<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Andrew,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">How much of this is RDO specific ? It seems to be a generic approach similar to Russel Bryant’s blogs using pacemaker to get VM HA.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Can these approaches be converged to come up with a community supported approach for all OpenStack configurations ?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> rdo-list-bounces@redhat.com [mailto:rdo-list-bounces@redhat.com]
<b>On Behalf Of </b>Pedro Sousa<br>
<b>Sent:</b> 11 April 2015 01:32<br>
<b>To:</b> Andrew Beekhof<br>
<b>Cc:</b> milind.manjrekar@redhat.com; rdo-list@redhat.com; rhos-pgm; Perry Myers; Marcos Garcia; Balaji Jayavelu<br>
<b>Subject:</b> Re: [Rdo-list] New deployment model for HA compute nodes - now with automated recovery of VMs<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi Andrew,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I've checked your git, great work, but I'm using native toois with keepalived approach, using mmonit utility to monitor the infrastructure without pacemaker/corosync.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I'm testing this approach to evacuate and disable a compute node, if something fails. What approach do you consider best, having in mind that a external monitoring tool like mmonit is not "cluster aware" and doesn't do things like fencing
the dead node like pacemaker does?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thank you.<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Wed, Apr 8, 2015 at 3:12 AM, Andrew Beekhof <<a href="mailto:abeekhof@redhat.com" target="_blank">abeekhof@redhat.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal">Previously in order monitor the healthiness of compute nodes and the services running on them, we had to create single node clusters due to corosync's scaling limits.<br>
We can now announce a new deployment model that allows Pacemaker to continue this role, but presents a single coherent view of the entire deployment while allowing us to scale beyond corosync's limits.<br>
<br>
Having this single administrative domain then allows us to do clever things like automated recovery of VMs running on a failed or failing compute node.<br>
<br>
The main difference with the previous deployment mode is that services on the compute nodes are now managed and driven by the Pacemaker cluster on the control plane.<br>
The compute nodes do not become full members of the cluster and they no longer require the full cluster stack, instead they run pacemaker_remoted which acts as a conduit.<br>
<br>
Implementation Details:<br>
<br>
- Pacemaker monitors the connection to pacemaker_remoted to verify that the node is reachable or not.<br>
Failure to talk to a node triggers recovery action.<br>
<br>
- Pacemaker uses pacemaker_remoted to start compute node services in the same sequence as before (neutron-ovs-agent -> ceilometer-compute -> nova-compute).<br>
<br>
- If a service fails to start, any services that depend on the FAILED service will not be started.<br>
This avoids the issue of adding a broken node (back) to the pool.<br>
<br>
- If a service fails to stop, the node where the service is running will be fenced.<br>
This is necessary to guarantee data integrity and a core HA concept (for the purposes of this particular discussion, please take this as a given).<br>
<br>
- If a service's health check fails, the resource (and anything that depends on it) will be stopped and then restarted.<br>
Remember that failure to stop will trigger a fencing action.<br>
<br>
- A successful restart of all the services can only potentially affect network connectivity of the instances for a short period of time.<br>
<br>
With these capabilities in place, we can exploit Pacemaker's node monitoring and fencing capabilities to drive nova host-evacuate for the failed compute nodes and recover the VMs elsewhere.<br>
When a compute node fails, Pacemaker will:<br>
<br>
1. Execute 'nova service-disable'<br>
2. fence (power off) the failed compute node<br>
3. fence_compute off (waiting for nova to detect the compute node is gone)<br>
4. fence_compute on (a no-op unless the host happens to be up already)<br>
5. Execute 'nova service-enable' when the compute node returns<br>
<br>
Technically steps 1 and 5 are optional and they are aimed to improve user experience by immediately excluding a failed host from nova scheduling.<br>
The only benefit is a faster scheduling of VMs that happens during a failure (nova does not have to recognize a host is down, timeout and subsequently schedule the VM on another host).<br>
<br>
Step 2 will make sure the host is completely powered off and nothing is running on the host.<br>
Optionally, you can have the failed host reboot which would potentially allow it to re-enter the pool.<br>
<br>
We have an implementation for Step 3 but the ideal solution depends on extensions to the nova API.<br>
Currently fence_compute loops, waiting for nova to recognise that the failed host is down, before we make a host-evacuate call which triggers nova to restart the VMs on another host.<br>
The discussed nova API extensions will speed up recovery times by allowing fence_compute to proactively push that information into nova instead.<br>
<br>
<br>
To take advantage of the VM recovery features:<br>
<br>
- VMs need to be running off a cinder volume or using shared ephemeral storage (like RBD or NFS)<br>
- If VM is not running using shared storage, recovery of the instance on a new compute node would need to revert to a previously stored snapshot/image in Glance (potentially losing state, but in some cases that may not matter)<br>
- RHEL7.1+ required for infrastructure nodes (controllers and compute). Instance guests can run anything.<br>
- Compute nodes need to have a working fencing mechanism (IPMI, hardware watchdog, etc)<br>
<br>
<br>
Detailed instructions for deploying this new model are of course available on Github:<br>
<br>
<a href="https://github.com/beekhof/osp-ha-deploy/blob/master/ha-openstack.md#compute-node-implementation" target="_blank">
https://github.com/beekhof/osp-ha-deploy/blob/master/ha-openstack.md#compute-node-implementation</a><br>
<br>
It has been successfully deployed in our labs, but we'd really like to hear how it works for you in the field.<br>
Please contact me if you encounter any issues.<br>
<br>
-- Andrew<br>
<br>
_______________________________________________<br>
Rdo-list mailing list<br>
<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/rdo-list" target="_blank">https://www.redhat.com/mailman/listinfo/rdo-list</a><br>
<br>
To unsubscribe: <a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>