
How I/O Fencing Works in Different Event Scenarios

The following scenarios describe how I/O fencing works to prevent data corruption in different failure events. Each scenario lists what happens on Node A, what happens on Node B, and the corrective operator action.

Event: Both private networks fail.
Node A: Node A races for a majority of the coordinator disks. If Node A wins the race for the coordinator disks, it ejects Node B from the shared disks and continues.
Node B: Node B races for a majority of the coordinator disks. If Node B loses the race for the coordinator disks, it removes itself from the cluster.
Operator action: When Node B is ejected from the cluster, repair the private networks before attempting to bring Node B back.

Event: Both private networks function again after the event above.
Node A: Node A continues to work.
Node B: Node B has crashed. It cannot start the database since it is unable to write to the data disks.
Operator action: Reboot Node B after the private networks are restored.

Event: One private network fails.
Node A: Node A prints a message about an IOFENCE on the console but continues.
Node B: Node B prints a message about an IOFENCE on the console but continues.
Operator action: Repair the private network. After the network is repaired, both nodes automatically use it.

Event: Node A hangs.
Node A: Node A is extremely busy for some reason or is in the kernel debugger. When Node A is no longer hung or in the kernel debugger, any queued writes to the data disks fail because Node A has been ejected. When Node A receives a message from GAB about being ejected, it removes itself from the cluster.
Node B: Node B loses heartbeats with Node A and races for a majority of the coordinator disks. Node B wins the race for the coordinator disks and ejects Node A from the shared data disks.
Operator action: Verify that the private networks function and reboot Node A.

Event: Nodes A and B and the private networks lose power. The coordinator and data disks retain power. Power returns to the nodes and they reboot, but the private networks still have no power.
Node A: Node A reboots and the I/O fencing driver (vxfen) detects that Node B is registered with the coordinator disks. The driver does not see Node B listed as a member of the cluster because the private networks are down. This causes the I/O fencing device driver to prevent Node A from joining the cluster. The Node A console displays:
   Potentially a preexisting split brain. Dropping out of the cluster. Refer to the user documentation for steps required to clear preexisting split brain.
Node B: Node B reboots and the I/O fencing driver (vxfen) detects that Node A is registered with the coordinator disks. The driver does not see Node A listed as a member of the cluster because the private networks are down. This causes the I/O fencing device driver to prevent Node B from joining the cluster. The Node B console displays:
   Potentially a preexisting split brain. Dropping out of the cluster. Refer to the user documentation for steps required to clear preexisting split brain.
Operator action: Refer to System Panics to Prevent Potential Data Corruption for instructions on resolving the preexisting split-brain condition.

Event: Node A crashes while Node B is down. Node B comes up and Node A is still down.
Node A: Node A is crashed.
Node B: Node B reboots and detects that Node A is registered with the coordinator disks. The driver does not see Node A listed as a member of the cluster. The I/O fencing device driver prints a message on the console:
   Potentially a preexisting split brain. Dropping out of the cluster. Refer to the user documentation for steps required to clear preexisting split brain.
Operator action: Refer to System Panics to Prevent Potential Data Corruption for instructions on resolving the preexisting split-brain condition.

Event: The disk array containing two of the three coordinator disks is powered off, and Node B then leaves the cluster while the disk array is still powered off.
Node A: While the disk array is off but both nodes remain in the cluster, Node A continues to operate. When Node B leaves the cluster, Node A races for a majority of the coordinator disks. Node A fails because only one of the three coordinator disks is available, and it removes itself from the cluster.
Node B: Node B continues to operate as long as no nodes leave the cluster, and then leaves the cluster.
Operator action: Power on the failed disk array and restart the I/O fencing driver to enable Node A to register with all coordinator disks.
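
All of these scenarios turn on the same rule: a node may remain in the cluster only if it wins a majority of the coordinator disks. The following Python sketch is purely illustrative and is not part of the product; the real arbitration is performed by the vxfen driver using registrations on the coordinator disks, and the disk names and the grab_registration placeholder below are hypothetical.

# Illustrative model of the coordinator-disk majority rule described above.
# grab_registration stands in for whatever lets a node eject its peer's
# registration from one coordinator disk; it is a hypothetical placeholder.
def wins_fencing_race(coordinator_disks, grab_registration):
    wins = sum(1 for disk in coordinator_disks if grab_registration(disk))
    return wins > len(coordinator_disks) // 2   # need a majority, e.g. 2 of 3

# Example: with two of three coordinator disks powered off (the last scenario
# above), a node can reach at most one disk, loses the race, and removes
# itself from the cluster.
reachable = {"disk1"}
print(wins_fencing_race(["disk1", "disk2", "disk3"], lambda disk: disk in reachable))
# prints: False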

The vxfenadm Utility

Administrators can use the vxfenadm command to troubleshoot and test fencing configurations. The command's options for use by administrators are:

  • -g - read and display keys
  • -i - read SCSI inquiry information from device
  • -m - register with disks
  • -n - make a reservation with disks
  • -p - remove registrations made by other systems
  • -r - read reservations
  • -x - remove registrations
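
For example, the -g option listed above can be scripted to read the keys from several disks in one pass. The following Python sketch is illustrative only: it assumes vxfenadm is in the PATH, uses only the -g option described here, and all but the first device path are hypothetical.

# Illustrative sketch: run "vxfenadm -g" against each coordinator disk and
# print the raw output. Only the first device path appears in this guide;
# the others are hypothetical examples.
import subprocess

coordinator_disks = [
    "/dev/rdsk/c1t12d0",
    "/dev/rdsk/c1t13d0",   # hypothetical
    "/dev/rdsk/c1t14d0",   # hypothetical
]

for disk in coordinator_disks:
    result = subprocess.run(["vxfenadm", "-g", disk],
                            capture_output=True, text=True)
    print(result.stdout)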

Registration Key Formatting

The key that VxVM defines for a disk group consists of a maximum of seven bytes. This key becomes unique among the systems when VxVM prefixes it with the ID of the system. The key used for I/O fencing therefore consists of eight bytes.
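
As a concrete illustration of this layout, the eight-byte key can be modeled as one node-ID byte followed by the VxVM-defined key of up to seven bytes. The Python sketch below is for illustration only; real keys are created by VxVM and the fencing driver, not by user code, and the node-ID encoding (system ID plus 65) is the one described later in this section.

# Illustrative model of the 8-byte I/O fencing key: one node-ID byte
# (system ID + 65, so node 0 becomes 'A') followed by the VxVM key
# of at most seven bytes. Real keys are generated by VxVM/vxfen.
def fencing_key(node_id, vxvm_key):
    assert len(vxvm_key) <= 7, "VxVM key is at most seven bytes"
    return bytes([65 + node_id]) + vxvm_key.encode("ascii")

print(fencing_key(0, "PGR0000"))   # b'APGR0000' -- matches the example below
print(fencing_key(1, "PGR0000"))   # b'BPGR0000'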


The keys currently assigned to disks can be displayed by using the vxfenadm command. For example, from the system with node ID 1, display the key for the disk /dev/rdsk/c1t12d0 by entering:


vxfenadm -g /dev/rdsk/c1t12d0
Reading SCSI Registration Keys...
Device Name: /dev/rdsk/c1t12d0
Total Number of Keys: 1
key[0]:
   Key Value [Numeric Format]: 65,80,71,82,48,48,48,48
   Key Value [Character Format]: APGR0000

The -g option of vxfenadm displays all eight bytes of a key value in two formats. In the numeric format, the first byte, which represents the node ID, contains the system ID plus 65. The remaining bytes contain the ASCII values of the letters of the key, in this case "PGR0000". In the character format on the next line, node ID 0 is expressed as "A"; node ID 1 would be "B".
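
A small decoding sketch (illustrative only, not part of the product) shows how the numeric and character formats printed by vxfenadm -g relate to each other:

# Decode the numeric key format from the "vxfenadm -g" example above.
numeric_key = [65, 80, 71, 82, 48, 48, 48, 48]

node_id = numeric_key[0] - 65                     # first byte is system ID + 65
character_key = "".join(chr(b) for b in numeric_key)

print(node_id)         # 0 -- the key was registered by the node with ID 0
print(character_key)   # APGR0000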
