_attributes`. In addition to any values set by the administrator or resource agents using the ``attrd_updater`` or ``crm_attribute`` tools, the cluster stores various state information here. .. topic:: Example transient node attributes for a node .. code-block:: xml .. index:: pair: XML element; lrm pair: XML element; lrm_resources pair: node; history Node History ############ Each ``node_state`` element contains an ``lrm`` element with a history of certain resource actions performed on the node. The ``lrm`` element contains an ``lrm_resources`` element. .. index:: pair: XML element; lrm_resource pair: resource; history Resource History ________________ The ``lrm_resources`` element contains an ``lrm_resource`` element for each resource that has had an action performed on the node. An ``lrm_resource`` entry has attributes allowing the cluster to stop the resource safely even if it is removed from the configuration. Specifically, the resource's ``id``, ``class``, ``type`` and ``provider`` are recorded. .. index:: pair: XML element; lrm_rsc_op pair: action; history Action History ______________ Each ``lrm_resource`` element contains an ``lrm_rsc_op`` element for each recorded action performed for that resource on that node. (Not all actions are recorded, just enough to determine the resource's state.) .. list-table:: **Attributes of an lrm_rsc_op Element** :class: longtable :widths: 20 20 60 :header-rows: 1 * - Name - Type - Description * - .. _lrm_rsc_op_id: .. index:: pair: lrm_rsc_op; id id - :ref:`text ` - Identifier for the history entry constructed from the resource ID, action name or history entry type, and action interval. * - .. _lrm_rsc_op_operation_key: .. index:: pair: lrm_rsc_op; operation_key operation_key - :ref:`text ` - Identifier for the action that was executed, constructed from the resource ID, action name, and action interval. * - .. _lrm_rsc_op_operation: .. index:: pair: lrm_rsc_op; operation operation - :ref:`text ` - The name of the action the history entry is for * - .. _lrm_rsc_op_crm_debug_origin: .. index:: pair: lrm_rsc_op; crm-debug-origin crm-debug-origin - :ref:`text ` - Name of the source code function that recorded this entry (for debugging) * - .. _lrm_rsc_op_crm_feature_set: .. index:: pair: lrm_rsc_op; crm_feature_set crm_feature_set - :ref:`version ` - The Pacemaker feature set used to record this entry. * - .. _lrm_rsc_op_transition_key: .. index:: pair: lrm_rsc_op; transition-key transition-key - :ref:`text ` - A concatenation of the action's transition graph action number, the transition graph number, the action's expected result, and the UUID of the controller instance that scheduled it. * - .. _lrm_rsc_op_transition_magic: .. index:: pair: lrm_rsc_op; transition-magic transition-magic - :ref:`text ` - A concatenation of ``op-status``, ``rc-code``, and ``transition-key``. * - .. _lrm_rsc_op_exit_reason: .. index:: pair: lrm_rsc_op; exit-reason exit-reason - :ref:`text ` - An error message (if available) from the resource agent or Pacemaker if the action did not return success. * - .. _lrm_rsc_op_on_node: .. index:: pair: lrm_rsc_op; on_node on_node - :ref:`text ` - The name of the node that executed the action (identical to the ``uname`` of the enclosing ``node_state`` element) * - .. _lrm_rsc_op_call_id: .. index:: pair: lrm_rsc_op; call-id call-id - :ref:`integer ` - A node-specific counter used to determine the order in which actions were executed. * - .. _lrm_rsc_op_rc_code: .. index:: pair: lrm_rsc_op; rc-code rc-code - :ref:`integer ` - The resource agent's exit status for this action. Refer to the *Resource Agents* chapter of *Pacemaker Administration* for how these values are interpreted. * - .. _lrm_rsc_op_op_status: .. index:: pair: lrm_rsc_op; op-status op-status - :ref:`integer ` - The execution status of this action. The meanings of these codes are internal to Pacemaker. * - .. _lrm_rsc_op_interval: .. index:: pair: lrm_rsc_op; interval interval - :ref:`nonnegative integer ` - If the action is recurring, its frequency (in milliseconds), otherwise 0. * - .. _lrm_rsc_op_last_rc_change: .. index:: pair: lrm_rsc_op; last-rc-change last-rc-change - :ref:`epoch time ` - Node-local time at which the action first returned the current value of ``rc-code``. * - .. _lrm_rsc_op_exec_time: .. index:: pair: lrm_rsc_op; exec-time exec-time - :ref:`integer ` - Time (in seconds) that action execution took (if known) * - .. _lrm_rsc_op_queue_time: .. index:: pair: lrm_rsc_op; queue-time queue-time - :ref:`integer ` - Time (in seconds) that action was queued in the local executor (if known) * - .. _lrm_rsc_op_op_digest: .. index:: pair: lrm_rsc_op; op-digest op-digest - :ref:`text ` - If present, this is a hash of the parameters passed to the action. If a hash of the currently configured parameters does not match this, that means the resource configuration changed since the action was performed, and the resource must be reloaded or restarted. * - .. _lrm_rsc_op_op_restart_digest: .. index:: pair: lrm_rsc_op; op-restart-digest op-restart-digest - :ref:`text ` - If present, the resource agent supports reloadable parameters, and this is a hash of the non-reloadable parameters passed to the action. This allows the cluster to choose between reload and restart when one is needed. * - .. _lrm_rsc_op_op_secure_digest: .. index:: pair: lrm_rsc_op; op-secure-digest op-secure-digest - :ref:`text ` - If present, the resource agent marks some parameters as sensitive, and this is a hash of the non-sensitive parameters passed to the action. This allows the value of sensitive parameters to be removed from a saved copy of the CIB while still allowing scheduler simulations to be performed on that copy. Simple Operation History Example ________________________________ -.. topic:: A monitor operation (determines current state of the ``apcstonith`` resource) +.. topic:: A monitor operation (determines current state of the ``apcfencing`` resource) .. code-block:: xml - - + The above example shows the history entry for a probe (non-recurring monitor -operation) for the ``apcstonith`` resource. +operation) for the ``apcfencing`` resource. The cluster schedules probes for every configured resource on a node when the node first starts, in order to determine the resource's current state before it takes any further action. From the ``transition-key``, we can see that this was the 22nd action of the 2nd graph produced by this instance of the controller (2668bbeb-06d5-40f9-936d-24cb7f87006a). The third field of the ``transition-key`` contains a 7, which indicates that the cluster expects to find the resource inactive. By looking at the ``rc-code`` property, we see that this was the case. As that is the only action recorded for this node, we can conclude that the cluster started the resource elsewhere. Complex Operation History Example _________________________________ .. topic:: Resource history of a ``pingd`` clone with multiple entries .. code-block:: xml When more than one history entry exists, it is important to first sort them by ``call-id`` before interpreting them. Once sorted, the above example can be summarized as: #. A non-recurring monitor operation returning 7 (not running), with a ``call-id`` of 3 #. A stop operation returning 0 (success), with a ``call-id`` of 32 #. A start operation returning 0 (success), with a ``call-id`` of 33 #. A recurring monitor returning 0 (success), with a ``call-id`` of 34 The cluster processes each history entry to build up a picture of the resource's state. After the first and second entries, it is considered stopped, and after the third it considered active. Based on the last operation, we can tell that the resource is currently active. Additionally, from the presence of a ``stop`` operation with a lower ``call-id`` than that of the ``start`` operation, we can conclude that the resource has been restarted. Specifically this occurred as part of actions 11 and 31 of transition 11 from the controller instance with the key ``2668bbeb...``. This information can be helpful for locating the relevant section of the logs when looking for the source of a failure.