Question About Fencing

Feb 6, 2017
I'm putting together a cluster and confused about fencing. It looks like the recommended way is to use a watchdog timer to reboot a host that is hung. In my previous experience with clusters, the remaining hosts would "STONITH" the non-responsive host. Is there a reason that this method isn't recommended?

If the host is hung, the watchdog is fine, but if there is a cluster network failure and VMs are restarted on new hosts, you could have a split-brain situation. Using IPMI to power cycle the disconnected server would be my choice.

Thanks
 
If the host is hung, the watchdog is fine, but if there is a cluster network failure and VMs are restarted on new hosts, you could have a split-brain situation.

This is simply not true. The corosync cluster stack detects such situations and the watchdog triggers.
 
I'm putting together a cluster and confused about fencing. It looks like the recommended way is to use a watchdog timer to reboot a host that is hung. In my previous experience with clusters, the remaining hosts would "STONITH" the non-responsive host. Is there a reason that this method isn't recommended?

Fence devices are often brittle and extra components which can fail too. Watchdogs reset (not reboot) the host; they are very simple and do not need network communication to work.

Watchdogs are always loaded, external fence devices are the opposite and thus may not be reachable in certain failure cases.
See our documentation: https://pve.proxmox.com/pve-docs/chapter-ha-manager.html#ha_manager_fencing

If the host is hung, the watchdog is fine, but if there is a cluster network failure and VMs are restarted on new hosts, you could have a split-brain situation.

No, as then you also do not have quorum, which is the underlying principle of all of our operations.
Further, we only start VMs/CTs after getting the failed node's cluster locks, so no.
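
The quorum and lock argument from the replies above, as an added sketch that is not part of the thread and not Proxmox code: a toy model that splits a cluster every possible way and counts how many nodes ever run the same service at once. The timeout values, node names and function names are assumptions made for the illustration.

```python
from itertools import combinations

# Assumed timings in seconds, chosen for illustration (not from the thread).
WATCHDOG_TIMEOUT = 60   # a node without quorum is reset after this long
LOCK_TIMEOUT = 120      # a stale node lock may be taken over after this long


def has_quorum(members, total):
    """Strict majority of all votes (one vote per node)."""
    return len(members) > total // 2


def simulate_split(nodes, isolated, owner, watchdog=WATCHDOG_TIMEOUT,
                   lock=LOCK_TIMEOUT, horizon=300):
    """Split the cluster at t=0 into `isolated` and the rest.

    `owner` runs one service before the split. Returns
    (max nodes running it at the same time, recovery time or None).
    """
    isolated = set(isolated)
    rest = set(nodes) - isolated
    quorate = {n: has_quorum(isolated if n in isolated else rest, len(nodes))
               for n in nodes}
    running, max_running, recovered_at = {owner}, 1, None
    for t in range(1, horizon + 1):
        # A node without quorum cannot renew its watchdog and is reset.
        if t >= watchdog:
            running = {n for n in running if quorate[n]}
        # A quorate partition restarts the service once the old lock expires.
        if recovered_at is None and not quorate[owner] and t >= lock:
            survivors = sorted(n for n in nodes if quorate[n])
            if survivors:
                running.add(survivors[0])
                recovered_at = t
        max_running = max(max_running, len(running))
    return max_running, recovered_at


def check_all_splits(nodes, **timeouts):
    """Worst-case concurrent runners over every split and initial owner."""
    worst = 0
    for k in range(1, len(nodes)):
        for isolated in combinations(nodes, k):
            for owner in nodes:
                worst = max(worst,
                            simulate_split(nodes, isolated, owner, **timeouts)[0])
    return worst
```

In this model the guarantee depends on the lock takeover happening no earlier than the watchdog reset; swapping the two timeouts produces two concurrent runners.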