Re: [ClusterLabs] Linux 8.2 - high totem token requires manual setting of ping_interval and ping_timeout

[Jan Friesse]

Robert,
thank you for the info/report. More comments inside.


All,
Hello.  Hope all is well.   I have been researching Oracle Linux 8.2 and ran 
across a situation that is not well documented.   I decided to provide some 
details to the community in case I am missing something.

Basically, if you increase the totem token above approximately 33000 with the 
knet transport, then a two node cluster will not properly form.   The exact 
threshold value will slightly fluctuate, depending on hardware type and 
debugging, but will consistently fail above 4.


At least corosync with 40sec timeout works just fine for me.

# corosync-cmapctl  | grep token
runtime.config.totem.token (u32) = 40650

# corosync-quorumtool
Quorum information
--
Date: Fri Jun 26 08:45:12 2020
Quorum provider:  corosync_votequorum
Nodes:2
Node ID:  1
Ring ID:  1.11be1
Quorate:  Yes

Votequorum information
--
Expected votes:   3
Highest expected: 3
Total votes:  2
Quorum:   2
Flags:Quorate

Membership information
--
Nodeid  Votes Name
 1  1 vmvlan-vmcos8-n05 (local)
 6  1 vmvlan-vmcos8-n06


It is indeed true that forming took a bit more time (30 sec to be more 
precise)




The failure to form a cluster would occur when running the "pcs cluster start 
--all" command or if I would start one cluster, let it stabilize, then start the 
second.  When it fails to form a cluster, each side would say they are ONLINE, but the 
other side is UNCLEAN(offline) (cluster state: partition WITHOUT quorum).   If I define 
proper stonith resources, then they will not fence since the cluster never makes it to an 
initial quorum state.  So, the cluster will stay in this split state indefinitely.


Maybe some timeout in pcs?



Changing the transport back to udpu or udp, the higher totem tokens worked as 
expected.


Yup. You've correctly find out that knet_* timeouts helps. Basically 
knet let link not working till it gets enough pongs. UDP/UDPU doesn't 
have this concept so it will create cluster faster.




 From the debug logging, I suspect that the Election Trigger (20 seconds) fires before all nodes are properly identified by the knet transport.  I noticed that with a totem token passing 32 seconds, the knet_ping* defaults were pushing up against that 20 second mark.  The output of "corosync-cfgtool -s" will show each node's link as enabled, but each side will state the other side's link is not connected.   Since each side thinks the other node is not active, they fail to properly send a join message to the other node during the election.   They will essentially form a singleton cluster(??).  


Till now your analysis is correct. Corosync is really unable to send 
join message and forms single node cluster.



It is more puzzling when you start one node at a time, waiting for the node to 
stabilize before starting the other.   It is like the first node will never see 
the remote knet interfaces become active, regardless of how long you wait.


This shouldn't happen. Knet will eventually receive enough pongs so 
corosync broadcast message to other nodes, which founds out that new 
membership should be formed.




The solution is to manually set the knet ping_timeout and ping_interval to 
lower values than the default values derived from the totem token.  This seems 
to allow for the knet transport to determine link status of all nodes before 
the election timer pops.


These timeouts are indeed not the best one. I had few ideas how to 
improve them, because currently they are in favor of multiple links 
clusters. Single links cluster may work better with slightly different 
defaults.




I tested this on both physical hardware and with VMs.  Both react similarly.

Bare bones test case to reproduce:
yum install pcs pacemaker fence-agents-all
firewall-cmd --permanent --add-service=high-availability
firewall-cmd --add-service=high-availability
systemctl start pcsd.service
systemctl enable pcsd.service
systemctl disable corosync
systemctl disable pacemaker
passwd hacluster
pcs host auth node1 node2
pcs cluster setup rhcs_test node1 node2 totem token=41000
pcs cluster start --all

Example command to create cluster that will properly form and get quorum:
pcs cluster setup rhcs_test node1 node2 totem token=61000 transport knet link 
ping_interval=1250 ping_timeout=2500

Hope this helps someone in the future.


Yup. It is interesting finding and thanks for that.

Regards,
  Honza



Thanks
Robert


Robert Hayden | Lead Technology Architect | Cerner Corporation


CONFIDENTIALITY NOTICE This message and any included attachments are from 
Cerner Corporation and are intended only for the addressee. The information 
contained in this message is confidential and may constitute inside or 
non-public information under international, federal, or state securities laws. 
Unauthorized forwarding, printing

[ClusterLabs] Linux 8.2 - high totem token requires manual setting of ping_interval and ping_timeout

[Hayden,Robert]

All,
Hello.  Hope all is well.   I have been researching Oracle Linux 8.2 and ran 
across a situation that is not well documented.   I decided to provide some 
details to the community in case I am missing something.

Basically, if you increase the totem token above approximately 33000 with the 
knet transport, then a two node cluster will not properly form.   The exact 
threshold value will slightly fluctuate, depending on hardware type and 
debugging, but will consistently fail above 4.

The failure to form a cluster would occur when running the "pcs cluster start 
--all" command or if I would start one cluster, let it stabilize, then start 
the second.  When it fails to form a cluster, each side would say they are 
ONLINE, but the other side is UNCLEAN(offline) (cluster state: partition 
WITHOUT quorum).   If I define proper stonith resources, then they will not 
fence since the cluster never makes it to an initial quorum state.  So, the 
cluster will stay in this split state indefinitely.

Changing the transport back to udpu or udp, the higher totem tokens worked as 
expected.

>From the debug logging, I suspect that the Election Trigger (20 seconds) fires 
>before all nodes are properly identified by the knet transport.  I noticed 
>that with a totem token passing 32 seconds, the knet_ping* defaults were 
>pushing up against that 20 second mark.  The output of "corosync-cfgtool -s" 
>will show each node's link as enabled, but each side will state the other 
>side's link is not connected.   Since each side thinks the other node is not 
>active, they fail to properly send a join message to the other node during the 
>election.   They will essentially form a singleton cluster(??).  It is more 
>puzzling when you start one node at a time, waiting for the node to stabilize 
>before starting the other.   It is like the first node will never see the 
>remote knet interfaces become active, regardless of how long you wait.

The solution is to manually set the knet ping_timeout and ping_interval to 
lower values than the default values derived from the totem token.  This seems 
to allow for the knet transport to determine link status of all nodes before 
the election timer pops.

I tested this on both physical hardware and with VMs.  Both react similarly.

Bare bones test case to reproduce:
yum install pcs pacemaker fence-agents-all
firewall-cmd --permanent --add-service=high-availability
firewall-cmd --add-service=high-availability
systemctl start pcsd.service
systemctl enable pcsd.service
systemctl disable corosync
systemctl disable pacemaker
passwd hacluster
pcs host auth node1 node2
pcs cluster setup rhcs_test node1 node2 totem token=41000
pcs cluster start --all

Example command to create cluster that will properly form and get quorum:
pcs cluster setup rhcs_test node1 node2 totem token=61000 transport knet link 
ping_interval=1250 ping_timeout=2500

Hope this helps someone in the future.

Thanks
Robert


Robert Hayden | Lead Technology Architect | Cerner Corporation


CONFIDENTIALITY NOTICE This message and any included attachments are from 
Cerner Corporation and are intended only for the addressee. The information 
contained in this message is confidential and may constitute inside or 
non-public information under international, federal, or state securities laws. 
Unauthorized forwarding, printing, copying, distribution, or use of such 
information is strictly prohibited and may be unlawful. If you are not the 
addressee, please promptly delete this message and notify the sender of the 
delivery error by e-mail or you may call Cerner's corporate offices in Kansas 
City, Missouri, U.S.A at (+1) (816)221-1024.
___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/

Re: [ClusterLabs] Beginner with STONITH Problem

[Strahil Nikolov]

Hi Stefan,

this  sounds  like  firewall issue.

Check that the port udp/1229 is opened  for  the Hypervisours and tcp/1229 for 
the VMs.

P.S.: The  protocols are based on my fading memory, so double check the .

Best Regards,
Strahil Nikolov

На 25 юни 2020 г. 18:18:46 GMT+03:00, "stefan.schm...@farmpartner-tec.com" 
 написа:
>Hello,
>
>I have now tried to use that "how to" to make things work. Sadly I have
>
>run into a couple of Problems.
>
>I have installed and configured fence_xvm like it was told in the 
>walk-through but as expected the fence_virtd does not find all VMs,
>only 
>the one installed on itself.
>In the configuration I have chosen "bond0" as the listeners interface 
>since the hosts have bonding configured. I have appenmded the complete 
>fence_virt.conf at the end of the mail.
>All 4 servers, CentOS-Hosts and Ubuntu-VMs are in the same Network.
>Also 
>the generated key is present on all 4 Servers.
>
>Still the "fence_xvm -o list" command olny results in showing the local
>VM
>
># fence_xvm -o list
>kvm101   beee402d-c6ac-4df4-9b97-bd84e637f2e7
>on
>
>I hav tried the "Alternative configuration for guests running on 
>multiple hosts" but this fails right from the start, because the 
>packages libvirt-qpid are not available
>
># yum install -y libvirt-qpid qpidd
>[...]
>No package libvirt-qpid available.
>No package qpidd available.
>
>Could anyone please advise on how to proceed to get both nodes 
>recognized by the CentOS-Hosts? As a side note, all 4 Servers can ping 
>each other, so they are present and available in the same network.
>
>In addition, I cant seem to find the correct packages for Ubuntu 18.04 
>to install on the VMs. Trying to install fence_virt and/or fence_xvm 
>just results in "E: Unable to locate package fence_xvm/fence_virt".
>Are those packages available at all forUbubtu 18.04? I could only find 
>them for 20.04 or are they just called completely different so that I
>am 
>not able to find them?
>
>Thank you in advance for your help!
>
>Kind regards
>Stefan Schmitz
>
>
>The current /etc/fence_virt.conf:
>
>fence_virtd {
> listener = "multicast";
> backend = "libvirt";
> module_path = "/usr/lib64/fence-virt";
>}
>
>listeners {
> multicast {
> key_file = "/etc/cluster/fence_xvm.key";
> address = "225.0.0.12";
> interface = "bond0";
> family = "ipv4";
> port = "1229";
> }
>
>}
>
>backends {
> libvirt {
> uri = "qemu:///system";
> }
>
>}
>
>
>
>
>
>
>
>Am 25.06.2020 um 10:28 schrieb stefan.schm...@farmpartner-tec.com:
>> Hello and thank you both for the help,
>> 
>>  >> Are the VMs in the same VLAN like the hosts?
>> Yes the VMs and Hosts are all in the same VLan. So I will try the 
>> fence_xvm solution.
>> 
>>  > https://wiki.clusterlabs.org/wiki/Guest_Fencing
>> Thank you for the pointer to that walk-through. Sadly every VM is on
>its 
>> own host which is marked as "Not yet supported" but still this how to
>is 
>> a good starting point and I will try to work and tweak my way through
>it 
>> for out setup.
>> 
>> Thanks again!
>> 
>> Kind regards
>> Stefan Schmitz
>> 
>> Am 24.06.2020 um 15:51 schrieb Ken Gaillot:
>>> On Wed, 2020-06-24 at 15:47 +0300, Strahil Nikolov wrote:
 Hello Stefan,

 There are multiple options for stonith, but it depends on the
 environment.
 Are the VMs in the same VLAN like the hosts? I am asking this , as
 the most popular candidate is 'fence_xvm' but it requires the VM to
 send fencing request to the KVM host (multicast) where the partner
>VM
 is hosted .
>>>
>>> FYI a fence_xvm walk-through for the simple case is available on the
>>> ClusterLabs wiki:
>>>
>>> https://wiki.clusterlabs.org/wiki/Guest_Fencing
>>>
 Another approach is to use a shared disk (either over iSCSI or
 SAN)  and use sbd for power-based fencing,  or  use SCSI3
>Persistent
 Reservations (which can also be converted into a power-based
 fencing).


 Best Regards,
 Strahil Nikolov


 На 24 юни 2020 г. 13:44:27 GMT+03:00, "
 stefan.schm...@farmpartner-tec.com" <
 stefan.schm...@farmpartner-tec.com> написа:
> Hello,
>
> I am an absolute beginner trying to setup our first HA Cluster.
> So far I have been working with the "Pacemaker 1.1 Clusters from
> Scratch" Guide wich worked for me perfectly up to the Point where
>I
> need
> to install and configure STONITH.
>
> Curerent Situation is:2 Ubuntu Server as the cluster. Both of
> those
> Servers are virtual machines running on 2 Centos KVM Hosts.
> Those are the devices or ressources we can use for a STONITH
> implementation. In this and other guides I do read a lot about
> external
>
> devices and in the "pcs stonith list" there are some XEN but sadly
> I
> cannot find anything about KVM. At this po

Re: [ClusterLabs] Beginner with STONITH Problem

[stefan.schm...@farmpartner-tec.com]

Hello and thank you both for the help,

>> Are the VMs in the same VLAN like the hosts?
Yes the VMs and Hosts are all in the same VLan. So I will try the 
fence_xvm solution.


