On 24/07/19 12:33 -0500, Ken Gaillot wrote:
> A recent bugfix (clbz#5386) brings up a question.
>
> A node may receive notification of its own fencing when fencing is
> misconfigured (for example, an APC switch with the wrong plug number)
> or when fabric fencing is used that doesn't cut the cluster network
> (for example, fence_scsi).

One related idea that'd be better to think through at its own pace: whether it would make sense to maximize the benefit of knowing which kind of behaviour to expect from a particular abstracted fencing device. Is it an absolute cut-off of the whole node's acting, or is it just a partial isolation where it presumably matters the most (access to disk, access to network resources, ...)?

Then, a dichotomy in failure modes could be introduced, since these are effectively _different_ disaster limiting scenarios with different pros and cons (consider also debug-ability). I always had mixed feelings about putting total/partial fencing into the same bucket.

Apparently, that information would need to be propagated via the metadata of the agents, meaning pulling more complexity on that level.

The broader picture might even be that compositions of the resources could as well point out which kinds of shared resources are in danger of amplifying the failure/causing split brain etc. and hence offer feedback on which of these are yet to be covered if the absolute cut-off is not preferred/available for whatever reason.

/me gets back from daydreaming

--
Poki