[CI] problem when I removed the network cable from one node

David Teigland teigland@sistina.com
Thu, 9 Aug 2001 19:28:05 -0500


On Thu, Aug 09, 2001 at 03:07:55PM -0700, Bruce Walker wrote:
> All,
>   Everything Kai-Min says below is correct.  The Split-Brain
> avoidance code (SBA) utilized a serial line between the nodes;
> before doing a takeover, the line was queried. In addition, there
> are two other approaches to the problem:
>    a: STOMITH - (Shoot The Other Man In The Head);  Sistina
>       has code for this used in GFS that needs to be integrated.
>    b: multiple interconnects;  in NSC we supported having more
>       than one ethernet between nodes and to failover if one
>       path failed;  haven't ported that part yet either.


Because my exposure to SBA systems and Quorum systems is limited, I'm really
not an expert on this, so please fill me in if I'm missing something here.

I understand SBA and Quorum algorithms as doing similar things.  They are
employed by cluster managers to determine the operating state of the cluster.
Based on this, the cluster manager will support further system functions it
has control of, or disable them.

I/O fencing (STOMITH) is something different.  Cluster managers work fine
without STOMITH.  When a node fails the cluster manager invokes various
recovery steps.  One recovery step may involve a resource shared directly by
nodes (like an FC or SCSI disk).  GFS recovery falls in this category.  The
recovery procedure for a resource like this needs to begin with STOMITH.

The answer to why STOMITH needs to be the first step in shared resource
recovery is another topic which is simple but often not completely understood.

In an arrangement where a software layer can be programmed on the side of the
shared resource, STOMITH simplifies to a situation where the software in front
of the shared resource blocks access from a STOMITH victim.  This is so simple
that it's often not even explicitly pointed out in systems which do it.

So, a cluster where STOMITH happens to be a part of a recovery step still
requires some sort of SBA or Quorum in the cluster manager.

-- 
Dave Teigland  <teigland@sistina.com>