> https://wiki.clusterlabs.org/wiki/Guest_Fencing
Thank you for the pointer to that walk-through. Sadly every VM is on its 
own host which is marked as "Not yet supported" but still this how to is 
a good starting point and I will try to work and tweak my way through it 
for out setup.


Thanks again!

Kind regards
Stefan Schmitz

Am 24.06.2020 um 15:51 schrieb Ken Gaillot:

On Wed, 2020-06-24 at 15:47 +0300, Strahil Nikolov wrote:

Hello Stefan,

There are multiple options for stonith, but it depends on the
environment.
Are the VMs in the same VLAN like the hosts? I am asking this , as
the most popular candidate is 'fence_xvm' but it requires the VM to
send fencing request to the KVM host (multicast) where the partner VM
is hosted .


FYI a fence_xvm walk-through for the simple case is available on the
ClusterLabs wiki:

https://wiki.clusterlabs.org/wiki/Guest_Fencing


Another approach is to use a shared disk (either over iSCSI or
SAN)  and use sbd for power-based fencing,  or  use SCSI3 Persistent
Reservations (which can also be converted into a power-based
fencing).


Best Regards,
Strahil Nikolov


На 24 юни 2020 г. 13:44:27 GMT+03:00, "
stefan.schm...@farmpartner-tec.com" <
stefan.schm...@farmpartner-tec.com> написа:

Hello,

I am an absolute beginner trying to setup our first HA Cluster.
So far I have been working with the "Pacemaker 1.1 Clusters from
Scratch" Guide wich worked for me perfectly up to the Point where I
need
to install and configure STONITH.

Curerent Situation is:2 Ubuntu Server as the cluster. Both of
those
Servers are virtual machines running on 2 Centos KVM Hosts.
Those are the devices or ressources we can use for a STONITH
implementation. In this and other guides I do read a lot about
external

devices and in the "pcs stonith list" there are some XEN but sadly
I
cannot find anything about KVM. At this point I am stumped and have
no
clue in how to proceed, I am not even sure what further inforamtion
I
shopuld provide that would be useful for giving advise?

The current pcs status is:

# pcs status
Cluster name: pacemaker_cluster
WARNING: corosync and pacemaker node names do not match (IPs used
in
setup?)
Stack: corosync
Current DC: server2ubuntu1 (version 1.1.18-2b07d5c5a9) - partition
with

quorum
Last updated: Wed Jun 24 12:43:24 2020
Last change: Wed Jun 24 12:35:17 2020 by root via cibadmin on
server4ubuntu1

2 nodes configured
12 resources configured

Online: [ server2ubuntu1 server4ubuntu1 ]

Full list of resources:

  Master/Slave Set: r0_pacemaker_Clone [r0_pacemaker]
  Masters: [ server4ubuntu1 ]
  Slaves: [ server2ubuntu1 ]
  Clone Set: dlm-clone [dlm]
  Stopped: [ server2ubuntu1 server4ubuntu1 ]
  Clone Set: ClusterIP-clone [ClusterIP] (unique)
  ClusterIP:0(ocf::heartbeat:IPaddr2):   Started
server4ubuntu1
  ClusterIP:1(ocf::heartbeat:IPaddr2):   Started
server4ubuntu1
  Master/Slave Set: WebDataClone [WebData]
  Masters: [ server2ubuntu1 server4ubuntu1 ]
  Clone Set: WebFS-clone [WebFS]
  Stopped: [ server2ubuntu1 server4ubuntu1 ]
  Clone Set: WebSite-clone [WebSite]
  Stopped: [ server2ubuntu1 server4ubuntu1 ]

Failed Actions:
* dlm_start_0 on server2ubuntu1 'not configured' (6): call=437,
status=complete, exitreason='',
 last-rc-change='Wed Jun 24 12:35:30 2020', queued=0ms,
exec=86ms
* r0_pacemaker_monitor_6 on server2ubuntu1 'master' (8):
call=438,
status=complete, exitreason='',
 last-rc-change='Wed Jun 24 12:36:30 2020', queued=0ms, exec=0ms
* dlm_start_0 on server4ubuntu1 'not configured' (6): call=441,
status=complete, exitreason='',
 last-rc-change='Wed Jun 24 12:35:30 2020', queued=0ms,
exec=74ms


Daemon Status:
   corosync: active/disabled
   pacemaker: active/disabled
   pcsd: active/enabled



I have researched the shown dlm Problem but everything I have found
says
that configuring STONITH would solve that issue.
Could please someone advise on how to proceed?

Thank you in advance!

Kind regards
Stefan Schmitz


___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/


___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/

___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/