Linux HA 集群原理和配置-02
本文介绍在Linux HA集群中的仲裁和分区概念。
集群正常工作时,所有节点都在一个分区内(partition),分区内的所有节点将选举出一个仲裁节点,这个仲裁节点负责向其他节点发送集群控制命令。当网络发生故障时,集群中的节点发现无法和仲裁节点通信,则会在可通信的范围内重新选举一个新的仲裁节点。此时集群内可能出现多个仲裁节点,每个仲裁节点的管理范围为一个分区。
0. 准备:启动防火墙
下文中将通过防火墙策略的设置模拟集群网络中通信出现异常的各种情况,如:
- 有一个节点down机,其他节点均无法访问该节点。
- 两个节点之间的网络故障,两个节点互相无法访问,当时其他节点均能访问这两个节点。
通过防火墙策略可以精准控制两两节点之间的连通性,使我们能更准确的了解在网络连通性发生变化对集群的影响。
在所有节点上启动防火墙,并添加策略对整个管理网络192.168.56.0/24放通。
# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
# systemctl start iptables
# iptables -I INPUT 1 -s 192.168.56.0/24 -j ACCEPT
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.56.0/24 anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
...
保存上述策略,之后在实验过程会使用iptables命名加入新策略模拟网络通信异常效果,如果需要恢复网络通信正常状态,直接不保存策略重启firewalld服务即可。
# service iptables save
1. 集群正常工作
通过pcs status查看集群状态:
[root@ha-host1 ~]# pcs status
Cluster name: linuxha
Stack: corosync
Current DC: ha-host3 (version 1.1.16-12.el7_4.8-94ff4df) - partition with quorum
Last updated: Mon Apr 23 15:43:42 2018
Last change: Mon Apr 23 15:41:10 2018 by root via cibadmin on ha-host3
3 nodes configured
1 resource configured
Online: [ ha-host1 ha-host2 ha-host3 ]
Full list of resources:
vip (ocf::heartbeat:IPaddr2): Started ha-host1
Daemon Status:
corosync: active/enabled
pacemaker: active/enabled
pcsd: active/enabled
上述结果显示当前集群只有一个分区,分区内的节点包括全部3台主机,仲裁节点是ha-host3,这表示集群间的通信是完好的。下图显示当前集群状态:
2. 一个普通节点和仲裁节点的连接中断
在ha-host1上添加以下策略:
[root@ha-host1 ~]# iptables -I INPUT 1 -s 192.168.56.23/32 -j REJECT
该策略将使得ha-host1和ha-host3之间的通信中断,在所有节点上查看集群状态:
[root@ha-host1 ~]# pcs status
...
Current DC: ha-host2 (version 1.1.16-12.el7_4.8-94ff4df) - partition with quorum
...
Online: [ ha-host1 ha-host2 ]
OFFLINE: [ ha-host3 ]
[root@ha-host2 pcsd]# pcs status
...
Current DC: ha-host2 (version 1.1.16-12.el7_4.8-94ff4df) - partition with quorum
...
Online: [ ha-host1 ha-host2 ]
OFFLINE: [ ha-host3 ]
...
[root@ha-host3 ~]# pcs status
...
Current DC: ha-host3 (version 1.1.16-12.el7_4.8-94ff4df) - partition WITHOUT quorum
...
Online: [ ha-host3 ]
OFFLINE: [ ha-host1 ha-host2 ]
...
上面的结果显示,ha-host1失去和当前仲裁节点ha-host3的联系之后,和ha-host2一起组成新的分区并选举出ha-host2作为新的仲裁节点。有趣的是ha-host2和ha-host3的通信并未中断,但是他被“优先级较高的ha-host1抢走并推举为老大”,剩下ha-host3独自留在其自身所在的分区。此时ha-host3所在的分区提示了“partition WITHOUT quorum”,表示该分区中的节点数目不超过一半。
下图显示当前集群状态:
3. 不完整分区中的普通节点和仲裁节点的连接中断
在ha-host1上再添加策略:
[root@ha-host1 ~]# iptables -I INPUT 1 -s 192.168.56.22/32 -j REJECT
使其和当前的仲裁节点ha-host2的通信中断,集群状态变为:
[root@ha-host1 ~]# pcs status
...
Current DC: ha-host1 (version 1.1.16-12.el7_4.8-94ff4df) - partition WITHOUT quorum
...
Online: [ ha-host1 ]
OFFLINE: [ ha-host2 ha-host3 ]
Full list of resources:
vip (ocf::heartbeat:IPaddr2): Stopped
...
[root@ha-host2 ~]# pcs status
...
Current DC: ha-host3 (version 1.1.16-12.el7_4.8-94ff4df) - partition with quorum
...
Online: [ ha-host2 ha-host3 ]
OFFLINE: [ ha-host1 ]
Full list of resources:
vip (ocf::heartbeat:IPaddr2): Started ha-host2
...
[root@ha-host3 ~]# pcs status
...
Current DC: ha-host3 (version 1.1.16-12.el7_4.8-94ff4df) - partition with quorum
...
Online: [ ha-host2 ha-host3 ]
OFFLINE: [ ha-host1 ]
Full list of resources:
vip (ocf::heartbeat:IPaddr2): Started ha-host2
...
发现ha-host2和ha-host3一起组成了新的分区,由于ha-host1所在分区节点数不足一半,无法启动资源,虚拟ip资源vip被切换到了ha-host2上。下图显示当前集群状态:
4. 所有节点的两两间连接中断
如果再把ha-host2和ha-host3直接的通信中断,此时3个节点间两两均无法通信。每个节点都是一个分区,每个分区的主机数均不过半,因此无法启动任何资源,原先运行在ha-host2上的vip也停止了。
[root@ha-host2 ~]# iptables -I INPUT 1 -s 192.168.56.23/32 -j REJECT
[root@ha-host2 ~]# pcs status
Cluster name: linuxha
Stack: corosync
Current DC: ha-host2 (version 1.1.16-12.el7_4.8-94ff4df) - partition WITHOUT quorum
Last updated: Mon Apr 23 16:03:28 2018
Last change: Mon Apr 23 15:41:10 2018 by root via cibadmin on ha-host3
3 nodes configured
1 resource configured
Online: [ ha-host2 ]
OFFLINE: [ ha-host1 ha-host3 ]
Full list of resources:
vip (ocf::heartbeat:IPaddr2): Stopped
Daemon Status:
corosync: active/enabled
pacemaker: active/enabled
pcsd: active/enabled
当前集群状态如下图: