RHCSA and RHCE Cert Guide and Lab Manual

Download as pdf or txt
Download as pdf or txt
You are on page 1of 318
At a glance
Powered by AI
The document discusses Serviceguard for Linux, which is a high availability clustering software. It provides failover capabilities and can be used to configure clusters across extended distances.

Some of the main components of Serviceguard for Linux discussed are failover, Serviceguard Manager for monitoring and administering clusters, and configuration using packages.

The document discusses redundant cluster components like shared disks and network components. It also mentions some sample disk configurations and considerations for network, power supply and space planning.

Managing HP Serviceguard A.11.20.

20 for
Linux

HP Part Number: 701460-004


Published: February 2014
Copyright 2006, 2014 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendors standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express
warranty statements accompanying such products and services. Nothing herein must be construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions contained herein.

HP Serviceguard is a registered trademark of Hewlett-Packard Company, and is protected by copyright.

NIS is a trademark of Sun Microsystems, Inc.

UNIX is a registered trademark of The Open Group.

Linux is a registered trademark of Linus Torvalds.

Red Hat is a registered trademark of Red Hat Software, Inc.

SUSE is a registered trademark of SUSE AG, a Novell Business.


Contents
Printing History ..........................................................................................15

Preface......................................................................................................17

1 Serviceguard for Linux at a Glance.............................................................19


1.1 What is Serviceguard for Linux? .........................................................................................19
1.1.1 Failover.....................................................................................................................20
1.2 Using Serviceguard for Configuring in an Extended Distance Cluster Environment......................21
1.3 Using Serviceguard Manager.............................................................................................22
1.3.1 Monitoring Clusters with Serviceguard Manager............................................................22
1.3.2 Administering Clusters with Serviceguard Manager........................................................22
1.3.3 Configuring Clusters with Serviceguard Manager...........................................................22
1.3.4 Starting Serviceguard Manager...................................................................................22
1.4 Configuration Roadmap.....................................................................................................22

2 Understanding Hardware Configurations for Serviceguard for Linux................25


2.1 Redundant Cluster Components...........................................................................................25
2.2 Redundant Network Components .......................................................................................25
2.2.1 Rules and Restrictions.................................................................................................26
2.2.2 Redundant Ethernet Configuration ...............................................................................26
2.2.3 Cross-Subnet Configurations.......................................................................................27
2.2.3.1 Configuration Tasks............................................................................................27
2.2.3.2 Restrictions........................................................................................................28
2.2.3.3 For More Information..........................................................................................28
2.3 Redundant Disk Storage.....................................................................................................29
2.3.1 Supported Disk Interfaces ..........................................................................................29
2.3.1.1 Using iSCSI LUNs as Shared Storage.....................................................................29
2.3.2 Disk Monitoring........................................................................................................30
2.3.3 Sample Disk Configurations .......................................................................................30
2.4 Redundant Power Supplies ................................................................................................30

3 Understanding Serviceguard Software Components......................................33


3.1 Serviceguard Architecture...................................................................................................33
3.1.1 Serviceguard Daemons...............................................................................................33
3.1.1.1 Configuration Daemon: cmclconfd.........................................................................34
3.1.1.2 Cluster Daemon: cmcld........................................................................................34
3.1.1.3 Network Manager Daemon: cmnetd......................................................................35
3.1.1.4 Log Daemon: cmlogd...........................................................................................35
3.1.1.5 Lock LUN Daemon: cmdisklockd............................................................................35
3.1.1.6 Generic Resource Assistant Daemon: cmresourced...................................................35
3.1.1.7 Persistent Reservation Daemon: cmprd....................................................................35
3.1.1.8 Service Assistant Daemon: cmserviced...................................................................35
3.1.1.9 Quorum Server Daemon: qs.................................................................................35
3.1.1.10 Utility Daemon: cmlockd......................................................................................36
3.1.1.11 Cluster SNMP Agent Daemon: cmsnmpd...............................................................36
3.1.1.12 Cluster WBEM Agent Daemon: cmwbemd.............................................................36
3.1.1.13 Proxy Daemon: cmproxyd....................................................................................36
3.1.2 Serviceguard WBEM Provider......................................................................................37

Contents 3
3.1.2.1 What is WBEM?.................................................................................................37
3.1.2.2 Support for Serviceguard WBEM Provider..............................................................37
3.1.2.3 WBEM Query....................................................................................................37
3.1.2.4 WBEM Indications..............................................................................................38
3.2 How the Cluster Manager Works .......................................................................................38
3.2.1 Configuration of the Cluster ........................................................................................38
3.2.2 Heartbeat Messages .................................................................................................39
3.2.3 Manual Startup of Entire Cluster..................................................................................39
3.2.4 Automatic Cluster Startup ..........................................................................................39
3.2.5 Dynamic Cluster Re-formation .....................................................................................40
3.2.6 Cluster Quorum to Prevent Split-Brain Syndrome............................................................40
3.2.7 Cluster Lock..............................................................................................................40
3.2.8 Use of a Lock LUN as the Cluster Lock..........................................................................40
3.2.9 Use of the Quorum Server as a Cluster Lock..................................................................41
3.2.10 No Cluster Lock ......................................................................................................42
3.2.11 What Happens when You Change the Quorum Configuration Online.............................43
3.3 How the Package Manager Works......................................................................................43
3.3.1 Package Types...........................................................................................................43
3.3.1.1 Non-failover Packages.........................................................................................43
3.3.1.2 Failover Packages...............................................................................................44
3.3.1.2.1 Configuring Failover Packages ......................................................................44
3.3.1.2.2 Deciding When and Where to Run and Halt Failover Packages ........................44
3.3.1.2.3 Failover Packages Switching Behavior...........................................................45
3.3.1.2.4 Failover Policy.............................................................................................47
3.3.1.2.5 Automatic Rotating Standby..........................................................................47
3.3.1.2.6 Failback Policy............................................................................................50
3.3.1.2.7 On Combining Failover and Failback Policies.................................................53
3.3.2 Using the Generic Resources Monitoring Service...........................................................53
3.3.3 Using Older Package Configuration Files......................................................................54
3.4 How Packages Run...........................................................................................................54
3.4.1 What Makes a Package Run?......................................................................................55
3.4.2 Before the Control Script Starts....................................................................................56
3.4.3 During Run Script Execution........................................................................................57
3.4.4 Normal and Abnormal Exits from the Run Script............................................................58
3.4.5 Service Startup with cmrunserv....................................................................................58
3.4.6 While Services are Running........................................................................................58
3.4.7 When a Service or Subnet Fails or Generic Resource or a Dependency is Not Met............59
3.4.8 When a Package is Halted with a Command................................................................59
3.4.9 During Halt Script Execution.......................................................................................59
3.4.10 Normal and Abnormal Exits from the Halt Script..........................................................60
3.4.10.1 Package Control Script Error and Exit Conditions...................................................61
3.5 How the Network Manager Works ....................................................................................62
3.5.1 Stationary and Relocatable IP Addresses and Monitored Subnets.....................................62
3.5.2 Types of IP Addresses................................................................................................63
3.5.3 Adding and Deleting Relocatable IP Addresses ............................................................63
3.5.3.1 Load Sharing ....................................................................................................63
3.5.4 Bonding of LAN Interfaces .........................................................................................63
3.5.5 Bonding for Load Balancing.......................................................................................66
3.5.6 Monitoring LAN Interfaces and Detecting Failure: Link Level............................................66
3.5.7 Monitoring LAN Interfaces and Detecting Failure: IP Level...............................................66
3.5.7.1 Reasons To Use IP Monitoring..............................................................................67
3.5.7.2 How the IP Monitor Works..................................................................................67
3.5.7.2.1 Failure and Recovery Detection Times............................................................68
3.5.7.3 Constraints and Limitations..................................................................................69
3.5.8 Reporting Link-Level and IP-Level Failures.......................................................................69

4 Contents
3.5.9 Package Switching and Relocatable IP Addresses..........................................................69
3.5.10 Address Resolution Messages after Switching on the Same Subnet .................................70
3.5.11 VLAN Configurations................................................................................................70
3.5.11.1 What is VLAN?.................................................................................................70
3.5.11.2 Support for Linux VLAN......................................................................................70
3.5.11.3 Configuration Restrictions....................................................................................70
3.5.11.4 Additional Heartbeat Requirements......................................................................71
3.6 Volume Managers for Data Storage....................................................................................71
3.6.1 Storage on Arrays......................................................................................................71
3.6.2 Monitoring Disks.......................................................................................................72
3.6.3 More Information on LVM...........................................................................................72
3.7 About Persistent Reservations..............................................................................................72
3.7.1 Rules and Limitations..................................................................................................73
3.7.2 How Persistent Reservations Work................................................................................74
3.8 Responses to Failures ........................................................................................................75
3.8.1 Reboot When a Node Fails .......................................................................................75
3.8.1.1 What Happens when a Node Times Out...............................................................75
3.8.1.1.1 Example .....................................................................................................76
3.8.2 Responses to Hardware Failures .................................................................................76
3.8.3 Responses to Package and Service Failures ..................................................................77
3.8.4 Responses to Package and Generic Resources Failures...................................................77
3.8.4.1 Service Restarts .................................................................................................78
3.8.4.2 Network Communication Failure .........................................................................78

4 Planning and Documenting an HA Cluster ..................................................79


4.1 General Planning .............................................................................................................79
4.1.1 Serviceguard Memory Requirements.............................................................................79
4.1.2 Planning for Expansion ..............................................................................................79
4.2 Using Serviceguard with Virtual Machines...........................................................................80
4.2.1 Rules and Restrictions.................................................................................................80
4.2.2 Supported cluster configuration options........................................................................81
4.3 Hardware Planning ..........................................................................................................81
4.3.1 SPU Information ........................................................................................................81
4.3.2 LAN Information ......................................................................................................81
4.3.3 Shared Storage.........................................................................................................82
4.3.3.1 FibreChannel.....................................................................................................82
4.3.3.2 iSCSI...............................................................................................................82
4.3.3.3 Multipath for Storage ........................................................................................82
4.3.4 Disk I/O Information ................................................................................................83
4.3.5 Hardware Configuration Worksheet ............................................................................83
4.4 Power Supply Planning .....................................................................................................84
4.4.1 Power Supply Configuration Worksheet .......................................................................84
4.5 Cluster Lock Planning........................................................................................................84
4.5.1 Cluster Lock Requirements...........................................................................................85
4.5.2 Planning for Expansion..............................................................................................85
4.5.3 Using a Quorum Server.............................................................................................85
4.5.3.1 Quorum Server Worksheet .................................................................................85
4.6 Volume Manager Planning ................................................................................................85
4.6.1 Volume Groups and Physical Volume Worksheet............................................................86
4.7 Cluster Configuration Planning ..........................................................................................86
4.7.1 Easy Deployment: cmpreparecl....................................................................................86
4.7.2 Heartbeat Subnet and Cluster Re-formation Time ..........................................................88
4.7.3 About Hostname Address Families: IPv4-Only, IPv6-Only, and Mixed Mode......................88
4.7.3.1 What Is IPv4only Mode?...................................................................................88

Contents 5
4.7.3.2 What Is IPv6-Only Mode?...................................................................................88
4.7.3.2.1 Rules and Restrictions for IPv6-Only Mode......................................................89
4.7.3.2.2 Recommendations for IPv6-Only Mode..........................................................90
4.7.3.3 What Is Mixed Mode?........................................................................................90
4.7.3.3.1 Rules and Restrictions for Mixed Mode...........................................................90
4.7.4 Cluster Configuration Parameters ................................................................................90
4.7.5 Cluster Configuration: Next Step ..............................................................................104
4.8 Package Configuration Planning ......................................................................................104
4.8.1 Logical Volume and File System Planning ...................................................................105
4.8.2 Planning for NFS-mounted File Systems......................................................................106
4.8.3 Planning for Expansion............................................................................................107
4.8.4 Choosing Switching and Failover Behavior.................................................................107
4.8.5 Parameters for Configuring Generic Resources............................................................108
4.8.6 Configuring a Generic Resource...............................................................................109
4.8.6.1 Getting and Setting the Status/Value of a Simple/Extended Generic Resource.........111
4.8.6.1.1 Using Serviceguard Command to Get the Status/Value of a Simple/Extended
Generic Resource...................................................................................................111
4.8.6.1.2 Using Serviceguard Command to Set the Status/Value of a Simple/Extended
Generic Resource...................................................................................................111
4.8.6.2 Online Reconfiguration of Generic Resources......................................................112
4.8.6.3 Online Reconfiguration of serviceguard-xdc Modular Package Parameters...............112
4.8.7 About Package Dependencies..................................................................................113
4.8.7.1 Simple Dependencies.......................................................................................113
4.8.7.2 Rules for Simple Dependencies..........................................................................113
4.8.7.2.1 Dragging Rules for Simple Dependencies.....................................................115
4.8.7.3 Guidelines for Simple Dependencies..................................................................117
4.8.7.4 Extended Dependencies...................................................................................117
4.8.7.4.1 Rules for Exclusionary Dependencies...........................................................118
4.8.7.4.2 Rules for different_node and any_node Dependencies...................................119
4.8.8 What Happens When a Package Fails......................................................................119
4.8.9 For More Information...............................................................................................120
4.8.10 About Package Weights..........................................................................................120
4.8.10.1 Package Weights and Node Capacities............................................................120
4.8.10.2 Configuring Weights and Capacities................................................................120
4.8.10.3 Simple Method..............................................................................................121
4.8.10.3.1 Example 1.............................................................................................121
4.8.10.3.2 Points to Keep in Mind............................................................................122
4.8.10.4 Comprehensive Method..................................................................................122
4.8.10.4.1 Defining Capacities.................................................................................122
4.8.10.4.2 Defining Weights...................................................................................124
4.8.10.5 Rules and Guidelines......................................................................................126
4.8.10.6 For More Information......................................................................................126
4.8.10.7 How Package Weights Interact with Package Priorities and Dependencies..............126
4.8.10.7.1 Example 1..............................................................................................127
4.8.10.7.2 Example 2.............................................................................................127
4.8.11 About External Scripts.............................................................................................127
4.8.11.1 Using Serviceguard Commands in an External Script............................................129
4.8.11.2 Determining Why a Package Has Shut Down......................................................130
4.8.11.2.1 last_halt_failed Flag..................................................................................130
4.8.12 About Cross-Subnet Failover....................................................................................130
4.8.12.1 Implications for Application Deployment.............................................................131
4.8.12.2 Configuring a Package to Fail Over across Subnets: Example...............................131
4.8.12.2.1 Configuring node_name...........................................................................131
4.8.12.2.2 Configuring monitored_subnet_access.......................................................132
4.8.12.2.3 Configuring ip_subnet_node.....................................................................132

6 Contents
4.8.13 Configuring a Package: Next Steps..........................................................................132
4.9 Planning for Changes in Cluster Size.................................................................................132

5 Building an HA Cluster Configuration........................................................135


5.1 Preparing Your Systems ...................................................................................................135
5.1.1 Installing and Updating Serviceguard .........................................................................135
5.1.2 Understanding the Location of Serviceguard Files.........................................................135
5.1.3 Enabling Serviceguard Command Access....................................................................136
5.1.4 Configuring Root-Level Access....................................................................................136
5.1.4.1 Allowing Root Access to an Unconfigured Node...................................................136
5.1.4.2 Ensuring that the Root User on Another Node Is Recognized..................................137
5.1.4.2.1 About identd.............................................................................................137
5.1.5 Configuring Name Resolution....................................................................................137
5.1.5.1 Safeguarding against Loss of Name Resolution Services.........................................139
5.1.6 Ensuring Consistency of Kernel Configuration ..............................................................140
5.1.7 Enabling the Network Time Protocol ..........................................................................140
5.1.8 Implementing Channel Bonding (Red Hat)...................................................................140
5.1.8.1 Sample Configuration........................................................................................140
5.1.8.2 Restarting Networking.......................................................................................141
5.1.8.3 Viewing the Configuration.................................................................................142
5.1.9 Implementing Channel Bonding (SUSE).......................................................................142
5.1.9.1 Restarting Networking.......................................................................................143
5.1.10 Setting up a Lock LUN.............................................................................................143
5.1.11 Setting Up and Running the Quorum Server................................................................145
5.1.12 Creating the Logical Volume Infrastructure ..................................................................145
5.1.12.1 Displaying Disk Information...............................................................................146
5.1.12.2 Creating Partitions...........................................................................................147
5.1.12.3 Enabling Volume Group Activation Protection......................................................148
5.1.12.4 Building Volume Groups: Example for Smart Array Cluster Storage (MSA 2000
Series).......................................................................................................................149
5.1.12.5 Building Volume Groups and Logical Volumes.....................................................150
5.1.12.6 Distributing the Shared Configuration to all Nodes...............................................150
5.1.12.7 Testing the Shared Configuration.......................................................................151
5.1.12.8 Storing Volume Group Configuration Data .........................................................152
5.1.12.8.1 Preventing Boot-Time vgscan and Ensuring Serviceguard Volume Groups Are
Deactivated...........................................................................................................152
5.1.12.9 Setting up Disk Monitoring................................................................................153
5.2 Configuring the Cluster....................................................................................................153
5.2.1 cmquerycl Options...................................................................................................154
5.2.1.1 Speeding up the Process....................................................................................154
5.2.1.2 Specifying the Address Family for the Cluster Hostnames.......................................154
5.2.1.3 Specifying the Address Family for the Heartbeat ..................................................154
5.2.1.4 Specifying the Cluster Lock.................................................................................155
5.2.1.5 Full Network Probing.........................................................................................155
5.2.2 Specifying a Lock LUN.............................................................................................155
5.2.3 Specifying a Quorum Server.....................................................................................155
5.2.4 Obtaining Cross-Subnet Information...........................................................................156
5.2.5 Identifying Heartbeat Subnets...................................................................................157
5.2.6 Specifying Maximum Number of Configured Packages ...............................................158
5.2.7 Modifying the MEMBER_TIMEOUT Parameter.............................................................158
5.2.8 Controlling Access to the Cluster...............................................................................158
5.2.8.1 A Note about Terminology................................................................................158
5.2.8.2 How Access Roles Work...................................................................................158
5.2.8.3 Levels of Access...............................................................................................159

Contents 7
5.2.8.4 Setting up Access-Control Policies......................................................................160
5.2.8.4.1 Role Conflicts...........................................................................................162
5.2.8.5 Package versus Cluster Roles.............................................................................163
5.2.9 Verifying the Cluster Configuration ............................................................................163
5.2.10 Cluster Lock Configuration Messages........................................................................163
5.2.11 Distributing the Binary Configuration File ..................................................................164
5.3 Managing the Running Cluster.........................................................................................164
5.3.1 Checking Cluster Operation with Serviceguard Commands...........................................164
5.3.2 Setting up Autostart Features ....................................................................................165
5.3.3 Changing the System Message ................................................................................166
5.3.4 Managing a Single-Node Cluster..............................................................................166
5.3.4.1 Single-Node Operation....................................................................................166
5.3.5 Disabling identd......................................................................................................166
5.3.6 Deleting the Cluster Configuration ............................................................................167
5.4 Rebuilding the Deadman Driver........................................................................................167

6 Configuring Packages and Their Services ..................................................169


6.1 Choosing Package Modules.............................................................................................169
6.1.1 Types of Package: Failover, Multi-Node, System Multi-Node............................................170
6.1.2 Differences between Failover and Multi-Node Packages................................................170
6.1.3 Package Modules and Parameters..............................................................................171
6.1.3.1 Base Package Modules......................................................................................171
6.1.3.2 Optional Package Modules................................................................................172
6.1.4 Package Parameter Explanations................................................................................174
6.1.4.1 package_name.................................................................................................175
6.1.4.2 module_name..................................................................................................175
6.1.4.3 module_version................................................................................................175
6.1.4.4 package_type..................................................................................................175
6.1.4.5 package_description.........................................................................................175
6.1.4.6 node_name.....................................................................................................176
6.1.4.7 auto_run.........................................................................................................176
6.1.4.8 node_fail_fast_enabled.....................................................................................176
6.1.4.9 run_script_timeout.............................................................................................177
6.1.4.10 halt_script_timeout...........................................................................................177
6.1.4.11 successor_halt_timeout.....................................................................................178
6.1.4.12 script_log_file..................................................................................................178
6.1.4.13 operation_sequence.........................................................................................178
6.1.4.14 log_level........................................................................................................178
6.1.4.15 failover_policy................................................................................................178
6.1.4.16 failback_policy................................................................................................179
6.1.4.17 priority...........................................................................................................179
6.1.4.18 dependency_name..........................................................................................180
6.1.4.19 dependency_condition.....................................................................................180
6.1.4.20 dependency_location......................................................................................180
6.1.4.21 weight_name, weight_value.............................................................................181
6.1.4.22 monitored_subnet...........................................................................................181
6.1.4.23 monitored_subnet_access................................................................................182
6.1.4.24 ip_subnet......................................................................................................182
6.1.4.25 ip_subnet_node .............................................................................................183
6.1.4.26 ip_address.....................................................................................................183
6.1.4.27 service_name.................................................................................................183
6.1.4.28 service_cmd...................................................................................................183
6.1.4.29 service_restart................................................................................................184
6.1.4.30 service_fail_fast_enabled.................................................................................184

8 Contents
6.1.4.31 service_halt_timeout........................................................................................184
6.1.4.32 generic_resource_name...................................................................................184
6.1.4.33 generic_resource_evaluation_type.....................................................................185
6.1.4.34 generic_resource_up_criteria............................................................................185
6.1.4.35 vgchange_cmd..............................................................................................186
6.1.4.36 vg................................................................................................................186
6.1.4.37 File system parameters.....................................................................................186
6.1.4.38 concurrent_fsck_operations..............................................................................187
6.1.4.39 fs_mount_retry_count.......................................................................................187
6.1.4.40 fs_umount_retry_count ....................................................................................187
6.1.4.41 fs_name........................................................................................................187
6.1.4.42 fs_server........................................................................................................188
6.1.4.43 fs_directory....................................................................................................188
6.1.4.44 fs_type..........................................................................................................188
6.1.4.45 fs_mount_opt.................................................................................................189
6.1.4.46 fs_umount_opt................................................................................................189
6.1.4.47 fs_fsck_opt.....................................................................................................189
6.1.4.48 pv................................................................................................................190
6.1.4.49 pev_.............................................................................................................190
6.1.4.50 external_pre_script..........................................................................................190
6.1.4.51 external_script................................................................................................190
6.1.4.52 user_host.......................................................................................................190
6.1.4.53 user_name.....................................................................................................191
6.1.4.54 user_role.......................................................................................................191
6.1.4.55 Additional Parameters Used Only by Legacy Packages........................................191
6.2 Generating the Package Configuration File.........................................................................191
6.2.1 Before You Start.......................................................................................................192
6.2.2 cmmakepkg Examples.............................................................................................192
6.2.3 Next Step...............................................................................................................193
6.3 Editing the Configuration File............................................................................................193
6.4 Adding or Removing a Module from an Existing Package.....................................................196
6.5 Verifying and Applying the Package Configuration..............................................................196
6.6 Alert Notification for Serviceguard Environment..................................................................197
6.7 Adding the Package to the Cluster....................................................................................198
6.8 Creating a Disk Monitor Configuration..............................................................................198

7 Cluster and Package Maintenance............................................................199


7.1 Reviewing Cluster and Package Status ...............................................................................199
7.1.1 Reviewing Cluster and Package Status with the cmviewcl Command.................................199
7.1.2 Viewing Package Dependencies.................................................................................199
7.1.3 Cluster Status ..........................................................................................................199
7.1.4 Node Status and State .............................................................................................200
7.1.5 Package Status and State...........................................................................................200
7.1.6 Package Switching Attributes......................................................................................202
7.1.7 Service Status ..........................................................................................................202
7.1.8 Generic Resource Status............................................................................................202
7.1.9 Network Status.........................................................................................................202
7.1.10 Failover and Failback Policies....................................................................................202
7.1.11 Examples of Cluster and Package States .....................................................................203
7.1.11.1 Normal Running Status......................................................................................203
7.1.11.2 Quorum Server Status........................................................................................204
7.1.11.3 Status After Halting a Package............................................................................204
7.1.11.4 Status After Moving the Package to Another Node................................................205
7.1.11.5 Status After Package Switching is Enabled............................................................206

Contents 9
7.1.11.6 Status After Halting a Node...............................................................................206
7.1.11.7 Viewing Information about Unowned Packages.....................................................207
7.1.12 Checking the Cluster Configuration and Components...................................................207
7.1.12.1 Verifying Cluster and Package Components..........................................................208
7.1.12.2 Setting up Periodic Cluster Verification................................................................210
7.1.12.3 Limitations.......................................................................................................210
7.2 Managing the Cluster and Nodes ....................................................................................211
7.2.1 Starting the Cluster When all Nodes are Down............................................................211
7.2.2 Adding Previously Configured Nodes to a Running Cluster............................................212
7.2.3 Removing Nodes from Participation in a Running Cluster...............................................212
7.2.3.1 Using Serviceguard Commands to Remove a Node from Participation in a Running
Cluster ......................................................................................................................212
7.2.4 Halting the Entire Cluster .........................................................................................213
7.2.5 Automatically Restarting the Cluster ...........................................................................213
7.3 Halting a Node or the Cluster while Keeping Packages Running............................................213
7.3.1 What You Can Do...................................................................................................213
7.3.2 Rules and Restrictions...............................................................................................214
7.3.3 Additional Points To Note.........................................................................................215
7.3.4 Halting a Node and Detaching its Packages...............................................................216
7.3.5 Halting a Detached Package.....................................................................................216
7.3.6 Halting the Cluster and Detaching its Packages............................................................216
7.3.7 Example: Halting the Cluster for Maintenance on the Heartbeat Subnets.........................217
7.4 Managing Packages and Services ....................................................................................217
7.4.1 Starting a Package ..................................................................................................217
7.4.1.1 Starting a Package that Has Dependencies...........................................................218
7.4.2 Halting a Package ..................................................................................................218
7.4.2.1 Halting a Package that Has Dependencies...........................................................218
7.4.2.2 Handling Failures During Package Halt...............................................................218
7.4.3 Moving a Failover Package ......................................................................................219
7.4.4 Changing Package Switching Behavior ......................................................................220
7.5 Maintaining a Package: Maintenance Mode......................................................................220
7.5.1 Characteristics of a Package Running in Maintenance Mode or Partial-Startup Maintenance
Mode ............................................................................................................................221
7.5.1.1 Rules for a Package in Maintenance Mode or Partial-Startup Maintenance Mode ......222
7.5.1.1.1 Additional Rules for Partial-Startup Maintenance Mode....................................222
7.5.1.2 Dependency Rules for a Package in Maintenance Mode or Partial-Startup Maintenance
Mode .......................................................................................................................223
7.5.2 Performing Maintenance Using Maintenance Mode.....................................................223
7.5.2.1 Procedure........................................................................................................223
7.5.3 Performing Maintenance Using Partial-Startup Maintenance Mode.................................224
7.5.3.1 Procedure........................................................................................................224
7.5.3.2 Excluding Modules in Partial-Startup Maintenance Mode.......................................224
7.6 Reconfiguring a Cluster....................................................................................................225
7.6.1 Previewing the Effect of Cluster Changes.....................................................................226
7.6.1.1 What You Can Preview......................................................................................226
7.6.1.2 Using Preview mode for Commands in Serviceguard Manager...............................226
7.6.1.3 Using cmeval...................................................................................................227
7.6.2 Reconfiguring a Halted Cluster .................................................................................228
7.6.3 Reconfiguring a Running Cluster................................................................................228
7.6.3.1 Adding Nodes to the Configuration While the Cluster is Running ...........................228
7.6.3.2 Removing Nodes from the Cluster while the Cluster Is Running ..............................229
7.6.4 Changing the Cluster Networking Configuration while the Cluster Is Running...................230
7.6.4.1 What You Can Do............................................................................................230
7.6.4.2 What You Must Keep in Mind...........................................................................230
7.6.4.3 Example: Adding a Heartbeat LAN....................................................................231

10 Contents
7.6.4.4 Example: Deleting a Subnet Used by a Package..................................................232
7.6.5 Updating the Cluster Lock LUN Configuration Online....................................................233
7.6.6 Changing MAX_CONFIGURED_PACKAGES...............................................................233
7.7 Configuring a Legacy Package..........................................................................................233
7.7.1 Creating the Legacy Package Configuration ................................................................233
7.7.1.1 Using Serviceguard Manager to Configure a Package ...........................................234
7.7.1.2 Using Serviceguard Commands to Configure a Package ........................................234
7.7.1.2.1 Configuring a Package in Stages..................................................................234
7.7.1.2.2 Editing the Package Configuration File..........................................................234
7.7.2 Creating the Package Control Script...........................................................................236
7.7.2.1 Customizing the Package Control Script ..............................................................236
7.7.2.2 Adding Customer Defined Functions to the Package Control Script .........................237
7.7.2.2.1 Adding Serviceguard Commands in Customer Defined Functions ....................237
7.7.2.3 Support for Additional Products..........................................................................237
7.7.3 Verifying the Package Configuration...........................................................................238
7.7.4 Distributing the Configuration....................................................................................238
7.7.4.1 Distributing the Configuration And Control Script with Serviceguard Manager..........238
7.7.4.2 Copying Package Control Scripts with Linux commands.........................................238
7.7.4.3 Distributing the Binary Cluster Configuration File with Linux Commands ..................239
7.7.5 Configuring Cross-Subnet Failover..............................................................................239
7.7.5.1 Configuring node_name....................................................................................239
7.7.5.2 Configuring monitored_subnet_access.................................................................239
7.7.5.3 Creating Subnet-Specific Package Control Scripts..................................................240
7.7.5.3.1 Control-script entries for nodeA and nodeB...................................................240
7.7.5.3.2 Control-script entries for nodeC and nodeD..................................................240
7.8 Reconfiguring a Package..................................................................................................240
7.8.1 Migrating a Legacy Package to a Modular Package.....................................................240
7.8.2 Reconfiguring a Package on a Running Cluster ...........................................................240
7.8.3 Renaming or Replacing an External Script Used by a Running Package..........................241
7.8.4 Reconfiguring a Package on a Halted Cluster .............................................................241
7.8.5 Adding a Package to a Running Cluster......................................................................242
7.8.6 Deleting a Package from a Running Cluster ................................................................242
7.8.7 Resetting the Service Restart Counter..........................................................................242
7.8.8 Allowable Package States During Reconfiguration .......................................................242
7.8.8.1 Changes that Will Trigger Warnings...................................................................247
7.8.9 Online Reconfiguration of Modular package...............................................................247
7.8.9.1 Handling Failures During Online Package Reconfiguration.....................................248
7.9 Responding to Cluster Events ...........................................................................................253
7.10 Single-Node Operation .................................................................................................253
7.11 Removing Serviceguard from a System..............................................................................254

8 Troubleshooting Your Cluster....................................................................255


8.1 Testing Cluster Operation ................................................................................................255
8.1.1 Testing the Package Manager ...................................................................................255
8.1.2 Testing the Cluster Manager .....................................................................................256
8.2 Monitoring Hardware .....................................................................................................256
8.3 Replacing Disks..............................................................................................................257
8.3.1 Replacing a Faulty Mechanism in a Disk Array............................................................257
8.3.2 Replacing a Lock LUN..............................................................................................257
8.4 Revoking Persistent Reservations after a Catastrophic Failure.................................................257
8.4.1 Examples...............................................................................................................258
8.5 Replacing LAN Cards......................................................................................................258
8.6 Replacing a Failed Quorum Server System.........................................................................259
8.7 Troubleshooting Approaches ...........................................................................................260

Contents 11
8.7.1 Reviewing Package IP Addresses ...............................................................................260
8.7.2 Reviewing the System Log File ..................................................................................261
8.7.2.1 Sample System Log Entries ................................................................................261
8.7.3 Reviewing Configuration Files ...................................................................................262
8.7.4 Reviewing the Package Control Script ........................................................................262
8.7.5 Using the cmquerycl and cmcheckconf Commands......................................................262
8.7.6 Reviewing the LAN Configuration .............................................................................263
8.8 Solving Problems ...........................................................................................................263
8.8.1 Name Resolution Problems.......................................................................................263
8.8.1.1 Networking and Security Configuration Errors......................................................263
8.8.2 Halting a Detached Package....................................................................................263
8.8.3 Cluster Re-formations Caused by Temporary Conditions...............................................264
8.8.4 Cluster Re-formations Caused by MEMBER_TIMEOUT Being Set too Low........................264
8.8.5 System Administration Errors ....................................................................................265
8.8.5.1 Package Control Script Hangs or Failures ...........................................................265
8.8.6 Package Movement Errors (Legacy Packages)..............................................................266
8.8.7 Node and Network Failures ....................................................................................267
8.8.8 Troubleshooting the Quorum Server...........................................................................267
8.8.8.1 Authorization File Problems...............................................................................267
8.8.8.2 Timeout Problems............................................................................................267
8.8.8.3 Messages.......................................................................................................268
8.8.9 Lock LUN Messages................................................................................................268
8.9 Troubleshooting serviceguard-xdc package........................................................................268
8.10 Troubleshooting Serviceguard Manager...........................................................................269

A Designing Highly Available Cluster Applications .......................................271


A.1 Automating Application Operation ...................................................................................271
A.1.1 Insulate Users from Outages .....................................................................................271
A.1.2 Define Application Startup and Shutdown ..................................................................272
A.2 Controlling the Speed of Application Failover ....................................................................272
A.2.1 Replicate Non-Data File Systems ...............................................................................272
A.2.2 Evaluate the Use of a Journaled Filesystem (JFS)..........................................................273
A.2.3 Minimize Data Loss ................................................................................................273
A.2.3.1 Minimize the Use and Amount of Memory-Based Data .........................................273
A.2.3.2 Keep Logs Small .............................................................................................273
A.2.3.3 Eliminate Need for Local Data .........................................................................273
A.2.4 Use Restartable Transactions ....................................................................................273
A.2.5 Use Checkpoints ....................................................................................................274
A.2.5.1 Balance Checkpoint Frequency with Performance ................................................274
A.2.6 Design for Multiple Servers .....................................................................................274
A.2.7 Design for Replicated Data Sites ..............................................................................275
A.3 Designing Applications to Run on Multiple Systems ............................................................275
A.3.1 Avoid Node Specific Information ..............................................................................275
A.3.1.1 Obtain Enough IP Addresses .............................................................................276
A.3.1.2 Allow Multiple Instances on Same System ...........................................................276
A.3.2 Avoid Using SPU IDs or MAC Addresses ...................................................................276
A.3.3 Assign Unique Names to Applications ......................................................................276
A.3.3.1 Use DNS .......................................................................................................276
A.3.4 Use uname(2) With Care ........................................................................................277
A.3.5 Bind to a Fixed Port ................................................................................................277
A.3.6 Bind to Relocatable IP Addresses .............................................................................277
A.3.6.1 Call bind() before connect() ..............................................................................278
A.3.7 Give Each Application its Own Volume Group ...........................................................278
A.3.8 Use Multiple Destinations for SNA Applications .........................................................278

12 Contents
A.3.9 Avoid File Locking ..................................................................................................278
A.4 Restoring Client Connections ...........................................................................................278
A.5 Handling Application Failures .........................................................................................279
A.5.1 Create Applications to be Failure Tolerant ..................................................................279
A.5.2 Be Able to Monitor Applications ..............................................................................280
A.6 Minimizing Planned Downtime ........................................................................................280
A.6.1 Reducing Time Needed for Application Upgrades and Patches .....................................280
A.6.1.1 Provide for Rolling Upgrades .............................................................................280
A.6.1.2 Do Not Change the Data Layout Between Releases ..............................................281
A.6.2 Providing Online Application Reconfiguration ............................................................281
A.6.3 Documenting Maintenance Operations .....................................................................281

B Integrating HA Applications with Serviceguard...........................................283


B.1 Checklist for Integrating HA Applications ...........................................................................283
B.1.1 Defining Baseline Application Behavior on a Single System ...........................................284
B.1.2 Integrating HA Applications in Multiple Systems ..........................................................284
B.1.3 Testing the Cluster ...................................................................................................284

C Blank Planning Worksheets ....................................................................287


C.1 Hardware Worksheet .....................................................................................................287
C.2 Power Supply Worksheet ................................................................................................287
C.3 Quorum Server Worksheet .............................................................................................288
C.4 Volume Group and Physical Volume Worksheet .................................................................288
C.5 Cluster Configuration Worksheet .....................................................................................289
C.6 Package Configuration Worksheet ...................................................................................289
C.7 Package Control Script Worksheet (Legacy).......................................................................290

D IPv6 Network Support.............................................................................291


D.1 IPv6 Address Types..........................................................................................................291
D.1.1 Textual Representation of IPv6 Addresses.....................................................................291
D.1.2 IPv6 Address Prefix...................................................................................................292
D.1.3 Unicast Addresses....................................................................................................292
D.1.4 IPv4 and IPv6 Compatibility......................................................................................292
D.1.4.1 IPv4 Compatible IPv6 Addresses.........................................................................292
D.1.4.2 IPv4 Mapped IPv6 Address...............................................................................292
D.1.4.3 Aggregatable Global Unicast Addresses.............................................................293
D.1.4.4 Link-Local Addresses.........................................................................................293
D.1.4.5 Site-Local Addresses.........................................................................................293
D.1.4.6 Multicast Addresses..........................................................................................293
D.2 Network Configuration Restrictions....................................................................................294
D.3 Configuring IPv6 on Linux................................................................................................294
D.3.1 Enabling IPv6 on Red Hat Linux.................................................................................295
D.3.2 Adding persistent IPv6 Addresses on Red Hat Linux.....................................................295
D.3.3 Configuring a Channel Bonding Interface with Persistent IPv6 Addresses on Red Hat
Linux..............................................................................................................................295
D.3.4 Adding Persistent IPv6 Addresses on SUSE.................................................................295
D.3.5 Configuring a Channel Bonding Interface with Persistent IPv6 Addresses on SUSE............296

E Using Serviceguard Manager...................................................................297


E.1 About the Online Help System...........................................................................................297
E.2 Launching Serviceguard Manager.....................................................................................297
E.2.1 Scenario 1 - Single cluster management......................................................................297

Contents 13
E.2.2 Scenario 2- Multi-Cluster Management.......................................................................298

F Maximum and Minimum Values for Parameters...........................................301

G Monitoring Script for Generic Resources...................................................303


G.1 Launching Monitoring Scripts...........................................................................................303
G.2 Template of a Monitoring Script.......................................................................................305

H HP Serviceguard Toolkit for Linux..............................................................309

Index.......................................................................................................311

14 Contents
Printing History
Table 1
Printing Date Part Number Edition

November 2001 B9903-90005 First

November 2002 B9903-90012 First

December 2002 B9903-90012 Second

November 2003 B9903-90033 Third

February 2005 B9903-90043 Fourth

June 2005 B9903-90046 Fifth

August 2006 B9903-90050 Sixth

July 2007 B9903-90054 Seventh

March 2008 B9903-90060 Eighth

April 2009 B9903-90068 Ninth

July 2009 B9903-90073 Tenth

June 2012 701460-001 NA

December 2012 701460-002 NA

May 2013 701460-003 NA

February 2014 701460-004 NA

The last printing date and part number indicate the current edition, which applies to the A.11.20.20
version of HP Serviceguard for Linux.
The printing date changes when a new edition is printed. (Minor corrections and updates which
are incorporated at reprint do not cause the date to change.) The part number is revised when
extensive technical changes are incorporated.
New editions of this manual will incorporate all material updated since the previous edition.

15
16
Preface
This guide describes how to configure and manage Serviceguard for Linux on HP ProLiant server
under the Linux operating system. It is intended for experienced Linux system administrators. (For
Linux system administration tasks that are not specific to Serviceguard, use the system administration
documentation and manpages for your distribution of Linux.)
The contents are as follows:
Chapter 1 (page 19) describes a Serviceguard cluster and provides a roadmap for using this
guide.
Chapter 2 (page 25) provides a general view of the hardware configurations used by
Serviceguard.
Chapter 3 (page 33) describes the software components of Serviceguard and shows how
they function within the Linux operating system.
Chapter 4 (page 79) steps through the planning process.
Chapter 5 (page 135) describes the creation of the cluster configuration.
Chapter 6 (page 169) describes the creation of high availability packages.
Chapter 7 (page 199) presents the basic cluster administration tasks.
Chapter 8 (page 255) explains cluster testing and troubleshooting strategies.
Appendix A (page 271) gives guidelines for creating cluster-aware applications that provide
optimal performance in a Serviceguard environment.
Appendix B (page 283) provides suggestions for integrating your existing applications with
Serviceguard for Linux.
Appendix C (page 287) contains a set of empty worksheets for preparing a Serviceguard
configuration.
Appendix D (page 291) provides information about IPv6.
Appendix E (page 297) is an introduction to Serviceguard Manager.
Appendix F (page 301) provides a reference to the supported ranges for Serviceguard
parameters.
Appendix G (page 303) provides the monitoring script template for Generic Resources.
Appendix H (page 309) describes a group of tools to simplify the integration of popular
applications with Serviceguard.

Related Publications
For additional information, see the following documents at http://www.hp.com/go/
linux-serviceguard-docs:
HP Serviceguard A.11.20.20 for Linux Release Notes
HP Serviceguard Quorum Server Version A.04.00 Release Notes
HP Serviceguard Extended Distance Cluster for Linux A.11.20.20 Deployment Guide
HP Serviceguard for Linux Version A.11.20 Deployment Guide
Clusters for High Availability: a Primer of HP Solutions. Second Edition. HP Press, 2001
(ISBN 0-13-089355-2)

17
Information about supported configurations is in the HP Serviceguard for Linux Configuration Guide.
For updated information on supported hardware and Linux distributions refer to the HP Serviceguard
for Linux Certification Matrix. Both documents are available at:
http://www.hp.com/info/sglx

Problem Reporting
If you have any problems with the software or documentation, please contact your local
Hewlett-Packard Sales Office or Customer Service Center.

18
1 Serviceguard for Linux at a Glance
This chapter introduces Serviceguard for Linux and shows where to find different kinds of information
in this book. It includes the following topics:
What is Serviceguard for Linux? (page 19)
Using Serviceguard for Configuring in an Extended Distance Cluster Environment (page 21)
Using Serviceguard Manager (page 22)
Configuration Roadmap (page 22)
If you are ready to start setting up Serviceguard clusters, skip ahead to Chapter 4 (page 79).
Specific steps for setup are in Chapter 5 (page 135).

1.1 What is Serviceguard for Linux?


Serviceguard for Linux allows you to create high availability clusters of HP ProLiant server. A high
availability computer system allows application services to continue in spite of a hardware or
software failure. Highly available systems protect users from software failures as well as from failure
of a system processing unit (SPU), disk, or local area network (LAN) component. In the event that
one component fails, the redundant component takes over. Serviceguard and other high availability
subsystems coordinate the transfer between components.
A Serviceguard cluster is a networked grouping of HP ProLiant server (host systems known as
nodes) having sufficient redundancy of software and hardware that a single point of failure will
not significantly disrupt service. Application services (individual Linux processes) are grouped
together in packages; in the event of a single service, node, network, or other resource failure,
Serviceguard can automatically transfer control of the package to another node within the cluster,
allowing services to remain available with minimal interruption.

1.1 What is Serviceguard for Linux? 19


Figure 1 Typical Cluster Configuration

In the figure, node 1 (one of two SPU's) is running package A, and node 2 is running package B.
Each package has a separate group of disks associated with it, containing data needed by the
package's applications, and a copy of the data. Note that both nodes are physically connected
to disk arrays. However, only one node at a time may access the data for a given group of disks.
In the figure, node 1 is shown with exclusive access to the top two disks (solid line), and node 2
is shown as connected without access to the top disks (dotted line). Similarly, node 2 is shown with
exclusive access to the bottom two disks (solid line), and node 1 is shown as connected without
access to the bottom disks (dotted line).
Disk arrays provide redundancy in case of disk failures. In addition, a total of four data buses are
shown for the disks that are connected to node 1 and node 2. This configuration provides the
maximum redundancy and also gives optimal I/O performance, since each package is using
different buses.
Note that the network hardware is cabled to provide redundant LAN interfaces on each node.
Serviceguard uses TCP/IP network services for reliable communication among nodes in the cluster,
including the transmission of heartbeat messages, signals from each functioning node which are
central to the operation of the cluster. TCP/IP services also are used for other types of inter-node
communication. (See, Understanding Serviceguard Software Components (page 33) for more
information about heartbeat.)

1.1.1 Failover
Under normal conditions, a fully operating Serviceguard cluster simply monitors the health of the
cluster's components while the packages are running on individual nodes. Any host system running
in the Serviceguard cluster is called an active node. When you create the package, you specify
a primary node and one or more adoptive nodes.When a node or its network communications
fails, Serviceguard can transfer control of the package to the next available adoptive node. This
situation is shown in Figure 2 (page 21).

20 Serviceguard for Linux at a Glance


Figure 2 Typical Cluster After Failover

After this transfer, the package typically remains on the adoptive node as long the adoptive node
continues running. If you wish, however, you can configure the package to return to its primary
node as soon as the primary node comes back online. Alternatively, you may manually transfer
control of the package back to the primary node at the appropriate time.
Figure 2 (page 21) does not show the power connections to the cluster, but these are important
as well. In order to remove all single points of failure from the cluster, you should provide as many
separate power circuits as needed to prevent a single point of failure of your nodes, disks and
disk mirrors. Each power circuit should be protected by an uninterruptible power source. For more
details, see Power Supply Planning (page 84) section.
Serviceguard is designed to work in conjunction with other high availability products, such as disk
arrays, which use various RAID levels for data protection; and HP-supported uninterruptible power
supplies (UPS), which eliminate failures related to power outage. HP recommends these products;
in conjunction with Serviceguard they provide the highest degree of availability.

1.2 Using Serviceguard for Configuring in an Extended Distance Cluster


Environment
An extended distance cluster (also known as extended campus cluster) is a normal Serviceguard
cluster that has alternate nodes located in different data centers separated by some distance, with
a third location supporting the quorum service. Extended distance clusters are connected using a
high speed cable that guarantees network access between the nodes as long as all guidelines for
disaster recovery architecture are followed. For more information, see the following documents at
http://www.hp.com/go/linux-serviceguard-docs:
HP Serviceguard Extended Distance Cluster for Linux A.11.20.20 Deployment Guide
Understanding and Designing Serviceguard Disaster Recovery Architectures

1.2 Using Serviceguard for Configuring in an Extended Distance Cluster Environment 21


1.3 Using Serviceguard Manager
NOTE: For more information, see Appendix E (page 297), and the section on Serviceguard
Manager in the latest version of the Serviceguard Release Notes. For more information about
Serviceguard Manager compatibility, see Serviceguard/Serviceguard Manager Plug-in Compatibility
and Feature Matrix and the latest Release Notes at http://www.hp.com/go/hpux-serviceguard-docs
(Select HP Serviceguard).
Serviceguard Manager is the graphical user interface for Serviceguard. It is available as a plug-in
to the web-based HP System Management Homepage (HP SMH).
You can use Serviceguard Manager to monitor, administer, and configure Serviceguard cluster.
You can see properties, status, and alerts of cluster, nodes, and packages.
You can do administrative tasks such as run or halt clusters, cluster nodes, and packages.
You can create or modify a cluster and its packages.
For an introduction to using Serviceguard Manager, see Appendix E (page 297). For more information
about Serviceguard Manager compatibility, see Serviceguard/Serviceguard Manager Plug-in
Compatibility and Feature Matrix and the latest Release Notes at http://www.hp.com/go/
hpux-serviceguard-docs (Select HP Serviceguard).

1.3.1 Monitoring Clusters with Serviceguard Manager


From the main page of Serviceguard Manager, you can see status and alerts for the cluster, nodes,
and packages. You can also drill down to see the configuration and alerts of the cluster, nodes,
and packages.

1.3.2 Administering Clusters with Serviceguard Manager


You can administer clusters, nodes, and packages if access control policies permit:
Cluster: halt, run
Cluster nodes: halt, run
Package: halt, run, move from one node to another, reset node and package-switching flags.

1.3.3 Configuring Clusters with Serviceguard Manager


You can configure clusters and packages in Serviceguard Manager. You must have Cluster Admin
privileges.

1.3.4 Starting Serviceguard Manager


Follow the directions in the Release Notes for your version of Serviceguard for Linux to start the
Serviceguard Manager. Then select a cluster, node, or package, and use the drop-down menus
below the Serviceguard Manager banner to navigate to the task you need to do.
Use Serviceguard Managers built-in help to guide you through the tasks; this manual will tell you
if a task can be done in Serviceguard Manager.

1.4 Configuration Roadmap


This manual presents the tasks you need to perform in order to create a functioning HA cluster
using Serviceguard. These tasks are shown in Figure 3.

22 Serviceguard for Linux at a Glance


Figure 3 Tasks in Configuring a Serviceguard Cluster

HP recommends that you gather all the data that is needed for configuration before you start. See
Chapter 4 (page 79) for tips on gathering data.

1.4 Configuration Roadmap 23


24
2 Understanding Hardware Configurations for Serviceguard
for Linux
This chapter gives a broad overview of how the server hardware components operate with
Serviceguard for Linux. The following topics are presented:
Redundant Cluster Components
Redundant Network Components (page 25)
Redundant Disk Storage (page 29)
Redundant Power Supplies (page 30)
Refer to the next chapter for information about Serviceguard software components.

2.1 Redundant Cluster Components


In order to provide a high level of availability, a typical cluster uses redundant system components,
for example, two or more SPUs and two or more independent disks. Redundancy eliminates single
points of failure. In general, the more redundancy, the greater your access to applications, data,
and supportive services in the event of a failure. In addition to hardware redundancy, you need
software support to enable and control the transfer of your applications to another SPU or network
after a failure. Serviceguard provides this support as follows:
In the case of LAN failure, the Linux bonding facility provides a standby LAN, or Serviceguard
moves packages to another node.
In the case of SPU failure, your application is transferred from a failed SPU to a functioning
SPU automatically and in a minimal amount of time.
For software failures, an application can be restarted on the same node or another node with
minimum disruption.
Serviceguard also gives you the advantage of easily transferring control of your application to
another SPU in order to bring the original SPU down for system administration, maintenance, or
version upgrades.
The maximum number of nodes supported in a Serviceguard Linux cluster is 4; the actual number
depends on the storage configuration. For example, a package that accesses data over a
FibreChannel connection can be configured to fail over among 16 nodes, while SCSI disk arrays
are typically limited to four nodes.
A package that does not use data from shared storage can be configured to fail over to as many
nodes as you have configured in the cluster (up to the maximum of 16), regardless of disk
technology. For instance, a package that runs only local executables, and uses only local data,
can be configured to fail over to all nodes in the cluster.

2.2 Redundant Network Components


To eliminate single points of failure for networking, each subnet accessed by a cluster node is
required to have redundant network interfaces. Redundant cables are also needed to protect
against cable failures. Each interface card is connected to a different cable and hub or switch.
Network interfaces are allowed to share IP addresses through a process known as channel bonding.
See Implementing Channel Bonding (Red Hat) (page 140) or Implementing Channel Bonding
(SUSE) (page 142).
Serviceguard supports a maximum of 30 network interfaces per node. For this purpose an interface
is defined as anything represented as a primary interface in the output of ifconfig, so the total
of 30 can comprise any combination of physical LAN interfaces or bonding interfaces. (A node
can have more than 30 such interfaces, but only 30 can be part of the cluster configuration.)

2.1 Redundant Cluster Components 25


2.2.1 Rules and Restrictions
A single subnet cannot be configured on different network interfaces (NICs) on the same node.
In the case of subnets that can be used for communication between cluster nodes, the same
network interface must not be used to route more than one subnet configured on the same
node.
For IPv4 subnets, Serviceguard does not support different subnets on the same LAN interface.
For IPv6, Serviceguard supports up to two subnets per LAN interface (site-local and global).
Serviceguard does support different subnets on the same bridged network (this applies at both
the node and the cluster level).
Serviceguard does not support using networking tools such as ifconfig to add IP addresses
to network interfaces that are configured into the Serviceguard cluster, unless those IP addresses
themselves will be immediately configured into the cluster as stationary IP addresses.

CAUTION: If you configure any address other than a stationary IP address on a Serviceguard
network interface, it could collide with a relocatable package IP address assigned by
Serviceguard. See Stationary and Relocatable IP Addresses and Monitored Subnets
(page 62).

Similarly, Serviceguard does not support using networking tools to move or reconfigure
any IP addresses configured into the cluster.
Doing so leads to unpredictable results because the Serviceguard view of the configuration
is different from the reality.

NOTE: If you will be using a cross-subnet configuration, see also the Restrictions (page 28) that
apply specifically to such configurations.

2.2.2 Redundant Ethernet Configuration


The use of redundant network components is shown in Figure 4, which is an Ethernet configuration.

26 Understanding Hardware Configurations for Serviceguard for Linux


Figure 4 Redundant LANs

In Linux configurations, the use of symmetrical LAN configurations is strongly recommended, with
the use of redundant hubs or switches to connect Ethernet segments. The software bonding
configuration should be identical on each node, with the active interfaces connected to the same
hub or switch.

2.2.3 Cross-Subnet Configurations


As of Serviceguard A.11.18 or later, it is possible to configure multiple subnets, joined by a router,
both for the cluster heartbeat and for data, with some nodes using one subnet and some another.
A cross-subnet configuration allows:
Automatic package failover from a node on one subnet to a node on another
A cluster heartbeat that spans subnets.

2.2.3.1 Configuration Tasks


Cluster and package configuration tasks are affected as follows:
You must use the -w full option to cmquerycl discover actual or potential nodes and
subnets across routers.
You must configure two new parameters in the package configuration file to allow packages
to fail over across subnets:
ip_subnet_node - to indicate which nodes the subnet is configured on

monitored_subnet_access - to indicate whether the subnet is configured on all nodes


(FULL) or only some (PARTIAL)
(For legacy packages, see Configuring Cross-Subnet Failover (page 239).)

2.2 Redundant Network Components 27


You should not use the wildcard (*) for node_name in the package configuration file, as this
could allow the package to fail over across subnets when a node on the same subnet is eligible;
failing over across subnets can take longer than failing over on the same subnet. List the nodes
in order of preference instead of using the wildcard.
You should configure IP monitoring for each subnet; see Monitoring LAN Interfaces and
Detecting Failure: IP Level (page 66).

2.2.3.2 Restrictions
The following restrictions apply:
All nodes in the cluster must belong to the same network domain (that is, the domain portion
of the fully-qualified domain name must be the same.)
The nodes must be fully connected at the IP level.
A minimum of two heartbeat paths must be configured for each cluster node.
There must be less than 200 milliseconds of latency in the heartbeat network.
Each heartbeat subnet on each node must be physically routed separately to the heartbeat
subnet on another node; that is, each heartbeat path must be physically separate:
The heartbeats must be statically routed; static route entries must be configured on each
node to route the heartbeats through different paths.
Failure of a single router must not affect both heartbeats at the same time.
IPv6 heartbeat subnets are not supported in a cross-subnet configuration.
IPv6only and mixed modes are not supported in a cross-subnet configuration. For more
information about these modes, see About Hostname Address Families: IPv4-Only, IPv6-Only,
and Mixed Mode (page 88).
Deploying applications in this environment requires careful consideration; see Implications
for Application Deployment (page 131).
cmrunnode will fail if the hostname LAN is down on the node in question. (Hostname
LAN refers to the public LAN on which the IP address that the nodes hostname resolves to
is configured.)
If a monitored_subnet is configured for PARTIAL monitored_subnet_access in a
packages configuration file, it must be configured on at least one of the nodes on the
node_name list for that package. Conversely, if all of the subnets that are being monitored
for this package are configured for PARTIAL access, each node on the node_name list must
have at least one of these subnets configured.
As in other configurations, a package will not start on a node unless the subnets configured
on that node, and specified in the package configuration file as monitored subnets, are
up.

NOTE: See also the Rules and Restrictions (page 26) that apply to all cluster networking
configurations.

2.2.3.3 For More Information


For more information on the details of configuring the cluster and packages in a cross-subnet
context, see About Cross-Subnet Failover (page 130), Obtaining Cross-Subnet Information
(page 156), and (for legacy packages only) Configuring Cross-Subnet Failover (page 239).
See also the white paper Technical Considerations for Creating a Serviceguard Cluster that Spans
Multiple IP Subnets, which you can find at the address below. This paper discusses and illustrates
supported configurations, and also potential mis-configurations.

28 Understanding Hardware Configurations for Serviceguard for Linux


IMPORTANT: Although cross-subnet topology can be implemented on a single site, it is most
commonly used by extended-distance clusters and Metrocluster. For more information about such
clusters, see the following documents at http://www.hp.com/go/linux-serviceguard-docs:
Understanding and Designing Serviceguard Disaster Recovery Architectures
HP Serviceguard Extended Distance Cluster for Linux Deployment Guide
Building Disaster Recovery Serviceguard Solutions Using Metrocluster with 3PAR Remote Copy
for Linux
Building Disaster Recovery Serviceguard Solutions Using Metrocluster with Continuous Access
XP P9000 for Linux
Building Disaster Recovery Serviceguard Solutions Using Metrocluster with Continuous Access
EVA P6000 for Linux

2.3 Redundant Disk Storage


Each node in a cluster has its own root disk, but each node may also be physically connected to
several other disks in such a way that more than one node can obtain access to the data and
programs associated with a package it is configured for. This access is provided by the Logical
Volume Manager (LVM). A volume group must be activated by no more than one node at a time,
but when the package is moved, the volume group can be activated by the adoptive node.

NOTE: As of release A.11.16.07, Serviceguard for Linux provides functionality similar to HP-UX
exclusive activation. This feature is based on LVM2 hosttags, and is available only for Linux
distributions that officially support LVM2.
All of the disks in the volume group owned by a package must be connected to the original node
and to all possible adoptive nodes for that package.
Shared disk storage in Serviceguard Linux clusters is provided by disk arrays, which have redundant
power and the capability for connections to multiple nodes. Disk arrays use RAID modes to provide
redundancy.

2.3.1 Supported Disk Interfaces


The following interfaces are supported by Serviceguard for disks that are connected to two or more
nodes (shared data disks):
FibreChannel
iSCSI
For information on configuring multipathing, see Multipath for Storage (page 82).

2.3.1.1 Using iSCSI LUNs as Shared Storage


The following guidelines are applicable when iSCSI LUNs are used as shared storage:
The iSCSI storage can be configured on a channel bonding. For more information about
channel bonding, see Implementing Channel Bonding (Red Hat) (page 140) or Implementing
Channel Bonding (SUSE) (page 142).
Software initiator models support iSCSI storage.

NOTE: Ensure that the iSCSI daemon is persistent across reboots.

Configuring multiple paths from different networks to the iSCSI LUN is not supported.
The iSCSI storage configured over LAN is similar to other LANs that are part of the cluster.

2.3 Redundant Disk Storage 29


Only IPv4 networks support iSCSI storage devices.
HP recommends that you do not use heartbeat LAN for iSCSI storage device.
The following restrictions are applicable when iSCSI LUNs are used as a shared storage:
An iSCSI storage device does not support configuring a lock LUN.
Hardware initiator models does not support iSCSI storage.
An iSCSI storage device that are exposed using SCSI targets is not supported.

2.3.2 Disk Monitoring


You can configure monitoring for disks and configure packages to be dependent on the monitor.
For each package, you define a package service that monitors the disks that are activated by that
package. If a disk failure occurs on one node, the monitor will cause the package to fail, with the
potential to fail over to a different node on which the same disks are available.

2.3.3 Sample Disk Configurations


Figure 5 shows a two node cluster. Each node has one root disk which is mirrored and one package
for which it is the primary node. Resources have been allocated to each node so that each node
can adopt the package from the other node. Each package has one disk volume group assigned
to it and the logical volumes in that volume group are mirrored.

Figure 5 Mirrored Disks Connected for High Availability

2.4 Redundant Power Supplies


You can extend the availability of your hardware by providing battery backup to your nodes and
disks. HP-supported uninterruptible power supplies (UPS) can provide this protection from momentary
power loss.
Disks should be attached to power circuits in such a way that disk array copies are attached to
different power sources. The boot disk should be powered from the same circuit as its corresponding
node. Quorum server systems should be powered separately from cluster nodes. Your HP

30 Understanding Hardware Configurations for Serviceguard for Linux


representative can provide more details about the layout of power supplies, disks, and LAN
hardware for clusters.

2.4 Redundant Power Supplies 31


32
3 Understanding Serviceguard Software Components
This chapter gives a broad overview of how the Serviceguard software components work. It includes
the following topics:
Serviceguard Architecture
How the Cluster Manager Works (page 38)
How the Package Manager Works (page 43)
How Packages Run (page 54)
How the Network Manager Works (page 62)
Volume Managers for Data Storage (page 71)
Responses to Failures (page 75)
If you are ready to start setting up Serviceguard clusters, skip ahead to Chapter 4, Planning and
Documenting an HA Cluster.

3.1 Serviceguard Architecture


The following figure shows the main software components used by Serviceguard for Linux. This
chapter discusses these components in some detail.

Figure 6 Serviceguard Software Components on Linux

3.1.1 Serviceguard Daemons


Serviceguard for Linux uses the following daemons:
cmclconfdconfiguration daemon
cmcldcluster daemon
cmnetdNetwork Manager daemon

3.1 Serviceguard Architecture 33


cmlogdcluster system log daemon
cmdisklockdcluster lock LUN daemon
cmresourcedServiceguard Generic Resource Assistant daemon
cmprdPersistent Reservation daemon
cmservicedService Assistant daemon
qsQuorum Server daemon
cmlockdutility daemon
cmsnmpdcluster SNMP subagent (optionally running)
cmwbemdWBEM daemon
cmproxydproxy daemon
Each of these daemons logs to the Linux system logging files. The quorum server daemon logs to
the user specified log file, such as, /usr/local/qs/log/qs.log file on Red Hat or /var/
log/qs/sq.log on SUSE.

NOTE: The file cmcluster.conf contains the mappings that resolve symbolic references to
$SGCONF, $SGROOT, $SGLBIN, etc, used in the pathnames in the subsections that follow. See
Understanding the Location of Serviceguard Files (page 135) for details.

3.1.1.1 Configuration Daemon: cmclconfd


This daemon is used by the Serviceguard commands to gather information from all the nodes within
the cluster. It gathers configuration information such as information on networks and volume groups.
It also distributes the cluster binary configuration file to all nodes in the cluster. This daemon is
started by the internet daemon, xinetd(1M).
Parameters are in the /etc/xinetd.d/hacl-cfg and /etc/xinetd.d/hacl-cfgudp files.
The path for this daemon is $SGLBIN/cmclconfd.

3.1.1.2 Cluster Daemon: cmcld


This daemon determines cluster membership by sending heartbeat messages to cmcld daemons
on other nodes in the Serviceguard cluster. It runs at a real time priority and is locked in memory.
The cmcld daemon sets a safety timer in the kernel which is used to detect kernel hangs. If this
timer is not reset periodically by cmcld, the kernel will cause a system reboot This could occur
because cmcld could not communicate with the majority of the clusters members, or because
cmcld exited unexpectedly, aborted, or was unable to run for a significant amount of time and
was unable to update the kernel timer, indicating a kernel hang. Before a system reset resulting
from the expiration of the safety timer, messages will be written to syslog, and the kernels
message buffer, if possible, and a system dump is performed.
The duration of the safety timer depends on the cluster configuration parameter MEMBER_TIMEOUT,
and also on the characteristics of the cluster configuration, such as whether it uses a quorum server
or a cluster lock (and what type of lock) and whether or not standby LANs are configured.
For further discussion, see What Happens when a Node Times Out (page 75). For advice on
setting MEMBER_TIMEOUT, see Cluster Configuration Parameters (page 90). For troubleshooting,
see Cluster Re-formations Caused by MEMBER_TIMEOUT Being Set too Low (page 264).
cmcld also manages Serviceguard packages, determining where to run them and when to start
them. The path for this daemon is: $SGLBIN/cmcld.

NOTE: Two of the central components of ServiceguardPackage Manager, and Cluster


Managerrun as parts of the cmcld daemon. This daemon runs at priority 94 and is in the
SCHED_RR class. No other process is allowed a higher real-time priority.

34 Understanding Serviceguard Software Components


3.1.1.3 Network Manager Daemon: cmnetd
This daemon monitors the health of cluster networks. It also handles the addition and deletion of
relocatable package IPs, for both IPv4 and IPv6 addresses.

3.1.1.4 Log Daemon: cmlogd


cmlogd is used by cmcld to write messages to the system log file. Any message written to the
system log by cmcld it written through cmlogd. This is to prevent any delays in writing to syslog
from impacting the timing of cmcld. The path for this daemon is $SGLBIN/cmlogd.

3.1.1.5 Lock LUN Daemon: cmdisklockd


If a lock LUN is being used, cmdisklockd runs on each node in the cluster, providing tie-breaking
services when needed during cluster re-formation. It is started by cmcld when the node joins the
cluster. The path for this daemon is $SGLBIN/cmdisklockd.

NOTE: An iSCSI storage device does not support configuring a lock LUN.

3.1.1.6 Generic Resource Assistant Daemon: cmresourced


This daemon is responsible to set and get the status/value of generic resources configured as part
of the package and influence the availability of the package based on the availability of the
resource.
Generic resources allows integration of custom defined monitors in Serviceguard. It provides better
control, options, and flexibility in terms of getting and setting the status of a resource.
This daemon is used by the Serviceguard commands cmgetresource(1m) and
cmsetresource(1m) to get or set the status/value of a simple/extended generic resource
configured in a package and is local to a node. This daemon runs on every node on which cmcld
is running.

3.1.1.7 Persistent Reservation Daemon: cmprd


This daemon is responsible for managing persistent reservations for a FibreChannel or iSCSI storage
that is configured in a multi-node package. The daemon clears the reservations during halt or
failure of the multi-node package. It also ensures that the reservation on the disk is always held by
a node where the multi-node package is up and running. This daemon runs on every node where
the cmcld cluster daemon is executed.

3.1.1.8 Service Assistant Daemon: cmserviced


This daemon forks and execs any script or processes as required by the cluster daemon, cmcld.
There are two type of forks that this daemon carries out:
Executing package run and halt scripts
Launching services
For services, cmcld monitors the service process and, depending on the number of service retries,
cmcld either restarts the service through cmsrvassistd or it causes the package to halt and
moves the package to an available alternate node. The path for this daemon is:
$SGLBIN/cmserviced.

3.1.1.9 Quorum Server Daemon: qs


Using a quorum server is one way to break a tie and establish a quorum when the cluster is
re-forming; the other way is to use a Lock LUN. See Cluster Quorum to Prevent Split-Brain
Syndrome (page 40) and the sections that follow it.
The quorum server, if used, runs on a system external to the cluster. It is normally started from
/etc/inittab with the respawn option, which means that it automatically restarts if it fails or

3.1 Serviceguard Architecture 35


is killed. It can also be configured as a Serviceguard package in a cluster other than the one(s) it
serves; see Figure 9 (page 42).
All members of the cluster initiate and maintain a connection to the quorum server; if it dies, the
Serviceguard nodes will detect this and then periodically try to reconnect to it. If there is a cluster
re-formation while the quorum server is down and tie-breaking is needed, the re-formation will fail
and all the nodes will halt (system reset). For this reason it is important to bring the quorum server
back up as soon as possible.
For more information about the Quorum Server software and how it works, including instructions
for configuring the Quorum Server as a Serviceguard package, see the latest version of the HP
Serviceguard Quorum Server release notes at http://www.hp.com/go/hpux-serviceguard-docs
(Select HP Serviceguard Quorum Server Software). See also Use of the Quorum Server as a Cluster
Lock (page 41).
The path for this daemon is:
For SUSE: /opt/qs/bin/qs
For Red Hat: /usr/local/qs/bin/qs

3.1.1.10 Utility Daemon: cmlockd


Runs on every node on which cmcld is running. It maintains the active and pending cluster resource
locks.

3.1.1.11 Cluster SNMP Agent Daemon: cmsnmpd


This daemon collaborates with the SNMP Master Agent to provide instrumentation for the cluster
Management Information Base (MIB).
The SNMP Master Agent and the cmsnmpd provide notification (traps) for cluster-related events.
For example, a trap is sent when the cluster configuration changes, or when a Serviceguard
package has failed. To configure the agent to send traps to one or more specific destinations, add
the trap destinations to /etc/snmp/snmptrapd.conf (SUSE and Red Hat). Make sure traps
are turned on with trap2sink in /etc/snmp/snmpd.conf (SUSE and Red Hat).
The installation of the cmsnmpd rpm configures snmpd and cmsnmpd to start up automatically.
Their startup scripts are in /etc/init.d/. The scripts can be run manually to start and stop the
daemons.
For more information, see the cmsnmpd (1)manpage.

3.1.1.12 Cluster WBEM Agent Daemon: cmwbemd


This daemon collaborates with the Serviceguard WBEM provider plug-in module (SGProviders)
and WBEM services cimserver (for Red Hat Enterprise Linux server) or sfcbd (SUSE Linux
Enterprise Server) to provide notification (WBEM Indications) of Serviceguard cluster events to
Serviceguard WBEM Indication subscribers that have registered a subscription with the cimserver
(for Red Hat Enterprise Linux server) or sfcbd (SUSE Linux Enterprise Server) . For example, an
Indication is sent when the cluster configuration changes, or when a Serviceguard package has
failed.
You can start and stop cmwbemd with the commands /etc/init.d/cmwbemd start and
/etc/init.d/cmwbemd stop.

3.1.1.13 Proxy Daemon: cmproxyd


This daemon is used to proxy or cache Serviceguard configuration data for use by certain
Serviceguard commands running on the local node. This allows these commands to get the data
quicker and removes the burden of responding to certain requests from cmcld.

36 Understanding Serviceguard Software Components


3.1.2 Serviceguard WBEM Provider
3.1.2.1 What is WBEM?
Web-Based Enterprise Management (WBEM) is a set of management and Internet standard
technologies developed to unify the management of distributed computing environments, facilitating
the exchange of data across otherwise disparate technologies and platforms. WBEM is based on
Internet standards and Distributed Management Task Force (DMTF) open standards: Common
Information Model (CIM) infrastructure and schema, CIM-XML, CIM operations over HTTP, and
WS-Management.
For more information, see the following:
Common Information Model (CIM)
Web-Based Enterprise Management (WBEM)

3.1.2.2 Support for Serviceguard WBEM Provider


Serviceguard WBEM provider allows you to get the basic Serviceguard cluster information via the
Common Information Model object Manager (CIMOM) technology. It also sends notification
(WBEM Indications) of Serviceguard cluster events to Serviceguard WBEM Indication subscribers
that have registered a subscription with the SFCB (for SUSE Linux Enterprise Server) or cimserver
(for Red Hat Enterprise Linux Server). For example, an indication is sent when the cluster
configuration changes, or when a Serviceguard package fails.
To use the Serviceguard WBEM provider:
1. Verify whether the SGProviders rpm is installed:
rpm -qa | fgrep sgproviders
2. If it is not installed, install the rpm. For example,
On SUSE Linux Enterprise Server 11
rpm ivh sgproviders-A.04.00.10-0.sles11.x86_64.rpm

3.1.2.3 WBEM Query


Serviceguard WBEM provider implements the following classes that can be queried to retrieve the
cluster information:
HP_Cluster
HP_Node
HP_ParticipatingCS
HP_ClusterSoftware
HP_NodeIdentity
HP_SGCluster
HP_SGNode
HP_SGParticipatingCS
HP_SGClusterSoftware
HP_SGNodeIdentity
HP_SGIPProtocolEndpoint
HP_SGClusterIPProtocolEndpoint
HP_SGPackage
HP_SGClusterPackage

3.1 Serviceguard Architecture 37


HP_SGNodePackage
HP_SGPService
HP_SGPackagePService
HP_SGNodePService
HP_SGLockLunDisk
HP_SGRemoteQuorumService
HP_SGLockObject
HP_SGQuorumServer
HP_SGLockLun
HP_SGLockDisk
For more information about WBEM provider classes, see Managed Object Format (MOF) files for
properties. When SGProviders is installed, the MOF files are copied to the /opt/sgproviders/
mof/ directory on SUSE Linux Enterprise Server and /usr/local/sgproviders/mof/ directory
on Red Hat Enterprise Linux server.

NOTE: WBEM queries for the previous classes on SUSE Linux Enterprise Server might fail because
of access denied issues, if Serviceguard is not able to validate the credentials of the WBEM request.
Small Footprint CIM Broker (SFCB) which is the CIM server in SUSE Linux Enterprise Server 11 SP1
and SP2 has a configuration parameter doBasicAuth which enables basic authentication for
HTTP and HTTPS connections. This parameter must be set to true in the /etc/sfcb/sfcb.cfg
file. Otherwise, the user credentials of any WBEM request is not passed to Serviceguard WBEM
Provider.

3.1.2.4 WBEM Indications


For an indication to be received on occurrence of a Serviceguard event, a WBEM subscription
must exist for one of the following indication classes:
CIM_AlertIndication
HP_ServiceguardIndication

3.2 How the Cluster Manager Works


The cluster manager is used to initialize a cluster, to monitor the health of the cluster, to recognize
node failure if it should occur, and to regulate the re-formation of the cluster when a node joins or
leaves the cluster. The cluster manager operates as a daemon process that runs on each node.
During cluster startup and re-formation activities, one node is selected to act as the cluster
coordinator.Although all nodes perform some cluster management functions, the cluster coordinator
is the central point for inter-node communication.

3.2.1 Configuration of the Cluster


The system administrator sets up cluster configuration parameters and does an initial cluster startup;
thereafter, the cluster regulates itself without manual intervention in normal operation. Configuration
parameters for the cluster include the cluster name and nodes, networking parameters for the cluster
heartbeat, cluster lock information, and timing parameters (discussed in detail in Chapter 4
(page 79) ). Cluster parameters are entered by editing the cluster configuration file (see Configuring
the Cluster (page 153)). The parameters you enter are used to build a binary configuration file
which is propagated to all nodes in the cluster. This binary cluster configuration file must be the
same on all the nodes in the cluster.

38 Understanding Serviceguard Software Components


3.2.2 Heartbeat Messages
Central to the operation of the cluster manager is the sending and receiving of heartbeat messages
among the nodes in the cluster. Each node in the cluster exchanges UDP heartbeat messages with
every other node over each IP network configured as a heartbeat device.
If a cluster node does not receive heartbeat messages from all other cluster nodes within the
prescribed time, a cluster re-formation is initiated; see What Happens when a Node Times Out
(page 75). At the end of the re-formation, if a new set of nodes form a cluster, that information is
passed to the package coordinator (described later in this chapter, under How the Package
Manager Works (page 43)). Failover packages that were running on nodes that are no longer
in the new cluster are transferred to their adoptive nodes.
If heartbeat and data are sent over the same LAN subnet, data congestion may cause Serviceguard
to miss heartbeats and initiate a cluster re-formation that would not otherwise have been needed.
For this reason, HP recommends that you dedicate a LAN for the heartbeat as well as configuring
heartbeat over the data network.
Each node sends its heartbeat message at a rate calculated by Serviceguard on the basis of the
value of the MEMBER_TIMEOUT parameter, set in the cluster configuration file, which you create
as a part of cluster configuration.

IMPORTANT: When multiple heartbeats are configured, heartbeats are sent in parallel;
Serviceguard must receive at least one heartbeat to establish the health of a node. HP recommends
that you configure all subnets that interconnect cluster nodes as heartbeat networks; this increases
protection against multiple faults at no additional cost.
Heartbeat IP addresses must be on the same subnet on each node, but it is possible to configure
a cluster that spans subnets; see Cross-Subnet Configurations (page 27). See HEARTBEAT_IP,
under Cluster Configuration Parameters (page 90), for more information about heartbeat
requirements. For timeout requirements and recommendations, see the MEMBER_TIMEOUT parameter
description in the same section. For troubleshooting information, see Cluster Re-formations Caused
by MEMBER_TIMEOUT Being Set too Low (page 264). See also Cluster Daemon: cmcld (page 34).

3.2.3 Manual Startup of Entire Cluster


A manual startup forms a cluster out of all the nodes in the cluster configuration. Manual startup
is normally done the first time you bring up the cluster, after cluster-wide maintenance or upgrade,
or after reconfiguration.
Before startup, the same binary cluster configuration file must exist on all nodes in the cluster. The
system administrator starts the cluster with the cmruncl command issued from one node. The
cmruncl command can only be used when the cluster is not running, that is, when none of the
nodes is running the cmcld daemon.
During startup, the cluster manager software checks to see if all nodes specified in the startup
command are valid members of the cluster, are up and running, are attempting to form a cluster,
and can communicate with each other. If they can, then the cluster manager forms the cluster.

3.2.4 Automatic Cluster Startup


An automatic cluster startup occurs any time a node reboots and joins the cluster. This can follow
the reboot of an individual node, or it may be when all nodes in a cluster have failed, as when
there has been an extended power failure and all SPUs went down.
Automatic cluster startup will take place if the flag AUTOSTART_CMCLD is set to 1 in the $SGCONF/
cmcluster.rc file. When any node reboots with this parameter set to 1, it will rejoin an existing
cluster, or if none exists it will attempt to form a new cluster.

3.2 How the Cluster Manager Works 39


3.2.5 Dynamic Cluster Re-formation
A dynamic re-formation is a temporary change in cluster membership that takes place as nodes
join or leave a running cluster. Re-formation differs from reconfiguration, which is a permanent
modification of the configuration files. Re-formation of the cluster occurs under the following
conditions (not a complete list):
An SPU or network failure was detected on an active node.
An inactive node wants to join the cluster. The cluster manager daemon has been started on
that node.
A node has been added to or deleted from the cluster configuration.
The system administrator halted a node.
A node halts because of a package failure.
A node halts because of a service failure.
Heavy network traffic prohibited the heartbeat signal from being received by the cluster.
The heartbeat network failed, and another network is not configured to carry heartbeat.
Typically, re-formation results in a cluster with a different composition. The new cluster may contain
fewer or more nodes than in the previous incarnation of the cluster.

3.2.6 Cluster Quorum to Prevent Split-Brain Syndrome


In general, the algorithm for cluster re-formation requires a cluster quorum of a strict majority (that
is, more than 50%) of the nodes previously running. If both halves (exactly 50%) of a previously
running cluster were allowed to re-form, there would be a split-brain situation in which two instances
of the same cluster were running. In a split-brain scenario, different incarnations of an application
could end up simultaneously accessing the same disks. One incarnation might well be initiating
recovery activity while the other is modifying the state of the disks. Serviceguards quorum
requirement is designed to prevent a split-brain situation.

3.2.7 Cluster Lock


Although a cluster quorum of more than 50% is generally required, exactly 50% of the previously
running nodes may re-form as a new cluster provided that the other 50% of the previously running
nodes do not also re-form. This is guaranteed by the use of a tie-breaker to choose between the
two equal-sized node groups, allowing one group to form the cluster and forcing the other group
to shut down. This tie-breaker is known as a cluster lock. The cluster lock is implemented either by
means of a lock LUN or a quorum server. A cluster lock is required on two-node clusters.
The cluster lock is used as a tie-breaker only for situations in which a running cluster fails and, as
Serviceguard attempts to form a new cluster, the cluster is split into two sub-clusters of equal size.
Each sub-cluster will attempt to acquire the cluster lock. The sub-cluster which gets the cluster lock
will form the new cluster, preventing the possibility of two sub-clusters running at the same time. If
the two sub-clusters are of unequal size, the sub-cluster with greater than 50% of the nodes will
form the new cluster, and the cluster lock is not used.
If you have a two-node cluster, you are required to configure a cluster lock. If communications are
lost between these two nodes, the node that obtains the cluster lock will take over the cluster and
the other node will halt (system reset). Without a cluster lock, a failure of either node in the cluster
will cause the other node, and therefore the cluster, to halt. Note also that if the cluster lock fails
during an attempt to acquire it, the cluster will halt.

3.2.8 Use of a Lock LUN as the Cluster Lock


A lock LUN can be used for clusters up to and including four nodes in size. The cluster lock LUN
is a special piece of storage (known as a partition) that is shareable by all nodes in the cluster.

40 Understanding Serviceguard Software Components


When a node obtains the cluster lock, this partition is marked so that other nodes will recognize
the lock as taken.

NOTE:
The lock LUN is dedicated for use as the cluster lock, and, in addition, HP recommends that
this LUN comprise the entire disk; that is, the partition should take up the entire disk.
An iSCSI storage device does not support configuring a lock LUN.

The complete path name of the lock LUN is identified in the cluster configuration file.
The operation of the lock LUN is shown in Figure 7.

Figure 7 Lock LUN Operation

Serviceguard periodically checks the health of the lock LUN and writes messages to the syslog
file if the disk fails the health check. This file should be monitored for early detection of lock disk
problems.

3.2.9 Use of the Quorum Server as a Cluster Lock


The cluster lock in Linux can also be implemented by means of a quorum server. A quorum server
can be used in clusters of any size. The quorum server software can be configured as a Serviceguard
package, or standalone, but in either case it must run on a system outside of the cluster for which
it is providing quorum services.
The quorum server listens to connection requests from the Serviceguard nodes on a known port.
The server maintains a special area in memory for each cluster, and when a node obtains the
cluster lock, this area is marked so that other nodes will recognize the lock as taken.
If the quorum server is not available when its tie-breaking services are needed during a cluster
re-formation, the cluster will halt.
The operation of the quorum server is shown in Figure 8. When there is a loss of communication
between node 1 and node 2, the quorum server chooses one node (in this example, node 2) to
continue running in the cluster. The other node halts.

3.2 How the Cluster Manager Works 41


Figure 8 Quorum Server Operation

A quorum server can provide quorum services for multiple clusters. Figure 9 illustrates quorum
server use across four clusters.

Figure 9 Quorum Server to Cluster Distribution

IMPORTANT: For more information about the quorum server, see the latest version of the HP
Serviceguard Quorum Server release notes at http://www.hp.com/go/hpux-serviceguard-docs
(Select HP Serviceguard Quorum Server Software).

3.2.10 No Cluster Lock


Normally, you should not configure a cluster of three or fewer nodes without a cluster lock. In
two-node clusters, a cluster lock is required. You may consider using no cluster lock with
configurations of three or more nodes, although the decision should be affected by the fact that
any cluster may require tie-breaking. For example, if one node in a three-node cluster is removed
for maintenance, the cluster re-forms as a two-node cluster. If a tie-breaking scenario later occurs
due to a node or communication failure, the entire cluster will become unavailable.

42 Understanding Serviceguard Software Components


In a cluster with four or more nodes, you may not need a cluster lock since the chance of the cluster
being split into two halves of equal size is very small. However, be sure to configure your cluster
to prevent the failure of exactly half the nodes at one time. For example, make sure there is no
potential single point of failure such as a single LAN between equal numbers of nodes, and that
you dont have exactly half of the nodes on a single power circuit.

3.2.11 What Happens when You Change the Quorum Configuration Online
You can change the quorum configuration while the cluster is up and running. This includes changes
to the quorum method (for example, from a lock disk to a quorum server), the quorum device (for
example, from one quorum server to another), and the parameters that govern them (for example,
the quorum server polling interval). For more information about the quorum server and lock
parameters, see Cluster Configuration Parameters (page 90).
When you make quorum configuration changes, Serviceguard goes through a two-step process:
1. All nodes switch to a strict majority quorum (turning off any existing quorum devices).
2. All nodes switch to the newly configured quorum method, device and parameters.

IMPORTANT: During Step 1, while the nodes are using a strict majority quorum, node failures
can cause the cluster to go down unexpectedly if the cluster has been using a quorum device before
the configuration change. For example, suppose you change the quorum server polling interval
while a two-node cluster is running. If a node fails during Step 1, the cluster will lose quorum and
go down, because a strict majority of prior cluster members (two out of two in this case) is required.
The duration of Step 1 is typically around a second, so the chance of a node failure occurring
during that time is very small.
In order to keep the time interval as short as possible, make sure you are changing only the quorum
configuration, and nothing else, when you apply the change.
If this slight risk of a node failure leading to cluster failure is unacceptable, halt the cluster before
you make the quorum configuration change.

3.3 How the Package Manager Works


Packages are the means by which Serviceguard starts and halts configured applications. A package
is a collection of services, disk volumes, generic resources , and IP addresses, that are managed
by Serviceguard to ensure they are available.
Each node in the cluster runs an instance of the package manager; the package manager residing
on the cluster coordinator is known as the package coordinator.
The package coordinator does the following:
Decides when and where to run, halt, or move packages.
The package manager on all nodes does the following:
Executes the control scripts that run and halt packages and their services.
Reacts to changes in the status of monitored resources.

3.3.1 Package Types


Three different types of packages can run in the cluster; the most common is the failoverpackage.
There are also special-purpose packages that run on more than one node at a time, and so do not
fail over. They are typically used to manage resources of certain failover packages.

3.3.1.1 Non-failover Packages


There are two types of special-purpose packages that do not fail over and that can run on more
than one node at the same time: the system multi-node package, which runs on all nodes in the

3.3 How the Package Manager Works 43


cluster, and the multi-node package, which can be configured to run on all or some of the nodes
in the cluster. System multi-node packages are reserved for use by HP-supplied applications.
The rest of this section describes failover packages.

3.3.1.2 Failover Packages


A failover package starts up on an appropriate node (see node_name (page 176)) when the cluster
starts. In the case of a service, network, or other resource or dependency failure, package failover
takes place. A package failover involves both halting the existing package and starting the new
instance of the package on a new node.
Failover is shown in the following figure:

Figure 10 Package Moving During Failover

3.3.1.2.1 Configuring Failover Packages


You configure each package separately. You create a failover package by generating and editing
a package configuration file template, then adding the package to the cluster configuration
database; details are in Chapter 6: Configuring Packages and Their Services (page 169).
For legacy packages (packages created by the method used on versions of Serviceguard earlier
than A.11.18), you must also create a package control script for each package, to manage the
execution of the packages services. See Configuring a Legacy Package (page 233) for detailed
information.
Customized package control scripts are not needed for modular packages (packages created by
the method introduced in Serviceguard A.11.18). These packages are managed by a master
control script that is installed with Serviceguard; see Chapter 6: Configuring Packages and Their
Services (page 169), for instructions for creating modular packages.

3.3.1.2.2 Deciding When and Where to Run and Halt Failover Packages
The package configuration file assigns a name to the package and includes a list of the nodes on
which the package can run.

44 Understanding Serviceguard Software Components


Failover packages list the nodes in order of priority (i.e., the first node in the list is the highest
priority node). In addition, failover packages files contain three parameters that determine failover
behavior. These are the auto_run parameter, the failover_policy parameter, and the
failback_policy parameter.

3.3.1.2.3 Failover Packages Switching Behavior


The auto_run parameter (known in earlier versions of Serviceguard as the
PKG_SWITCHING_ENABLED parameter) defines the default global switching attribute for a failover
package at cluster startup: that is, whether Serviceguard can automatically start the package when
the cluster is started, and whether Serviceguard should automatically restart the package on a new
node in response to a failure. Once the cluster is running, the package switching attribute of each
package can be temporarily set with the cmmodpkg command; at reboot, the configured value
will be restored.
The auto_run parameter is set in the package configuration file.
A package switch normally involves moving failover packages and their associated IP addresses
to a new system. The new system must already have the same subnet configured and working
properly, otherwise the packages will not be started.

NOTE: It is possible to configure a cluster that spans subnets joined by a router, with some nodes
using one subnet and some another. This is known as a cross-subnet configuration. In this context,
you can configure packages to fail over from a node on one subnet to a node on another, and
you will need to configure a relocatable IP address for each subnet the package is configured to
start on; see About Cross-Subnet Failover (page 130), and in particular the subsection Implications
for Application Deployment (page 131).
When a package fails over, TCP connections are lost. TCP applications must reconnect to regain
connectivity; this is not handled automatically. Note that if the package is dependent on multiple
subnets, normally all of them must be available on the target node before the package will be
started. (In a cross-subnet configuration, all the monitored subnets that are specified for this package,
and configured on the target node, must be up.)
If the package has a dependency on a resource or another package, the dependency must be met
on the target node before the package can start.
The switching of relocatable IP addresses is shown in the figures that follow. Users connect to each
node with the IP address of the package they wish to use. Each node has a stationary IP address
associated with it, and each package has an IP address associated with it.

3.3 How the Package Manager Works 45


Figure 11 Before Package Switching

In Figure 12, node1 has failed and pkg1 has been transferred to node2. pkg1's IP address was
transferred to node2 along with the package. pkg1 continues to be available and is now running
on node2. Also note that node2 now has access both to pkg1's disk and pkg2's disk.

NOTE: For design and configuration information about clusters that span subnets, see the
documents listed under Cross-Subnet Configurations (page 27).

46 Understanding Serviceguard Software Components


Figure 12 After Package Switching

3.3.1.2.4 Failover Policy


The Package Manager selects a node for a failover package to run on based on the priority list
included in the package configuration file together with the failover_policy parameter, also
in the configuration file. The failover policy governs how the package manager selects which node
to run a package on when a specific node has not been identified and the package needs to be
started. This applies not only to failovers but also to startup for the package, including the initial
startup. The failover policies are configured_node (the default), min_package_node,
site_preferred, and site_preferred_manual. The parameter is set in the package
configuration file. For more information, see failover_policy (page 178).

3.3.1.2.5 Automatic Rotating Standby


Using the min_package_node failover policy, it is possible to configure a cluster that lets you
use one node as an automatic rotating standby node for the cluster. Consider the following package
configuration for a four node cluster. Note that all packages can run on all nodes and have the
same node_name lists. Although the example shows the node names in a different order for each
package, this is not required.

3.3 How the Package Manager Works 47


Table 2 Package Configuration Data
Package Name NODE_NAME List FAILOVER_POLICY

pkgA node1, node2, node3, min_package_node


node4

pkgB node2, node3, node4, min_package_node


node1

pkgC node3, node4, node1, min_package_node


node2

When the cluster starts, each package starts as shown in Figure 13.

Figure 13 Rotating Standby Configuration before Failover

If a failure occurs, the failing package would fail over to the node containing fewest running
packages:

48 Understanding Serviceguard Software Components


Figure 14 Rotating Standby Configuration after Failover

NOTE: Under the min_package_node policy, when node2 is repaired and brought back into
the cluster, it will then be running the fewest packages, and thus will become the new standby
node.
If these packages had been set up using the configured_node failover policy, they would start
initially as in Figure 13, but the failure of node2 would cause the package to start on node3, as
shown in Figure 15.

3.3 How the Package Manager Works 49


Figure 15 configured_node Policy Packages after Failover

If you use configured_node as the failover policy, the package will start up on the highest-priority
eligible node in its node list. When a failover occurs, the package will move to the next eligible
node in the list, in the configured order of priority.

3.3.1.2.6 Failback Policy


The use of the failback_policy parameter allows you to decide whether a package will return
to its primary node if the primary node becomes available and the package is not currently running
on the primary node. The configured primary node is the first node listed in the packages node
list.
The two possible values for this policy are automatic and manual. The parameter is set in the
package configuration file:
As an example, consider the following four-node configuration, in which failover_policy is
set to configured_node and failback_policy is automatic:

50 Understanding Serviceguard Software Components


Figure 16 Automatic Failback Configuration before Failover

Table 3 Node Lists in Sample Cluster


Package Name NODE_NAME List FAILOVER POLICY FAILBACK POLICY

pkgA node1, node4 configured_node automatic

pkgB node2, node4 configured_node automatic

pkgC node3, node4 configured_node automatic

node1 panics, and after the cluster reforms, pkgA starts running on node4:

3.3 How the Package Manager Works 51


Figure 17 Automatic Failback Configuration After Failover

After rebooting, node1 rejoins the cluster. At that point, pkgA will be automatically stopped on
node4 and restarted on node1.

Figure 18 Automatic Failback Configuration After Restart of node1

52 Understanding Serviceguard Software Components


NOTE: Setting the failback_policy to automatic can result in a package failback and
application outage during a critical production period. If you are using automatic failback, you
may want to wait to add the packages primary node back into the cluster until you can allow the
package to be taken out of service temporarily while it switches back to the primary node.
Serviceguard automatically chooses a primary node for a package when the NODE_NAME is set
to '*'. When you set the NODE_NAME to '*' and the failback_policy is automatic, if you
add, delete, or rename a node in the cluster, the primary node for the package might change
resulting in the automatic failover of that package.

3.3.1.2.7 On Combining Failover and Failback Policies


Combining a failover_policy of min_package_node with a failback_policy of
automatic can result in a packages running on a node where you did not expect it to run, since
the node running the fewest packages will probably not be the same host every time a failover
occurs.

3.3.2 Using the Generic Resources Monitoring Service


Generic Resources module is a resource monitoring mechanism in Serviceguard that allows you
to monitor critical resources for a package. It provides integration of custom, user-defined monitors
in Serviceguard by configuring generic resources as part of package configuration. With generic
resources different kind of monitoring mechanisms, such as Custom monitors can be used and
these can co-exist in a single package.
Generic resources has the following advantages:
Custom defined monitors can also be integrated
Provides better control, options, and flexibility in terms of getting and setting the status of a
resource
Generic resources can be configured into any modular style package. They can be configured for
failover or multi-node packages and are included in modular failover packages by default. A single
resource can be specified across multiple packages.
You can either generate a new package configuration file containing the generic resource
parameters or add the module to an existing package to include the generic resource parameters.
When you generate a package with the generic resource module, Serviceguard provides the
following parameters for configuring generic resources:
generic_resource_name
generic_resource_evaluation_type
generic_resource_up_criteria
You can then configure generic resources using these parameters. For details on the parameters,
see Package Parameter Explanations (page 174) and the cmmakepkg (1m) manpage. For steps
to configure a generic resources, see Configuring a Generic Resource (page 109).
You can also add, delete, or modify generic resources depending on certain conditions. For
information, see Online Reconfiguration of Generic Resources (page 112).
Monitoring of these resources takes place outside of the Serviceguard environment. These are done
by writing monitoring scripts that can be launched either within the Serviceguard environment by
configuring them as services, or outside of Serviceguard environment.
These scripts are written by end-users and must contain the core logic to monitor a resource , and
the status of the generic resource set accordingly using cmsetresource(1m). These are started
as part of package start and will continue to run until package services are halted. For more
information, see Monitoring Script for Generic Resources (page 303).

3.3 How the Package Manager Works 53


If there is a common generic resource that needs to be monitored as a part of multiple packages,
then the monitoring script for that resource can be launched as part of one package and all other
packages can use the same monitoring script. There is no need to launch multiple monitors for a
common resource. If the package that has started the monitoring script fails or is halted, then all
the other packages that are using this common resource also fail.
See the recommendation from HP and an example under Launching Monitoring Scripts (page 303).
Generic resources can be of two types - Simple and Extended.
A given generic resource is considered to be a simple generic resource when the up criteria
parameter is not specified.
For a simple resource, the monitoring mechanism is based on the status of the resource.
The status can be UP, DOWN, or UNKNOWN.
The default status is UNKNOWN; UP and DOWN can be set using the cmsetresource(1m)
command.
A given generic resource is considered to be an extended generic resource when the up criteria
parameter is specified.
For an extended resource, the monitoring mechanism is based on the current value of the
resource.
The current value is matched with the generic_resource_up_criteria specified for the
resource in a package and this determines whether the generic resource status is UP or DOWN.
The default current value is 0.
Valid values are positive integer values ranging from 1 to 2147483647.

NOTE: You can get or set the status/value of a simple/extended generic resource using the
cmgetresource(1m) and cmsetresource(1m) commands respectively. See Getting and
Setting the Status/Value of a Simple/Extended Generic Resource (page 111) and the manpages
for more information.
A single package can have a combination of simple and extended resources, but a given generic
resource cannot be configured as a simple resource in one package and as an extended resource
in another package. It must be either simple generic resource or extended generic resource in all
packages.

3.3.3 Using Older Package Configuration Files


If you are using package configuration files that were generated using a previous version of
Serviceguard, HP recommends you use the cmmakepkg command to open a new template, and
then copy the parameter values into it. In the new template, read the descriptions and defaults of
the choices that did not exist when the original configuration was made. For example, the default
for failover_policy is now configured_node and the default for failback_policy is
now manual.
For full details of the current parameters and their default values, see Chapter 6: Configuring
Packages and Their Services (page 169), and the package configuration file template itself.

3.4 How Packages Run


Packages are the means by which Serviceguard starts and halts configured applications. Failover
packages are also units of failover behavior in Serviceguard. A package is a collection of services,
disk volumes, generic resources, and IP addresses that are managed by Serviceguard to ensure
they are available. There can be a maximum of 300 packages per cluster, a total of 900 services
and a total of 100 generic resources per cluster.

54 Understanding Serviceguard Software Components


3.4.1 What Makes a Package Run?
There are 3 types of packages:
The failover package is the most common type of package. It runs on one node at a time. If
a failure occurs, it can switch to another node listed in its configuration file. If switching is
enabled for several nodes, the package manager will use the failover policy to determine
where to start the package.
A system multi-node package runs on all the active cluster nodes at the same time. It can be
started or halted on all nodes, but not on individual nodes.
A multi-node package can run on several nodes at the same time. If auto_run is set to yes,
Serviceguard starts the multi-node package on all the nodes listed in its configuration file. It
can be started or halted on all nodes, or on individual nodes, either by user command
(cmhaltpkg) or automatically by Serviceguard in response to a failure of a package
component, such as service or subnet.
System multi-node packages are supported only for use by applications supplied by Hewlett-Packard.
A failover package can be configured to have a dependency on a multi-node or system multi-node
package. The package manager cannot start a package on a node unless the package it depends
on is already up and running on that node.
The package manager will always try to keep a failover package running unless there is something
preventing it from running on any node. The most common reasons for a failover package not
being able to run are that auto_run is disabled so Serviceguard is not allowed to start the
package, that node switching is disabled for the package on particular nodes, or that the package
has a dependency that is not being met. When a package has failed on one node and is enabled
to switch to another node, it will start up automatically in a new location where its dependencies
are met. This process is known as package switching, or remote switching.
A failover package starts on the first available node in its configuration file; by default, it fails over
to the next available one in the list. Note that you do not necessarily have to use a cmrunpkg
command to restart a failed failover package; in many cases, the best way is to enable package
and/or node switching with the cmmodpkg command.
When you create the package, you indicate the list of nodes on which it is allowed to run. System
multi-node packages must list all cluster nodes in their cluster. Multi-node packages and failover
packages can name some subset of the clusters nodes or all of them.
If the auto_run parameter is set to yes in a packages configuration file Serviceguard
automatically starts the package when the cluster starts. System multi-node packages are required
to have auto_run set to yes. If a failover package has auto_run set to no, Serviceguard cannot
start it automatically at cluster startup time; you must explicitly enable this kind of package using
the cmmodpkg command.

NOTE: If you configure the package while the cluster is running, the package does not start up
immediately after the cmapplyconf command completes. To start the package without halting
and restarting the cluster, issue the cmrunpkg or cmmodpkg command.
How does a failover package start up, and what is its behavior while it is running? Some of the
many phases of package life are shown in Figure 19.

NOTE: This diagram applies specifically to legacy packages. Differences for modular scripts are
called out below.

3.4 How Packages Run 55


Figure 19 Legacy Package Time Line Showing Important Events

The following are the most important moments in a packages life:


1. Before the control script starts. (For modular packages, this is the master control script.)
2. During run script execution. (For modular packages, during control script execution to start
the package.)
3. While services are running
4. If there is a generic resource configured and it fails, then the package will be halted.
5. When a service or subnet fails, or a dependency is not met.
6. During halt script execution. (For modular packages, during control script execution to halt
the package.)
7. When the package or the node is halted with a command
8. When the node fails

3.4.2 Before the Control Script Starts


First, a node is selected. This node must be in the packages node list, it must conform to the
packages failover policy, and any resources required by the package must be available on the
chosen node. One resource is the subnet that is monitored for the package. If the subnet is not
available, the package cannot start on this node. Another type of resource is a dependency on
another package. If monitoring shows a value for a configured resource that is outside the permitted
range, the package cannot start.
If a generic resource of type BPS is configured, it must be up; if not, the package cannot start on
this node.
Once a node is selected, a check is then done to make sure the node allows the package to start
on it. Then services are started up for a package by the control script on the selected node. Strictly
speaking, the run script on the selected node is used to start a legacy package; the master control
script starts a modular package.

56 Understanding Serviceguard Software Components


3.4.3 During Run Script Execution
Once the package manager has determined that the package can start on a particular node, it
launches the script that starts the package (that is, a packages control script or master control
script is executed with the start parameter). This script carries out the following steps:
1. Executes any external_pre_scripts (modular packages only; see About External Scripts
(page 127))
2. Activates volume groups or disk groups.
3. Mounts file systems.
4. Assigns package IP addresses to the LAN card on the node (failover packages only).
5. Executes any customer-defined run commands (legacy packages only; see Adding Customer
Defined Functions to the Package Control Script (page 237)) or external_scripts (modular
packages only; see About External Scripts (page 127)).
6. Starts each package service.
7. Exits with an exit code of zero (0).

Figure 20 Legacy Package Time Line

At any step along the way, an error will result in the script exiting abnormally (with an exit code
of 1). For example, if a package service is unable to be started, the control script will exit with an
error.

NOTE: This diagram is specific to legacy packages. Modular packages also run external scripts
and pre-scripts as explained above.
If the run script execution is not complete before the time specified in the run_script_timeout
parameter (page 177), the package manager will kill the script. During run script execution, messages
are written to a log file. For legacy packages, this is in the same directory as the run script and
has the same name as the run script and the extension.log. For modular packages, the pathname
is determined by the script_log_file parameter in the package configuration file (page 178)).

3.4 How Packages Run 57


Normal starts are recorded in the log, together with error messages or warnings related to starting
the package.

NOTE: After the package run script has finished its work, it exits, which means that the script is
no longer executing once the package is running normally. After the script exits, the PIDs of the
services started by the script are monitored by the package manager directly. If the service dies,
the package manager will then run the package halt script or, if service_fail_fast_enabled
(page 184) is set to yes, it will halt the node on which the package is running. If a number of restarts
is specified for a service in the package control script, the service may be restarted if the restart
count allows it, without re-running the package run script.

3.4.4 Normal and Abnormal Exits from the Run Script


Exit codes on leaving the run script determine what happens to the package next. A normal exit
means the package startup was successful, but all other exits mean that the start operation did not
complete successfully.
0normal exit. The package started normally, so all services are up on this node.
1abnormal exit, also known as no_restart exit. The package did not complete all startup
steps normally. Services are killed, and the package is disabled from failing over to other
nodes.
2alternative exit, also known as restart exit. There was an error, but the package is
allowed to start up on another node. You might use this kind of exit from a customer defined
procedure if there was an error, but starting the package on another node might succeed. A
package with a restart exit is disabled from running on the local node, but can still run on
other nodes.
TimeoutAnother type of exit occurs when the run_script_timeout is exceeded. In this
scenario, the package is killed and disabled globally. It is not disabled on the current node,
however. The package script may not have been able to clean up some of its resources such
as LVM volume groups or package mount points, so before attempting to start up the package
on any node, be sure to check whether any resources for the package need to be cleaned
up.

3.4.5 Service Startup with cmrunserv


Within the package control script, the cmrunserv command starts up the individual services. This
command is executed once for each service that is coded in the file. You can configure a number
of restarts for each service. The cmrunserv command passes this number to the package manager,
which will restart the service the appropriate number of times if the service should fail. The following
are some typical settings in a legacy package; for more information about configuring services in
modular packages, see the discussion starting with service_name (page 183) in Chapter 6,
and the comments in the package configuration template file.
SERVICE_RESTART[0]=" " ; do not restart
SERVICE_RESTART[0]="-r <n>" ; restart as many as <n> times
SERVICE_RESTART[0]="-R" ; restart indefinitely

NOTE: If you set <n> restarts and also set service_fail_fast_enabled to yes, the failfast
will take place after <n> restart attempts have failed. It does not make sense to set
service_restart to -R for a service and also set service_fail_fast_enabled to yes.

3.4.6 While Services are Running


During the normal operation of cluster services, the package manager continuously monitors the
following:

58 Understanding Serviceguard Software Components


Process IDs of the services
Subnets configured for monitoring in the package configuration file
Generic resources configured for monitoring in the package configuration file
If a service fails but the restart parameter for that service is set to a value greater than 0, the service
will restart, up to the configured number of restarts, without halting the package.
During normal operation, while all services are running, you can see the status of the services in
the Script Parameters section of the output of the cmviewcl command.

3.4.7 When a Service or Subnet Fails or Generic Resource or a Dependency is Not


Met
What happens when something goes wrong? If a service fails and there are no more restarts, or
if a configured dependency on another package is not met, then a failover package will halt on
its current node and, depending on the setting of the package switching flags, may be restarted
on another node. If a multi-node or system multi-node package fails, all of the packages that have
configured a dependency on it will also fail.
Package halting normally means that the package halt script executes (see the next section).
However, if a failover packages configuration has the service_fail_fast_enabled flag
(page 184) set to yes for the service that fails, then the node will halt as soon as the failure is
detected. If this flag is not set, the loss of a service will result in halting the package gracefully by
running the halt script.
If auto_run (page 176) is set to yes, the package will start up on another eligible node, if it meets
all the requirements for startup. If auto_run is set to no, then the package simply halts without
starting up anywhere else.

NOTE: If a package is dependent on a subnet, and the subnet on the primary node fails, the
package will start to shut down. If the subnet recovers immediately (before the package is restarted
on an adoptive node), the package manager restarts the package on the same node; no package
switch occurs.

3.4.8 When a Package is Halted with a Command


The Serviceguard cmhaltpkg command has the effect of executing the package halt script, which
halts the services that are running for a specific package. This provides a graceful shutdown of
the package that is followed by disabling automatic package startup (see auto_run (page 176)).
You cannot halt a multi-node or system multi-node package unless all the packages that have a
configured dependency on it are down. Use cmviewcl to check the status of dependents. For
example, if pkg1 and pkg2 depend on PKGa, both pkg1 and pkg2 must be halted before you
can halt PKGa.

NOTE: If you use cmhaltpkg command with the -n <nodename> option, the package is
halted only if it is running on that node.
The cmmodpkg command cannot be used to halt a package, but it can disable switching either
on particular nodes or on all nodes. A package can continue running when its switching has been
disabled, but it will not be able to start on other nodes if it stops running on its current node.

3.4.9 During Halt Script Execution


Once the package manager has detected the failure of a service or package that a failover package
depends on, or when the cmhaltpkg command has been issued for a particular package, the
package manager launches the halt script. That is, a packages control script or master control
script is executed with the stop parameter. This script carries out the following steps (also shown
in Figure 21) :

3.4 How Packages Run 59


1. Halts all package services.
2. Executes any customer-defined halt commands (legacy packages only) or external_scripts
(modular packages only; see external_script (page 190)).
3. Removes package IP addresses from the LAN card on the node.
4. Unmounts file systems.
5. Deactivates volume groups.
6. Revokes Persistent registrations and reservations, if any
7. Exits with an exit code of zero (0).
8. Executes any external_pre_scripts (modular packages only; see
external_pre_script (page 190)).

Figure 21 Legacy Package Time Line for Halt Script Execution

At any step along the way, an error will result in the script exiting abnormally (with an exit code
of 1). If the halt script execution is not complete before the time specified in the
halt_script_timeout (page 177) , the package manager will kill the script. During halt script
execution, messages are written to a log file. For legacy packages, this is in the same directory
as the run script and has the same name as the run script and the extension.log. For modular
packages, the pathname is determined by the script_log_file parameter in the package
configuration file (page 178). Normal starts are recorded in the log, together with error messages
or warnings related to halting the package.

NOTE: This diagram applies specifically to legacy packages. Differences for modular scripts are
called out above.

3.4.10 Normal and Abnormal Exits from the Halt Script


The packages ability to move to other nodes is affected by the exit conditions on leaving the halt
script. The following are the possible exit codes:

60 Understanding Serviceguard Software Components


0normal exit. The package halted normally, so all services are down on this node.
1abnormal exit, also known as no_restart exit. The package did not halt normally.
Services are killed, and the package is disabled globally. It is not disabled on the current
node, however.
2 abnormal exit, also known as restart exit. The package did not halt normally. Services
are killed, and the package is disabled globally. It is not disabled on the current node, however.
The package is allowed to run on an alternate node.
3abnormal exit. The package did not halt normally and will be placed in the halt_aborted
state (page 200). The package switching is disabled and it will not failover to other nodes.
TimeoutAnother type of exit occurs when the halt_script_timeout is exceeded. In this
scenario, the package is killed and disabled globally. It is not disabled on the current node,
however.

3.4.10.1 Package Control Script Error and Exit Conditions


Table 4 shows the possible combinations of error condition, failfast setting and package movement
for failover packages.
Table 4 Error Conditions and Package Movement for Failover Packages
Package Error Condition Results

Error or Exit Code Node Failfast Service Linux Status Halt script Package Allowed to Package
Enabled Failfast on Primary runs after Run on Primary Allowed to Run
Enabled after Error Error or Exit Node after Error on Alternate
Node

Service Failure Either Setting Yes system reset No N/A (system reset) Yes

Service Failure Either Setting No Running Yes No Yes

Run Script Exit 1 Either Setting Either Setting Running No Not changed No

Run Script Exit 2 Yes Either Setting system reset No N/A (system reset) Yes

Run Script Exit 2 No Either Setting Running No No Yes

Run Script Yes Either Setting system reset No N/A (system reset) Yes
Timeout

Run Script No Either Setting Running No Not changed No


Timeout

Halt Script Exit 1 Yes Either Setting Running N/A Yes No

Halt Script Exit 1 No Either Setting Running N/A Yes No

Halt Script Exit 2 No Either Setting Running N/A Yes Yes

Halt Script Exit 3 No No Running N/A Yes No

Halt Script Yes Either Setting system reset N/A N/A (system reset) Yes, unless the
Timeout timeout
happened after
the cmhaltpkg
command was
executed.

Halt Script No Either Setting Running N/A Yes No


Timeout

Service Failure Either Setting Yes system reset No N/A (system reset) Yes

Service Failure Either Setting No Running Yes No Yes

Loss of Network Yes Either Setting system reset No N/A (system reset) Yes

3.4 How Packages Run 61


Table 4 Error Conditions and Package Movement for Failover Packages (continued)
Package Error Condition Results

Error or Exit Code Node Failfast Service Linux Status Halt script Package Allowed to Package
Enabled Failfast on Primary runs after Run on Primary Allowed to Run
Enabled after Error Error or Exit Node after Error on Alternate
Node

Loss of Network No Either Setting Running Yes Yes Yes

package Either Setting Either Setting Running Yes Yes when Yes if
depended on dependency is dependency met
failed again met

3.5 How the Network Manager Works


The purpose of the network manager is to detect and recover from network card failures so that
network services remain highly available to clients. In practice, this means assigning IP addresses
for each package to LAN interfaces on the node where the package is running and monitoring
the health of all interfaces, switching them when necessary.

NOTE: Serviceguard monitors the health of the network interfaces (NICs) and can monitor the
IP level (layer 3) network.

3.5.1 Stationary and Relocatable IP Addresses and Monitored Subnets


Each node (host system) should have an IP address for each active network interface. This address,
known as a stationary IP address, is configured in the file
/etc/sysconfig/network-scripts/ifcfg-<interface> on Red Hat or
/etc/sysconfig/network/ifcfg-<mac_address> on SUSE. The stationary IP address is
not associated with packages, and it is not transferable to another node.
Stationary IP addresses are used to transmit data, heartbeat messages (described under How the
Cluster Manager Works (page 38)), or both. They are configured into the cluster via the cluster
configuration file; see the entries for HEARTBEAT_IP and STATIONARY_IP under Cluster
Configuration Parameters (page 90).
Serviceguard monitors the subnets represented by these IP addresses. They are referred to as
monitored subnets, and you can see their status at any time in the output of the cmviewcl
command; see Network Status (page 202) for an example.
You can also configure these subnets to be monitored for packages, using the monitored_subnet
parameter in the package configuration file (page 181). A package will not start on a node unless
the subnet(s) identified by monitored_subnet in its package configuration file are up and
reachable from that node.

IMPORTANT: Any subnet identified as a monitored_subnet in the package configuration file


must be configured into the cluster via NETWORK_INTERFACE and either STATIONARY_IP or
HEARTBEAT_IP in the cluster configuration file. See Cluster Configuration Parameters (page 90)
and Package Parameter Explanations (page 174).
In addition to the stationary IP address, you normally assign one or more unique IP addresses to
each package. The package IP address is assigned to a LAN interface when the package starts
up.
The IP addresses associated with a package are called relocatable IP addresses (also known as
IP aliases, package IP addresses or floating IP addresses) because the addresses can actually move
from one cluster node to another. You can use up to 200 relocatable IP addresses in a cluster
spread over as many as 300 packages. These addresses can be IPv4, IPv6, or a combination of
both address families.

62 Understanding Serviceguard Software Components


Because system multi-node and multi-node packages do not fail over, they do not have relocatable
IP address.
A relocatable IP address is like a virtual host IP address that is assigned to a package. HP
recommends that you configure names for each package through DNS (Domain Name System).
A program then can use the packages name like a host name as the input to gethostbyname(3),
which will return the packages relocatable IP address.
Relocatable addresses (but not stationary addresses) can be taken over by an adoptive node if
control of the package is transferred. This means that applications can access the package via its
relocatable address without knowing which node the package currently resides on.

IMPORTANT: Any subnet that is used by a package for relocatable addresses should be
configured into the cluster via NETWORK_INTERFACE and either STATIONARY_IP or
HEARTBEAT_IP in the cluster configuration file. For more information about those parameters,
see Cluster Configuration Parameters (page 90). For more information about configuring
relocatable addresses, see the descriptions of the package ip_ parameters (page 182).

NOTE: It is possible to configure a cluster that spans subnets joined by a router, with some nodes
using one subnet and some another. This is called a cross-subnet configuration. In this context, you
can configure packages to fail over from a node on one subnet to a node on another, and you
will need to configure a relocatable address for each subnet the package is configured to start on;
see About Cross-Subnet Failover (page 130), and in particular the subsection Implications for
Application Deployment (page 131).

3.5.2 Types of IP Addresses


Both IPv4 and IPv6 address types are supported in Serviceguard. IPv4 addresses are the traditional
addresses of the form n.n.n.n where n is a decimal digit between 0 and 255. IPv6 addresses
have the form x:x:x:x:x:x:x:x where x is the hexadecimal value of each of eight 16-bit pieces
of the 128-bit address. You can define heartbeat IPs, stationary IPs, and relocatable (package) IPs
as IPv4 or IPv6 addresses (or certain combinations of both).

3.5.3 Adding and Deleting Relocatable IP Addresses


When a package is started, any relocatable IP addresses configured for that package are added
to the specified IP subnet. When the package is stopped, the relocatable IP address is deleted
from the subnet. These functions are performed by the cmmodnet command in the package master
control script (package control script for legacy packages).
IP addresses are configured only on each primary network interface card. Multiple IPv4 addresses
on the same network card must belong to the same IP subnet.

CAUTION: HP strongly recommends that you add relocatable addresses to packages only by
editing ip_address (page 183) in the package configuration file (or IP [] entries in the control
script of a legacy package) and running cmapplyconf (1m).

3.5.3.1 Load Sharing


Serviceguard allows you to configure several services into a single package, sharing a single IP
address; in that case all those services will fail over when the package does. If you want to be
able to load-balance services (that is, move a specific service to a less loaded system when
necessary) you can do so by putting each service in its own package and giving it a unique IP
address.

3.5.4 Bonding of LAN Interfaces


Several LAN interfaces on a node can be grouped together in a process known in Linux as channel
bonding. In the bonded group, typically one interface is used to transmit and receive data, while

3.5 How the Network Manager Works 63


the others are available as backups. If one interface fails, another interface in the bonded group
takes over. HP strongly recommends you use channel bonding in each critical IP subnet to achieve
highly available network services.
Host Bus Adapters (HBAs) do not have to be identical. Ethernet LANs must be the same type, but
can be of different bandwidth (for example, 1 Gb and 100 Mb). Serviceguard for Linux supports
the use of bonding of LAN interfaces at the driver level. The Ethernet driver is configured to employ
a group of interfaces.
Once bonding is enabled, each interface can be viewed as a single logical link of multiple physical
ports with only one IP and MAC address. There is no limit to the number of slaves (ports) per bond,
and the number of bonds per system is limited to the number of Linux modules you can load.
You can bond the ports within a multi-ported networking card (cards with up to four ports are
currently available). Alternatively, you can bond ports from different cards. HP recommends that
use different cards.Figure 22 shows an example of four separate interfaces bonded into one
aggregate.

Figure 22 Bonded Network Interfaces

The LANs in the non-bonded configuration have four LAN cards, each associated with a separate
non-aggregated IP address and MAC address, and each with its own LAN name (eth1, eth2,
eth3, or eth4). When these ports are aggregated, all four ports are associated with a single IP
address and MAC address. In this example, the aggregated ports are collectively known as bond0,
and this is the name by which the bond is known during cluster configuration.
Figure 3-18 shows a bonded configuration using redundant hubs with a crossover cable.

64 Understanding Serviceguard Software Components


Figure 23 Bonded NICs

Node1 Node2

bond0: bond0:

eth0 eth1 eth0 eth1

active active

Hub

Crossover cable

Hub

In the bonding model, individual Ethernet interfaces are slaves, and the bond is the master. In the
basic high availability configuration (mode 1), one slave in a bond assumes an active role, while
the others remain inactive until a failure is detected. (In Figure 3-18, both eth0 slave interfaces are
active.) It is important that during configuration, the active slave interfaces on all nodes are
connected to the same hub. If this were not the case, then normal operation of the LAN would
require the use of the crossover between the hubs and the crossover would become a single point
of failure.
After the failure of a card, messages are still carried on the bonded LAN and are received on the
other node, but now eth1 has become active in bond0 on node1. This situation is shown in
Figure 24.

Figure 24 Bonded NICs After Failure

Various combinations of Ethernet card types (single or dual-ported) and bond groups are possible,
but it is vitally important to remember that at least two physical cards (or physically separate

3.5 How the Network Manager Works 65


on-board LAN interfaces) must be used in any combination of channel bonds to avoid a single
point of failure for heartbeat connections.

3.5.5 Bonding for Load Balancing


It is also possible to configure bonds in load balancing mode, which allows all slaves to transmit
data in parallel, in an active/active arrangement. In this case, high availability is provided by the
fact that the bond still continues to function (with less throughput) if one of the component LANs
should fail. The user should check the Bonding documentation to determine if the hardware
configuration must use Ethernet switches such as the HP Procurve switch, which supports trunking
of switch ports. The bonding driver configuration must specify mode 0 for the bond type.
An example of this type of configuration is shown in Figure 25.

Figure 25 Bonded NICs Configured for Load Balancing

3.5.6 Monitoring LAN Interfaces and Detecting Failure: Link Level


At regular intervals, determined by the NETWORK_POLLING_INTERVAL (see Cluster Configuration
Parameters (page 90)), Serviceguard polls all the network interface cards specified in the cluster
configuration file (both bonded and non-bonded). If the link status of an interface is down,
Serviceguard marks the interface, and all subnets running on it, as down; this is shown in the output
of cmviewcl (1m); see Reporting Link-Level and IP-Level Failures (page 69). When the link
comes back up, Serviceguard marks the interface, and all subnets running on it, as up.

3.5.7 Monitoring LAN Interfaces and Detecting Failure: IP Level


Serviceguard can also monitor the IP level, checking Layer 3 health and connectivity for both IPv4
and IPv6 subnets. This is done by the IP Monitor, which is configurable: you can enable IP monitoring
for any subnet configured into the cluster, but you do not have to monitor any. You can configure
IP monitoring for a subnet, or turn off monitoring, while the cluster is running.
The IP Monitor:

66 Understanding Serviceguard Software Components


Detects when a network interface fails to send or receive IP messages, even though it is still
up at the link level.
Handles the failure, failover, recovery, and failback.

3.5.7.1 Reasons To Use IP Monitoring


Beyond the capabilities already provided by link-level monitoring, IP monitoring can:
Monitor network status beyond the first level of switches; see How the IP Monitor Works
(page 67)
Detect and handle errors such as:
IP packet corruption on the router or switch

Link failure between switches and a first-level router

Inbound failures

Errors that prevent packets from being received but do not affect the link-level health of
an interface

IMPORTANT: You should configure the IP Monitor in a cross-subnet configuration, because IP


monitoring will detect some errors that link-level monitoring will not. See also Cross-Subnet
Configurations (page 27).

3.5.7.2 How the IP Monitor Works


Using Internet Control Message Protocol (ICMP) and ICMPv6, the IP Monitor sends polling messages
to target IP addresses and verifies that responses are received. When the IP Monitor detects a
failure, it marks the network interface down at the IP level, as shown in the output of cmviewcl
(1m); see Reporting Link-Level and IP-Level Failures (page 69) and Failure and Recovery Detection
Times (page 68).
The monitor can perform two types of polling:
Peer polling.
In this case the IP Monitor sends ICMP ECHO messages from each IP address on a subnet to
all other IP addresses on the same subnet on other nodes in the cluster.
Target polling.
In this case the IP Monitor sends ICMP ECHO messages from each IP address on a subnet to
an external IP address specified in the cluster configuration file; see POLLING_TARGET under
Cluster Configuration Parameters (page 90). cmquerycl (1m) will detect gateways
available for use as polling targets, as shown in the example below.
Target polling enables monitoring beyond the first level of switches, allowing you to detect if
the route is broken anywhere between each monitored IP address and the target.

NOTE: In a cross-subnet configuration, nodes can configure peer interfaces on nodes on


the other routed subnet as polling targets.

HP recommends that you configure target polling if the subnet is not private to the cluster.
The IP Monitor section of the cmquerycl output looks similar to this:

Route Connectivity (no probing was performed):

IPv4:

1 16.89.143.192

3.5 How the Network Manager Works 67


16.89.120.0

Possible IP Monitor Subnets:

IPv4:

16.89.112.0 Polling Target 16.89.112.1

IPv6:

3ffe:1000:0:a801:: Polling Target 3ffe:1000:0:a801::254


The IP Monitor section of the cluster configuration file will look similar to the following for a subnet
on which IP monitoring is configured with target polling.

IMPORTANT: By default, the cmquerycl does not verify that the gateways it detects will work
correctly for monitoring. But if you use the -w full option, cmquerycl will validate them as
polling targets.
SUBNET 192.168.1.0
IP_MONITOR ON
POLLING_TARGET 192.168.1.254
By default, IP_MONITOR parameter is set to OFF. If a gateway is detected for the subnet in question,
it populates the POLLING_TARGET , which is commented out, and sets the IP_MONITOR parameter
to OFF.
SUBNET 192.168.1.0
IP_MONITOR OFF
#POLLING_TARGET 192.168.1.254
To configure a subnet for IP monitoring with peer polling, edit the IP Monitor section of the cluster
configuration file to look similar to this:
SUBNET 192.168.2.0
IP_MONITOR ON
The IP Monitor section of the cluster configuration file will look similar to the following in the case
of a subnet on which IP monitoring is disabled:
SUBNET 192.168.3.0
IP_MONITOR OFF

3.5.7.2.1 Failure and Recovery Detection Times


With the default NETWORK_POLLING_INTERVAL of 2 seconds (see Cluster Configuration
Parameters (page 90)), the IP monitor will detect IP failures typically within 810 seconds for
Ethernet and within 1618 seconds for InfiniBand. Similarly, with the default
NETWORK_POLLING_INTERVAL, the IP monitor will detect the recovery of an IP address typically
within 810 seconds for Ethernet and with 1618 seconds for InfiniBand.
The minimum time for detecting a failure/recovery of an IP address is 8 seconds for Ethernet and
15 seconds for InfiniBand.

IMPORTANT: HP strongly recommends that you do not change the default


NETWORK_POLLING_INTERVAL value of 2 seconds.
See also Reporting Link-Level and IP-Level Failures (page 69).

68 Understanding Serviceguard Software Components


3.5.7.3 Constraints and Limitations
A subnet must be configured into the cluster in order to be monitored.
Polling targets are not detected beyond the first-level router.
Polling targets must accept and respond to ICMP (or ICMPv6) ECHO messages.
A peer IP on the same subnet should not be a polling target because a node can always ping
itself.
The following constraints apply to peer polling when there are only two interfaces on a subnet:
If one interface fails, both interfaces and the entire subnet will be marked down on each node,
unless bonding is configured and there is a working standby.
If the node that has one of the interfaces goes down, the subnet on the other node will be
marked down.
In a 2-node cluster, there is only a single peer for polling. When POLLING_TARGET is not
defined, if either of the nodes fail (For example, a node is rebooted or all the interfaces of a
node are down), IP monitoring fails and all the subnets are marked down on the operational
node. This results in failure of packages running on the operational node.
Therefore, peer polling is not suitable when there is only a single peer as exists in a 2-node
cluster. In such scenarios, a polling target should always be defined so that a single LAN
failure does not affect polling of other LANs.

3.5.8 Reporting Link-Level and IP-Level Failures


Any given failure may occur at the link level or the IP level; a failure is reported slightly differently
in the output of cmviewcl (1m) depending on whether link-level or IP monitoring detects the
failure.
If a failure is detected at the link level, output from cmviewcl -v will look like something like
this:
Network_Parameters:
INTERFACE STATUS PATH NAME
PRIMARY down (Link and IP) 0/3/1/0 eth2
PRIMARY up 0/5/1/0 eth3
cmviewcl -v -f line will report the same failure like this:
node:gary|interface:lan2|status=down
node:gary|interface:lan2|disabled=false
node:gary|interface:lan2|failure_type=link+ip
If a failure is detected by IP monitoring, output from cmviewcl -v will look like something like
this:
Network_Parameters:
INTERFACE STATUS PATH NAME
PRIMARY down (IP only) 0/3/1/0 eth2
PRIMARY up 0/5/1/0 eth3
cmviewcl -v -f line will report the same failure like this:
node:gary|interface:lan2|status=down
node:gary|interface:lan2|disabled=false
node:gary|interface:lan2|failure_type=ip_only

3.5.9 Package Switching and Relocatable IP Addresses


A package switch involves moving the package to a new system. In the most common configuration,
in which all nodes are on the same subnet(s), the package IP (relocatable IP; see Stationary and
Relocatable IP Addresses and Monitored Subnets (page 62)) moves as well, and the new system
must already have the subnet configured and working properly, otherwise the packages will not
be started.

3.5 How the Network Manager Works 69


NOTE: It is possible to configure a cluster that spans subnets joined by a router, with some nodes
using one subnet and some another. This is called a cross-subnet configuration. In this context, you
can configure packages to fail over from a node on one subnet to a node on another, and you
will need to configure a relocatable address for each subnet the package is configured to start on;
see About Cross-Subnet Failover (page 130), and in particular the subsectionImplications for
Application Deployment (page 131).
When a package switch occurs, TCP connections are lost. TCP applications must reconnect to
regain connectivity; this is not handled automatically. Note that if the package is dependent on
multiple subnets (specified as monitored_subnets in the package configuration file), all those
subnets must normally be available on the target node before the package will be started. (In a
cross-subnet configuration, all subnets configured on that node, and identified as monitored subnets
in the package configuration file, must be available.)
The switching of relocatable IP addresses is shown in Figure 11 and Figure 12 .

3.5.10 Address Resolution Messages after Switching on the Same Subnet


When a relocatable IP address is moved to a new interface, either locally or remotely, an ARP
message is broadcast to indicate the new mapping between IP address and link layer address.
An ARP message is sent for each IP address that has been moved. All systems receiving the
broadcast should update the associated ARP cache entry to reflect the change. Currently, the ARP
messages are sent at the time the IP address is added to the new system. An ARP message is sent
in the form of an ARP request. The sender and receiver protocol address fields of the ARP request
message are both set to the same relocatable IP address. This ensures that nodes receiving the
message will not send replies.
Unlike IPv4, IPv6 addresses use NDP messages to determine the link-layer addresses of their
neighbors.

3.5.11 VLAN Configurations


Virtual LAN configuration (VLAN) is supported in Serviceguard clusters.

3.5.11.1 What is VLAN?


VLAN is a technology that allows logical grouping of network nodes, regardless of their physical
locations.
VLAN can be used to divide a physical LAN into multiple logical LAN segments or broadcast
domains, helping to reduce broadcast traffic, increase network performance and security, and
improve manageability.
Multiple VLAN interfaces, each with its own IP address, can be configured from a physical LAN
interface; these VLAN interfaces appear to applications as ordinary network interfaces (NICs). See
the documentation for your Linux distribution for more information on configuring VLAN interfaces.

3.5.11.2 Support for Linux VLAN


VLAN interfaces can be used as heartbeat as well as data networks in the cluster. The Network
Manager monitors the health of VLAN interfaces configured in the cluster, and performs remote
failover of VLAN interfaces when failure is detected. Failure of a VLAN interface is typically the
result of the failure of the underlying physical NIC port or Channel Bond interface.

3.5.11.3 Configuration Restrictions


Linux allows up to 1024 VLANs to be created from a physical NIC port. A large pool of system
resources is required to accommodate such a configuration; Serviceguard could suffer performance
degradation if many network interfaces are configured in each cluster node. To prevent this and
other problems, Serviceguard imposes the following restrictions:

70 Understanding Serviceguard Software Components


A maximum of 30 network interfaces per node is supported. The interfaces can be physical
NIC ports, VLAN interfaces, Channel Bonds, or any combination of these.
Only port-based and IP-subnet-based VLANs are supported. Protocol-based VLAN is not
supported because Serviceguard does not support any transport protocols other than TCP/IP.
Each VLAN interface must be assigned an IP address in a unique subnet.
Using VLAN in a Wide Area Network cluster is not supported.

3.5.11.4 Additional Heartbeat Requirements


VLAN technology allows great flexibility in network configuration. To maintain Serviceguards
reliability and availability in such an environment, the heartbeat rules are tightened as follows
when the cluster is using VLANs:
1. VLAN heartbeat networks must be configured on separate physical NICs or Channel Bonds,
to avoid single points of failure.
2. Heartbeats are still recommended on all cluster networks, including VLANs.
3. If you are using VLANs, but decide not to use VLANs for heartbeat networks, heartbeats are
recommended for all other physical networks or Channel Bonds specified in the cluster
configuration file.

3.6 Volume Managers for Data Storage


A volume manager lets you create units of disk storage that are more flexible than individual disk
partitions. These units can be used on single systems or in high-availability clusters. HP Serviceguard
for Linux uses the Linux Logical Volume Manager (LVM) which creates redundant storage groups.
This section provides an overview of volume management with LVM. See Creating the Logical
Volume Infrastructure (page 145) in Chapter 5 for information about configuring volume groups,
logical volumes, and file systems for use in Serviceguard packages.
In HP Serviceguard for Linux, the supported shared data storage type is disk arrays which configure
redundant storage in hardware.
In a disk array, the basic element of storage is a LUN, which already provides storage redundancy
via RAID1 or RAID5. Before you can use the LUNs, you must partition them using fdisk.
In LVM, you manipulate storage in one or more volume groups. A volume group is built by grouping
individual physical volumes. Physical volumes can be disk partitions or LUNs that have been marked
as physical volumes as described below.
You use the pvcreate command to mark the LUN as physical volumes. Then you use the vgcreate
command to create volume groups out of one or more physical volumes. Once configured, a
volume group can be subdivided into logical volumes of different sizes and types. File systems or
databases used by the applications in the cluster are mounted on these logical volumes. In
Serviceguard clusters, volume groups are activated by package control scripts when an application
starts up, and they are deactivated by package control scripts when the application halts.

3.6.1 Storage on Arrays


Figure 26 shows LUNs configured on a storage array. Physical disks are configured by an array
utility program into logical units, or LUNs, which are seen by the operating system.

3.6 Volume Managers for Data Storage 71


Figure 26 Physical Disks Combined into LUNs

NOTE: LUN definition is normally done using utility programs provided by the disk array
manufacturer. Since arrays vary considerably, you should refer to the documentation that
accompanies your storage unit.
For information about configuring multipathing, see Multipath for Storage (page 82).

3.6.2 Monitoring Disks


Each package configuration includes information about the disks that are to be activated by the
package at startup. If monitoring is used, the health of the disks is checked at package startup.
The package will fail if the disks are not available.
When this happens, the package may be restarted on another node. If auto_run is set to yes,
the package will start up on another eligible node, if it meets all the requirements for startup. If
auto_run is set to no, then the package simply halts without starting up anywhere else.
The process for configuring disk monitoring is described in Creating a Disk Monitor Configuration
(page 198).

3.6.3 More Information on LVM


Refer to the section Creating the Logical Volume Infrastructure in Chapter 5 for details about
configuring volume groups, logical volumes, and file systems for use in Serviceguard packages.
For a basic description of Linux LVM, see the article, Logical Volume Manager HOWTO on the
Linux Documentation Project page at http://www.tldp.org.

3.7 About Persistent Reservations


Serviceguard for Linux packages use persistent reservations (PR) to control access to LUNs. Persistent
reservations, defined by the SCSI Primary Commands version 3 (SPC-3) standard, provide a means
to register I/O initiators and specify who can access LUN devices (anyone, all registrants, only
one registrant) and how (read-only, write-only).

72 Understanding Serviceguard Software Components


Unlike exclusive activation for volume groups, which does not prevent unauthorized access to the
underlying LUNs, PR controls access at the LUN level. Registration and reservation information is
stored on the device and enforced by its firmware; this information persists across device resets
and system reboots.

NOTE: Persistent Reservations coexist with, and are independent of, activation protection of
volume groups. You should continue to configure activation protection as instructed under Enabling
Volume Group Activation Protection. Subject to the Rules and Limitations spelled out below, Persistent
Reservations will be applied to the cluster's LUNs, whether or not the LUNs are configured into
volume groups.
Advantages of PR are:
Consistent behavior.
Whereas different volume managers may implement exclusive activation differently (or not at
all) PR is implemented at the device level and does not depend on volume-manager support
for exclusive activation.
Packages can control access to LUN devices independently of a volume manager.
Serviceguard's support for the ASM manager allows packages whose applications use these
protocols to access storage devices directly, without using a volume manager.

3.7.1 Rules and Limitations


Serviceguard automatically implements PR for packages that use LUN storage, subject to the
following constraints:
PR is supported with Device Mapper (DM) multipath in the modular package. You can use PR
with the following restrictions:
During package startup, Serviceguard performs registration only on active paths. If the
path becomes active after package startup, it remains unusable until the package is
restarted.
Legacy packages do not support PR with multipath.

Persistent Reservation (PR) module pr_cntl internally uses the dmsetup info command
to probe /dev/dm-n devices. In SUSE Linux Enterprise Server 11 SP1, the dmsetup
info command does not support probing /dev/dm-n devices. Therefore, the features
that use /dev/dm-n, such as udev alias cannot be supported with PR. If you are using
udev aliases in serviceguard-xdc environment, then PR module cannot be supported with
that configuration.

NOTE: This restriction is applicable only on SUSE Linux Enterprise Server 11 SP1.

If you are not using the udev alias names, multipath physical volumes names must be in
the /dev/mapper/XXXX or /dev/mpath/XXXX format.
The udev alias names must not be configured in the /dev/mapper/ or/dev/mpath/
directory.
Multipath device alias names must not contain pN or _partN strings, where N is the
number.
For example, /dev/mapper/evadskp1 or /dev/mapper/evadsk_part1

If you accidently run the pr_cleanup command on LUNs belonging to a package that is
already running, PR protection is disabled. To enable PR protection, you must restart the
package.

3.7 About Persistent Reservations 73


If you are using a storage device that does not support SPC-3 PR, disable the PR support using
the FORCED_PR_DISABLE flag in the cluster configuration.
If you are using Serviceguard Manager for creating modular packages, PR module is displayed
as optional. However, HP recommends that you always enable PR module for creating the
modular packages.
The udev alias names must be created using symlinks. For more information about how to
create udev alias names using symlinks, see the Using udev to Simplify HP Serviceguard for
Linux Configuration white paper at http://www.hp.com/go/linux-serviceguard-docs.
PR is available in serviceguard-xdc packages. For more information, see HP Serviceguard
Extended Distance Cluster for Linux A.11.20.20 Deployment Guide.
The LUN device must support PR and be consistent with the SPC-3 specification
PR is not available in legacy multi-node packages.
PR is available in modular multi-node packages, and in both modular and legacy failover
packages.

All instances of a modular multi-node package must be able to use PR; otherwise it will
be turned off for all instances.
The package must have access to real devices, not only virtualized ones.

CAUTION: Serviceguard makes and revokes registrations and reservations during normal package
startup and shutdown, or package failover. Serviceguard also provides a script to clear reservations
in the event of a catastrophic cluster failure. You need to make sure that this script is run in that
case; the LUN devices could become unusable otherwise. See Revoking Persistent Reservations
after a Catastrophic Failure (page 257) for more information.

3.7.2 How Persistent Reservations Work


You do not need to do any configuration to enable or activate PR, and in fact you cannot enable
it or disable it, either at the cluster or the package level; Serviceguard makes the decision for each
cluster and package on the basis of the Rules and Limitations described above.
When you run cmapplyconf (1m) to configure a new cluster, or add a new node, Serviceguard
sets the variable cluster_pr_mode to either pr_enabled or pr_disabled.
ENABLED means that packages can in principle use PR, but in practice will do so only if they
meet the conditions spelled out under Rules and Limitations.
DISABLED means that no packages can use PR
You can see the setting of cluster_pr_mode in the output of cmviewcl -f line; for example:
...
cluster_pr_mode: pr_enabled

NOTE: You cannot change the setting of cluster_pr_mode.


If a package is qualified to use PR, Serviceguard automatically makes and revokes registrations
and reservations for the package's LUNs during package startup, and revokes them during package
shutdown, using the sg_persist command. This command is available, and has a manpage,
on both Red Hat 5, Red Hat 6, and SUSE 11 .
Serviceguard makes a PR of type Write Exclusive Registrants Only (WERO) on the package's LUN
devices. This gives read access to any initiator regardless of whether the initiator is registered or
not, but grants write access only to those initiators who are registered. (WERO is defined in the
SPC-3 standard.)

74 Understanding Serviceguard Software Components


All initiators on each node running the package register with LUN devices using the same PR Key,
known as the node_pr_key. Each node in the cluster has a unique node_pr_key, which you
can see in the output of cmviewcl -f line; for example:
...
node:bla2|node_pr_key=10001
When a failover package starts up, any existing PR keys and reservations are cleared from the
underlying LUN devices first; then the node_pr_key of the node that the package is starting on
is registered with each LUN.
In the case of a multi-node package, the PR reservation is made for the underlying LUNs by the
first instance of the package, and the appropriate node_pr_key is registered each time the
package starts on a new node. If a node fails, the instances of the package running on other nodes
will remove the registrations of the failed node.
You can use cmgetpkgenv (1m) to see whether PR is enabled for a given package; for example:
cmgetpkgenv pkg1
...
PKG_PR_MODE="pr_enabled"

3.8 Responses to Failures


Serviceguard responds to different kinds of failures in specific ways. For most hardware failures,
the response is not user-configurable, but for package and service failures, you can choose the
systems response, within limits.

3.8.1 Reboot When a Node Fails


The most dramatic response to a failure in a Serviceguard cluster is a system reboot. This allows
packages to move quickly to another node, protecting the integrity of the data.
A reboot is done if a cluster node cannot communicate with the majority of cluster members for
the pre-determined time, or under other circumstances such as a kernel hang or failure of the cluster
daemon (cmcld). When this happens, you may see the following message on the console:
DEADMAN: Time expired, initiating system restart.
The case is covered in more detail under What Happens when a Node Times Out. See also
Cluster Daemon: cmcld (page 34).
A reboot is also initiated by Serviceguard itself under specific circumstances; see Responses to
Package and Service Failures (page 77).

3.8.1.1 What Happens when a Node Times Out


Each node sends a heartbeat message to all other nodes at an interval equal to one-fourth of the
value of the configured MEMBER_TIMEOUT or 1 second, whichever is less. You configure
MEMBER_TIMEOUT in the cluster configuration file; see Cluster Configuration Parameters
(page 90). The heartbeat interval is not directly configurable. If a node fails to send a heartbeat
message within the time set by MEMBER_TIMEOUT, the cluster is reformed minus the node no
longer sending heartbeat messages.
When a node detects that another node has failed (that is, no heartbeat message has arrived
within MEMBER_TIMEOUT microseconds), the following sequence of events occurs:
1. The node contacts the other nodes and tries to re-form the cluster without the failed node.
2. If the remaining nodes are a majority or can obtain the cluster lock, they form a new cluster
without the failed node.
3. If the remaining nodes are not a majority or cannot get the cluster lock, they halt (system reset).

3.8 Responses to Failures 75


3.8.1.1.1 Example
Situation. Assume a two-node cluster, with Package1 running on SystemA and Package2 running
on SystemB. Volume group vg01 is exclusively activated on SystemA; volume group vg02is
exclusively activated on SystemB. Package IP addresses are assigned to SystemA and SystemB
respectively.
Failure. Only one LAN has been configured for both heartbeat and data traffic. During the course
of operations, heavy application traffic monopolizes the bandwidth of the network, preventing
heartbeat packets from getting through.
Since SystemA does not receive heartbeat messages from SystemB, SystemA attempts to re-form
as a one-node cluster. Likewise, since SystemB does not receive heartbeat messages from
SystemA, SystemB also attempts to reform as a one-node cluster. During the election protocol,
each node votes for itself, giving both nodes 50 percent of the vote. Because both nodes have 50
percent of the vote, both nodes now vie for the cluster lock. Only one node will get the lock.
Outcome. Assume SystemA gets the cluster lock. SystemA re-forms as a one-node cluster. After
re-formation, SystemA will make sure all applications configured to run on an existing clustered
node are running. When SystemA discovers Package2 is not running in the cluster it will try to
start Package2 if Package2 is configured to run on SystemA.
SystemB recognizes that it has failed to get the cluster lock and so cannot re-form the cluster. To
release all resources related toPackage2 (such as exclusive access to volume group vg02 and
the Package2 IP address) as quickly as possible, SystemB halts (system reset).

NOTE: If AUTOSTART_CMCLD in /etc/rc.config.d/cmcluster ($SGAUTOSTART) is set


to zero, the node will not attempt to join the cluster when it comes back up.
For more information on cluster failover, see the white paper Optimizing Failover Time in a
Serviceguard Environment (version A.11.19 or later) at http://www.hp.com/go/
linux-serviceguard-docs (Select White Papers). For troubleshooting information, see Cluster
Re-formations Caused by MEMBER_TIMEOUT Being Set too Low (page 264).

3.8.2 Responses to Hardware Failures


If a serious system problem occurs, such as a system panic or physical disruption of the SPU's
circuits, Serviceguard recognizes a node failure and transfers the packages currently running on
that node to an adoptive node elsewhere in the cluster. (System multi-node and multi-node packages
do not fail over.)
The new location for each package is determined by that package's configuration file, which lists
primary and alternate nodes for the package. Transfer of a package to another node does not
transfer the program counter. Processes in a transferred package will restart from the beginning.
In order for an application to be expeditiously restarted after a failure, it must be crash-tolerant;
that is, all processes in the package must be written so that they can detect such a restart. This is
the same application design required for restart after a normal system crash.
In the event of a LAN interface failure, bonding provides a backup path for IP messages. If a
heartbeat LAN interface fails and no redundant heartbeat is configured, the node fails with a
reboot. If a monitored data LAN interface fails, the node fails with a reboot only if
node_fail_fast_enabled (described further under Configuring a Package: Next Steps
(page 132)) is set to yes for the package. Otherwise any packages using that LAN interface will
be halted and moved to another node if possible (unless the LAN recovers immediately; see When
a Service or Subnet Fails or Generic Resource or a Dependency is Not Met (page 59)).
Disk monitoring provides additional protection. You can configure packages to be dependent on
the health of disks, so that when a disk monitor reports a problem, the package can fail over to
another node. See Creating a Disk Monitor Configuration (page 198).
Serviceguard does not respond directly to power failures, although a loss of power to an individual
cluster component may appear to Serviceguard like the failure of that component, and will result

76 Understanding Serviceguard Software Components


in the appropriate switching behavior. Power protection is provided by HP-supported uninterruptible
power supplies (UPS).

3.8.3 Responses to Package and Service Failures


In the default case, the failure of a package, a generic resource or service of the package or of a
service within a package causes the package to shut down by running the control script with the
stop parameter, and then restarting the package on an alternate node. A package will also fail
if it is configured to have a dependency on another package, and that package fails.
You can modify this default behavior by specifying that the node should halt (system reset) before
the transfer takes place. You do this by setting failfast parameters in the package configuration
file.
In cases in which package shutdown might hang, leaving the node in an unknown state, failfast
options can provide a quick failover, after which the node will be cleaned up on reboot. Remember,
however, that a system reset causes all packages on the node to halt abruptly.
The settings of the failfast parameters in the package configuration file determine the behavior of
the package and the node in the event of a package or resource failure:
If service_fail_fast_enabled (page 184) is set to yes in the package configuration
file, Serviceguard will reboot the node if there is a failure of that specific service.
If node_fail_fast_enabled (page 176) is set to yes in the package configuration file,
and the package fails, Serviceguard will halt (reboot) the node on which the package is
running.
For more information, see Package Configuration Planning (page 104) and Chapter 6 (page 169).

3.8.4 Responses to Package and Generic Resources Failures


In a package that is configured with a generic resource and is running, failure of a resource prompts
the Serviceguard Package Manager to take appropriate action based on the style of the package.
For failover packages, the package is halted on the node where the resource failure occurred and
started on an available alternative node. For multi-node packages, failure of a generic resources
causes the package to be halted only on the node where the failure occurred.
In case of simple resources, failure of a resource must trigger the monitoring script to set the
status of a resource to 'down' using the cmsetresource command.
In case of extended resources, the value fetched by the monitoring script can be set using the
cmsetresource command.
The Serviceguard Package Manager evaluates this value against the
generic_resource_up_criteria set for a resource in the packages where it is configured.
If the value that is set (current_value) does not satisfy the generic_resource_up_criteria,
then the generic resource is marked as 'down' on that node.

NOTE: If a simple resource is down on a particular node, it is down on that node for all the
packages using it whereas, in case of an extended resource the resource may be up on a node
for a particular package and down for another package, since it is dependent on the
generic_resource_up_criteria.
Additionally, in a running package configured with a generic resource:
Any failure of a generic resource of evaluation type "before_package_start" configured in a
package will not disable the node switching for the package.
Any failure of a generic resource of evaluation type "during_package_start" configured in a
package will disable the node switching for the package.

3.8 Responses to Failures 77


Choosing Switching and Failover Behavior (page 107) provides advice on choosing appropriate
failover behavior.
See Parameters for Configuring Generic Resources (page 108).

3.8.4.1 Service Restarts


You can allow a service to restart locally following a failure. To do this, you indicate a number of
restarts for each service in the package control script. When a service starts, the variable
service_restart is set in the services environment. The service, as it executes, can examine
this variable to see whether it has been restarted after a failure, and if so, it can take appropriate
action such as cleanup.

3.8.4.2 Network Communication Failure


An important element in the cluster is the health of the network itself. As it continuously monitors
the cluster, each node listens for heartbeat messages from the other nodes confirming that all nodes
are able to communicate with each other. If a node does not hear these messages within the
configured amount of time, a node timeout occurs, resulting in a cluster re-formation and later, if
there are still no heartbeat messages received, a reboot. See What Happens when a Node Times
Out (page 75)

78 Understanding Serviceguard Software Components


4 Planning and Documenting an HA Cluster
Building a Serviceguard cluster begins with a planning phase in which you gather and record
information about all the hardware and software components of the configuration.
This chapter assists you in the following planning areas:
General Planning
Hardware Planning (page 81)
Power Supply Planning (page 84)
Cluster Lock Planning (page 84)
Volume Manager Planning (page 85)
Cluster Configuration Planning (page 86)
Package Configuration Planning (page 104)
Appendix C (page 287) contains a set of blank worksheets which you may find useful as an offline
record of important details of the configuration.

NOTE: Planning and installation overlap considerably, so you may not be able to complete the
worksheets before you proceed to the actual configuration. In that case, fill in the missing elements
to document the system as you proceed with the configuration.
Subsequent chapters describe configuration and maintenance tasks in detail.

4.1 General Planning


A clear understanding of your high availability objectives will quickly help you to define your
hardware requirements and design your system. Use the following questions as a guide for general
planning:
1. What applications must continue to be available in the event of a failure?
2. What system resources (processing power, networking, SPU, memory, disk space) are needed
to support these applications?
3. How will these resources be distributed among the nodes in the cluster during normal operation?
4. How will these resources be distributed among the nodes of the cluster in all possible
combinations of failures, especially node failures?
5. How will resources be distributed during routine maintenance of the cluster?
6. What are the networking requirements? Are all networks and subnets available?
7. Have you eliminated all single points of failure? For example:
network points of failure.
disk points of failure.
electrical points of failure.
application points of failure.

4.1.1 Serviceguard Memory Requirements


Serviceguard requires approximately 15.5 MB of lockable memory.

4.1.2 Planning for Expansion


When you first set up the cluster, you indicate a set of nodes and define a group of packages for
the initial configuration. At a later time, you may wish to add additional nodes and packages, or
you may wish to use additional disk hardware for shared data storage. If you intend to expand

4.1 General Planning 79


your cluster without having to bring it down, you need to plan the initial configuration carefully.
Use the following guidelines:
Set the Maximum Configured Packages parameter (described later in this chapter under
Cluster Configuration Planning (page 86)) high enough to accommodate the additional
packages you plan to add.
Networks should be pre-configured into the cluster configuration if they will be needed for
packages you will add later while the cluster is running. See LAN Information (page 81).
See Chapter 7: Cluster and Package Maintenance (page 199), for more information about
changing the cluster configuration dynamically, that is, while the cluster is running.

4.2 Using Serviceguard with Virtual Machines


This section describes the various configurations for Serviceguard for Linux clusters using physical
machine, VMware virtual machines running on ESX server, and Kernel-based Virtual Machine
(KVM) guests built on KVM hypervisor provided with Red Hat Enterprise Linux 6 so as to provide
high availability for applications.
Serviceguard for Linux supports using VMWare and KVM guests as cluster nodes. In this
configuration, the virtual machine is a member of a Serviceguard cluster, allowing failover of
application packages between other physical or VM nodes in the cluster.
Running Serviceguard for Linux in the virtual machines provides a significant level of extra protection.
Serviceguard fails over an application when one or more number of failures occur, including:
Failure of the application
Failure of networking required by the application
Failure of storage
An operating system hang or the failure of virtual machine itself
Failure of the physical machine
In addition, it provides the following advantages:
Minimize both planned and unplanned downtime of VM guests
Serviceguard for Linux rolling upgrade feature allows for less planned downtime

4.2.1 Rules and Restrictions


Using VMware guests as cluster nodes
HP recommends that you configure the node using NPIV to have more than one guests from
each host as cluster.

Using KVM guests as cluster nodes


The iSCSI is the only supported storage mechanism for shared storage in a KVM environment.
FibreChannel storage is not supported.
Lock LUN is not supported on iSCSI storage device. Hence, Quorum server is the only supported
quorum mechanism that can be used for arbitration.
Live migration of KVM guests is not supported when the KVM guests are configured as
Serviceguard cluster nodes.
Serviceguard does not support KVM guests running on Red Hat Enterprise Virtualization
Hypervisor (RHEV) as cluster nodes.

80 Planning and Documenting an HA Cluster


4.2.2 Supported cluster configuration options
Following are the supported cluster configuration options when using VMWare or KVM guests as
cluster nodes:
Cluster with VMware or KVM guests from a single host as cluster nodes (cluster-in-a-box; not
recommended)

NOTE: This configuration is not recommended because failure of the host brings down all
the nodes in the cluster which is a single point of failure.

Cluster with VMware or KVM guests from multiple hosts as cluster nodes
Cluster with VMware or KVM guests and physical machines as cluster nodes

NOTE:
Guests running on different Hypervisor (VMware or KVM guests) must not be configured as
cluster nodes in the same cluster.
Cluster with VMware from a single host as cluster nodes configuration must be avoided in
serviceguard-xdc environment. For more information about serviceguard-xdc support with
VMware virtual machines, see HP Serviceguard Extended Distance Cluster for Linux A.11.20.20
Deployment Guide.
KVM guests cannot be used as cluster nodes in the serviceguard-xdc environment.

For more information about how to integrate VMware and KVM guests as Serviceguard cluster
nodes, see the following white paper at http://www.hp.com/go/linux-serviceguard-docs:
Using HP Serviceguard for Linux with VMware Virtual Machines
Using HP Serviceguard for Linux with Red Hat KVM Guests

4.3 Hardware Planning


Hardware planning requires examining the physical hardware itself. One useful procedure is to
sketch the hardware configuration in a diagram that shows adapter cards and buses, cabling,
disks and peripherals.
You may also find it useful to record the information on the Hardware worksheet (page 287) indicating
which device adapters occupy which slots and updating the details as you create the cluster
configuration. Use one form for each node (server).

4.3.1 SPU Information


SPU information includes the basic characteristics of the server systems you are using in the cluster.
You may want to record the following on the Hardware worksheet (page 287) :
Server Series Number Enter the series number, for example, DL980 G7.
Host Name Enter the name to be used on the system as the host name.
Memory Capacity Enter the memory in MB.
Number of I/O slots Indicate the number of slots.

4.3.2 LAN Information


While a minimum of one LAN interface per subnet is required, at least two LAN interfaces are
needed to eliminate single points of network failure.
HP recommends that you configure heartbeats on all subnets, including those to be used for client
data.
Collect the following information for each LAN interface:

4.3 Hardware Planning 81


Subnet Name The IP address for the subnet. Note that heartbeat IP addresses must
be on the same subnet on each node.
Interface Name The name of the LAN card as used by this node to access the subnet.
This name is shown by ifconfig after you install the card.
IP Address The IP address to be used on this interface.
An IPv4 address is a string of 4 digits separated with decimals, in
this form:
nnn.nnn.nnn.nnn
An IPV6 address is a string of 8 hexadecimal values separated with
colons, in this form:
xxx:xxx:xxx:xxx:xxx:xxx:xxx:xxx
For more details of IPv6 address format, see Appendix D (page 291).
Kind of LAN Traffic The purpose of the subnet. Valid types include the following:
Heartbeat
Client Traffic
Label the list to show the subnets that belong to a bridged net.
This information is used in creating the subnet groupings and identifying the IP addresses used in
the cluster and package configuration files.

4.3.3 Shared Storage


SCSI can be used for up to four-node clusters; FibreChannel and iSCSI can be used for clusters of
up to 16 nodes.

4.3.3.1 FibreChannel
FibreChannel cards can be used to connect up to 16 nodes to a disk array containing storage.
After installation of the cards and the appropriate driver, the LUNs configured on the storage unit
are presented to the operating system as device files, which can be used to build LVM volume
groups.

NOTE: Multipath capabilities are supported by FibreChannel HBA device drivers and the Linux
Device Mapper. Check with the storage device documentation for details.
See also Multipath for Storage .

4.3.3.2 iSCSI
You can use the storage link based on IP to connect up to 16 nodes to a disk array containing
storage. The LUNs configured on the storage unit are presented to the operating system as device
files, which can be used to build LVM volume groups.

NOTE: Configuring multiple paths from different networks to the iSCSI LUN is not supported.
You can use the worksheet to record the names of the device files that correspond to each LUN
for the Fibre-Channel-attached and iSCSI attached storage unit.

4.3.3.3 Multipath for Storage


The method for achieving a multipath solution is dependent on the storage sub-system attached to
the cluster and the Host Bus Adapters (HBAs) in the servers. Please check the documentation that
accompanied your storage sub-system and HBA.
For fibre-channel-attached storage, the multipath function within the HBA driver should be used, if
it is supported by HP. For the QLogic driver, see Using the QLogic HBA driver for single-path or

82 Planning and Documenting an HA Cluster


multipath failover mode on Linux systems application note, which you can find by entering the
terms qlogic multipath application into the search box of www.hp.com.

NOTE: With the rapid evolution of Linux, the multipath mechanisms may change, or new ones
may be added. Serviceguard for Linux supports DeviceMapper multipath (DM-MPIO) with some
restrictions; see the Serviceguard for Linux Certification Matrix at the address provided in the
Preface to this manual for up-to-date information.
NOTE: md also supports software RAID; but this configuration is not currently supported with
Serviceguard for Linux.

4.3.4 Disk I/O Information


You may want to use the Hardware worksheet in Appendix C to record the following information
for each disk connected to each disk device adapter on the node:
Bus Type Indicate the type of bus. Supported buses are SAS (Serial Attached SCSI)
and FibreChannel.
LUN Number Indicate the number of the LUN as defined in the storage unit.
Slot Number Indicate the slot number(s) into which the SCSI or FibreChannel interface
card(s) are inserted in the backplane of the computer.
Address Enter the bus hardware path number, which is the numeric part of the
host parameter, which can be seen on the system by using the following
command:
cat /proc/scsi/scsi

Disk Device File Enter the disk device file name for each SCSI disk or LUN.
This information is needed when you create the mirrored disk configuration using LVM. In addition,
it is useful to gather as much information as possible about your disk configuration.
You can obtain information about available disks by using the following commands; your system
may provide other utilities as well.
ls /dev/sd* (Smart Array cluster storage)
ls /dev/hd* (non-SCSI/FibreChannel disks)
ls /dev/sd* (SCSI and FibreChannel disks)
du
df
mount
vgdisplay -v
lvdisplay -v
See the manpages for these commands for information about specific usage. The commands should
be issued from all nodes after installing the hardware and rebooting the system. The information
will be useful when doing LVM and cluster configuration.

4.3.5 Hardware Configuration Worksheet


The hardware configuration worksheet (page 287) will help you organize and record your specific
cluster hardware configuration. Make as many copies as you need.

4.3 Hardware Planning 83


4.4 Power Supply Planning
There are two sources of power for your cluster which you will have to consider in your design:
line power and uninterruptible power supplies (UPS). Loss of a power circuit should not bring down
the cluster.
Frequently, servers, mass storage devices, and other hardware have two or three separate power
supplies, so they can survive the loss of power to one or more power supplies or power circuits.
If a device has redundant power supplies, connect each power supply to a separate power circuit.
This way the failure of a single power circuit will not cause the complete failure of any critical
device in the cluster. For example, if each device in a cluster has three power supplies, you will
need a minimum of three separate power circuits to eliminate electrical power as a single point
of failure for the cluster. In the case of hardware with only one power supply, no more than half
of the nodes should be on a single power source. If a power source supplies exactly half of the
nodes, it must not also supply the cluster lock LUN or quorum server, or the cluster will not be able
to re-form after a failure. See Cluster Lock Planning (page 84) for more information.
To provide a high degree of availability in the event of power failure, use a separate UPS at least
for each nodes SPU and for the cluster lock disk (if any). If you use a quorum server, or quorum
server cluster, make sure each quorum server node has a power source separate from that of every
cluster it serves. If you use software mirroring, make sure power supplies are not shared among
different physical volume groups; this allows you to set up mirroring between physical disks that
are not only on different I/O buses, but also connected to different power supplies.
To prevent confusion, label each hardware unit and power supply unit clearly with a different unit
number. Indicate on the Power Supply Worksheet the specific hardware units you are using and
the power supply to which they will be connected. Enter the following label information on the
worksheet:
Host Name Enter the host name for each SPU.
Disk Unit Enter the disk drive unit number for each disk.
Tape Unit Enter the tape unit number for each backup device.
Other Unit Enter the number of any other unit.
Power Supply Enter the power supply unit number of the UPS to which the host or other
device is connected.
Be sure to follow UPS, power circuit, and cabinet power limits as well as SPU power limits.

4.4.1 Power Supply Configuration Worksheet


The Power Supply Planning worksheet (page 287) will help you organize and record your specific
power supply configuration. Make as many copies as you need.

4.5 Cluster Lock Planning


The purpose of the cluster lock is to ensure that only one new cluster is formed in the event that
exactly half of the previously clustered nodes try to form a new cluster. It is critical that only one
new cluster is formed and that it alone has access to the disks specified in its packages. You can
specify a lock LUN or a quorum server as the cluster lock. For more information about the cluster
lock, seeCluster Lock (page 40).

NOTE:
You cannot use more than one type of lock in the same cluster.
An iSCSI storage device does not support configuring a lock LUN.

84 Planning and Documenting an HA Cluster


4.5.1 Cluster Lock Requirements
A one-node cluster does not require a lock. Two-node clusters require the use of a cluster lock, and
a lock is recommended for larger clusters as well. Clusters larger than four nodes can use only a
quorum server as the cluster lock.
For information on configuring lock LUNs and the Quorum Server, see Setting up a Lock LUN
(page 143), section Specifying a Lock LUN (page 155), and HP Serviceguard Quorum Server
Version A.04.00, or later Release Notes at http://www.hp.com/go/hpux-serviceguard-docs (Select
HP Serviceguard Quorum Server Software).

4.5.2 Planning for Expansion


Bear in mind that a cluster with more than 4 nodes cannot use a lock LUN. So if you plan to add
enough nodes to bring the total to more than 4, you should use a quorum server.

4.5.3 Using a Quorum Server


The Quorum Server is described under Use of the Quorum Server as a Cluster Lock (page 41).
See also Cluster Lock (page 40).
A quorum server:
Can be used with up to 150 clusters, not exceeding 300 nodes total.
Can support a cluster with any supported number of nodes.
Can support a cluster with any supported number of nodes.
Can communicate with the cluster on up to two subnets (a primary and an alternate).

IMPORTANT: If you plan to use a Quorum Server, make sure you read the HP Serviceguard
Quorum Server Version A.04.00 Release Notes before you proceed. You can find them at http://
www.hp.com/go/hpux-serviceguard-docs (Select HP Serviceguard Quorum Server Software).. You
should also consult the Quorum Server white papers at the same location.

4.5.3.1 Quorum Server Worksheet


You can use the Quorum Server Worksheet (page 288) to identify a quorum server for use with one
or more clusters. You may want to record the following:
Quorum Server Host The host name for the quorum server.
IP Address The IP address(es) by which the quorum server will communicate
with the cluster nodes.
Supported Node Names The name (39 characters or fewer) of each cluster node that will
be supported by this quorum server. These entries will be entered
into qs_authfile on the system that is running the quorum server
process.

4.6 Volume Manager Planning


When designing your disk layout using LVM, you should consider the following:
The volume groups that contain high availability applications, services, or data must be on a
bus or buses available to the primary node and all adoptive nodes.
High availability applications, services, and data should be placed in volume groups that are
separate from non-high availability applications, services, and data.
You must group high availability applications, services, and data, whose control needs to be
transferred together, on a single volume group or a series of volume groups.

4.6 Volume Manager Planning 85


You must not group two different high availability applications, services, or data, whose control
needs to be transferred independently, on the same volume group.
Your root disk must not belong to a volume group that can be activated on another node.

4.6.1 Volume Groups and Physical Volume Worksheet


You can organize and record your physical disk configuration by identifying which physical disks,
LUNs, or disk array groups will be used in building each volume group for use with high availability
applications. Use the Volume Group and Physical Volume worksheet (page 288).

NOTE: HP recommends that you use volume group names other than the default volume group
names (vg01, vg02, etc.). Choosing volume group names that represent the high availability
applications they are associated with (For example, /dev/vgdatabase) will simplify cluster
administration.

4.7 Cluster Configuration Planning


A cluster should be designed to provide the quickest possible recovery from failures. The actual
time required to recover from a failure depends on several factors:
The length of the MEMBER_TIMEOUT; see the description of this parameter under Cluster
Configuration Parameters for recommendations.
The design of the run and halt instructions in the package control script. They should be written
for fast execution.
The application and database recovery time. They should be designed for the shortest recovery
time.
In addition, you must provide consistency across the cluster so that:
User names are the same on all nodes.
UIDs are the same on all nodes.
GIDs are the same on all nodes.
Applications in the system area are the same on all nodes.
System time is consistent across the cluster.
Files that could be used by more than one node, such as /usr or/opt files, must be the same
on all nodes.

4.7.1 Easy Deployment: cmpreparecl


The cmpreparecl script allows you to ease the process of setting up the servers participating in
the cluster. It also checks for the availability of ports used by Serviceguard Linux, starts the xinetd
services, updates specific files, and sets up the firewall. As of Serviceguard A.11.20.10, the
cmpreparecl script is supported.

NOTE: After you run the cmpreparecl script, you can start the cluster configuration.

Advantages
Simple ways to configure the system before you create a cluster.
Configuration for all the nodes can be done from one of the nodes in the cluster.

Limitations
All the nodes that are part of the cluster must be known before hand.

86 Planning and Documenting an HA Cluster


NOTE: After the configuration is complete, you cannot add the nodes.

Does not set up lock LUN or quorum server.


Does not ensure that all other network connections between the servers are valid.

Before You Start

IMPORTANT: The nodes which are given as inputs should not have cluster configured in them.
Before you start, you should have done the planning and preparation as described in previous
sections. You must also do the following:
Install Serviceguard on each node that is to be configured into the cluster; see Installing and
Updating Serviceguard (page 135).
You must have superuser capability on each node.
Make sure all the nodes have access to at least one fully configured network.
Make sure all the subnets used by the prospective nodes are accessible to all the nodes.

Using cmpreparecl to Configure the System


The following example illustrates how to prepare two nodes using the cmpreparecl command:
1. Verify the prerequisites for cluster configuration:
cmpreparecl n <node1> n <node2> -p
2. Run the cmpreparecl command with the nodes on which the cluster needs to be configured:
cmpreparecl n <node1> n <node2>
3. The cmpreparecl command performs the following actions:
a. Verifies the availability of ports required by Serviceguard. For information about port
requirements on Red Hat Enterprise Linux Server and SUSE Linux Enterprise Server, see
HP Serviceguard A.11.20.20 for Linux Release Notes.
b. Confirms the runlevels of xinetd and set xinetd to run at boot.
c. Enables the ident protocol daemon. Starts authd on Red Hat Enterprise Linux Server
and starts identd on SUSE Linux Enterprise Server.
d. Restarts the xinetd service.
e. Sets the Serviceguard manual pages paths.
f. Sets the AUTOSTART_CMCLD=1. In SUSE Linux Enterprise Server 11 environment, the
RUN_PARALLEL parameter in the /etc/sysconfig/boot file, is set to "NO".
g. The host names of the nodes and quorum if specified, their IP addresses are validated
and updated in the /etc/hosts file.
h. The /etc/lvm/lvm.conf and /etc/lvm/lvm_$(uname -n).conf files are updated
to enable VG Activation Protection.
i. Creates and deploys the firewall rules.
If firewall is disabled on the system, the rules are stored at /tmp/sg_firewall_rules.
An appropriate log message is displayed on how to run this file for the rules to be applied.

NOTE: The modified files are backed up in the same directory as the original files with
".original" extension and the output is logged to the /tmp/cmpreparecl.log file. This log
file is a cumulative log of the configuration done on the node. Each time you run
cmpreparecl, logs are appended with appropriate time stamp.

For more information, and other options, see manpages for cmpreparecl (1m).

4.7 Cluster Configuration Planning 87


4.7.2 Heartbeat Subnet and Cluster Re-formation Time
The speed of cluster re-formation depends on the number of heartbeat subnets.
If the cluster has only a single heartbeat network, and a network card on that network fails,
heartbeats will be lost while the failure is being detected and the IP address is being switched to
a standby interface. The cluster may treat these lost heartbeats as a failure and re-form without
one or more nodes. To prevent this, a minimum MEMBER_TIMEOUT value of 14 seconds is required
for clusters with a single heartbeat network.
If there is more than one heartbeat subnet, and there is a failure on one of them, heartbeats will
go through another, so you can configure a smaller MEMBER_TIMEOUT value.

NOTE: For heartbeat configuration requirements, see the discussion of the HEARTBEAT_IP
parameter later in this chapter. For more information about managing the speed of cluster
re-formation, see the discussion of the MEMBER_TIMEOUT parameter, and further discussion under
What Happens when a Node Times Out (page 75), and, for troubleshooting, Cluster
Re-formations Caused by MEMBER_TIMEOUT Being Set too Low (page 264).

4.7.3 About Hostname Address Families: IPv4-Only, IPv6-Only, and Mixed Mode
Serviceguard supports three possibilities for resolving the nodes' hostnames (and Quorum Server
hostnames, if any) to network address families:
IPv4-only
IPv6-only
Mixed
IPv4-only means that Serviceguard will try to resolve the hostnames to IPv4 addresses only.

IMPORTANT: You can configure an IPv6 heartbeat, or stationary or relocatable IP address, in


any mode: IPv4-only, IPv6-only, or mixed. You can configure an IPv4 heartbeat, or stationary or
relocatable IP address, in IPv4-only or mixed mode.
IPv6-only means that Serviceguard will try to resolve the hostnames to IPv6 addresses only.
Mixed means that when resolving the hostnames, Serviceguard will try both IPv4 and IPv6 address
families.
You specify the address family the cluster will use in the cluster configuration file (by setting
HOSTNAME_ADDRESS_FAMILY to IPV4, IPV6, or ANY), or by means of the -a of cmquerycl
(1m); see Specifying the Address Family for the Cluster Hostnames (page 154). The default is
IPV4. See the subsections that follow for more information and important rules and restrictions.

4.7.3.1 What Is IPv4only Mode?


IPv4 is the default mode: unless you specify IPV6 or ANY (either in the cluster configuration file or
via cmquerycl -a) Serviceguard will always try to resolve the nodes' hostnames (and the Quorum
Server's, if any) to IPv4 addresses, and will not try to resolve them to IPv6 addresses. This means
that you must ensure that each hostname can be resolved to at least one IPv4 address.

NOTE: This applies only to hostname resolution. You can have IPv6 heartbeat and data LANs
no matter what the HOSTNAME_ADDRESS_FAMILY parameter is set to. (IPv4 heartbeat and data
LANs are allowed in IPv4 and mixed mode.)

4.7.3.2 What Is IPv6-Only Mode?


If you configure IPv6-only mode (HOSTNAME_ADDRESS_FAMILY set to IPV6, or cmquerycl -a
ipv6), then all the hostnames and addresses used by the cluster including the heartbeat and
stationary and relocatable IP addresses, and Quorum Server addresses if any must be or resolve

88 Planning and Documenting an HA Cluster


to IPv6 addresses. The single exception to this is each node's IPv4 loopback address, which cannot
be removed from /etc/hosts.

NOTE: How the clients of IPv6-only cluster applications handle hostname resolution is a matter
for the discretion of the system or network administrator; there are no HP requirements or
recommendations specific to this case.
In IPv6-only mode, all Serviceguard daemons will normally use IPv6 addresses for communication
among the nodes, although local (intra-node) communication may occur on the IPv4 loopback
address.
For more information about IPv6, see Appendix D (page 291).

4.7.3.2.1 Rules and Restrictions for IPv6-Only Mode


Red Hat 5 and Red Hat 6 clusters are not supported.

NOTE: This also applies if HOSTNAME_ADDRESS_FAMILY is set to ANY; Red Hat 5 supports
only IPv4-only clusters.

All addresses used by the cluster must be in each node's /etc/hosts file. In addition, the
file must contain the following entry:
::1 localhost ipv6-localhost ipv6-loopback
For more information and recommendations about hostname resolution, see Configuring
Name Resolution (page 137).
All addresses must be IPv6, apart from the node's IPv4 loopback address, which cannot be
removed from /etc/hosts.
The node's public LAN address (by which it is known to the outside world) must be the last
address listed in /etc/hosts.
Otherwise there is a possibility of the address being used even when it is not configured into
the cluster.
You must use $SGCONF/cmclnodelist, not ~/.rhosts or /etc/hosts.equiv, to
provide root access to an unconfigured node.

NOTE: This also applies if HOSTNAME_ADDRESS_FAMILY is set to ANY. See Allowing


Root Access to an Unconfigured Node (page 136) for more information.

If you use a Quorum Server, you must make sure that the Quorum Server hostname (and the
alternate Quorum Server address specified by QS_ADDR, if any) resolve to IPv6 addresses,
and you must use Quorum Server version A.04.00 or later. See the latest Quorum Server
release notes for more information; you can find them at http://www.hp.com/go/
linux-serviceguard-docs.

NOTE: The Quorum Server itself can be an IPv6only system; in that case it can serve
IPv6only and mixed-mode clusters, but not IPv4only clusters.

If you use a Quorum Server, and the Quorum Server is on a different subnet from cluster, you
must use an IPv6-capable router.
Hostname aliases are not supported for IPv6 addresses, because of operating system limitations.

NOTE: This applies to all IPv6 addresses, whether HOSTNAME_ADDRESS_FAMILY is set to


IPV6 or ANY.

4.7 Cluster Configuration Planning 89


Cross-subnet configurations are not supported in IPv6-only mode.
Virtual machines are not supported.
You cannot have a virtual machine that is either a node or a package if
HOSTNAME_ADDRESS_FAMILY is set to ANY or IPV6.

4.7.3.2.2 Recommendations for IPv6-Only Mode


If you decide to migrate the cluster to IPv6-only mode, you should plan to do so while the
cluster is down.

4.7.3.3 What Is Mixed Mode?


If you configure mixed mode (HOSTNAME_ADDRESS_FAMILY set to ANY, or cmquerycl -a
any) then the addresses used by the cluster, including the heartbeat, and Quorum Server addresses
if any, can be IPv4 or IPv6 addresses. Serviceguard will first try to resolve a node's hostname to
an IPv4 address, then, if that fails, will try IPv6.

4.7.3.3.1 Rules and Restrictions for Mixed Mode


Red Hat 5 and Red Hat 6 clusters are not supported.

NOTE: This also applies if HOSTNAME_ADDRESS_FAMILY is set to IPv6; Red Hat 5 supports
only IPv4-only clusters.

The hostname resolution file on each node (for example, /etc/hosts) must contain entries
for all the IPv4 and IPv6 addresses used throughout the cluster, including all STATIONARY_IP
and HEARTBEAT_IP addresses as well any private addresses. There must be at least one
IPv4 address in this file (in the case of /etc/hosts, the IPv4 loopback address cannot be
removed). In addition, the file must contain the following entry:
::1 localhost ipv6-localhost ipv6-loopback
For more information and recommendations about hostname resolution, see Configuring
Name Resolution (page 137).
You must use $SGCONF/cmclnodelist, not ~/.rhosts or /etc/hosts.equiv, to
provide root access to an unconfigured node.
See Allowing Root Access to an Unconfigured Node (page 136) for more information.
Hostname aliases are not supported for IPv6 addresses, because of operating system limitations.

NOTE: This applies to all IPv6 addresses, whether HOSTNAME_ADDRESS_FAMILY is set to


IPV6 or ANY.

Cross-subnet configurations are not supported.


This also applies if HOSTNAME_ADDRESS_FAMILY is set to IPV6. See Cross-Subnet
Configurations (page 27) for more information about such configurations.
Virtual machines are not supported.
You cannot have a virtual machine that is either a node or a package if
HOSTNAME_ADDRESS_FAMILY is set to ANY or IPV6.

4.7.4 Cluster Configuration Parameters


You need to define a set of cluster parameters. These are stored in the binary cluster configuration
file, which is distributed to each node in the cluster. You configure these parameters by editing the

90 Planning and Documenting an HA Cluster


cluster configuration template file created by means of the cmquerycl command, as described
under Configuring the Cluster (page 153).

NOTE: See Reconfiguring a Cluster (page 225) for a summary of changes you can make while
the cluster is running.
The following parameters must be configured:
CLUSTER_NAME The name of the cluster as it will appear in the output of
cmviewcl and other commands, and as it appears in the
cluster configuration file.
The cluster name must not contain any of the following
characters: space, slash (/), backslash (\), and asterisk (*).

NOTE: In addition, the following characters must not be


used in the cluster name if you are using the Quorum Server:
at-sign (@), equal-sign (=), or-sign (|), semicolon (;).
These characters are deprecated, meaning that you should
not use them, even if you are not using the Quorum Server.

All other characters are legal. The cluster name can contain
up to 39 characters.

CAUTION: Make sure that the cluster name is unique


within the subnets configured on the cluster nodes; under
some circumstances Serviceguard may not be able to detect
a duplicate name and unexpected problems may result.
In particular make sure that two clusters with the same name
do not use the same quorum server; this could result in one
of the clusters failing to obtain the quorum servers
arbitration services when it needs them, and thus failing to
re-form.

HOSTNAME_ADDRESS_FAMILY Specifies the Internet Protocol address family to which


Serviceguard will try to resolve cluster node names and
Quorum Server host names. Valid values are IPV4, IPV6,
and ANY. The default is IPV4.
IPV4 means Serviceguard will try to resolve the names
to IPv4 addresses only.
IPV6 means Serviceguard will try to resolve the names
to IPv6 addresses only.
ANY means Serviceguard will try to resolve the names
to both IPv4 and IPv6 addresses.

IMPORTANT: See About Hostname Address Families:


IPv4-Only, IPv6-Only, and Mixed Mode (page 88) for
important information. See also the latest Serviceguard
release notes at
http://www.hp.com/go/linux-serviceguard-docs.

QS_HOST The fully-qualified hostname or IP address of a host system


outside the current cluster that is providing quorum server
functionality. It must be (or resolve to) an IPv4 address on
Red Hat 5. On SLES 11, it can be (or resolve to) either an

4.7 Cluster Configuration Planning 91


IPv4 or an IPv6 address if HOSTNAME_ADDRESS_FAMILY
is set to ANY, but otherwise must match the setting of
HOSTNAME_ADDRESS_FAMILY. This parameter is used
only when you employ a quorum server for tie-breaking
services in the cluster. You can also specify an alternate
address (QS_ADDR) by which the cluster nodes can reach
the quorum server.
For more information, see Cluster Lock Planning (page 84)
and Specifying a Quorum Server (page 155). See also
Configuring Serviceguard to Use the Quorum Server in
the latest version HP Serviceguard Quorum Server Version
A.04.00 Release Notes, at http://www.hp.com/go/
hpux-serviceguard-docs (Select HP Serviceguard Quorum
Server Software).

IMPORTANT: See alsoAbout Hostname Address Families:


IPv4-Only, IPv6-Only, and Mixed Mode (page 88) for
important information about requirements and restrictions
in an IPv6only cluster.
Can be changed while the cluster is running; see What
Happens when You Change the Quorum Configuration
Online (page 43) for important information.
QS_ADDR An alternate fully-qualified hostname or IP address for the
quorum server. It must be (or resolve to) an IPv4 address on
Red Hat 5 and Red Hat 6. On SLES 11, it can be (or resolve
to) either an IPv4 or an IPv6 address if
HOSTNAME_ADDRESS_FAMILY is set to ANY, but otherwise
must match the setting of HOSTNAME_ADDRESS_FAMILY.
This parameter is used only if you use a quorum server and
want to specify an address on an alternate subnet by which
it can be reached. On SLES 11, the alternate subnet need
not use the same address family as QS_HOST if
HOSTNAME_ADDRESS_FAMILY is set to ANY. For more
information, see Cluster Lock Planning (page 84) and
Specifying a Quorum Server (page 155).

IMPORTANT: For special instructions that may apply to


your version of Serviceguard and the Quorum Server see
Configuring Serviceguard to Use the Quorum Server in
the latest version HP Serviceguard Quorum Server Version
A.04.00 Release Notes, at http://www.hp.com/go/
hpux-serviceguard-docs (Select HP Serviceguard Quorum
Server Software).
Can be changed while the cluster is running; see What
Happens when You Change the Quorum Configuration
Online (page 43) for important information.
QS_POLLING_INTERVAL The time (in microseconds) between attempts to contact the
quorum server to make sure it is running. Default is
300,000,000 microseconds (5 minutes). Minimum is
10,000,000 (10 seconds). Maximum is 2,147,483,647
(approximately 35 minutes).

92 Planning and Documenting an HA Cluster


Can be changed while the cluster is running; see What
Happens when You Change the Quorum Configuration
Online (page 43) for important information.
QS_TIMEOUT_EXTENSION You can use the QS_TIMEOUT_EXTENSION to increase the
time interval after which the current connection (or attempt
to connect) to the quorum server is deemed to have failed;
but do not do so until you have read the HP Serviceguard
Quorum Server Version A.04.00 Release Notes, and in
particular the following sections in that document: About
the QS Polling Interval and Timeout Extension, Network
Recommendations, and Setting Quorum Server Parameters
in the Cluster Configuration File.
Can be changed while the cluster is running; see What
Happens when You Change the Quorum Configuration
Online (page 43) for important information.
SITE_NAME The name of a site to which nodes (see NODE_NAME) belong.
Can be used only in a site-aware disaster recovery cluster,
which requires Metrocluster (additional HP software); see
the documents listed under Cross-Subnet Configurations
(page 27) for more information.
You can define multiple SITE_NAMEs. SITE_NAME entries
must precede any NODE_NAME entries. See also SITE.

IMPORTANT: SITE_NAME must be 39 characters or less,


and are case-sensitive. Duplicate SITE_NAME entries are
not allowed.

NODE_NAME The hostname of each system that will be a node in the


cluster.

CAUTION: Make sure that the node name is unique within


the subnets configured on the cluster nodes; under some
circumstances Serviceguard may not be able to detect a
duplicate name and unexpected problems may result.
Do not use the full domain name. For example, enter
ftsys9, not ftsys9.cup.hp.com. A cluster can contain
up to 16 nodes.

IMPORTANT: Node names must be 39 characters or less,


and are case-sensitive; for each node, the node_name in
the cluster configuration file must exactly match the
corresponding node_name in the package configuration
file (see Chapter 6: Configuring Packages and Their
Services (page 169)) and these in turn must exactly match
the hostname portion of the name specified in the nodes
networking configuration. (Using the above example,
ftsys9 must appear in exactly that form in the cluster
configuration and package configuration files, and as
ftsys9.cup.hp.com in the DNS database).
The parameters immediately following NODE_NAME in this
list (NETWORK_INTERFACE, HEARTBEAT_IP,
STATIONARY_IP, CLUSTER_LOCK_LUN,

4.7 Cluster Configuration Planning 93


CAPACITY_NAME, and CAPACITY_VALUE) apply
specifically to the node identified by the preceding
NODE_NAME entry.
CLUSTER_LOCK_LUN The pathname of the device file to be used for the lock LUN
on each node. The pathname can contain up to 39
characters.
See Setting up a Lock LUN (page 143) and Specifying a
Lock LUN (page 155)
Can be changed while the cluster is running; see Updating
the Cluster Lock LUN Configuration Online (page 233). See
also What Happens when You Change the Quorum
Configuration Online (page 43) for important information.

NOTE: An iSCSI storage device does not support


configuring a lock LUN.

SITE The name of a site (defined by SITE_NAME) to which the


node identified by the preceding NODE_NAME entry belongs.
Can be used only in a site-aware disaster recovery cluster,
which requires Metrocluster (additional HP software); see
the documents listed under Cross-Subnet Configurations
(page 27) for more information.
If SITE is used, it must be used for each node in the cluster
(that is, all the nodes must be associated with some defined
site, though not necessarily the same one).
If you are using SITEs, you can restrict the output of
cmviewcl (1m) to a given site by means of the -S
<sitename> option. In addition, you can configure a
site_preferred or site_preferred_manual
failover_policy (page 178) for a package.

IMPORTANT: SITE must be 39 characters or less, and


are case-sensitive; each SITE entry must exactly match with
one of the SITE_NAME entries. Duplicate SITE entries are
not allowed.

NETWORK_INTERFACE The name of each LAN that will be used for heartbeats or
for user data on the node identified by the preceding
NODE_NAME. An example is eth0. See also
HEARTBEAT_IP, STATIONARY_IP, and About Hostname
Address Families: IPv4-Only, IPv6-Only, and Mixed Mode
(page 88).

94 Planning and Documenting an HA Cluster


NOTE: Any subnet that is configured in this cluster
configuration file as a SUBNET for IP monitoring purposes,
or as a monitored_subnet in a package configuration
file (or SUBNET in a legacy package; see Package
Configuration Planning (page 104)) must be specified in
the cluster configuration file via NETWORK_INTERFACE and
either STATIONARY_IP or HEARTBEAT_IP. Similarly, any
subnet that is used by a package for relocatable addresses
should be configured into the cluster via
NETWORK_INTERFACE and either STATIONARY_IP or
HEARTBEAT_IP. For more information about relocatable
addresses, see Stationary and Relocatable IP Addresses
and Monitored Subnets (page 62) and the descriptions of
the package ip_ parameters (page 182).
For information about changing the configuration online,
see Changing the Cluster Networking Configuration while
the Cluster Is Running (page 230).
HEARTBEAT_IP IP notation indicating this node's connection to a subnet that
will carry the cluster heartbeat.

NOTE: Any subnet that is configured in this cluster


configuration file as a SUBNET for IP monitoring purposes,
or as a monitored_subnet in a package configuration
file (or SUBNET in a legacy package; see Package
Configuration Planning (page 104)) must be specified in
the cluster configuration file via NETWORK_INTERFACE and
either STATIONARY_IP or HEARTBEAT_IP. Similarly, any
subnet that is used by a package for relocatable addresses
should be configured into the cluster via
NETWORK_INTERFACE and either STATIONARY_IP or
HEARTBEAT_IP. For more information about relocatable
addresses, see Stationary and Relocatable IP Addresses
and Monitored Subnets (page 62) and the descriptions of
the package ip_ parameters (page 182).
If HOSTNAME_ADDRESS_FAMILY is set to IPV4 or ANY, a
heartbeat IP address can be either an IPv4 or an IPv6
address, with the exceptions noted below. If
HOSTNAME_ADDRESS_FAMILY is set to IPV6, all heartbeat
IP addresses must be IPv6 addresses.
For more details of the IPv6 address format, see IPv6
Address Types (page 291). Heartbeat IP addresses on a
given subnet must all be of the same type: IPv4 or IPv6
site-local or IPv6 global.
For information about changing the configuration online,
see Changing the Cluster Networking Configuration while
the Cluster Is Running (page 230).
Heartbeat configuration requirements:
The cluster needs at least two network interfaces for the
heartbeat in all cases, using one of the following minimum
configurations:

4.7 Cluster Configuration Planning 95


two heartbeat subnets;
or
one heartbeat subnet using bonding in high availability
mode (or mode 1) with two slaves.
You cannot configure more than one heartbeat IP address
on an interface; only one HEARTBEAT_IP is allowed for
each NETWORK_INTERFACE.

NOTE: The Serviceguard cmapplyconf, cmcheckconf,


and cmquerycl commands check that these minimum
requirements are met, and produce a warning if they are
not met at the immediate network level. If you see this
warning, you need to check that the requirements are met
in your overall network configuration.
If you are using virtual machine guests as nodes, you have
a valid configuration (and can ignore the warning) if there
is one heartbeat network on the guest, backed by a network
using NIC bonding as in the second bullet above (VMware
ESX Server).

Considerations for cross-subnet:


IP addresses for a given heartbeat path are usually on the
same subnet on each node, but it is possible to configure
the heartbeat on multiple subnets such that the heartbeat is
carried on one subnet for one set of nodes and another
subnet for others, with the subnets joined by a router.
This is called a cross-subnet configuration, and in this case
at least two heartbeat paths must be configured for each
cluster node, and each heartbeat subnet on each node must
be physically routed separately to the heartbeat subnet on
another node (that is, each heartbeat path must be physically
separate). See Cross-Subnet Configurations (page 27).

NOTE: IPv6 heartbeat subnets are not supported in a


cross-subnet configuration.
NOTE: The use of a private heartbeat network is not
advisable if you plan to use Remote Procedure Call (RPC)
protocols and services. RPC assumes that each network
adapter device or I/O card is connected to a route-able
network. An isolated or private heartbeat LAN is not
route-able, and could cause an RPC request-reply, directed
to that LAN, to timeout without being serviced.
NFS, NIS and NIS+, and CDE are examples of RPC based
applications that are frequently used. Other third party and
home-grown applications may also use RPC services through
the RPC API libraries. If necessary, consult with the
application vendor.

STATIONARY_IP This node's IP address on each subnet that does not carry
the cluster heartbeat, but is monitored for packages.

96 Planning and Documenting an HA Cluster


NOTE: Any subnet that is configured in this cluster
configuration file as a SUBNET for IP monitoring purposes,
or as a monitored_subnet in a package configuration
file (or SUBNET in a legacy package; see Package
Configuration Planning (page 104)) must be specified in
the cluster configuration file via NETWORK_INTERFACE and
either STATIONARY_IP or HEARTBEAT_IP. Similarly, any
subnet that is used by a package for relocatable addresses
should be configured into the cluster via
NETWORK_INTERFACE and either STATIONARY_IP or
HEARTBEAT_IP. For more information about relocatable
addresses, see Stationary and Relocatable IP Addresses
and Monitored Subnets (page 62) and the descriptions of
the package ip_ parameters (page 182).
If HOSTNAME_ADDRESS_FAMILY is set to IPV4 or ANY, a
stationary IP address can be either an IPv4 or an IPv6
address, with the exceptions noted below. If
HOSTNAME_ADDRESS_FAMILY is set to IPV6, all the IP
addresses used by the cluster must be IPv6 addresses.
If you want to separate application data from heartbeat
messages, define one or more monitored non-heartbeat
subnets here. You can identify any number of subnets to be
monitored.
A stationary IP address can be either an IPv4 or an IPv6
address. For more information about IPv6 addresses, see
IPv6 Address Types (page 291).
For information about changing the configuration online,
see Changing the Cluster Networking Configuration while
the Cluster Is Running (page 230).
CAPACITY_NAME, Node capacity parameters. Use the CAPACITY_NAME and
CAPACITY_VALUE CAPACITY_VALUE parameters to define a capacity for this
node. Node capacities correspond to package weights;
node capacity is checked against the corresponding
package weight to determine if the package can run on that
node.
CAPACITY_NAME name can be any string that starts and
ends with an alphanumeric character, and otherwise
contains only alphanumeric characters, dot (.), dash (-),
or underscore (_). Maximum length is 39 characters.
CAPACITY_NAME must be unique in the cluster.
CAPACITY_VALUE specifies a value for the
CAPACITY_NAME that precedes it. It must be a floating-point
value between 0 and 1000000. Capacity values are
arbitrary as far as Serviceguard is concerned; they have
meaning only in relation to the corresponding package
weights.
Capacity definition is optional, but if CAPACITY_NAME is
specified, CAPACITY_VALUE must also be specified;
CAPACITY_NAME must come first.

4.7 Cluster Configuration Planning 97


NOTE: cmapplyconf will fail if any node defines a
capacity and any package has min_package_node as
its failover_policy (page 178) or automatic as its
failback_policy (page 179).
To specify more than one capacity for a node, repeat these
parameters for each capacity. You can specify a maximum
of four capacities per cluster, unless you use the reserved
CAPACITY_NAME package_limit; in that case, you can
use only that capacity throughout the cluster.
For all capacities other than package_limit, the default
weight for all packages is zero, though you can specify a
different default weight for any capacity other than
package_limit; see the entry for WEIGHT_NAME and
WEIGHT_DEFAULT later in this list.
See About Package Weights (page 120) for more
information.
Can be changed while the cluster is running; will trigger a
warning if the change would cause a running package to
fail.
MEMBER_TIMEOUT The amount of time, in microseconds, after which
Serviceguard declares that the node has failed and begins
re-forming the cluster without this node.
Default value: 14 seconds (14,000,000 microseconds).
This value leads to a failover time of between approximately
18 and 22 seconds, if you are using a quorum server, or
a Fiber Channel cluster lock, or no cluster lock. Increasing
the value to 25 seconds increases the failover time to
between approximately 29 and 39 seconds. The time will
increase by between 5 and 13 seconds if you are you using
a SCSI cluster lock or dual Fibre Channel cluster lock).
Maximum supported value: 300 seconds (300,000,000
microseconds).
If you enter a value greater than 60 seconds (60,000,000
microseconds), cmcheckconf and cmapplyconf will note
the fact, as confirmation that you intend to use a large value.
Minimum supported values:
3 seconds for a cluster with more than one heartbeat
subnet.
14 seconds for a cluster that has only one heartbeat
LAN
With the lowest supported value of 3 seconds, a failover
time of 4 to 5 seconds can be achieved.

98 Planning and Documenting an HA Cluster


NOTE: The failover estimates provided here apply to the
Serviceguard component of failover; that is, the package is
expected to be up and running on the adoptive node in this
time, but the application that the package runs may take
more time to start.
For most clusters that use a lock LUN, a minimum
MEMBER_TIMEOUT of 14 seconds is appropriate.
For most clusters that use a MEMBER_TIMEOUT value lower
than 14 seconds, a quorum server is more appropriate than
a lock LUN. The cluster will fail if the time it takes to acquire
the disk lock exceeds 0.2 times the MEMBER_TIMEOUT. This
means that if you use a disk-based quorum device (lock
LUN), you must be certain that the nodes in the cluster, the
connection to the disk, and the disk itself can respond
quickly enough to perform 10 disk writes within 0.2 times
the MEMBER_TIMEOUT.

Keep the following guidelines in mind when deciding how


to set the value.
Guidelines: You need to decide whether it's more important
for your installation to have fewer (but slower) cluster
re-formations, or faster (but possibly more frequent)
re-formations:
To ensure the fastest cluster re-formations, use the
minimum value applicable to your cluster. But keep in
mind that this setting will lead to a cluster re-formation,
and to the node being removed from the cluster and
rebooted, if a system hang or network load spike
prevents the node from sending a heartbeat signal
within the MEMBER_TIMEOUT value. More than one
node could be affected if, for example, a network event
such as a broadcast storm caused kernel interrupts to
be turned off on some or all nodes while the packets
are being processed, preventing the nodes from
sending and processing heartbeat messages.
See Cluster Re-formations Caused by
MEMBER_TIMEOUT Being Set too Low (page 264) for
troubleshooting information.
For fewer re-formations, use a setting in the range of
10 to 25 seconds (10,000,000 to 25,000,000
microseconds), keeping in mind that a value larger than
the default will lead to slower re-formations than the
default. A value in this range is appropriate for most
installations
See also What Happens when a Node Times Out
(page 75), Cluster Daemon: cmcld (page 34), and the
white paper Optimizing Failover Time in a Serviceguard
Environment (version A.11.19 and later) at http://
www.hp.com/go/linux-serviceguard-docs.
Can be changed while the cluster is running.

4.7 Cluster Configuration Planning 99


AUTO_START_TIMEOUT The amount of time a node waits before it stops trying to
join a cluster during automatic cluster startup. All nodes wait
this amount of time for other nodes to begin startup before
the cluster completes the operation. The time should be
selected based on the slowest boot time in the cluster. Enter
a value equal to the boot time of the slowest booting node
minus the boot time of the fastest booting node plus 600
seconds (ten minutes).
Default is 600,000,000 microseconds.
Can be changed while the cluster is running.
NETWORK_POLLING_INTERVAL Specifies the Interval at which Serviceguard periodically
polls all the LAN Interfaces (link-level and the ones
configured for IP MONITOR)
Default is 2,000,000 microseconds (2 seconds). This means
that the network manager will poll each network interface
every 2 seconds, to make sure it can still send and receive
information.
The minimum value is 1,000,000 (1 second) and the
maximum value supported is 30 seconds.
For example,
If NETWORK_POLLING_INTERVAL is defined to be
6,000,000 (6 seconds), then the polling happens at
6th second, 12th second and so on.
If NETWORK_POLLING_INTERVAL is defined to be
9,000,000 (9 seconds), then the polling happens at
9th second, 18th second and so on.
Serviceguard also uses this parameter to calculate the
number of consecutive packets that each LAN interface
can miss/receive to mark a LAN interface DOWN/UP.
When an interface is monitored at IP-Level, and the
NETWORK_POLLING_INTERVAL is defined to be 8
seconds or more, then the number of consecutive
packets that each LAN interface can miss/receive to
be marked DOWN/UP is 2.
For example,
If NETWORK_POLLING_INTERVAL is defined to be 10
seconds, then the detection of failure/recovery for a
interface at IP Level will happen between 10 to 20
seconds.
The following are the failure/recovery detection times for
different values of Network Polling Interval (NPI) for an IP
monitored Ethernet interface:

100 Planning and Documenting an HA Cluster


Table 5 Failure Recovery Detection Times for an IP Monitored
Ethernet Interface
Values of
Network Polling
Failure/Recovery Detection Times (in seconds)
Interval (NPI) (in
seconds)

1 ~ NPI x 8 - NPI x 9

2 ~ NPI x 4 - NPI x 5

3 ~ NPI x 3 - NPI x 4

4 to 8 ~ NPI x 2 - NPI x 3

>=8 ~ NPI x 1- NPI x 2

IMPORTANT: HP strongly recommends using the default.


Changing this value can affect how quickly the link-level
and IP-level monitors detect a network failure. See
Monitoring LAN Interfaces and Detecting Failure: Link Level
(page 66).
Can be changed while the cluster is running.
CONFIGURED_IO_TIMEOUT_EXTENSION The number of microseconds by which to increase the time
Serviceguard waits after detecting a node failure, so as to
ensure that all pending I/O on the failed node has ceased.
This parameter must be set in the following cases.
For extended-distance clusters using software mirroring
across data centers over links between iFCP switches;
it must be set to the switches' maximum R_A_TOV value.

NOTE: CONFIGURED_IO_TIMEOUT_EXTENSION
is supported only with iFCP switches that allow you to
get their R_A_TOV value.

For switches and routers connecting an NFS server and


cluster-node clients that can run packages using the
NFS-mounted file system; see Planning for
NFS-mounted File Systems (page 106).
To set the value for the
CONFIGURED_IO_TIMEOUT_EXTENSION, you must
first determine the Maximum Bridge Transit Delay
(MBTD) for each switch and router. The value should
be in the vendors' documentation. Set the
CONFIGURED_IO_TIMEOUT_EXTENSION to the sum
of the values for the switches and routers. If there is
more than one possible path between the NFS server
and the cluster nodes, sum the values for each path
and use the largest number.

CAUTION: Serviceguard supports NFS-mounted file


systems only over switches and routers that support
MBTD. If you are using NFS-mounted file systems, you
must set CONFIGURED_IO_TIMEOUT_EXTENSION as
described here.

4.7 Cluster Configuration Planning 101


For more information about MBTD, see the white paper
Support for NFS as a filesystem type with HP
Serviceguard A.11.20 on HP-UX and Linux available
at http://www.hp.com/go/linux-serviceguard-docs.
For clusters in which both of the above conditions
apply.
In this case, set the
CONFIGURED_IO_TIMEOUT_EXTENSION to the higher
of the two values you get from following the instructions
in the preceding two bullets.
Default is 0. The value can range from zero to
2147483647.
SUBNET IP address of a cluster subnet for which IP Monitoring can
be turned on or off (see IP_MONITOR). The subnet must be
configured into the cluster, via NETWORK_INTERFACE and
either HEARTBEAT_IP or STATIONARY_IP. All entries for
IP_MONITOR and POLLING_TARGET apply to this subnet
until the next SUBNET entry; SUBNET must be the first of
each trio.
By default, each of the cluster subnets is listed under
SUBNET, and, if at least one gateway is detected for that
subnet, IP_MONITOR is set to ON and POLLING_TARGET
entries are populated with the gateway addresses, enabling
target polling; otherwise the subnet is listed with
IP_MONITOR set to OFF.
By default, IP_MONITOR parameter is set to OFF. If a
gateway is detected for the SUBNET in question, and
POLLING_TARGET entries are populated with the gateway
addresses, setting IP_MONITOR parameter to ON enables
target polling. For more information, see the description for
POLLING_TARGET.
See Monitoring LAN Interfaces and Detecting Failure: IP
Level (page 66) for more information.
Can be changed while the cluster is running; must be
removed, with its accompanying IP_MONITOR and
POLLING_TARGET entries, if the subnet in question is
removed from the cluster configuration.
IP_MONITOR Specifies whether or not the subnet specified in the
preceding SUBNET entry will be monitored at the IP layer.
To enable IP monitoring for the subnet, set IP_MONITOR to
ON; to disable it, set it to OFF.
By default, IP_MONITOR parameter is set to OFF. If a
gateway is detected for the SUBNET in question, and
POLLING_TARGET entries are populated with the gateway
addresses, setting IP_MONITOR parameter to ON enables
target polling. For more information, see the description for
POLLING_TARGET.
HP recommends you use target polling because it enables
monitoring beyond the first level of switches, but if you want

102 Planning and Documenting an HA Cluster


to use peer polling instead, set IP_MONITOR to ON for this
SUBNET, but do not use POLLING_TARGET (comment out
or delete any POLLING_TARGET entries that are already
there).
If a network interface in this subnet fails at the IP level and
IP_MONITOR is set to ON, the interface will be marked
down. If it is set to OFF, failures that occur only at the IP-level
will not be detected.
Can be changed while the cluster is running; must be
removed if the preceding SUBNET entry is removed.
POLLING_TARGET The IP address to which polling messages will be sent from
all network interfaces on the subnet specified in the
preceding SUBNET entry, if IP_MONITOR is set to ON. This
is called target polling.
Each subnet can have multiple polling targets; repeat
POLLING_TARGET entries as needed.
If IP_MONITOR is set to ON, but no POLLING_TARGET is
specified, polling messages are sent between network
interfaces on the same subnet (peer polling). HP recommends
you use target polling; see How the IP Monitor Works
(page 67) for more information.

NOTE: cmquerycl (1m) detects first-level routers in the


cluster (by looking for gateways in each node's routing
table) and lists them here as polling targets. If you run
cmquerycl with the -w full option (for full network
probing) it will also verify that the gateways will work
correctly for monitoring purposes.
Can be changed while the cluster is running; must be
removed if the preceding SUBNET entry is removed.
WEIGHT_NAME, WEIGHT_DEFAULT Default value for this weight for all packages that can have
weight; see Rules and Guidelines (page 126) underAbout
Package Weights (page 120). WEIGHT_NAME specifies a
name for a weight that exactly corresponds to a
CAPACITY_NAME specified earlier in the cluster
configuration file. (A package has weight; a node has
capacity.) The rules for forming WEIGHT_NAME are the same
as those spelled out for CAPACITY_NAME earlier in this list.
These parameters are optional, but if they are defined,
WEIGHT_DEFAULT must follow WEIGHT_NAME, and must
be set to a floating-point value between 0 and 1000000.
If they are not specified for a given weight, Serviceguard
will assume a default value of zero for that weight. In either
case, the default can be overridden for an individual
package via the weight_name and weight_value
parameters in the package configuration file.
For more information and examples, see Defining Weights
(page 124).

IMPORTANT: CAPACITY_NAME, WEIGHT_NAME, and


weight_value must all match exactly.

4.7 Cluster Configuration Planning 103


NOTE: A weight (WEIGHT_NAME, WEIGHT_DEFAULT)
has no meaning on a node unless a corresponding capacity
(CAPACITY_NAME, CAPACITY_VALUE) is defined for that
node.
For the reserved weight and capacity package_limit,
the default weight is always one. This default cannot be
changed in the cluster configuration file, but it can be
overridden for an individual package in the package
configuration file.
cmapplyconf will fail if you define a default for a weight
but do not specify a capacity of the same name for at least
one node in the cluster. You can define a maximum of four
WEIGHT_DEFAULTs per cluster.
Can be changed while the cluster is running.
(Access Control Policies) Specify three things for each policy: USER_NAME,
USER_HOST, and USER_ROLE. Policies set in the
configuration file of a cluster and its packages must not be
conflicting or redundant. For more information, see
Controlling Access to the Cluster (page 158).
MAX_CONFIGURED_PACKAGES This parameter sets the maximum number of packages that
can be configured in the cluster. The minimum value is 0,
and the maximum value, which is also the default, is 300.
Can be changed while the cluster is running.

4.7.5 Cluster Configuration: Next Step


When you are ready to configure the cluster, proceed to Configuring the Cluster (page 153). If
you find it useful to record your configuration ahead of time, use the Cluster Configuration worksheet
(page 289).

4.8 Package Configuration Planning


Planning for packages involves assembling information about each group of highly available
services.

NOTE: As of Serviceguard A.11.18, there is a new and simpler way to configure packages.
This method allows you to build packages from smaller modules, and eliminates the separate
package control script and the need to distribute it manually; see Chapter 6: Configuring Packages
and Their Services (page 169), for complete instructions.
This manual refers to packages created by the newer method as modular packages, and to packages
created by the older method as legacy packages.
The discussion that follows assumes you will be using the modular method. For information and
instructions on creating and maintaining legacy packages, see Configuring a Legacy Package
(page 233).

The document HP Serviceguard Developers Toolbox User Guide, December 2012 provides a
guide for integrating an application with Serviceguard using a suite of customizable scripts known
as "Serviceguard Developers Toolbox" intended for use with modular packages only. The
Serviceguard Developers Toolbox is available free of charge and can be downloaded from
Software Depot at http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?
productNumber=SGDTOOLBOX.

104 Planning and Documenting an HA Cluster


NOTE: The HP Serviceguard Developers Toolbox User Guide, December 2012 deals specifically
with modular packages only. The Serviceguard Developers Toolbox do not support legacy style
packages.

4.8.1 Logical Volume and File System Planning


Use logical volumes in volume groups as the storage infrastructure for package operations on a
cluster. When the package moves from one node to another, it must still be able to access the
same data on the same disk as it did when it was running on the previous node. This is accomplished
by activating the volume group and mounting the file system that resides on it.
In Serviceguard, high availability applications, services, and data are located in volume groups
that are on a shared bus. When a node fails, the volume groups containing the applications,
services, and data of the failed node are deactivated on the failed node and activated on the
adoptive node (the node the packages move to). In order for this to happen, you must configure
the volume groups so that they can be transferred from the failed node to the adoptive node.

NOTE: To prevent an operator from accidentally activating volume groups on other nodes in the
cluster, versions A.11.16.07 and later of Serviceguard for Linux include a type of VG activation
protection. This is based on the hosttags feature of LVM2.
This feature is not mandatory, but HP strongly recommends you implement it as you upgrade
existing clusters and create new ones. See Enabling Volume Group Activation Protection (page 148)
for instructions. However, if you are using PR feature this step is not required.

As part of planning, you need to decide the following:


What volume groups are needed?
How much disk space is required, and how should this be allocated in logical volumes?
What file systems need to be mounted for each package?
Which nodes need to import which logical volume configurations.
If a package moves to an adoptive node, what effect will its presence have on performance?
What hardware/software resources need to be monitored as part of the package? You can
then configure these as generic resources in the package and write appropriate monitoring
scripts for monitoring the resources.

NOTE: Generic resources influence the package based on their status. The actual monitoring
of the resource should be done in a script and this must be configured as a service. The script
sets the status of the resource based on the availability of the resource. See Monitoring Script
for Generic Resources (page 303).

Create a list by package of volume groups, logical volumes, and file systems. Indicate which nodes
need to have access to common file systems at different times.
HP recommends that you use customized logical volume names that are different from the default
logical volume names (lvol1, lvol2, etc.). Choosing logical volume names that represent the
high availability applications that they are associated with (for example, lvoldatabase) will
simplify cluster administration.
To further document your package-related volume groups, logical volumes, and file systems on
each node, you can add commented lines to the /etc/fstab file. The following is an example
for a database application:
# /dev/vg01/lvoldb1 /applic1 ext3 defaults 0 1 # These six entries are
# /dev/vg01/lvoldb2 /applic2 ext3 defaults 0 1 # for information purposes
# /dev/vg01/lvoldb3 raw_tables ignore ignore 0 0 # only. They record the
# /dev/vg01/lvoldb4 /general ext3 defaults 0 2 # logical volumes that

4.8 Package Configuration Planning 105


# /dev/vg01/lvoldb5 raw_free ignore ignore 0 0 # exist for Serviceguard's
# /dev/vg01/lvoldb6 raw_free ignore ignore 0 0 # HA package. Do not uncomment.
Create an entry for each logical volume, indicating its use for a file system or for a raw device.

CAUTION: Do not use /etc/fstab to mount file systems that are used by Serviceguard packages.
For information about creating, exporting, and importing volume groups, see Creating the Logical
Volume Infrastructure (page 145).

4.8.2 Planning for NFS-mounted File Systems


As of Serviceguard A.11.20.00, you can use NFS-mounted (imported) file systems as shared
storage in packages.
The same package can mount more than one NFS-imported file system, and can use both cluster-local
shared storage and NFS imports.

NOTE: Ensure that the NFS module is loaded during boot time for the configurations using NFS
file systems as part of the package configuration.
The following rules and restrictions apply.
NFS mounts are supported for modular failover packages.
So that Serviceguard can ensure that all I/O from a node on which a package has failed is
flushed before the package restarts on an adoptive node, all the network switches and routers
between the NFS server and client must support a worst-case timeout, after which packets and
frames are dropped. This timeout is known as the Maximum Bridge Transit Delay (MBTD).

IMPORTANT: Find out the MBTD value for each affected router and switch from the vendors'
documentation; determine all of the possible paths; find the worst case sum of the MBTD values
on these paths; and use the resulting value to set the Serviceguard
CONFIGURED_IO_TIMEOUT_EXTENSION parameter. For instructions, see the discussion of
this parameter under Cluster Configuration Parameters (page 90).
Switches and routers that do not support MBTD value must not be used in a Serviceguard NFS
configuration. This might lead to delayed packets that in turn could lead to data corruption.

Networking among the Serviceguard nodes must be configured in such a way that a single
failure in the network does not cause a package failure.
Only NFS client-side locks (local locks) are supported.
Server-side locks are not supported.
Because exclusive activation is not available for NFS-imported file systems, you must take the
following precautions to ensure that data is not accidentally overwritten.

The server must be configured so that only the cluster nodes have access to the file system.

The NFS file system used by a package must not be imported by any other system,
including other nodes in the cluster.
The nodes should not mount the file system on boot; it should be mounted only as part of
the startup for the package that uses it.
The NFS file system should be used by only one package.

While the package is running, the file system should be used exclusively by the package.

If the package fails, do not attempt to restart it manually until you have verified that the
file system has been unmounted properly.

106 Planning and Documenting an HA Cluster


In addition, you should observe the following guidelines.
HP recommends that you avoid a single point of failure by ensuring that the NFS server is
highly available.

NOTE: If network connectivity to the NFS Server is lost, the applications using the imported
file system may hang and it may not be possible to kill them. If the package attempts to halt
at this point, it may not halt successfully.

Do not use the automounter; otherwise package startup may fail.


If storage is directly connected to all the cluster nodes and shared, configure it as a local file
system rather than using NFS.
An NFS file system should not be mounted on more than one mount point at the same time.
Access to an NFS file system used by a package should be restricted to the nodes that can
run the package.
For more information, see the white paperUsing NFS as a file system type with Serviceguard 11.20
on HP-UX and Linux available at http://www.hp.com/go/linux-serviceguard-docs. This paper
includes instructions for setting up a sample package that uses an NFS-imported file system.
See also the description of fs_name (page 187), fs_type (page 188), and the other file
system-related package parameters.

4.8.3 Planning for Expansion


You can add packages to a running cluster. This process is described in Chapter 7: Cluster and
Package Maintenance (page 199).
When adding packages, be sure not to exceed the value of max_configured_packages as
defined in the cluster configuration file (see Cluster Configuration Parameters (page 90)). You
can modify this parameter while the cluster is running if you need to.

4.8.4 Choosing Switching and Failover Behavior


To determine the failover behavior of a failover package (see Package Types (page 43)), you
define the policy that governs where Serviceguard will automatically start up a package that is not
running. In addition, you define a failback policy that determines whether a package will be
automatically returned to its primary node when that is possible.
The following table describes different types of failover behavior and the settings in the package
configuration file that determine each behavior. See Package Parameter Explanations (page 174)
for more information.

4.8 Package Configuration Planning 107


Table 6 Package Failover Behavior
Switching Behavior Parameters in Configuration File

Package switches normally after detection of node_fail_fast_enabled set to no. (Default)


service or network failure, generic resource
failure or when a configured dependency is service_fail_fast_enabled set to no for all services. (Default)
not met. Halt script runs before switch takes auto_run set to yes for the package. (Default)
place. (Default)

Package fails over to the node with the fewest failover_policy set to min_package_node.
active packages.

Package fails over to the node that is next on failover_policy set to configured_node. (Default)
the list of nodes. (Default)

Package is automatically halted and restarted failback_policy set to automatic.


on its primary node if the primary node is
available and the package is running on a
non-primary node.

Package can be manually returned to its failback_policy set to manual. (Default)


primary node if it is running on a non-primary
node, but this does not happen automatically. failover_policy set to configured_node. (Default)

All packages switch following a system reboot service_fail_fast_enabled set to yes for a specific service.
on the node when a specific service fails. Halt
scripts are not run. auto_run set to yes for all packages.

All packages switch following a system reboot service_fail_fast_enabled set to yes for all services.
on the node when any service fails.
auto_run set to yes for all packages.

All packages switch following a system reset service_fail_fast_enabled set to yes for a specific service.
(an immediate halt without a graceful
shutdown) on the node when a specific auto_run set to yes for all packages.
service fails. Halt scripts are not run.

All packages switch following a system reset service_fail_fast_enabled set to yes for all services.
on the node when any service fails. An
attempt is first made to reboot the system prior auto_run set to yes for all packages.
to the system reset.

Failover packages can be also configured so that IP addresses switch from a failed NIC to a
standby NIC on the same node and the same physical subnet.

4.8.5 Parameters for Configuring Generic Resources


Serviceguard provides the following parameters for configuring generic resources. Configure each
of these parameters in the package configuration file for each resource the package is dependent
on.

108 Planning and Documenting an HA Cluster


generic_resource_name: defines the logical name used to identify a generic resource in
a package.
generic_resource_evaluation_type: defines when the status of a generic resource
is evaluated. This can be set to during_package_start or before_package_start.
If not specified, DPS is considered as default.
during_package_start means the status of generic resources are evaluated during
the course of start of the package.
before_package_start means resource monitoring must be started before the package
start and all the configured resources must be UP on a given node for the package to be
started on that node.
generic_resource_up_criteria: defines a criterion to determine the 'up' condition for
a generic resource. It also determines whether a generic resource is a simple resource or an
extended resource. This parameter requires an operator and a value. The operators ==, !=,
>, <, >=, and <= are allowed. Values must be positive integer values ranging from 1 to
2147483647.
The following is an example of how to configure simple and extended resources.
Simple generic resource:
generic_resource_name sfm_disk
generic_resource_evaluation_type before_package_start
Extended generic resource:
generic_resource_name cpu_lan
generic_resource_evaluation_type during_package_start
generic_resource_up_criteria <50
For more information on the generic resource parameters, see Package Parameter Explanations
(page 174).

4.8.6 Configuring a Generic Resource


This section describes the step-by-step procedure to configure generic resources. You can also
configure generic resources from Serviceguard Manager. See the online help for instructions on
how to configure from Serviceguard Manager.
1. Create a package configuration file that contains the generic resource module:
cmmakepkg $SGCONF/pkg1/pkg1.conf
Package template is created.
This file must be edited before it can be used.

NOTE: To generate a configuration file adding the generic resource module to an existing
package (enter the command all on one line):
cmmakepkg -i $SGCONF/pkg1/pkg1.conf -m sg/generic_resource

2. Edit the package configuration file and specify the generic resource parameters (as shown in
the snippet):
service_name cpu_monitor
service_cmd $SGCONF/generic_resource_monitors/cpu_monitor.sh
service_halt_timeout 10

generic_resource_name sfm_cpu
generic_resource_evaluation_type during_package_start

4.8 Package Configuration Planning 109


NOTE: Generic resources must be configured to use the monitoring script. It is the monitoring
script that contains the logic to monitor the resource and set the status of a generic resource
accordingly by using cmsetresource(1m).
These scripts must be written by end-users according to their requirements. The monitoring
script must be configured as a service in the package if the monitoring of the resource is
required to be started and stopped as a part of the package.
This can be achieved by configuring a service_name and a service_cmd, by providing
the full path name of the monitoring script as the service_cmd value as shown in the step.
The service_name and generic_resource_name need not be the same. However, it
would be a good practice to do it, so that it would be easier to identify the monitor.
HP provides a template that describes how a monitoring script can be written. For more
information on monitoring scripts and the template, see Monitoring Script for Generic
Resources (page 303) and Template of a Monitoring Script (page 305).
If the generic_resource_up_criteria is specified, the given resource is considered to
be an extended generic resource, else it is a simple generic resource. For the description of
generic resources parameters, see Package Parameter Explanations (page 174). See Using
the Generic Resources Monitoring Service (page 53).

3. After editing the package configuration file, verify the content of the package configuration
file:
cmcheckconf -v -P $SGCONF/pkg1/pkg1.conf
cmcheckconf: Verification completed with no errors found.
Use the cmapplyconf command to apply the configuration
4. When verification completes without errors, apply the package configuration file. This adds
the package configuration information (along with generic resources) to the binary cluster
configuration file in the $SGCONF directory and distributes it to all the cluster nodes.
cmapplyconf -P $SGCONF/pkg1/pkg1.conf
Modify the package configuration ([y]/n)? y
Completed the cluster update
5. Verify that the generic resources parameters are configured.
cmviewcl -v -p pkg1
UNOWNED_PACKAGES

PACKAGE STATUS STATE AUTO_RUN NODE

pkg1 down halted disabled unowned

Policy_Parameters:
POLICY_NAME CONFIGURED_VALUE
Failover configured_node
Failback manual

Script_Parameters:
ITEM STATUS NODE_NAME NAME
Generic Resource unknown node1 sfm_disk
Generic Resource unknown node2 sfm_disk

Node_Switching_Parameters:
NODE_TYPE STATUS SWITCHING NAME
Primary up enabled node1
Alternate up enabled node2

Other_Attributes:

110 Planning and Documenting an HA Cluster


ATTRIBUTE_NAME ATTRIBUTE_VALUE
Style modular
Priority no_priority
The cmviewcl -v -f line output (snippet) will be as follows:
cmviewcl -v -f line -p pkg1 | grep generic_resource
generic_resource:sfm_disk|name=sfm_disk
generic_resource:sfm_disk|evaluation_type=during_package_start
generic_resource:sfm_disk|up_criteria=N/A
generic_resource:sfm_disk|node:node1|status=unknown
generic_resource:sfm_disk|node:node1|current_value=0
generic_resource:sfm_disk|node:node2|status=unknown
generic_resource:sfm_disk|node:node2|current_value=0

NOTE: The default status of a generic resource is UNKNOWN and the default current_value
is "0" unless the status/value of a simple/extended generic resource is set using the
cmsetresource command.

6. Start the package. As part of the package start, the monitoring script will start the monitoring
of the generic resource and set the status accordingly.
cmrunpkg pkg1

4.8.6.1 Getting and Setting the Status/Value of a Simple/Extended Generic Resource


You can use the Serviceguard commands cmgetresource(1m) and cmsetresource(1m),
to get or set the status of a simple generic resource or the value of an extended generic resource.
These commands can also be used in the monitoring script or executed from the CLI. You must be
a root user (UID=0) to execute these commands. Non-root users cannot run these commands.

4.8.6.1.1 Using Serviceguard Command to Get the Status/Value of a Simple/Extended Generic


Resource
Use the cmgetresource command to get the status of a simple generic resource or the value of
an extended generic resource. For example:
cmgetresource -r sfm_disk
This retrieves the status of the generic resource sfm_disk if it is configured as a simple resource.
If configured as an extended resource, the current value is returned.

4.8.6.1.2 Using Serviceguard Command to Set the Status/Value of a Simple/Extended Generic


Resource
Use the cmsetresource command to set the status of a simple generic resource or the value of
an extended generic resource. For example:
cmsetresource -r sfm_disk -s up
This sets the status of the generic resource sfm_disk to up. This is a simple generic resource and
only the status can be set to up/down.
cmsetresource -r sfm_lan 10
This sets the current value of the generic resource sfm_lan to 10. This is an extended generic
resource and only numeric values from 1 to 2147483647 can be set.
See the man pages for more information.

4.8 Package Configuration Planning 111


4.8.6.2 Online Reconfiguration of Generic Resources
Online operations such as addition, deletion, and modification of generic resources in packages
are supported. The following operations can be performed online:
Addition of a generic resource of generic_resource_evaluation_type set to
during_package_start, whose status is not down.
Please ensure that while adding a generic resource, the equivalent monitor is available; if not
add the monitor while adding a generic resource.
Addition of a generic resource of generic_resource_evaluation_type set to
before_package_start, whose status is 'up'.
Deletion of a generic resource. Please ensure that while deleting a generic resource, the
equivalent monitor is also removed. However, if a common resource is being monitored across
multiple packages, then before removing the monitor ensure that the generic resource being
deleted is not configured in other packages that are also using this monitor.
Modification of generic_resource_evaluation_type from before_package_start
to during_package_start or vice versa when the resource is 'up'.
Modification of generic_resource_up_criteria specified for resources of evaluation
type before_package_start or during_package_start provided the new up criteria
does not cause the resource status to evaluate to 'down' (i.e., the current_value of the resource
still satisfies the new up_criteria).
Modification of resource type from a simple resource to an extended resource is allowed only
if the generic_resource_evaluation_type is during_package_start in all the
running packages that currently use the resource.

4.8.6.3 Online Reconfiguration of serviceguard-xdc Modular Package Parameters


Online operations such as addition, deletion, and modification of serviceguard-xdc package
parameters in serviceguard-xdc packages are supported. The following operations can be performed
online:
Modification of xdc/xdc/rpo_target parameter.
Modification of xdc/xdc/raid_monitor_interval parameter.
Addition of a new MD device (xdc/xdc/raid_device[]) along with its mirror halves
(xdc/xdc/raid_device_0[] and xdc/xdc/raid_device_1[]).
Deletion of an existing MD device (xdc/xdc/raid_device[]) and its mirror halves
(xdc/xdc/raid_device_0[] and xdc/xdc/raid_device_1[]).
Changing one mirror half (xdc/xdc/raid_device_0[] or xdc/xdc/raid_device_1[])
of an existing MD at once.
The following operations cannot be performed online:
Changing at once both the mirror halves (xdc/xdc/raid_device_0[] and
xdc/xdc/raid_device_1[]) of an existing MD device (xdc/xdc/raid_device[]).
Changing the service_name attribute of "raid_monitor" service when the serviceguard-xdc
package is running.

112 Planning and Documenting an HA Cluster


Limitations
Following are the limitations with new behavior of online reconfiguration for serviceguard-xdc
packages:
Cannot add and delete an MD device simultaneously.
Cannot add an MD device and replace a mirror half in another existing MD device
simultaneously.
Cannot delete an MD device and replace a mirror half in another existing MD device
simultaneously.
Cannot replace multiple mirror halves simultaneously while the package is running.

4.8.7 About Package Dependencies


A package can have dependencies on other packages, meaning the package will not start on a
node unless the packages it depends on are running on that node.
You can make a package dependent on any other package or packages running on the same
cluster node, subject to the restrictions spelled out in Chapter 6, under dependency_condition
(page 180).
Serviceguard adds two new capabilities: you can specify broadly where the package depended
on must be running, and you can specify that it must be down. These capabilities are discussed
later in this section under Extended Dependencies (page 117). You should read the next section,
Simple Dependencies (page 113), first.

4.8.7.1 Simple Dependencies


A simple dependency occurs when one package requires another to be running on the same node.
You define these conditions by means of the parameters dependency_condition and
dependency_location, using the literal values UP and same_node, respectively. (For detailed
configuration information, see the package parameter definitions starting with dependency_name
(page 180). For a discussion of complex dependencies, see Extended Dependencies (page 117).
Make a package dependent on another package if the first package cannot (or should not) function
without the services provided by the second. For example, pkg1 might run a real-time web interface
to a database managed by pkg2. In this case it might make sense to make pkg1 dependent on
pkg2.
In considering whether or not to create a dependency between packages, use the Rules for Simple
Dependencies and Guidelines for Simple Dependencies (page 117) that follow.

4.8.7.2 Rules for Simple Dependencies


Assume that we want to make pkg1 depend on pkg2.

NOTE: pkg1 can depend on more than one other package, and pkg2 can depend on another
package or packages; we are assuming only two packages in order to make the rules as clear as
possible.

4.8 Package Configuration Planning 113


pkg1 will not start on any node unless pkg2 is running on that node.
pkg1s package_type (page 175) and failover_policy (page 178) constrain the type
and characteristics of pkg2, as follows:
If pkg1 is a multi-node package, pkg2 must be a multi-node or system multi-node package.
(Note that system multi-node packages are not supported for general use.)
If pkg1 is a failover package and its failover_policy is min_package_node, pkg2
must be a multi-node or system multi-node package.
If pkg1 is a failover package and its failover_policy is configured_node, pkg2
must be:
a multi-node or system multi-node package, or
a failover package whose failover_policy is configured_node.

pkg2 cannot be a failover package whose failover_policy is min_package_node.


pkg2s node_name list (page 176) must contain all of the nodes on pkg1s.
This means that if pkg1 is configured to run on any node in the cluster (*), pkg2 must
also be configured to run on any node.

NOTE: If pkg1 lists all the nodes, rather than using the asterisk (*), pkg2 must also
list them.

Preferably the nodes should be listed in the same order if the dependency is between
packages whose failover_policy is configured_node; cmcheckconf and
cmapplyconf will warn you if they are not.
A package cannot depend on itself, directly or indirectly.
That is, not only must pkg1 not specify itself in the dependency_condition (page 180), but
pkg1 must not specify a dependency on pkg2 if pkg2 depends on pkg1, or if pkg2 depends
on pkg3 which depends on pkg1, etc.

If pkg1 is a failover package and pkg2 is a multi-node or system multi-node package, and
pkg2 fails, pkg1 will halt and fail over to the next node on its node_name list on which pkg2
is running (and any other dependencies, such as resource dependencies or a dependency on
a third package, are met).
In the case of failover packages with a configured_node failover_policy, a set of
rules governs under what circumstances pkg1 can force pkg2 to start on a given node. This
is called dragging and is determined by each packages priority (page 179). See Dragging
Rules for Simple Dependencies (page 115).
If pkg2 fails, Serviceguard will halt pkg1 and any other packages that depend directly or
indirectly on pkg2.
By default, Serviceguard halts packages in dependency order, the dependent package(s) first,
then the package depended on. In our example, pkg1 would be halted first, then pkg2. If
there were a third package, pkg3, that depended on pkg1, pkg3 would be halted first, then
pkg1, then pkg2.
If the halt script for any dependent package hangs, by default the package depended on will
wait forever (pkg2 will wait forever for pkg1, and if there is apkg3 that depends on pkg1,
pkg1 will wait forever for pkg3). You can modify this behavior by means of the
successor_halt_timeout parameter (page 178)). (The successor of a package depends
on that package; in our example, pkg1 is a successor of pkg2; conversely pkg2 can be
referred to as a predecessor of pkg1.)

114 Planning and Documenting an HA Cluster


4.8.7.2.1 Dragging Rules for Simple Dependencies
The priority parameter (page 179) gives you a way to influence the startup, failover, and failback
behavior of a set of failover packages that have a configured_node failover_policy,
when one or more of those packages depend on another or others.
The broad rule is that a higher-priority package can drag a lower-priority package, forcing it to
start on, or move to, a node that suits the higher-priority package.

NOTE: This applies only when the packages are automatically started (package switching
enabled); cmrunpkg will never force a package to halt.
Keep in mind that you do not have to set priority, even when one or more packages depend
on another. The default value, no_priority, may often result in the behavior you want. For
example, if pkg1 depends on pkg2, and priority is set to no_priority for both packages,
and other parameters such as node_name and auto_run are set as recommended in this section,
then pkg1 will normally follow pkg2 to wherever both can run, and this is the common-sense (and
may be the most desirable) outcome.
The following examples express the rules as they apply to two failover packages whose
failover_policy (page 178) is configured_node. Assume pkg1 depends on pkg2, that
node1, node2 and node3 are all specified (in some order) under node_name (page 176) in the
configuration file for each package, and that failback_policy (page 179) is set to automatic
for each package.

NOTE: Keep the following in mind when reading the examples that follow, and when actually
configuring priorities:
1. auto_run (page 176) should be set to yes for all the packages involved; the examples assume
that it is.
2. Priorities express a ranking order, so a lower number means a higher priority (10 is a higher
priority than 30).
HP recommends assigning values in increments of 20 so as to leave gaps in the sequence;
otherwise you may have to shuffle all the existing priorities when assigning priority to a new
package.
no_priority, the default, is treated as a lower priority than any numerical value.
3. All packages with no_priority are by definition of equal priority, and there is no other
way to assign equal priorities; a numerical priority must be unique within the cluster. See
priority (page 179) for more information.

4.8 Package Configuration Planning 115


If pkg1 depends on pkg2, and pkg1s priority is lower than or equal to pkg2s, pkg2s node order
dominates. Assuming pkg2s node order is node1, node2, node3, then:
On startup:
pkg2 will start on node1, or node2 if node1 is not available or does not at present
meet all of its dependencies, etc.
pkg1 will start on whatever node pkg2 has started on (no matter where that node
appears on pkg1s node_name list) provided all of pkg1s other dependencies are
met there.
If the node where pkg2 has started does not meet all pkg1s dependencies, pkg1
will not start.
On failover:
If pkg2 fails on node1, pkg2 will fail over to node2 (or node3 if node2 is not available
or does not currently meet all of its dependencies, etc.)
pkg1 will fail over to whatever node pkg2 has restarted on (no matter where that
node appears on pkg1s node_name list) provided all of pkg1s dependencies are
met there.
If the node where pkg2 has restarted does not meet all pkg1s dependencies,
pkg1 will not restart.

If pkg1 fails, pkg1 will not fail over.


This is because pkg1 cannot restart on any adoptive node until pkg2 is running there,
and pkg2 is still running on the original node. pkg1 cannot drag pkg2 because it has
insufficient priority to do so.

On failback:
If both packages have moved from node1 to node2 and node1 becomes available,
pkg2 will fail back to node1 only if pkg2s priority is higher than pkg1s:
If the priorities are equal, neither package will fail back (unless pkg1 is not running;
in that case pkg2 can fail back).
If pkg2s priority is higher than pkg1s, pkg2 will fail back to node1; pkg1 will
fail back to node1 provided all of pkg1s other dependencies are met there;
if pkg2 has failed back to node1 and node1 does not meet all of pkg1s
dependencies, pkg1 will halt.

If pkg1 depends on pkg2, and pkg1s priority is higher than pkg2s, pkg1s node order dominates.
Assuming pkg1s node order is node1, node2, node3, then:
On startup:
pkg1 will select node1 to start on.

pkg2 will start on node1, provided it can run there (no matter where node1 appears
on pkg2s node_name list).
If pkg2 is already running on another node, it will be dragged to node1, provided
it can run there.

If pkg2 cannot start on node1, then both packages will attempt to start on node2 (and
so on).

116 Planning and Documenting an HA Cluster


Note that the nodes will be tried in the order of pkg1s node_name list, and pkg2 will be
dragged to the first suitable node on that list whether or not it is currently running on another
node.
On failover:
If pkg1 fails on node1, pkg1 will select node2 to fail over to (or node3 if it can run
there and node2 is not available or does not meet all of its dependencies; etc.)
pkg2 will be dragged to whatever node pkg1 has selected, and restart there; then pkg1
will restart there.
On failback:
If both packages have moved to node2 and node1 becomes available, pkg1 will fail
back to node1 if both packages can run there;
otherwise, neither package will fail back.

4.8.7.3 Guidelines for Simple Dependencies


As you can see from the above Dragging Rules for Simple Dependencies, if pkg1 depends on
pkg2, it can sometimes be a good idea to assign a higher priority to pkg1, because that provides
the best chance for a successful failover (and failback) if pkg1 fails.
But you also need to weigh the relative importance of the packages. If pkg2 runs a database that
is central to your business, you probably want it to run undisturbed, no matter what happens to
application packages that depend on it. In this case, the database package should have the highest
priority.
Note that, if no priorities are set, the dragging rules favor a package that is depended on over a
package that depends on it.
Consider assigning a higher priority to a dependent package if it is about equal in real-world
importance to the package it depends on; otherwise assign the higher priority to the more important
package, or let the priorities of both packages default.
You also need to think about what happens when a package fails. If other packages depend on
it, Serviceguard will halt those packages (and any packages that depend on them, etc.) This
happens regardless of the priority of the failed package.
By default the packages are halted in the reverse of the order in which they were started; and if
the halt script for any of the dependent packages hangs, the failed package will wait indefinitely
to complete its own halt process. This provides the best chance for all the dependent packages to
halt cleanly, but it may not be the behavior you want. You can change it by means of the
successor_halt_timeout parameter (page 178).
If you set successor_halt_timeout to zero, Serviceguard will halt the dependent packages
in parallel with the failed package; if you set it to a positive number, Serviceguard will halt the
packages in the reverse of the start order, but will allow the failed package to halt after the
successor_halt_timeout number of seconds whether or not the dependent packages have
completed their halt scripts.
If you decide to create dependencies between packages, it is a good idea to test thoroughly,
before putting the packages into production, to make sure that package startup, halt, failover, and
failback behavior is what you expect.

4.8.7.4 Extended Dependencies


To the capabilities provided by Simple Dependencies (page 113), extended dependencies add the
following:

4.8 Package Configuration Planning 117


You can specify whether the package depended on must be running or must be down.
You define this condition by means of the dependency_condition, using one of the literals
UP or DOWN (the literals can be upper or lower case). We'll refer to the requirement that
another package be down as an exclusionary dependency; see Rules for Exclusionary
Dependencies (page 118).
You can specify where the dependency_condition must be satisfied: on the same node,
a different node, all nodes, or any node in the cluster.
You define this by means of the dependency_location parameter (page 180), using one
of the literals same_node, different_node, all_nodes, or any_node.
different_node and any_node are allowed only if dependency_condition is UP.
all_nodes is allowed only if dependency_condition is DOWN.
See Rules for different_node and any_node Dependencies (page 119).
For more information about the dependency_ parameters, see the definitions starting with
dependency_name (page 180), and the cmmakepkg (1m) manpage.

IMPORTANT: If you have not already done so, read the discussion of Simple Dependencies
(page 113) before you go on.
The interaction of the legal values of dependency_location and dependency_condition
creates the following possibilities:
Same-node dependency: a package can require that another package be UP on the same
node.
This is the case covered in the section on Simple Dependencies (page 113).
Different-node dependency: a package can require that another package be UP on a different
node.
Any-node dependency: a package can require that another package be UP on any node in
the cluster.
Same-node exclusion: a package can require that another package be DOWN on the same
node. (But this does not prevent that package from being UP on another node.)
All-nodes exclusion: a package can require that another package be DOWN on all nodes in
the cluster.

4.8.7.4.1 Rules for Exclusionary Dependencies


All exclusions must be mutual.
That is, if pkg1 requires pkg2 to be DOWN, pkg2 must also require pkg1 to be DOWN.
By creating an exclusionary relationship between any two packages, you ensure that only
one of them can be running at any time either on a given node (same-node exclusion) or
throughout the cluster (all-nodes exclusion). A package can have an exclusionary relationship
with any number of other packages, but each such relationship must be mutual.
Priority (discussed in detail under Dragging Rules for Simple Dependencies (page 115)) must
be set for at least one of the packages in an exclusionary relationship.
The higher-priority package can force the lower-priority package to halt or (in the case of a
same-node exclusion) move to another eligible node, if any.
dependency_location must be either same_node or all_nodes, and must be the same
for both packages.
Both packages must be failover packages whose failover_policy (page 178) is
configured_node.

118 Planning and Documenting an HA Cluster


4.8.7.4.2 Rules for different_node and any_node Dependencies
These rules apply to packages whose dependency_condition is UP and whose
dependency_location is different_node or any_node. For same-node dependencies,
see Simple Dependencies (page 113); for exclusionary dependencies, see Rules for Exclusionary
Dependencies (page 118).
Both packages must be failover packages whose failover_policy (page 178) is
configured_node.
The priority (page 179) of the package depended on must be higher than or equal to the
priority of the dependent package and the priorities of that package's dependents.
For example, if pkg1 has a different_node or any_node dependency on pkg2,
pkg2's priority must be higher than or equal to pkg1's priority and the priority of any
package that depends on pkg1 to be UP. pkg2's node order dominates when
Serviceguard is placing the packages.
A package cannot depend on itself, directly or indirectly.
For example, not only must pkg1 not specify itself in the dependency_condition (page 180),
but pkg1 must not specify a dependency on pkg2 if pkg2 depends on pkg1, or if pkg2
depends on pkg3 which depends on pkg1, etc.

Dragging rules apply. See Dragging Rules for Simple Dependencies (page 115).

4.8.8 What Happens When a Package Fails


This discussion applies to packages that have dependents, or are depended on, or both (UP
dependencies only). When such a package fails, Serviceguard does the following:
1. Halts the packages that depend on the failing package, if any.
Serviceguard halts the dependent packages (and any packages that depend on them, etc.)
This happens regardless of the priority of the failed package.

NOTE: Dependent packages are halted even in the case of different_node or any_node
dependency. For example, if pkg1 running on node1 has a different_node or any_node
dependency on pkg2 running on node2, and pkg2 fails over to node3, pkg1 will be halted
and restarted as described below.
By default the packages are halted in the reverse of the order in which they were started; and
if the halt script for any of the dependent packages hangs, the failed package will wait
indefinitely to complete its own halt process. This provides the best chance for all the dependent
packages to halt cleanly, but it may not be the behavior you want. You can change it by
means of the successor_halt_timeout parameter (page 178). (A successor is a package
that depends on another package.)
If the failed package's successor_halt_timeout is set to zero, Serviceguard will halt the
dependent packages in parallel with the failed package; if it is set to a positive number,
Serviceguard will halt the packages in the reverse of the start order, but will allow the failed
package to halt after the successor_halt_timeout number of seconds whether or not
the dependent packages have completed their halt scripts.
2. Halts the failing package.
After the successor halt timer has expired or the dependent packages have all halted,
Serviceguard starts the halt script of the failing package, regardless of whether the dependents'
halts succeeded, failed, or timed out.
3. Halts packages the failing package depends on, starting with the package this package
immediately depends on. The packages are halted only if:

4.8 Package Configuration Planning 119


these are failover packages, and
the failing package can drag these packages to a node on which they can all run.
Otherwise the failing package halts and the packages it depends on continue to run
4. Starts the packages the failed package depends on (those halted in step 3, if any).
If the failed package has been able to drag the packages it depends on to the adoptive node,
Serviceguard starts them in the reverse of the order it halted them in the previous step (that is,
the package that does not depend on any other package is started first).
5. Starts the failed package.
6. Starts the packages that depend on the failed package (those halted in step 1).
7. If a package has the all_nodes dependency, and if the package changes to halt_aborted
state, the dependent package does not start. However, if the dependency_condition is
same_node or any_node, the dependent package is started, even if the dependent package
is in halt_aborted state.

4.8.9 For More Information


For more information, see:
The parameter descriptions for priority (page 179) and dependency_ (page 180), and the
corresponding comments in the package configuration template file
The cmmakepkg (1m) manpage
The white paper Serviceguards Package Dependency Feature, which you can find at http://
www.hp.com/go/hpux-serviceguard-docs

4.8.10 About Package Weights


Package weights and node capacities allow you to restrict the number of packages that can run
concurrently on a given node, or, alternatively, to limit the total package weight (in terms of
resource consumption) that a node can bear.
For example, suppose you have a two-node cluster consisting of a large system and a smaller
system. You want all your packages to be able to run on the large system at the same time, but,
if the large node fails, you want only the critical packages to run on the smaller system. Package
weights allow you to configure Serviceguard to enforce this behavior.

4.8.10.1 Package Weights and Node Capacities


You define a capacity, or capacities, for a node (in the cluster configuration file), and corresponding
weights for packages (in the package configuration file).
Node capacity is consumed by package weights. Serviceguard ensures that the capacity limit you
set for a node is never exceeded by the combined weight of packages running on it; if a node's
available capacity will be exceeded by a package that wants to run on that node, the package
will not run there. This means, for example, that a package cannot fail over to a node if that node
does not currently have available capacity for it, even if the node is otherwise eligible to run the
package unless the package that wants to run has sufficient priority to force one of the packages
that are currently running to move; see How Package Weights Interact with Package Priorities
and Dependencies (page 126).

4.8.10.2 Configuring Weights and Capacities


You can configure multiple capacities for nodes, and multiple corresponding weights for packages,
up to four capacity/weight pairs per cluster. This allows you considerable flexibility in managing
package use of each node's resources but it may be more flexibility than you need. For this
reason Serviceguard provides two methods for configuring capacities and weights: a simple method
and a comprehensive method. The subsections that follow explain each of these methods.

120 Planning and Documenting an HA Cluster


4.8.10.3 Simple Method
Use this method if you simply want to control the number of packages that can run on a given
node at any given time. This method works best if all the packages consume about the same amount
of computing resources.
If you need to make finer distinctions between packages in terms of their resource consumption,
use the Comprehensive Method (page 122) instead.
To implement the simple method, use the reserved keyword package_limit to define each
node's capacity. In this case, Serviceguard will allow you to define only this single type of capacity,
and corresponding package weight, in this cluster. Defining package weight is optional; for
package_limit it will default to 1 for all packages, unless you change it in the package
configuration file.

4.8.10.3.1 Example 1
For example, to configure a node to run a maximum of ten packages at any one time, make the
following entry under the node's NODE_NAME entry in the cluster configuration file:
NODE_NAME node1
...
CAPACITY_NAME package_limit
CAPACITY_VALUE 10
Now all packages will be considered equal in terms of their resource consumption, and this node
will never run more than ten packages at one time. (You can change this behavior if you need to
by modifying the weight for some or all packages, as the next example shows.) Next, define the
CAPACITY_NAME and CAPACITY_VALUE parameters for the remaining nodes, setting
CAPACITY_NAME to package_limit in each case. You may want to set CAPACITY_VALUE to
different values for different nodes. A ten-package capacity might represent the most powerful
node, for example, while the least powerful has a capacity of only two or three.

NOTE: Serviceguard does not require you to define a capacity for each node. If you define the
CAPACITY_NAME and CAPACITY_VALUE parameters for some nodes but not for others, the nodes
for which these parameters are not defined are assumed to have limitless capacity; in this case,
those nodes would be able to run any number of eligible packages at any given time.
If some packages consume more resources than others, you can use the weight_name and
weight_value parameters to override the default value (1) for some or all packages. For example,
suppose you have three packages, pkg1, pkg2, and pkg3. pkg2 is about twice as
resource-intensive as pkg3 which in turn is about one-and-a-half times as resource-intensive as
pkg1. You could represent this in the package configuration files as follows:
For pkg1:
weight_name package_limit
weight_value 2

For pkg2:
weight_name package_limit
weight_value 6

For pkg3:
weight_name package_limit
weight_value 3
Now node1, which has a CAPACITY_VALUE of 10 for the reserved CAPACITY_NAME
package_limit, can run any two of the packages at one time, but not all three. If in addition

4.8 Package Configuration Planning 121


you wanted to ensure that the larger packages, pkg2 and pkg3, did not run on node1 at the
same time, you could raise the weight_value of one or both so that the combination exceeded
10 (or reduce node1's capacity to 8).

4.8.10.3.2 Points to Keep in Mind


The following points apply specifically to the Simple Method (page 121). Read them in conjunction
with the Rules and Guidelines (page 126), which apply to all weights and capacities.
If you use the reserved CAPACITY_NAME package_limit, then this is the only type of
capacity and weight you can define in this cluster.
If you use the reserved CAPACITY_NAME package_limit, the default weight for all packages
is 1. You can override this default in the package configuration file, via the weight_name
and weight_value parameters, as in the example above.
(The default weight remains 1 for any package to which you do not explicitly assign a different
weight in the package configuration file.)
If you use the reserved CAPACITY_NAME package_limit, weight_name, if used, must
also be package_limit.
You do not have to define a capacity for every node; if you don't, the node is assumed to
have unlimited capacity and will be able to run any number of eligible packages at the same
time.
If you want to define only a single capacity, but you want the default weight to be zero rather
than 1, do not use the reserved name package_limit. Use another name (for example,
resource_quantity) and follow the Comprehensive Method. This is also a good idea if
you think you may want to use more than one capacity in the future.
To learn more about configuring weights and capacities, see the documents listed under For More
Information (page 126).

4.8.10.4 Comprehensive Method


Use this method if the Simple Method (page 121) does not meet your needs. (Make sure you have
read that section before you proceed.) The comprehensive method works best if packages consume
differing amounts of computing resources, so that simple one-to-one comparisons between packages
are not useful.

IMPORTANT: You cannot combine the two methods. If you use the reserved capacity
package_limit for any node, Serviceguard will not allow you to define any other type of
capacity and weight in this cluster; so you are restricted to the Simple Method in that case.

4.8.10.4.1 Defining Capacities


Begin by deciding what capacities you want to define; you can define up to four different capacities
for the cluster.
You may want to choose names that have common-sense meanings, such as processor, memory,
or IO, to identify the capacities, but you do not have to do so. In fact it could be misleading to
identify single resources, such as processor, if packages really contend for sets of interacting
resources that are hard to characterize with a single name. In any case, the real-world meanings
of the names you assign to node capacities and package weights are outside the scope of
Serviceguard. Serviceguard simply ensures that for each capacity configured for a node, the
combined weight of packages currently running on that node does not exceed that capacity.
For example, if you define a CAPACITY_NAME and weight_name processor, and a
CAPACITY_NAME and weight_name memory, and a node has a processor capacity of 10
and a memory capacity of 1000, Serviceguard ensures that the combined processor weight
of packages running on the node at any one time does not exceed 10, and that the combined

122 Planning and Documenting an HA Cluster


memory weight does not exceed 1000. But Serviceguard has no knowledge of the real-world
meanings of the names processor and memory; there is no mapping to actual processor and
memory usage and you would get exactly the same results if you used the names apples and
oranges.
For example, suppose you have the following configuration:
A two node cluster running four packages. These packages contend for resource we'll simply
call A and B.
node1 has a capacity of 80 for A and capacity of 50 for B.
node2 has a capacity of 60 for A and capacity of 70 for B.
pkg1 uses 60 of the A capacity and 15 of the B capacity.
pkg2 uses 40 of the A capacity and 15 of the B capacity.
pkg3 uses insignificant amount (zero) of the A capacity and 35 of the B capacity.
pkg4 uses 20 of the A capacity and 40 of the B capacity.
pkg1 and pkg2 together require 100 of the A capacity and 30 of the B capacity. This means
pkg1 and pkg2 cannot run together on either of the nodes. While both nodes have sufficient B
capacity to run both packages at the same time, they do not have sufficient A capacity.
pkg3 and pkg4 together require 20 of the A capacity and 75 of the B capacity. This means pkg3
and pkg4 cannot run together on either of the nodes. While both nodes have sufficient A capacity
to run both packages at the same time, they do not have sufficient B capacity.

4.8.10.4.1.1 Example 2
To define these capacities, and set limits for individual nodes, make entries such as the following
in the cluster configuration file:
CLUSTER_NAME cluster_23
...
NODE_NAME node1
...
CAPACITY_NAME A
CAPACITY_VALUE 80
CAPACITY_NAME B
CAPACITY_VALUE 50
NODE_NAME node2
CAPACITY_NAME A
CAPACITY_VALUE 60
CAPACITY_NAME B
CAPACITY_VALUE 70
...

4.8 Package Configuration Planning 123


NOTE: You do not have to define capacities for every node in the cluster. If any capacity is not
defined for any node, Serviceguard assumes that node has an infinite amount of that capacity. In
our example, not defining capacity A for a given node would automatically mean that node could
run pkg1 and pkg2 at the same time no matter what A weights you assign those packages; not
defining capacity B would mean the node could run pkg3 and pkg4 at the same time; and not
defining either one would mean the node could run all four packages simultaneously.
When you have defined the nodes' capacities, the next step is to configure the package weights;
see Defining Weights.

4.8.10.4.2 Defining Weights


Package weights correspond to node capacities, and for any capacity/weight pair,
CAPACITY_NAME and weight_name must be identical.
You define weights for individual packages in the package configuration file, but you can also
define a cluster-wide default value for a given weight, and, if you do, this default will specify the
weight of all packages that do not explicitly override it in their package configuration file.

NOTE: There is one exception: system multi-node packages cannot have weight, so a cluster-wide
default weight does not apply to them.

4.8.10.4.2.1 Defining Default Weights


To pursue the example begun under Defining Capacities (page 122), let's assume that all packages
other than pkg1 and pkg2 use about the same amount of capacity A, and all packages other than
pkg3 and pkg4 use about the same amount of capacity B. You can use the WEIGHT_DEFAULT
parameter in the cluster configuration file to set defaults for both weights, as follows.

4.8.10.4.2.1.1 Example 3
WEIGHT_NAME A
WEIGHT_DEFAULT 20
WEIGHT_NAME B
WEIGHT_DEFAULT 15
This means that any package for which weight A is not defined in its package configuration file
will have a weight A of 20, and any package for which weight B is not defined in its package
configuration file will have a weight B of 15.
Given the capacities we defined in the cluster configuration file (see Defining Capacities), node1
can run any three packages that use the default for both A and B. This would leave 20 units of
spare A capacity on this node, and 5 units of spare B capacity.

4.8.10.4.2.2 Defining Weights for Individual Packages


For each capacity you define in the cluster configuration file (see Defining Capacities) you have
the following choices when it comes to assigning a corresponding weight to a given package:
1. Configure a cluster-wide default weight and let the package use that default.
2. Configure a cluster-wide default weight but override it for this package in its package
configuration file.
3. Do not configure a cluster-wide default weight, but assign a weight to this package in its
package configuration file.
4. Do not configure a cluster-wide default weight and do not assign a weight for this package
in its package configuration file.

124 Planning and Documenting an HA Cluster


NOTE: Option 4 means that the package is weightless as far as this particular capacity is
concerned, and can run even on a node on which this capacity is completely consumed by other
packages.
(You can make a package weightless for a given capacity even if you have defined a cluster-wide
default weight; simply set the corresponding weight to zero in the package's cluster configuration
file.)

Pursuing the example started under Defining Capacities (page 122), we can now use options 1
and 2 to set weights for pkg1 through pkg4.

4.8.10.4.2.2.1 Example 4
In pkg1's package configuration file:
weight_name A
weight_value 60
In pkg2's package configuration file:
weight_name A
weight_value 40
In pkg3's package configuration file:
weight_name B
weight_value 35
weight_name A
weight_value 0
In pkg4's package configuration file:
weight_name B
weight_value 40

IMPORTANT: weight_name in the package configuration file must exactly match the
corresponding CAPACITY_NAME in the cluster configuration file. This applies to case as well as
spelling: weight_name a would not match CAPACITY_NAME A.
You cannot define a weight unless the corresponding capacity is defined: cmapplyconf will fail
if you define a weight in the package configuration file and no node in the package's node_name
list (page 176) has specified a corresponding capacity in the cluster configuration file; or if you
define a default weight in the cluster configuration file and no node in the cluster specifies a
capacity of the same name.

Some points to notice about this example:


Since we did not configure a B weight for pkg1 or pkg2, these packages have the default B
weight (15) that we set in the cluster configuration file in Example 3 (page 124). Similarly,
pkg4 has the default A weight (20).
We have configured pkg3 to have a B weight of 35, but no A weight.
pkg1 will consume all of node2's A capacity; no other package that has A weight can run
on this node while pkg1 is running there.
But node2 could still run pkg3 while running pkg1, because pkg3 has no A weight, and
pkg1 is consuming only 15 units (the default) of node2's B capacity, leaving 35 available
to pkg3 (assuming no other package that has B weight is already running there).

Similarly, if any package that has A weight is already running on node2, pkg1 will not be
able to start there (unless pkg1 has sufficient priority to force another package or packages

4.8 Package Configuration Planning 125


to move; see How Package Weights Interact with Package Priorities and Dependencies
(page 126)). This is true whenever a package has a weight that exceeds the available amount
of the corresponding capacity on the node.

4.8.10.5 Rules and Guidelines


The following rules and guidelines apply to both the Simple Method (page 121) and the
Comprehensive Method (page 122) of configuring capacities and weights.
You can define a maximum of four capacities, and corresponding weights, throughout the
cluster.

NOTE: But if you use the reserved CAPACITY_NAME package_limit, you can define
only that single capacity and corresponding weight. See Simple Method (page 121).

Node capacity is defined in the cluster configuration file, via the CAPACITY_NAME and
CAPACITY_VALUE parameters.
Capacities can be added, changed, and deleted while the cluster is running. This can cause
some packages to be moved, or even halted and not restarted.
Package weight can be defined in cluster configuration file, via the WEIGHT_NAME and
WEIGHT_DEFAULT parameters, or in the package configuration file, via the weight_name
and weight_value parameters, or both.
Weights can be assigned (and WEIGHT_DEFAULTs, apply) only to multi-node packages and
to failover packages whose failover_policy (page 178) is configured_node and whose
failback_policy (page 179) is manual.
If you define weight (weight_name and weight_value) for a package, make sure you
define the corresponding capacity (CAPACITY_NAME and CAPACITY_VALUE) in the cluster
configuration file for at least one node on the package's node_name list (page 176). Otherwise
cmapplyconf will fail when you try to apply the package.
Weights (both cluster-wide WEIGHT_DEFAULTs, and weights defined in the package
configuration files) can be changed while the cluster is up and the packages are running. This
can cause some packages to be moved, or even halted and not restarted.

4.8.10.6 For More Information


For more information about capacities, see the comments under CAPACITY_NAME and
CAPACITY_VALUE in:
the cluster configuration file
the cmquerycl (1m) manpage
the section Cluster Configuration Parameters (page 90) in this manual.
For more information about weights, see the comments under weight_name and weight_value
in:
the package configuration file
the cmmakepkg (1m) manpage
the section Package Parameter Explanations (page 174) in this manual.
For further discussion and use cases, see the white paper Using Serviceguards Node Capacity
and Package Weight Feature at http://www.hp.com/go/linux-serviceguard-docs.

4.8.10.7 How Package Weights Interact with Package Priorities and Dependencies
If necessary, Serviceguard will halt a running lower-priority package that has weight to make room
for a higher-priority package that has weight. But a running package that has no priority (that is,

126 Planning and Documenting an HA Cluster


its priority is set to the default, no_priority) will not be halted to make room for a down
package that has no priority. Between two down packages without priority, Serviceguard will
decide which package to start if it cannot start them both because there is not enough node capacity
to support their weight.

4.8.10.7.1 Example 1
pkg1 is configured to run on nodes turkey and griffon. It has a weight of 1 and a priority
of 10. It is down and has switching disabled.
pkg2 is configured to run on nodes turkey and griffon. It has a weight of 1 and a priority
of 20. It is running on node turkey and has switching enabled.
turkey and griffon can run one package each (package_limit is set to 1).
If you enable switching for pkg1, Serviceguard will halt the lower-priority pkg2 on turkey. It
will then start pkg1 on turkey and restart pkg2 on griffon.
If neither pkg1 nor pkg2 had priority, pkg2 would continue running on turkey and pkg1 would
run on griffon.

4.8.10.7.2 Example 2
pkg1 is configured to run on nodes turkey and griffon. It has a weight of 1 and a priority
of 10. It is running on node turkey and has switching enabled.
pkg2 is configured to run on nodes turkey and griffon. It has a weight of 1 and a priority
of 20. It is running on node turkey and has switching enabled.
pkg3 is configured to run on nodes turkey and griffon. It has a weight of 1 and a priority
of 30. It is down and has switching disabled.
pkg3 has a same_node dependency on pkg2
turkey and griffon can run two packages each (package_limit is set to 2).
If you enable switching for pkg3, it will stay down because pkg2, the package it depends on, is
running on node turkey, which is already running two packages (its capacity limit). pkg3 has
a lower priority than pkg2, so it cannot drag it to griffon where they both can run.

4.8.11 About External Scripts


As of Serviceguard A.11.18, the package configuration template for modular packages explicitly
provides for external scripts. These replace the CUSTOMER DEFINED FUNCTIONS in legacy
scripts and can be run either:
On package startup and shutdown, as essentially the first and last functions the package
performs. These scripts are invoked by means of the parameter external_pre_script
(page 190); or
During package execution, after volume-groups and file systems are activated, and IP addresses
are assigned, and before the service and resource functions are executed; and again, in the
reverse order, on package shutdown. These scripts are invoked by means of the parameter
external_script (page 190).
The scripts are also run when the package is validated by cmcheckconf and cmapplyconf.
A package can make use of both kinds of script, and can launch more than one of each kind; in
that case the scripts will be executed in the order they are listed in the package configuration file
(and in the reverse order when the package shuts down).
In some cases you can rename or replace an external script while the package that uses it is
running; see Renaming or Replacing an External Script Used by a Running Package (page 241).
Each external script must have three entry points: start, stop, and validate, and should exit
with one of the following values:

4.8 Package Configuration Planning 127


0 - indicating success.
1 - indicating the package will be halted, and should not be restarted, as a result of failure
in this script.
2 - indicating the package will be restarted on another node, or halted if no other node is
available.

NOTE: In the case of the validate entry point, exit values 1 and 2 are treated the same; you
can use either to indicate that validation failed.
The script can make use of a standard set of environment variables (including the package name,
SG_PACKAGE, and the name of the local node, SG_NODE) exported by the package manager or
the master control script that runs the package; and can also call a function to source in a logging
function and other utility functions. One of these functions, sg_source_pkg_env(), provides
access to all the parameters configured for this package, including package-specific environment
variables configured via the pev_ parameter (page 190).

NOTE: Some variables, including SG_PACKAGE, and SG_NODE, are available only at package
run and halt time, not when the package is validated. You can use SG_PACKAGE_NAME at validation
time as a substitute for SG_PACKAGE.
For more information, see the template in $SGCONF/examples/external_script.template.
A sample script follows. It assumes there is another script called monitor.sh, which will be
configured as a Serviceguard service to monitor some application. The monitor.sh script (not
included here) uses a parameter PEV_MONITORING_INTERVAL, defined in the package
configuration file, to periodically poll the application it wants to monitor; for example:
PEV_MONITORING_INTERVAL 60
At validation time, the sample script makes sure the PEV_MONITORING_INTERVAL and the
monitoring service are configured properly; at start and stop time it prints out the interval to the
log file.
#!/bin/sh
# Source utility functions.
if [[ -z $SG_UTILS ]]
then
. $SGCONF.conf
SG_UTILS=$SGCONF/scripts/mscripts/utils.sh
fi

if [[ -f ${SG_UTILS} ]]; then


. ${SG_UTILS}
if (( $? != 0 ))
then
echo "ERROR: Unable to source package utility functions file: ${SG_UTILS}"
exit 1
fi
else
echo "ERROR: Unable to find package utility functions file: ${SG_UTILS}"
exit 1
fi

# Get the environment for this package through utility function


# sg_source_pkg_env().
sg_source_pkg_env $*

function validate_command
{

typeset -i ret=0
typeset -i i=0
typeset -i found=0
# check PEV_ attribute is configured and within limits
if [[ -z PEV_MONITORING_INTERVAL ]]
then
sg_log 0 "ERROR: PEV_MONITORING_INTERVAL attribute not configured!"
ret=1
elif (( PEV_MONITORING_INTERVAL < 1 ))
then
sg_log 0 "ERROR: PEV_MONITORING_INTERVAL value ($PEV_MONITORING_INTERVAL) not within legal limits!"
ret=1
fi
# check monitoring service we are expecting for this package is configured

128 Planning and Documenting an HA Cluster


while (( i < ${#SG_SERVICE_NAME[*]} ))
do
case ${SG_SERVICE_CMD[i]} in
*monitor.sh*) # found our script
found=1
break
;;
*)
;;
esac
(( i = i + 1 ))
done
if (( found == 0 ))
then
sg_log 0 "ERROR: monitoring service not configured!"
ret=1
fi
if (( ret == 1 ))
then
sg_log 0 "Script validation for $SG_PACKAGE_NAME failed!"
fi
return $ret
}

function start_command
{ sg_log 5 "start_command"

# log current PEV_MONITORING_INTERVAL value, PEV_ attribute can be changed


# while the package is running
sg_log 0 "PEV_MONITORING_INTERVAL for $SG_PACKAGE_NAME is $PEV_MONITORING_INTERVAL"
return 0
}

function stop_command
{

sg_log 5 "stop_command"
# log current PEV_MONITORING_INTERVAL value, PEV_ attribute can be changed
# while the package is running
sg_log 0 "PEV_MONITORING_INTERVAL for $SG_PACKAGE_NAME is $PEV_MONITORING_INTERVAL"
return 0
}
typeset -i exit_val=0
case ${1} in
start)
start_command $*
exit_val=$?
;;
stop)
stop_command $*
exit_val=$?
;;
validate)
validate_command $*
exit_val=$?
;;
*)
sg_log 0 "Unknown entry point $1"
;;
esac
exit $exit_val

4.8.11.1 Using Serviceguard Commands in an External Script


You can use Serviceguard commands (such as cmmodpkg) in an external script. These commands
must not interact with the package itself (that is, the package that runs the external script) but can
interact with other packages. But be careful how you code these interactions.
If a Serviceguard command interacts with another package, be careful to avoid command loops.
For instance, a command loop might occur under the following circumstances. Suppose a pkg1
script does a cmmodpkg -d of pkg2, and a pkg2 script does a cmmodpkg -d of pkg1. If both
pkg1 and pkg2 start at the same time, the pkg1 script now tries to cmmodpkg pkg2. But that
cmmodpkg command has to wait for pkg2 startup to complete. The pkg2 script tries to cmmodpkg
pkg1, but pkg2 has to wait for pkg1 startup to complete, thereby causing a command loop.
To avoid this situation, it is a good idea to specify a run_script_timeout and
halt_script_timeout for all packages, especially packages that use Serviceguard commands
in their external scripts. If a timeout is not specified and your package has a command loop as
described above, inconsistent results can occur, including a hung cluster.

NOTE: cmhalt operations interact with all the packages and should not be used from external
scripts.

4.8 Package Configuration Planning 129


4.8.11.2 Determining Why a Package Has Shut Down
You can use an external script (or CUSTOMER DEFINED FUNCTIONS area of a legacy package
control script) to find out why a package has shut down.
Serviceguard sets the environment variable SG_HALT_REASON in the package control script to
one of the following values when the package halts:
failure - set if the package halts because of the failure of a subnet, resource, or service it
depends on
user_halt - set if the package is halted by a cmhaltpkg or cmhaltnode command, or
by corresponding actions in Serviceguard Manager
automatic_halt - set if the package is failed over automatically because of the failure of
a package it depends on, or is failed back to its primary node automatically
(failback_policy = automatic)
You can add custom code to the package to interrogate this variable, determine why the package
halted, and take appropriate action. For legacy packages, put the code in the
customer_defined_halt_cmds() function in the CUSTOMER DEFINED FUNCTIONS area
of the package control script (see Adding Customer Defined Functions to the Package Control
Script (page 237)); for modular packages, put the code in the packages external script (see
About External Scripts (page 127)).
For example, if a database package is being halted by an administrator (SG_HALT_REASON set
to user_halt) you would probably want the custom code to perform an orderly shutdown of the
database; on the other hand, a forced shutdown might be needed if SG_HALT_REASON is set to
failure, indicating thatthe package is halting abnormally (for example, because of the
failure of a service it depends on).

4.8.11.2.1 last_halt_failed Flag


cmviewcl -v -f line displays a last_halt_failed flag.

NOTE: last_halt_failed appears only in the line output of cmviewcl, not the default
tabular format; you must use the -f line option to see it.
The value of last_halt_failed is no if the halt script ran successfully, or has not run since the
node joined the cluster, or has not run since the package was configured to run on the node;
otherwise it is yes.

4.8.12 About Cross-Subnet Failover


It is possible to configure a cluster that spans subnets joined by a router, with some nodes using
one subnet and some another. This is known as a cross-subnet configuration; see Cross-Subnet
Configurations (page 27). In this context, you can configure packages to fail over from a node
on one subnet to a node on another.
The implications for configuring a package for cross-subnet failover are as follows:
For modular packages, you must configure two new parameters in the package configuration
file to allow packages to fail over across subnets:
ip_subnet_node (page 183) - to indicate which nodes a subnet is configured on

monitored_subnet_access (page 182) - to indicate whether a monitored subnet is


configured on all nodes ( FULL) or only some (PARTIAL). (Leaving

130 Planning and Documenting an HA Cluster


monitored_subnet_access unconfigured for a monitored subnet is equivalent to
FULL).
(For legacy packages, see Configuring Cross-Subnet Failover (page 239)).
You should not use the wildcard (*) for node_name in the package configuration file, as this
could allow the package to fail over across subnets when a node on the same subnet is eligible;
failing over across subnets can take longer than failing over on the same subnet. List the nodes
in order of preference instead of using the wildcard.
Deploying applications in this environment requires careful consideration; see Implications
for Application Deployment (page 131).
If a monitored_subnet is configured for PARTIAL monitored_subnet_access in a
packages configuration file, it must be configured on at least one of the nodes on the
node_name list (page 176) for that package.
Conversely, if all of the subnets that are being monitored for this package are configured for
PARTIAL access, each node on the node_name list must have at least one of these subnets
configured.

As in other cluster configurations, a package will not start on a node unless the subnets
configured on that node, and specified in the package configuration file as monitored
subnets, are up.

4.8.12.1 Implications for Application Deployment


Because the relocatable IP address will change when a package fails over to a node on another
subnet, you need to make sure of the following:
The hostname used by the package is correctly remapped to the new relocatable IP address.
The application that the package runs must be configured so that the clients can reconnect to
the packages new relocatable IP address.
In the worst case (when the server where the application was running is down), the client may
continue to retry the old IP address until TCPs tcp_timeout is reached (typically about ten
minutes), at which point it will detect the failure and reset the connection.
For more information, see the white paper Technical Considerations for Creating a Serviceguard
Cluster that Spans Multiple IP Subnets at http://www.hp.com/go/hpux-serviceguard-docs (Select
HP Serviceguard).

4.8.12.2 Configuring a Package to Fail Over across Subnets: Example


To configure a package to fail over across subnets, you need to make some additional edits to the
package configuration file.

NOTE: This section provides an example for a modular package; for legacy packages, see
Configuring Cross-Subnet Failover (page 239).
Suppose that you want to configure a package, pkg1, so that it can fail over among all the nodes
in a cluster comprising NodeA, NodeB, NodeC, and NodeD.
NodeA and NodeB use subnet 15.244.65.0, which is not used by NodeC and NodeD; and
NodeC and NodeD use subnet 15.244.56.0, which is not used by NodeA and NodeB. (See
Obtaining Cross-Subnet Information (page 156) for sample cmquerycl output).

4.8.12.2.1 Configuring node_name


First you need to make sure that pkg1 will fail over to a node on another subnet only if it has to.
For example, if it is running on NodeA and needs to fail over, you want it to try NodeB, on the
same subnet, before incurring the cross-subnet overhead of failing over to NodeC or NodeD.

4.8 Package Configuration Planning 131


Assuming nodeA is pkg1s primary node (where it normally starts), create node_name entries in
the package configuration file as follows:
node_name nodeA
node_name nodeB
node_name nodeC
node_name nodeD

4.8.12.2.2 Configuring monitored_subnet_access


In order to monitor subnet 15.244.65.0 or 15.244.56.0, depending on where pkg1 is running,
you would configure monitored_subnet and monitored_subnet_access in pkg1s
package configuration file as follows:
monitored_subnet 15.244.65.0
monitored_subnet_access PARTIAL
monitored_subnet 15.244.56.0
monitored_subnet_access PARTIAL

NOTE: Configuring monitored_subnet_access as FULL (or not configuring


monitored_subnet_access) for either of these subnets will cause the package configuration
to fail, because neither subnet is available on all the nodes.

4.8.12.2.3 Configuring ip_subnet_node


Now you need to specify which subnet is configured on which nodes. In our example, you would
do this by means of entries such as the following in the package configuration file:
ip_subnet 15.244.65.0
ip_subnet_node nodeA
ip_subnet_node nodeB
ip_address 15.244.65.82
ip_address 15.244.65.83
ip_subnet 15.244.56.0
ip_subnet_node nodeC
ip_subnet_node nodeD
ip_address 15.244.56.100
ip_address 15.244.56.101

4.8.13 Configuring a Package: Next Steps


When you are ready to start configuring a package, proceed to Chapter 6: Configuring Packages
and Their Services (page 169); start with Choosing Package Modules (page 169). (If you find it
helpful, you can assemble your package configuration data ahead of time on a separate worksheet
for each package; blank worksheets are in Appendix C).

4.9 Planning for Changes in Cluster Size


If you intend to add additional nodes to the cluster online (while it is running) ensure that they are
connected to the same heartbeat subnets and to the same lock disks as the other cluster nodes.
In selecting a cluster lock configuration, be careful to anticipate any potential need for additional
cluster nodes. Remember that while a two-node cluster must use a cluster lock, a cluster of more
than four nodes must not use a lock LUN, but can use a quorum server. So if you will eventually
need five nodes, you should build an initial configuration that uses a quorum server.

132 Planning and Documenting an HA Cluster


If you intend to remove a node from the cluster configuration while the cluster is running, ensure
that the resulting cluster configuration will still conform to the rules for cluster locks described above.
See Cluster Lock Planning (page 84) for more information.
If you are planning to add a node online, and a package will run on the new node, ensure that
any existing cluster-bound volume groups for the package have been imported to the new node.
Also, ensure that the MAX_CONFIGURED_PACKAGES parameter is set high enough to accommodate
the total number of packages you will be using; see Cluster Configuration Parameters (page 90).

4.9 Planning for Changes in Cluster Size 133


134
5 Building an HA Cluster Configuration
This chapter and the next take you through the configuration tasks required to set up a Serviceguard
cluster. You carry out these procedures on one node, called the configuration node, and
Serviceguard distributes the resulting binary file to all the nodes in the cluster. In the examples in
this chapter, the configuration node is named ftsys9, and the sample target node is called
ftsys10.
This chapter covers the following major topics:
Preparing Your Systems
Configuring the Cluster (page 153)
Managing the Running Cluster (page 164)
Rebuilding the Deadman Driver (page 167)
Configuring packages is described in the next chapter.
Use the Serviceguard manpages for each command to obtain full information about syntax and
usage.

5.1 Preparing Your Systems


Before configuring your cluster, ensure that Serviceguard is installed on all cluster nodes, and that
all nodes have the appropriate security files, kernel configuration and NTP (network time protocol)
configuration.

5.1.1 Installing and Updating Serviceguard


For information about installing and updating Serviceguard, see the Release Notes for your version
at http://www.hp.com/go/linux-serviceguard-docs.
Alternatively, you can use cmeasyinstall script for installing and updating Serviceguard. For
more information, see HP Serviceguard for Linux Version A.11.20 Deployment Guide at http://
www.hp.com/go/linux-serviceguard-docs.

5.1.2 Understanding the Location of Serviceguard Files


Serviceguard uses a special file, /etc/cmcluster.conf, to define the locations for configuration
and log files within the Linux file system. The different distributions may use different locations. The
following are example locations for a Red Hat distribution:
############################## cmcluster.conf ###########################
#
# Highly Available Cluster file locations
#
# This file must not be edited
#########################################################################
SGROOT=/usr/local/cmcluster # SG root directory
SGCONF=/usr/local/cmcluster/conf # configuration files
SGSBIN=/usr/local/cmcluster/bin # binaries
SGLBIN=/usr/local/cmcluster/bin # binaries
SGLIB=/usr/local/cmcluster/lib # libraries
SGRUN=/usr/local/cmcluster/run # location of core dumps from daemons
SGAUTOSTART=/usr/local/cmcluster/conf/cmcluster.rc # SG Autostart file
The following are example locations for a SUSE distribution:
############################## cmcluster.conf ###########################
#
# Highly Available Cluster file locations
#
# This file must not be edited

5.1 Preparing Your Systems 135


#########################################################################
SGROOT=/opt/cmcluster # SG root directory
SGCONF=/opt/cmcluster/conf # configuration files
SGSBIN=/opt/cmcluster/bin # binaries
SGLBIN=/opt/cmcluster/bin # binaries
SGLIB=/opt/cmcluster/lib # libraries
SGRUN=/opt/cmcluster/run # location of core dumps from daemons
SGAUTOSTART=/opt/cmcluster/conf/cmcluster.rc # SG Autostart file
Throughout this document, system filenames are usually given with one of these location prefixes.
Thus, references to $SGCONF/<FileName> can be resolved by supplying the definition of the
prefix that is found in this file. For example, if SGCONF is /usr/local/cmcluster/conf, then
the complete pathname for file $SGCONF/cmclconfig would be
/usr/local/cmcluster/conf/cmclconfig.

5.1.3 Enabling Serviceguard Command Access


To allow the creation of a Serviceguard configuration, you should complete the following steps on
all cluster nodes before running any Serviceguard commands. Alternatively, you can also use
cmpreparecl to configure the nodes. For more information, see cmpreparecl(1M) .
1. Make sure the root users path includes the Serviceguard executables. If the Serviceguard
commands are not accessible, run the following commands:
. /etc/profile.d/serviceguard.sh for Bourne-type shells
. /etc/profile.d/serviceguard.csh for C-type shells
2. Edit the /etc/man.config file for Red Hat Enterprise Linux Server and /etc/
manpath.config file for SUSE Linux Enterprise Server to include the following:
For Red Hat Enterprise Linux Server:
MANPATH /usr/local/cmcluster/doc/man
For SUSE Linux Enterprise Server:
MANDATORY_MANPATH` /opt/cmcluster/doc/man
This will allow use of the Serviceguard man pages.

NOTE: Update the $MANPATH environment variable with /opt/cmcluster/doc/man/.

3. Enable use of Serviceguard variables.


If the Serviceguard variables are not defined on your system, then include the file /etc/
cmcluster.conf in your login profile for user root:
. /etc/cmcluster.conf
You can confirm the access to the one of the variables as follows:
cd $SGCONF

5.1.4 Configuring Root-Level Access


The subsections that follow explain how to set up root access between the nodes in the prospective
cluster. (When you proceed to configuring the cluster, you will define various levels of non-root
access as well; see Controlling Access to the Cluster (page 158)).

NOTE: For more information and advice, see the white paper Securing Serviceguard at http://
www.hp.com/go/hpux-serviceguard-docs (Select HP Serviceguard -> White Papers).

5.1.4.1 Allowing Root Access to an Unconfigured Node


To enable a system to be included in a cluster, you must enable Linux root access to the system by
the root user of every other potential cluster node. The Serviceguard mechanism for doing this is

136 Building an HA Cluster Configuration


the file $SGCONF/cmclnodelist. This is sometimes referred to as a bootstrap file because
Serviceguard consults it only when configuring a node into a cluster for the first time; it is ignored
after that. It does not exist by default, but you will need to create it.
You may want to add a comment such as the following at the top of the file:
###########################################################
# Do not edit this file!
# Serviceguard uses this file only to authorize access to an
# unconfigured node. Once the node is configured,
# Serviceguard will not consult this file.
###########################################################
The format for entries in cmclnodelist is as follows:
[hostname] [user] [#Comment]
For example:
gryf root #cluster1, node1
sly root #cluster1, node2
bit root #cluster1, node3
This example grants root access to the node on which this cmclnodelist file resides to root users
on the nodes gryf, sly, and bit.
Serviceguard also accepts the use of a + in the cmclnodelist file; this indicates that the root
user on any Serviceguard node can configure Serviceguard on this node.

IMPORTANT: If $SGCONF/cmclnodelist does not exist, Serviceguard will look at ~/.rhosts.


HP strongly recommends that you use cmclnodelist.

NOTE: When you upgrade a cluster from Version A.11.15 or earlier, entries in
$SGCONF/cmclnodelist are automatically updated to Access Control Policies in the cluster
configuration file. All non-root user-hostname pairs are assigned the role of Monitor.

5.1.4.2 Ensuring that the Root User on Another Node Is Recognized


The Linux root user on any cluster node can configure the cluster. This requires that Serviceguard
on one node be able to recognize the root user on another.
Serviceguard uses the identd daemon to verify user names, and, in the case of a root user,
verification succeeds only if identd returns the username root. Because identd may return the
username for the first match on UID 0, you must check /etc/passwd on each node you intend
to configure into the cluster, and ensure that the entry for the root user comes before any other
entry with a UID of 0.

5.1.4.2.1 About identd


HP strongly recommends that you use identd for user verification, so you should make sure that
each prospective cluster node is configured to run it. identd is usually started from /etc/init.d/
xinetd.
(It is possible to disable identd, though HP recommends against doing so. If for some reason
you have to disable identd, see Disabling identd (page 166)).
For more information about identd, see the white paper Securing Serviceguard at http://
www.hp.com/go/hpux-serviceguard-docs (Select HP Serviceguard -> White Papers), and the
identd manpage.

5.1.5 Configuring Name Resolution


Serviceguard uses the name resolution services built into Linux.

5.1 Preparing Your Systems 137


Serviceguard nodes can communicate over any of the clusters shared networks, so the network
resolution service you are using (such as DNS, NIS, or LDAP) must be able to resolve each of their
primary addresses on each of those networks to the primary hostname of the node in question.
In addition, HP recommends that you define name resolution in each nodes /etc/hosts file,
rather than rely solely on a service such as DNS. Configure the name service switch to consult the
/etc/hosts file before other services. See Safeguarding against Loss of Name Resolution
Services (page 139) for instructions.

NOTE: If you are using private IP addresses for communication within the cluster, and these
addresses are not known to DNS (or the name resolution service you use) these addresses must
be listed in /etc/hosts.
For requirements and restrictions that apply to IPv6only clusters and mixed-mode clusters, see
Rules and Restrictions for IPv6-Only Mode (page 89) and Rules and Restrictions for Mixed
Mode (page 90), respectively, and the latest version of the Serviceguard release notes.

For example, consider a two node cluster (gryf and sly) with two private subnets and a public
subnet. These nodes will be granting access by a non-cluster node (bit) which does not share the
private subnets. The /etc/hosts file on both cluster nodes should contain:
15.145.162.131 gryf.uksr.hp.com gryf
10.8.0.131 gryf.uksr.hp.com gryf
10.8.1.131 gryf.uksr.hp.com gryf

15.145.162.132 sly.uksr.hp.com sly


10.8.0.132 sly.uksr.hp.com sly
10.8.1.132 sly.uksr.hp.com sly

15.145.162.150 bit.uksr.hp.com bit


Keep the following rules in mind when creating entries in a Serviceguard node's/etc/hosts:
1. NODE_NAME in the cluster configuration file must be identical to the hostname which is the
first element of a fully qualified domain name (a name with four elements separated by periods).
This hostname is what is returned by the hostname(1) command. For example, the
NODE_NAME should be gryf rather than gryf.uksr.hp.com. For more information, see
the NODE_NAME entry under Cluster Configuration Parameters (page 90).

NOTE: Since Serviceguard recognizes only the hostname, gryf.uksr.hp.com and


gryf.cup.hp.com cannot be nodes in the same cluster, Serviceguard identifies them as the
same host gryf.

2. All primary IP addresses configured.

NOTE: Serviceguard recognizes only the hostname (the first element) in a fully qualified domain
name (a name like those in the example above). This means, for example, that gryf.uksr.hp.com
and gryf.cup.hp.com cannot be nodes in the same cluster, as Serviceguard would see them
as the same host gryf.
If applications require the use of hostname aliases, the Serviceguard hostname must be one of the
aliases in all the entries for that host. For example, if the two-node cluster in the previous example
were configured to use the alias hostnames alias-node1 and alias-node2, then the entries
in /etc/hosts should look something like this:
15.145.162.131 gryf.uksr.hp.com gryf1 alias-node1
10.8.0.131 gryf.uksr.hp.com gryf2 alias-node1
10.8.1.131 gryf.uksr.hp.com gryf3 alias-node1
15.145.162.132 sly.uksr.hp.com sly1 alias-node2
10.8.0.132 sly.uksr.hp.com sly2 alias-node2
10.8.1.132 sly.uksr.hp.com sly3 alias-node2

138 Building an HA Cluster Configuration


IMPORTANT: Serviceguard does not support aliases for IPv6 addresses.
For information about configuring an IPv6only cluster, or a cluster that uses a combination of IPv6
and IPv4 addresses for the nodes' hostnames, see About Hostname Address Families: IPv4-Only,
IPv6-Only, and Mixed Mode (page 88).

5.1.5.1 Safeguarding against Loss of Name Resolution Services


When you employ any user-level Serviceguard command (including cmviewcl), the command
uses the name service you have configured (such as DNS) to obtain the addresses of all the cluster
nodes. If the name service is not available, the command could hang or return an unexpected
networking error message.

NOTE: If such a hang or error occurs, Serviceguard and all protected applications will continue
working even though the command you issued does not. That is, only the Serviceguard configuration
commands (and corresponding Serviceguard Manager functions) are affected, not the cluster
daemon or package services.
The procedure that follows shows how to create a robust name-resolution configuration that will
allow cluster nodes to continue communicating with one another if a name service fails.
1. Edit the /etc/hosts file on all nodes in the cluster. Add name resolution for all heartbeat
IP addresses, and other IP addresses from all the cluster nodes; see Configuring Name
Resolution (page 137) for discussion and examples.

NOTE: For each cluster node, the public-network IP address must be the first address listed.
This enables other applications to talk to other nodes on public networks.

2. If you are using DNS, make sure your name servers are configured in /etc/resolv.conf,
for example:
domain cup.hp.com
search cup.hp.com hp.com
nameserver 15.243.128.51
nameserver 15.243.160.51
3. Edit or create the /etc/nsswitch.conf file on all nodes and add the following text, if it
does not already exist:
for DNS, enter (two lines) :
hosts: files [NOTFOUND=continue UNAVAIL=continue] dns [NOTFOUND=return UNAVAIL=return]

for NIS, enter (two lines) :


hosts: files [NOTFOUND=continue UNAVAIL=continue] nis [NOTFOUND=return UNAVAIL=return]

If a line beginning with the string hosts: already exists, then make sure that the text
immediately to the right of this string is (on one line):
files [NOTFOUND=continue UNAVAIL=continue] dns [NOTFOUND=return UNAVAIL=return]
or
files [NOTFOUND=continue UNAVAIL=continue] nis [NOTFOUND=return UNAVAIL=return]
This step is critical, allowing the cluster nodes to resolve hostnames to IP addresses while DNS,
NIS, or the primary LAN is down.
4. Create a $SGCONF/cmclnodelist file on all nodes that you intend to configure into the
cluster, and allow access by all cluster nodes. See Allowing Root Access to an Unconfigured
Node (page 136).

5.1 Preparing Your Systems 139


NOTE: HP recommends that you also make the name service itself highly available, either by
using multiple name servers or by configuring the name service into a Serviceguard package.

5.1.6 Ensuring Consistency of Kernel Configuration


Make sure that the kernel configurations of all cluster nodes are consistent with the expected
behavior of the cluster during failover. In particular, if you change any kernel parameters on one
cluster node, they may also need to be changed on other cluster nodes that can run the same
packages.

5.1.7 Enabling the Network Time Protocol


HP strongly recommends that you enable network time protocol (NTP) services on each node in
the cluster. The use of NTP, which runs as a daemon process on each system, ensures that the
system time on all nodes is consistent, resulting in consistent timestamps in log files and consistent
behavior of message services. This ensures that applications running in the cluster are correctly
synchronized. The NTP services daemon, xntpd, should be running on all nodes before you begin
cluster configuration. The NTP configuration file is /etc/ntp.conf.

5.1.8 Implementing Channel Bonding (Red Hat)


This section applies to Red Hat installations. If you are using a SUSE distribution, skip ahead to
the next section.
Channel bonding of LAN interfaces is implemented by the use of the bonding driver, which is
installed in the kernel at boot time. With this driver installed, the networking software recognizes
bonding definitions that are created in the /etc/sysconfig/network-scripts directory for
each bond. For example, the file named ifcfg-bond0 defines bond0 as the master bonding
unit, and the ifcfg-eth0 and ifcfg-eth1 scripts define each individual interface as a slave.
Bonding can be defined in different modes. Mode 0, which is used for load balancing, uses all
slave devices within the bond in parallel for data transmission. This can be done when the LAN
interface cards are connected to an Ethernet switch, with the ports on the switch configured as Fast
EtherChannel trunks. Two switches should be cabled together as an HA grouping to allow package
failover.
For high availability, in which one slave serves as a standby for the bond and the other slave
transmits data, install the bonding module in mode 1. This is most appropriate for dedicated
heartbeat connections that are cabled through redundant network hubs or switches that are cabled
together.
For more information on networking bonding, make sure you have installed the kernel-doc rpm,
and see:
/usr/share/doc/kernel-doc-<version>/Documentation/networking/bonding.txt

NOTE: HP recommends that you do the bonding configuration from the system console, because
you will need to restart networking from the console when the configuration is done.

5.1.8.1 Sample Configuration


Configure the following files to support LAN redundancy. For a single failover only one bond is
needed.
1. Create a bond0 file, ifcfg-bond0.
Create the configuration in the /etc/sysconfig/network-scripts directory. For
example, in the file, ifcfg-bond0, bond0 is defined as the master (for your installation,
substitute the appropriate values for your network instead of 192.168.1.1).
Include the following information in the ifcfg-bond0 file:

140 Building an HA Cluster Configuration


DEVICE=bond0
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
For Red Hat 5 and Red Hat 6 only, add the following line to the ifcfg-bond0file:
BONDING OPTS=miimon=100 mode=1
2. Create an ifcfg-ethn file for each interface in the bond. All interfaces should have SLAVE
and MASTER definitions. For example, in a bond that uses eth0 and eth1, edit the
ifcfg-eth0 file to appear as follows:
DEVICE=eth0
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
Edit the ifcfg-eth1 file to appear as follows:
DEVICE=eth1
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
For Red Hat 5 and Red Hat 6 only, add a line containing the hardware (MAC) address of
the interface to the corresponding ifcfg-ethn slave file, for example:
HWADDR=00:12:79:43:5b:f4
3. Add the following lines to /etc/modprobe.conf:
alias bond0 bonding options bond0 miimon=100 mode=1
Use MASTER=bond1 for bond1 if you have configured a second bonding interface, then add
the following after the first bond (bond0): options bond1 -o bonding1 miimon=100
mode=1

NOTE: During configuration, you need to make sure that the active slaves for the same bond on
each node are connected the same hub or switch. You can check on this by examining the file
/proc/net/bonding/bond<x>/info on each node. This file will show the active slave for
bond x.

5.1.8.2 Restarting Networking


Restart the networking subsystem. From the console of either node in the cluster, execute the
following command on a Red Hat system:
/etc/rc.d/init.d/network restart

NOTE: It is better not to restart the network from outside the cluster subnet, as there is a chance
the network could go down before the command can complete.
The command prints bringing up network statements.
If there was an error in any of the bonding configuration files, the network might not function
properly. If this occurs, check each configuration file for errors, then try to restart the network again.

5.1 Preparing Your Systems 141


5.1.8.3 Viewing the Configuration
You can test the configuration and transmit policy with ifconfig. For the configuration created
above, the display should look like this:
/sbin/ifconfig
bond0 Link encap:Ethernet HWaddr 00:C0:F0:1F:37:B4
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:7224794 errors:0 dropped:0 overruns:0 frame:0
TX packets:3286647 errors:1 dropped:0 overruns:1 carrier:0
collisions:0 txqueuelen:0

eth0 Link encap:Ethernet HWaddr 00:C0:F0:1F:37:B4


inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:3573025 errors:0 dropped:0 overruns:0 frame:0
TX packets:1643167 errors:1 dropped:0 overruns:1 carrier:0
collisions:0 txqueuelen:100
Interrupt:10 Base address:0x1080

eth1 Link encap:Ethernet HWaddr 00:C0:F0:1F:37:B4


inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:3651769 errors:0 dropped:0 overruns:0 frame:0
TX packets:1643480 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:9 Base address:0x1400

5.1.9 Implementing Channel Bonding (SUSE)


If you are using a Red Hat distribution, use the procedures described in the previous section. The
following applies only to the SUSE distributions.
First run yast/yast2 and configure Ethernet devices as DHCP so they create the
ifcfg-eth-id-<mac> files.
Next modify each of ifcfg-eth-id-<mac> files that you want to bond, they are located in
/etc/sysconfig/network, and change them from:
BOOTPROTO='dhcp'
MTU=''
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='gZD2.ZqnB7JKTdX0'
_nm_name='bus-pci-0000:00:0b.0'
to:
BOOTPROTO='none'
STARTMODE='onboot'
UNIQUE='gZD2.ZqnB7JKTdX0'
_nm_name='bus-pci-0000:00:0b.0'

NOTE: Do not change the UNIQUE and _nm_name parameters. You can leave MTU and
REMOTE_IPADDR in the file as long as they are not set.
Next, in /etc/sysconfig/network, edit your ifcfg-bond0 file so it looks like this:
BROADCAST='172.16.0.255'
BOOTPROTO='static'
IPADDR='172.16.0.1'
MTU=''
NETMASK='255.255.255.0'
NETWORK='172.16.0.0'

142 Building an HA Cluster Configuration


REMOTE_IPADDR=''
STARTMODE='onboot'
BONDING_MASTER='yes'
BONDING_MODULE_OPTS='miimon=100 mode=1'
BONDING_SLAVE0='eth0'
BONDING_SLAVE1='eth1'
The above example configures bond0 with mii monitor equal to 100 and active-backup mode.
Adjust the IP, BROADCAST, NETMASK, and NETWORK parameters to correspond to your
configuration.
As you can see, you are adding the configuration options BONDING_MASTER,
BONDING-MODULE_OPTS, and BONDING_SLAVE. BONDING-MODULE_OPTS are the additional
options you want to pass to the bonding module. You cannot pass max_bonds as an option, and
you do not need to because the ifup script will load the module for each bond needed.
BONDING_SLAVE tells ifup which Ethernet devices to enslave to bond0. So if you wanted to
bond four Ethernet devices you would add:
BONDING_SLAVE2='eth2'
BONDING_SLAVE3='eth3'

NOTE: Use ifconfig to find the relationship between eth IDs and the MAC addresses.
For more networking information on bonding, see
/usr/src/linux<kernel_version>/Documentation/networking/bonding.txt.

5.1.9.1 Restarting Networking


Restart the networking subsystem. From the console of any node in the cluster, execute the following
command on a SUSE system:
/etc/init.d/network restart

NOTE: It is better not to restart the network from outside the cluster subnet, as there is a chance
the network could go down before the command can complete.
If there is an error in any of the bonding configuration files, the network may not function properly.
If this occurs, check each configuration file for errors, then try to start the network again.

5.1.10 Setting up a Lock LUN


Serviceguard supports the usage of either a partitioned disk or a whole LUN as a lock LUN. This
section describes how to create a lock LUN on a partitioned disk and on a whole LUN.

NOTE: An iSCSI storage device does not support configuring a lock LUN.

Creating a Lock LUN on a Partitioned Disk


The lock LUN can be created on a partition of one cylinder of at least 100K defined (via the fdisk
command) as type Linux (83).
You will need the pathnames for the lock LUN as it is seen on each cluster node. On one node,
use the fdisk command to define a partition of 1 cylinder, type 83, on this LUN. Here is an
example:
Respond to the prompts as shown in the following table to set up the lock LUN partition:
fdisk <Lock LUN Device File>

5.1 Preparing Your Systems 143


Table 7 Changing Linux Partition Types
Prompt Response Action Performed

1. Command (m for help): n Create new partition

2. Partition number (1-4): 1 Partition affected

3. Hex code (L to list codes): 83 Set partition to type to Linux, default

Command (m for help): 1 Define first partition

Command (m for help): 1 Set size to 1 cylinder

Command (m for help): p Display partition data

Command (m for help): w Write data to the partition table

The following example of the fdisk dialog shows that the disk on the device file /dev/sdc is
set to Smart Array type partition, and appears as follows:
fdisk /dev/sdc
Command (m for help): n
Partition number (1-4): 1
HEX code (type L to list codes): 83
Command (m for help): 1
Command (m for help): 1

Command (m for help): p


Disk /dev/sdc: 64 heads, 32 sectors, 4067 cylinders
Units = cylinders of 2048 * 512 bytes

Device Boot Start End Blocks Id System


/dev/sdc 1 1 1008 83 Linux

Command (m for help): w


The partition table has been altered!

NOTE: Follow these rules:


Do not try to use LVM to configure the lock LUN.
The partition type must be 83.
Do not create any filesystem on the partition used for the lock LUN.
Do not use md to configure multiple paths to the lock LUN.
HP recommends that you can configure the same multipath device name for all the LUNs on
various nodes of a cluster, so that the administration of the cluster can be made easier.

To transfer the disk partition format to other nodes in the cluster use the command:
sfdisk -R <device>
where <device> corresponds to the same physical device as on the first node. For example, if
/dev/sdc is the device name on the other nodes use the command:
sfdisk -R /dev/sdc
You can check the partition table by using the command:
fdisk -l /dev/sdc

NOTE: fdisk may not be available for SUSE on all platforms. In this case, using YAST2 to set
up the partitions is acceptable.

144 Building an HA Cluster Configuration


Creating a Lock LUN on a Whole LUN
The lock LUN can be created on a whole LUN of at least 100K starting with the below patches.
On Red Hat Enterprise Linux server, you have to install the following patches on Serviceguard Linux
Version A.11.20.00:
SGLX_00339 for Red Hat Enterprise Linux 5 (x86_64 architecture)
SGLX_00340 for Red Hat Enterprise Linux 6 (x86_64 architecture)
Patches can be downloaded from HP Support Center at http://www.hp.com/go/hpsc.

NOTE: On SUSE Linux Enterprise Server, the patches are not required as this feature is supported
on Serviceguard Linux Version A.11.20.10 main release.

Support for Lock LUN Devices


The following table describes the support for lock LUN devices on udev and device mapper:

If udev device is selected as lock This is supported, but the same udev rules must be used across all nodes in the
LUN. cluster for the whole LUN or the partitioned LUN.

If /dev/disk/by-id, /dev/ This is not supported on a whole LUN or a partitioned LUN.


disk/by-path, and /dev/disk/
by-uuid device is selected as lock
LUN.

If /dev/dm-xx is selected as lock This is not supported on a whole LUN or a partitioned LUN.
LUN.

If /dev/mpath/mpathX is selected This is supported on a whole LUN and a partitioned LUN.


as lock LUN.

If /dev/mapper/mpathX This is supported on a whole LUN and a partitioned LUN.


(user-friendly names) is selected as
lock LUN.

If /dev/mapper/xxx(aliases) is This is supported on a whole LUN and a partitioned LUN.


selected as lock LUN.

5.1.11 Setting Up and Running the Quorum Server


If you will be using a quorum server rather than a lock LUN, the Quorum Server software must be
installed on a system other than the nodes on which your cluster will be running, and must be
running during cluster configuration.
For detailed discussion, recommendations, and instructions for installing, updating, configuring,
and running the Quorum Server, see the HP Serviceguard Quorum Server Version A.04.00 Release
Notes at http://www.hp.com/go/hpux-serviceguard-docs (Select HP Serviceguard Quorum Server
Software). See also the discussion of the QS_HOST and QS_ADDR parameters under Cluster
Configuration Parameters (page 90).

5.1.12 Creating the Logical Volume Infrastructure


Serviceguard makes use of shared disk storage. This is set up to provide high availability by using
redundant data storage and redundant paths to the shared devices. Storage for a Serviceguard
package is logically composed of LVM Volume Groups that are activated on a node as part of
starting a package on that node. Storage is generally configured on logical units (LUNs).
Disk storage for Serviceguard packages is built on shared disks that are cabled to multiple cluster
nodes. These are separate from the private Linux root disks, which include the boot partition and
root file systems. To provide space for application data on shared disks, create disk partitions
using the fdisk, and build logical volumes with LVM.

5.1 Preparing Your Systems 145


You can build a cluster (next section) before or after defining volume groups for shared data
storage. If you create the cluster first, information about storage can be added to the cluster and
package configuration files after the volume groups are created.
See Volume Managers for Data Storage (page 71) for an overview of volume management in
HP Serviceguard for Linux. The sections that follow explain how to do the following tasks:
Displaying Disk Information (page 146)
Creating Partitions (page 147)
Enabling Volume Group Activation Protection (page 148)
Building Volume Groups: Example for Smart Array Cluster Storage (MSA 2000 Series)
(page 149)
Building Volume Groups and Logical Volumes (page 150)
Distributing the Shared Configuration to all Nodes (page 150)
Testing the Shared Configuration (page 151)
Storing Volume Group Configuration Data (page 152)
Setting up Disk Monitoring (page 153)

CAUTION: The minor numbers used by the LVM volume groups must be the same on all cluster
nodes. This means that if there are any non-shared volume groups in the cluster, create the same
number of them on all nodes, and create them before you define the shared storage. If possible,
avoid using private volume groups, especially LVM boot volumes. Minor numbers increment with
each logical volume, and mismatched numbers of logical volumes between nodes can cause a
failure of LVM (and boot, if you are using an LVM boot volume).

NOTE: Except as noted in the sections that follow, you perform the LVM configuration of shared
storage on only one node. The disk partitions will be visible on other nodes as soon as you reboot
those nodes. After youve distributed the LVM configuration to all the cluster nodes, you will be
able to use LVM commands to switch volume groups between nodes. (To avoid data corruption,
a given volume group must be active on only one node at a time).
For multipath information, see Multipath for Storage (page 82).

5.1.12.1 Displaying Disk Information


To display a list of configured disks, use the following command:
fdisk -l
You will see output such as the following:
Disk /dev/sda: 64 heads, 32 sectors, 8678 cylinders
Units = cylinders of 2048 * 512 bytes

Device Boot Start End Blocks Id System


/dev/sda1 * 1 1001 1025008 83 Linux
/dev/sda2 1002 8678 7861248 5 Extended
/dev/sda5 1002 4002 3073008 83 Linux
/dev/sda6 4003 5003 1025008 82 Linux swap
/dev/sda7 5004 8678 3763184 83 Linux

Disk /dev/sdb: 64 heads, 32 sectors, 8678 cylinders


Units = cylinders of 2048 * 512 bytes

Device Boot Start End Blocks Id System

Disk /dev/sdc: 255 heads, 63 sectors, 1106 cylinders


Units = cylinders of 16065 * 512 bytesDisk /dev/sdd: 255 heads, 63 sectors, 1106 cylinders
Units = cylinders of 16065 * 512 bytes

146 Building an HA Cluster Configuration


In this example, the disk described by device file /dev/sda has already been partitioned for
Linux, into partitions named /dev/sda1 - /dev/sda7. The second internal device /dev/sdb
and the two external devices /dev/sdc and /dev/sdd have not been partitioned.

NOTE: fdisk may not be available for SUSE on all platforms. In this case, using YAST2 to set
up the partitions is acceptable.

5.1.12.2 Creating Partitions


You must define a partition on each disk device (individual disk or LUN in an array) that you want
to use for your shared storage. Use the fdisk command for this.
The following steps create the new partition:
1. Run fdisk, specifying your device file name in place of <DeviceName>:
# fdisk <DeviceName>
Respond to the prompts as shown in the following table, to define a partition:

Prompt Response Action Performed

1. Command (m for help): n Create a new partition

2. Command action e extended p p Creation a primary partition


primary partition (1-4)

3. Partition number (1-4): 1 Create partition 1

4. First cylinder (1-nn, default 1): Enter Accept the default starting cylinder 1

5. Last cylinder or +size or +sizeM or Enter Accept the default, which is the last
+sizeK (1-nn, default nn): cylinder number

Command (m for help): p Display partition data

Command (m for help): w Write data to the partition table

The following example of the fdisk dialog shows that the disk on the device file /dev/sdc
is configured as one partition, and appears as follows:
fdisk /dev/sdc
Command (m for help): n
Command action
e extended
p primary partition (1-4) p
Partition number (1-4): 1
First cylinder (1-4067, default 1): Enter
Using default value 1Last cylinder or +size or +sizeM or +sizeK (1-4067, default 4067): Enter
Using default value 4067

Command (m for help): p


Disk /dev/sdc: 64 heads, 32 sectors, 4067 cylinders
Units = cylinders of 2048 * 512 bytes

Device Boot Start End Blocks Id System


/dev/sdc 1 4067 4164592 83 Linux

Command (m for help): w


The partition table has been altered!

2. Respond to the prompts as shown in the following table to set a partition type:

Prompt Response Action Performed

1. Command (m for help): t Set the partition type

2. Partition number (1-4): 1 Partition affected

3. Hex code (L to list codes): 8e Set partition to type to Linux LVM

5.1 Preparing Your Systems 147


Prompt Response Action Performed

Command (m for help): p Display partition data

Command (m for help): w Write data to the partition table

The following example of the fdisk dialog describes that the disk on the device file /dev/
sdc is set to Smart Array type partition, and appears as follows:
fdisk /dev/sdc
Command (m for help): t
Partition number (1-4): 1
HEX code (type L to list codes): 8e

Command (m for help): p


Disk /dev/sdc: 64 heads, 32 sectors, 4067 cylinders
Units = cylinders of 2048 * 512 bytes

Device Boot Start End Blocks Id System


/dev/sdc 1 4067 4164592 8e Linux LVM

Command (m for help): w


The partition table has been altered!
3. Repeat this process for each device file that you will use for shared storage.
fdisk /dev/sdd
fdisk /dev/sdf
fdisk /dev/sdg
4. If you will be creating volume groups for internal storage, make sure to create those partitions
as well, and create those volume groups before you define the shared storage.
fdisk /dev/sddb

NOTE: fdisk may not be available for SUSE on all platforms. In this case, using YAST2 to set
up the partitions is acceptable.

5.1.12.3 Enabling Volume Group Activation Protection


As of Serviceguard for Linux A.11.16.07, you can enable activation protection for logical volume
groups, preventing the volume group from being activated by more than one node at the same
time. Activation protection, if used, must be enabled on each cluster node.
Follow these steps to enable activation protection for volume groups on Red Hat and SUSE systems:

IMPORTANT: Perform this procedure on each node.


1. Edit /etc/lvm/lvm.conf and add the following line:
tags { hosttags = 1 }
2. Uncomment the line in /etc/lvm/lvm.conf that begins # volume_list =, and edit it
to include all of the node's "private" volume groups (those not shared with the other cluster
nodes), including the root volume group.
For example if the root volume group is vg00 and the node also uses vg01 and vg02 as
private volume groups, the line should look like this:
volume_list = [ "vg00", "vg01", "vg02" ]
3. Create the file /etc/lvm/lvm_$(uname -n).conf
4. Add the following line to the file you created in step 3:
activation { volume_list=[@node] }

148 Building an HA Cluster Configuration


where node is the value of uname -n.
5. Run vgscan:
vgscan

NOTE: At this point, the setup for volume-group activation protection is complete. Serviceguard
adds a tag matching the uname -n value of the owning node to each volume group defined
for a package when the package runs and deletes the tag when the package halts. The
command vgs -o +tags vgname will display any tags that are set for a volume group.
The sections that follow take you through the process of configuring volume groups and logical
volumes, and distributing the shared configuration. When you have finished that process, use
the procedure under Testing the Shared Configuration (page 151) to verify that the setup has
been done correctly.

5.1.12.4 Building Volume Groups: Example for Smart Array Cluster Storage (MSA 2000 Series)

NOTE: For information about setting up and configuring the MSA 2000 for use with Serviceguard,
see HP Serviceguard for Linux Version A.11.19 or later Deployment Guide at http://www.hp.com/
go/linux-serviceguard-docs.
Use Logical Volume Manager (LVM) on your system to create volume groups that can be activated
by Serviceguard packages. This section provides an example of creating Volume Groups on LUNs
created on MSA 2000 Series storage. For more information on LVM, see the Logical Volume
Manager How To, which you can find at http://tldp.org/HOWTO/HOWTO-INDEX/howtos.html.
Before you start, partition your LUNs and label them with a partition type of 8e (Linux LVM). Use
the type t parameter of the fdisk command to change from the default of 83 (Linux).
Do the following on one node:
1. Update the LVM configuration and create the /etc/lvmtab file. You can omit this step if
you have previously created volume groups on this node.
vgscan

NOTE: The files /etc/lvmtab and /etc/lvmtab.d may not exist on some distributions.
In that case, ignore references to these files.

2. Create LVM physical volumes on each LUN. For example:


pvcreate -f /dev/sda1
pvcreate -f /dev/sdb1
pvcreate -f /dev/sdc1
3. Check whether there are already volume groups defined on this node. Be sure to give each
volume group a unique name.
vgdisplay
4. Create separate volume groups for each Serviceguard package you will define. In the following
example, we add the LUNs /dev/sda1 and /dev/sdb1 to volume group vgpkgA, and
/dev/sdc1 to vgpkgB:
vgcreate --addtag $(uname -n) /dev/vgpkgA /dev/sda1 /dev/sdb1
vgcreate --addtag $(uname -n) /dev/vgpkgB /dev/sdc1

NOTE: Use vgchange --addtag only if you are implementing volume-group activation
protection. Remember that volume-group activation protection, if used, must be implemented
on each node.

5.1 Preparing Your Systems 149


5.1.12.5 Building Volume Groups and Logical Volumes
1. Use Logical Volume Manager (LVM) to create volume groups that can be activated by
Serviceguard packages.
For an example showing volume-group creation on LUNs, see Building Volume Groups:
Example for Smart Array Cluster Storage (MSA 2000 Series) (page 149). (For Fibre Channel
storage you would use device-file names such as those used in the section Creating Partitions
(page 147)).
2. On Linux distributions that support it, enable activation protection for volume groups. See
Enabling Volume Group Activation Protection (page 148).
3. To store data on these volume groups you must create logical volumes. The following creates
a 500 Megabyte logical volume named /dev/vgpkgA/lvol1 and a one Gigabyte logical
volume named /dev/vgpkgA/lvol2 in volume group vgpkgA:
lvcreate -L 500M vgpkgA
lvcreate -L 1G vgpkgA
4. Create a file system on one of these logical volumes, and mount it in a newly created directory:
mke2fs -j /dev/vgpkgA/lvol1
mkdir /extra
mount -t ext3 /dev/vgpkgA/lvol1 /extra

NOTE: For information about supported filesystem types, see the fs_type discussion on
(page 188).

5. To test that the file system /extra was created correctly and with high availability, you can
create a file on it, and read it.
echo "Test of LVM" >> /extra/LVM-test.conf
cat /extra/LVM-test.conf

NOTE: Be careful if you use YAST or YAST2 to configure volume groups, as that may cause
all volume groups on that system to be activated. After running YAST or YAST2, check to
make sure that volume groups for Serviceguard packages not currently running have not been
activated, and use LVM commands to deactivate any that have. For example, use the command
vgchange -a n /dev/sgvg00 to deactivate the volume group sgvg00.

5.1.12.6 Distributing the Shared Configuration to all Nodes


The goal in setting up a logical volume infrastructure is to build a set of volume groups that can
be activated on multiple nodes in the cluster. To do this, you need to build the same LVM volume
groups on any nodes that will be running the same package.

NOTE: The minor numbers used by the LVM volume groups must be the same on all cluster nodes.
They will if all the nodes have the same number of unshared volume groups.
To distribute the shared configuration, follow these steps:
1. Unmount and deactivate the volume group, and remove the tag if necessary. For example, to
deactivate only vgpkgA:
umount /extra
vgchange -a n vgpkgA
vgchange --deltag $(uname -n) vgpkgA

150 Building an HA Cluster Configuration


NOTE: Use vgchange --deltag only if you are implementing volume-group activation
protection. Remember that volume-group activation protection, if used, must be implemented
on each node.

2. To get the node ftsys10 to see the new disk partitioning that was done on ftsys9, reboot:
reboot
The partition table on the rebooted node is then rebuilt using the information placed on the
disks when they were partitioned on the other node.

NOTE: You must reboot at this time.

3. Run vgscan to make the LVM configuration visible on the new node and to create the LVM
database on/etc/lvmtab and /etc/lvmtab.d. For example, on ftsys10:
vgscan

5.1.12.7 Testing the Shared Configuration


When you have finished the shared volume group configuration, you can test that the storage is
correctly sharable as follows:
1. On ftsys9, activate the volume group, mount the file system that was built on it, write a file
in the shared file system and look at the result:
vgchange --addtag $(uname -n) vgpkgB

NOTE: If you are using the volume-group activation protection feature of Serviceguard for
Linux, you must use vgchange --addtag to add a tag when you manually activate a volume
group. Similarly, you must remove the tag when you deactivate a volume group that will be
used in a package (as shown at the end of each step).
Use vgchange --addtag and vgchange --deltag only if you are implementing
volume-group activation protection. Remember that volume-group activation protection, if used,
must be implemented on each node.
Serviceguard adds a tag matching the uname -n value of the owning node to each volume
group defined for a package when the package runs; the tag is deleted when the package
is halted. The command vgs -o +tags vgname will display any tags that are set for a
volume group.

vgchange -a y vgpkgB
mount /dev/vgpkgB/lvol1 /extra
echo Written by hostname on date > /extra/datestamp
cat /extra/datestamp
You should see something like the following, showing the date stamp written by the other
node:
Written by ftsys9.mydomain on Mon Jan 22 14:23:44 PST 2006
Now unmount the volume group again:
umount /extra
vgchange -a n vgpkgB
vgchange --deltag $(uname -n) vgpkgB

5.1 Preparing Your Systems 151


2. On ftsys10, activate the volume group, mount the file system, write a date stamp on to the
shared file, and then look at the content of the file:
vgchange --addtag $(uname -n) vgpkgB
vgchange -a y vgpkgB
mount /dev/vgpkgB/lvol1 /extra
echo Written by hostname on date >> /extra/datestamp
cat /extra/datestamp
You should see something like the following, including the date stamp written by the other
node:
Written by ftsys9.mydomain on Mon Jan 22 14:23:44 PST 2006
Written by ftsys10.mydomain on Mon Jan 22 14:25:27 PST 2006
Now unmount the volume group again, and remove the tag you added in step 1:
umount /extra
vgchange -a n vgpkgB
vgchange --deltag $(uname -n) vgpkgB

NOTE: The volume activation protection feature of Serviceguard for Linux requires that you
add the tag as shown at the beginning of the above steps when you manually activate a
volume group. Similarly, you must remove the tag when you deactivate a volume group that
will be used in a package (as shown at the end of each step). As of Serviceguard for Linux
A.11.16.07, a tag matching the uname -n value of the owning node is automatically added
to each volume group defined for a package when the package runs; the tag is deleted when
the package is halted. The command vgs -o +tags vgname will display any tags that are
set for a volume group.

5.1.12.8 Storing Volume Group Configuration Data


When you create volume groups, LVM creates a backup copy of the volume group configuration
on the configuration node. In addition, you should create a backup of configuration data on all
other nodes where the volume group might be activated by using the vgcfgbackup command:
vgcfgbackup vgpkgA vgpkgB
If a disk in a volume group must be replaced, you can restore the old disks metadata on the new
disk by using the vgcfgrestore command. See Replacing Disks in the Troubleshooting
chapter.

5.1.12.8.1 Preventing Boot-Time vgscan and Ensuring Serviceguard Volume Groups Are
Deactivated
By default, Linux will perform LVM startup actions whenever the system is rebooted. These include
a vgscan (on some Linux distributions) and volume group activation. This can cause problems for
volumes used in a Serviceguard environment (for example, a volume group for a Serviceguard
package that is not currently running may be activated). To prevent such problems, proceed as
follows on the various Linux versions.

NOTE: You do not need to perform these actions if you have implemented volume-group activation
protection as described under Enabling Volume Group Activation Protection (page 148).
SUSE Linux Enterprise Server
Prevent a vgscan at boot time by removing the /etc/rc.d/boot.d/S07boot.lvm file from
all cluster nodes.

152 Building an HA Cluster Configuration


NOTE: Be careful if you use YAST or YAST2 to configure volume groups, as that may cause all
volume groups to be activated. After running YAST or YAST2, check that volume groups for
Serviceguard packages not currently running have not been activated, and use LVM commands
to deactivate any that have. For example, use the command vgchange -a n /dev/sgvg00
to deactivate the volume group sgvg00.
Red Hat
It is not necessary to prevent vgscan on Red Hat.
To deactivate any volume groups that will be under Serviceguard control, add vgchange commands
to the end of /etc/rc.d/rc.sysinit; for example, if volume groups sgvg00 and sgvg01
are under Serviceguard control, add the following lines to the end of the file:
vgchange -a n /dev/sgvg00
vgchange -a n /dev/sgvg01
The vgchange commands activate the volume groups temporarily, then deactivate them; this is
expected behavior.

5.1.12.9 Setting up Disk Monitoring


HP Serviceguard for Linux includes a Disk Monitor which you can use to detect problems in disk
connectivity. This lets you fail a package over from one node to another in the event of a disk link
failure.
See Creating a Disk Monitor Configuration (page 198) for instructions on configuring disk
monitoring.

5.2 Configuring the Cluster


This section describes how to define the basic cluster configuration. This must be done on a system
that is not part of a Serviceguard cluster (that is, on which Serviceguard is installed but not
configured). You can do this in Serviceguard Manager, or from the command line as described
below.
Use the cmquerycl command to specify a set of nodes to be included in the cluster and to generate
a template for the cluster configuration file.

IMPORTANT: See NODE_NAME under Cluster Configuration Parameters (page 90) for important
information about restrictions on the node name.
Here is an example of the command (enter it all one line):
cmquerycl -v -C $SGCONF/clust1.conf -n ftsys9 -n ftsys10
This creates a template file, by default /usr/local/cmcluster/clust1.conf (for Red Hat
Enterprise Linux) and/opt/cmcluster/clust1.conf (for SUSE Linux Enterprise Server). In this
output file, keywords are separated from definitions by white space. Comments are permitted, and
must be preceded by a pound sign (#) in the far left column.

NOTE: HP strongly recommends that you modify the file so as to send heartbeat over all possible
networks.
The manpage for the cmquerycl command further explains the parameters that appear in this
file. Many are also described in Chapter 4: Planning and Documenting an HA Cluster (page 79).
Modify your /etc/cmcluster/clust1.configfile as needed.

5.2 Configuring the Cluster 153


5.2.1 cmquerycl Options
5.2.1.1 Speeding up the Process
In a larger or more complex cluster with many nodes, networks or disks, the cmquerycl command
may take several minutes to complete. To speed up the configuration process, you can direct the
command to return selected information only by using the -k and -w options:
-k eliminates some disk probing, and does not return information about potential cluster lock
volume groups and lock physical volumes.
-w local lets you specify local network probing, in which LAN connectivity is verified between
interfaces within each node only. This is the default when you use cmquerycl with the-C option.
(Do not use -w local if you need to discover nodes and subnets for a cross-subnet configuration;
see Full Network Probing).
-w none skips network querying. If you have recently checked the networks, this option will save
time.

5.2.1.2 Specifying the Address Family for the Cluster Hostnames


You can use the -a option to tell Serviceguard to resolve cluster node names (as well as Quorum
Server hostnames, if any) to IPv4 addresses only (-a ipv4) IPv6 addresses only (-a ipv6), or
both (-a any). You can also configure the address family by means of the
HOSTNAME_ADDRESS_FAMILY in the cluster configuration file.

IMPORTANT: See About Hostname Address Families: IPv4-Only, IPv6-Only, and Mixed Mode
(page 88) for a full discussion, including important restrictions for IPv6only and mixed modes.
If you use the -a option, Serviceguard will ignore the value of the HOSTNAME_ADDRESS_FAMILY
parameter in the existing cluster configuration, if any, and attempt to resolve the cluster and Quorum
Server hostnames as specified by the -a option:
If you specify -a ipv4, each of the hostnames must resolve to at least one IPv4 address;
otherwise the command will fail.
Similarly, if you specify -a ipv6, each of the hostnames must resolve to at least one IPv6
address; otherwise the command will fail.
If you specify -a any, Serviceguard will attempt to resolve each hostname to an IPv4 address,
then, if that fails, to an IPv6 address.
If you do not use the -a option:
If a cluster is already configured, Serviceguard will use the value configured for
HOSTNAME_ADDRESS_FAMILY, which defaults to IPv4.
If no cluster configured, and Serviceguard finds at least one IPv4 address that corresponds to
the local node's hostname (that is, the node on which you are running cmquerycl),
Serviceguard will attempt to resolve all hostnames to IPv4 addresses. If no IPv4 address is
found for a given hostname, Serviceguard will look for an IPv6 address. (This is the same
behavior as if you had specified -a any).

5.2.1.3 Specifying the Address Family for the Heartbeat


To tell Serviceguard to use only IPv4, or only IPv6, addresses for the heartbeat, use the -h option.
For example, to use only IPv6 addresses:

154 Building an HA Cluster Configuration


cmquerycl -v -h ipv6 -C $SGCONF/clust1.conf -n ftsys9 -n ftsys10
-h ipv4 tells Serviceguard to discover and configure only IPv4 subnets. If it does not find
any eligible subnets, the command will fail.
-h ipv6 tells Serviceguard to discover and configure only IPv6 subnets. If it does not find
any eligible subnets, the command will fail.
If you don't use the -h option, Serviceguard will choose the best available configuration to
meet minimum requirements, preferring an IPv4 LAN over IPv6 where both are available. The
resulting configuration could be IPv4 only, IPv6 only, or a mix of both. You can override
Serviceguard's default choices by means of the HEARTBEAT_IP parameter, discussed under
Cluster Configuration Parameters (page 90); that discussion also spells out the heartbeat
requirements.
The-h and -c options are mutually exclusive.

5.2.1.4 Specifying the Cluster Lock


You can use the cmquerycl command line to specify a cluster lock LUN (-L lock_lun_device) or
quorum server (-q quorum_server [qs_ip2]). For more details, see cmquerycl (1m)manpage.
For more information, see Specifying a Lock LUN (page 155) and Specifying a Quorum
Server (page 155) sections.

5.2.1.5 Full Network Probing


-w full lets you specify full network probing, in which actual connectivity is verified among all
LAN interfaces on all nodes in the cluster, whether or not they are all on the same subnet.

NOTE: This option must be used to discover actual or potential nodes and subnets in a cross-subnet
configuration. See Obtaining Cross-Subnet Information (page 156). It will also validate IP Monitor
polling targets; see Monitoring LAN Interfaces and Detecting Failure: IP Level (page 66), and
POLLING_TARGET under Cluster Configuration Parameters (page 90).

5.2.2 Specifying a Lock LUN


A cluster lock LUN or quorum server is required for two-node clusters. If you will be using a lock
LUN, be sure to specify the -L lock_lun_device option with the cmquerycl command. If the
name of the device is the same on all nodes, enter the option before the node names, as in the
following example (all on one line):
cmquerycl -v -L /dev/sda1 -n lp01 -n lp02 -C $SGCONF/lpcluster.conf
If the name of the device is different on the different nodes, specify each device file following each
node name, as in the following example (all on one line):
cmquerycl -v -n node1 -L /dev/sda1 -n node2 -L /dev/sda2 -C
$SGCONF/lpcluster.conf

NOTE: An iSCSI storage device does not support configuring a lock LUN.

5.2.3 Specifying a Quorum Server


IMPORTANT: The following are standard instructions. For special instructions that may apply to
your version of Serviceguard and the Quorum Server see Configuring Serviceguard to Use the
Quorum Server in the latest version HP Serviceguard Quorum Server Version A.04.00 Release
Notes, at http://www.hp.com/go/hpux-serviceguard-docs (Select HP Serviceguard Quorum Server
Software).

5.2 Configuring the Cluster 155


A cluster lock LUN or quorum server, is required for two-node clusters. To obtain a cluster
configuration file that includes Quorum Server parameters, use the -q option of the cmquerycl
command, specifying a Quorum Server hostname or IP address, for example (all on one line):
cmquerycl -q <QS_Host> -n ftsys9 -n ftsys10 -C <ClusterName>.conf
To specify an alternate hostname or IP address by which the Quorum Server can be reached, use
a command such as (all on one line):
cmquerycl -q <QS_Host> <QS_Addr> -n ftsys9 -n ftsys10 -C
<ClusterName>.conf
Enter the QS_HOST (IPv4 or IPv6 on SLES 11; IPv4 only on Red Hat 5 and Red Hat 6), optional
QS_ADDR (IPv4 or IPv6 on SLES 11; IPv4 only on Red Hat 5 and Red Hat 6) ,
QS_POLLING_INTERVAL, and optionally a QS_TIMEOUT_EXTENSION; and also check the
HOSTNAME_ADDRESS_FAMILY setting, which defaults to IPv4. See the parameter descriptions
under Cluster Configuration Parameters (page 90).
For important information, see also About Hostname Address Families: IPv4-Only, IPv6-Only, and
Mixed Mode (page 88); and What Happens when You Change the Quorum Configuration
Online (page 43)

5.2.4 Obtaining Cross-Subnet Information


As of Serviceguard A.11.18 or later it is possible to configure multiple IPv4 subnets, joined by a
router, both for the cluster heartbeat and for data, with some nodes using one subnet and some
another. See Cross-Subnet Configurations (page 27) for rules and definitions.
You must use the -w full option to cmquerycl to discover the available subnets.
For example, assume that you are planning to configure four nodes, NodeA, NodeB, NodeC, and
NodeD, into a cluster that uses the subnets 15.13.164.0, 15.13.172.0, 15.13.165.0,
15.13.182.0, 15.244.65.0, and 15.244.56.0.
The following command
cmquerycl w full n nodeA n nodeB n nodeB n nodeC n nodeD
will produce the output such as the following:
Node Names: nodeA
nodeB
nodeC
nodeD

Bridged networks (full probing performed):


1 lan3 (nodeA)
lan4 (nodeA)
lan3 (nodeB)
lan4 (nodeB)
2 lan1 (nodeA)
lan1 (nodeB)
3 lan2 (nodeA)
lan2 (nodeB)
4 lan3 (nodeC)
lan4 (nodeC)
lan3 (nodeD)
lan4 (nodeD)

5 lan1 (nodeC)
lan1 (nodeD)
6 lan2 (nodeC)
lan2 (nodeD)

IP subnets:
IPv4:

156 Building an HA Cluster Configuration


15.13.164.0 lan1 (nodeA)
lan1 (nodeB)
15.13.172.0 lan1 (nodeC)
lan1 (nodeD)
15.13.165.0 lan2 (nodeA)
lan2 (nodeB)
15.13.182.0 lan2 (nodeC)
lan2 (nodeD)
15.244.65.0 lan3 (nodeA)
lan3 (nodeB)
15.244.56.0 lan4 (nodeC)
lan4 (nodeD)

IPv6:

3ffe:1111::/64 lan3 (nodeA)


lan3 (nodeB)
3ffe:2222::/64 lan3 (nodeC)
lan3 (nodeD)

Possible Heartbeat IPs:


15.13.164.0
15.13.164.1 (nodeA)
15.13.164.2 (nodeB)
15.13.172.0 15.13.172.158 (nodeC)
15.13.172.159 (nodeD)
15.13.165.0 15.13.165.1 (nodeA)
15.13.165.2 (nodeB)
15.13.182.0 15.13.182.158 (nodeC)
15.13.182.159 (nodeD)
Route connectivity(full probing performed):

1 15.13.164.0
15.13.172.0
2 15.13.165.0
15.13.182.0
3 15.244.65.0
4 15.244.56.0
In the Route connectivity section, the numbers on the left (1-4) identify which subnets are
routed to each other (for example, 15.13.164.0 and 15.13.172.0).

IMPORTANT: Note that in this example subnet 15.244.65.0, used by NodeA and NodeB, is
not routed to 15.244.56.0, used by NodeC and NodeD.
But subnets 15.13.164.0 and 15.13.165.0, used by NodeA and NodeB, are routed respectively
to subnets 15.13.172.0 and 15.13.182.0, used by NodeC and NodeD. At least one such
routing among all the nodes must exist for cmquerycl to succeed.

For information about configuring the heartbeat in a cross-subnet configuration, see the
HEARTBEAT_IP parameter discussion under Cluster Configuration Parameters (page 90).

5.2.5 Identifying Heartbeat Subnets


The cluster configuration file includes entries for IP addresses on the heartbeat subnet. HP
recommends that you use a dedicated heartbeat subnet, and configure heartbeat on other subnets
as well, including the data subnet.
The heartbeat can be on an IPv4 or an IPv6 subnet.

5.2 Configuring the Cluster 157


The heartbeat can comprise multiple IPv4 subnets joined by a router. In this case at least two
heartbeat paths must be configured for each cluster node. See also the discussion of
HEARTBEAT_IP (page 95), and Cross-Subnet Configurations (page 27).

5.2.6 Specifying Maximum Number of Configured Packages


This value must be equal to or greater than the number of packages currently configured in the
cluster. The count includes all types of packages: failover, multi-node, and system multi-node. The
maximum number of packages per cluster is 300. The default is the maximum.

NOTE: Remember to tune kernel parameters on each node to ensure that they are set high enough
for the largest number of packages that will ever run concurrently on that node.

5.2.7 Modifying the MEMBER_TIMEOUT Parameter


The cmquerycl command supplies a default value of 14 seconds for the MEMBER_TIMEOUT
parameter. Changing this value will directly affect the clusters re-formation and failover times. You
may need to increase the value if you are experiencing cluster node failures as a result of heavy
system load or heavy network traffic; or you may need to decrease it if cluster re-formations are
taking a long time.
You can change MEMBER_TIMEOUT while the cluster is running.
For more information about node timeouts, see What Happens when a Node Times Out (page 75)
and the MEMBER_TIMEOUT parameter discussions under Cluster Configuration Parameters
(page 90), and Cluster Re-formations Caused by MEMBER_TIMEOUT Being Set too Low (page 264).

5.2.8 Controlling Access to the Cluster


Serviceguard access-control policies define cluster users administrative or monitoring capabilities.

5.2.8.1 A Note about Terminology


Although you will also sometimes see the term role-based access (RBA) in the output of Serviceguard
commands, the preferred set of terms, always used in this manual, is as follows:
Access-control policies - the set of rules defining user access to the cluster.
Access-control policy - one of these rules, comprising the three parameters USER_NAME,
USER_HOST, USER_ROLE. See Setting up Access-Control Policies (page 160).
Access roles - the set of roles that can be defined for cluster users (Monitor, Package Admin,
Full Admin).
Access role - one of these roles (for example, Monitor).

5.2.8.2 How Access Roles Work


Serviceguard daemons grant access to Serviceguard commands by matching the command users
hostname and username against the access control policies you define. Each user can execute
only the commands allowed by his or her role.
The diagram that shows the access roles and their capabilities. The innermost circle is the most
trusted; the outermost the least. Each role can perform its own functions and the functions in all of
the circles outside it. For example, Serviceguard Root can perform its own functions plus all the
functions of Full Admin, Package Admin and Monitor; Full Admin can perform its own functions
plus the functions of Package Admin and Monitor; and so on.

158 Building an HA Cluster Configuration


Figure 27 Access Roles

5.2.8.3 Levels of Access


Serviceguard recognizes two levels of access, root and non-root:
Root access: Full capabilities; only role allowed to configure the cluster.
As Figure 27 shows, users with root access have complete control over the configuration of
the cluster and its packages. This is the only role allowed to use the cmcheckconf,
cmapplyconf, cmdeleteconf, and cmmodnet -a commands.
In order to exercise this Serviceguard role, you must log in as the root user (superuser) on a
node in the cluster you want to administer. Conversely, the root user on any node in the cluster
always has full Serviceguard root access privileges for that cluster; no additional Serviceguard
configuration is needed to grant these privileges.

5.2 Configuring the Cluster 159


IMPORTANT: Users on systems outside the cluster can gain Serviceguard root access
privileges to configure the cluster only via a secure connection (rsh or ssh).

Non-root access: Other users can be assigned one of four roles:


Full Admin: Allowed to perform cluster administration, package administration, and cluster
and package view operations.
These users can administer the cluster, but cannot configure or create a cluster. Full Admin
includes the privileges of the Package Admin role.

(all-packages) Package Admin: Allowed to perform package administration, and use


cluster and package view commands.
These users can run and halt any package in the cluster, and change its switching
behavior, but cannot configure or create packages. Unlike single-package Package
Admin, this role is defined in the cluster configuration file. Package Admin includes the
cluster-wide privileges of the Monitor role.

(single-package) Package Admin: Allowed to perform package administration for a


specified package, and use cluster and package view commands.
These users can run and halt a specified package, and change its switching behavior,
but cannot configure or create packages. This is the only access role defined in the
package configuration file; the others are defined in the cluster configuration file.
Single-package Package Admin also includes the cluster-wide privileges of the Monitor
role.

Monitor: Allowed to perform cluster and package view operations.


These users have read-only access to the cluster and its packages.

IMPORTANT: A remote user (one who is not logged in to a node in the cluster, and is not
connecting via rsh or ssh) can have only Monitor access to the cluster.
(Full Admin and Package Admin can be configured for such a user, but this usage is
deprecated. As of Serviceguard A.11.18 configuring Full Admin or Package Admin for remote
users gives them Monitor capabilities. See Setting up Access-Control Policies (page 160) for
more information.)

5.2.8.4 Setting up Access-Control Policies


The root user on each cluster node is automatically granted the Serviceguard root access role on
all nodes. (See Configuring Root-Level Access (page 136) for more information.) Access-control
policies define non-root roles for other cluster users.

NOTE: For more information and advice, see the white paper Securing Serviceguard at http://
www.hp.com/go/hpux-serviceguard-docs (Select HP Serviceguard -> White Papers).
Define access-control policies for a cluster in the cluster configuration file; see Cluster Configuration
Parameters (page 90). To define access control for a specific package, use user_host (page 190)
and related parameters in the package configuration file. You can define up to 200 access policies
for each cluster. A root user can create or modify access control policies while the cluster is running.

NOTE: Once nodes are configured into a cluster, the access-control policies you set in the cluster
and package configuration files govern cluster-wide security; changes to the bootstrap
cmclnodelist file are ignored (see Allowing Root Access to an Unconfigured Node (page 136)).

160 Building an HA Cluster Configuration


Access control policies are defined by three parameters in the configuration file:
Each USER_NAME can consist either of the literal ANY_USER, or a maximum of 8 login names
from the /etc/passwd file on USER_HOST. The names must be separated by spaces or tabs,
for example:
# Policy 1:
USER_NAME john fred patrick
USER_HOST bit
USER_ROLE PACKAGE_ADMIN

USER_HOST is the node where USER_NAME will issue Serviceguard commands.

NOTE: The commands must be issued on USER_HOST but can take effect on other nodes;
for example, patrick can use bits command line to start a package on gryf (assuming
bit and gryf are in the same cluster).
Choose one of these three values for USER_HOST:

ANY_SERVICEGUARD_NODE - any node on which Serviceguard is configured, and which


is on a subnet with which nodes in this cluster can communicate (as reported
bycmquerycl -w full).

NOTE: If you set USER_HOST to ANY_SERVICEGUARD_NODE, set USER_ROLE to


MONITOR; users connecting from outside the cluster cannot have any higher privileges
(unless they are connecting via rsh or ssh; this is treated as a local connection).
Depending on your network configuration, ANY_SERVICEGUARD_NODE can provide
wide-ranging read-only access to the cluster.

CLUSTER_MEMBER_NODE - any node in the cluster

A specific node name - Use the hostname portion (the first part) of a fully-qualified domain
name that can be resolved by the name service you are using; it should also be in each
nodes /etc/hosts. Do not use an IP addresses or the fully-qualified domain name. If
there are multiple hostnames (aliases) for an IP address, one of those must match
USER_HOST. See Configuring Name Resolution (page 137) for more information.
USER_ROLE must be one of these three values:
MONITOR

FULL_ADMIN

PACKAGE_ADMIN
MONITOR and FULL_ADMIN can be set only in the cluster configuration file and they apply
to the entire cluster. PACKAGE_ADMIN can be set in the cluster configuration file or a package
configuration file. If it is set in the cluster configuration file, PACKAGE_ADMIN applies to all
configured packages; if it is set in a package configuration file, it applies to that package
only. These roles are not exclusive; for example, more than one user can have the
PACKAGE_ADMIN role for the same package.

NOTE: You do not have to halt the cluster or package to configure or modify access control
policies.
Here is an example of an access control policy:
USER_NAME john

5.2 Configuring the Cluster 161


USER_HOST bit
USER_ROLE PACKAGE_ADMIN
If this policy is defined in the cluster configuration file, it grants user john the PACKAGE_ADMIN
role for any package on node bit. User john also has the MONITOR role for the entire cluster,
because PACKAGE_ADMIN includes MONITOR. If the policy is defined in the package configuration
file for PackageA, then user john on node bit has the PACKAGE_ADMIN role only for PackageA.
Plan the clusters roles and validate them as soon as possible. If your organizations security policies
allow it, you may find it easiest to create group logins. For example, you could create a MONITOR
role for user operator1 from CLUSTER_MEMBER_NODE (that is, from any node in the cluster).
Then you could give this login name and password to everyone who will need to monitor your
clusters.

5.2.8.4.1 Role Conflicts


Do not configure different roles for the same user and host; Serviceguard treats this as a conflict
and will fail with an error when applying the configuration. Wildcards, such as ANY_USER and
ANY_SERVICEGUARD_NODE, are an exception: it is acceptable for ANY_USER and john to be
given different roles.

IMPORTANT: Wildcards do not degrade higher-level roles that have been granted to individual
members of the class specified by the wildcard. For example, you might set up the following policy
to allow root users on remote systems access to the cluster:
USER_NAME root
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
This does not reduce the access level of users who are logged in as root on nodes in this cluster;
they will always have full Serviceguard root-access capabilities.

Consider what would happen if these entries were in the cluster configuration file:
# Policy 1:
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN

# Policy 2:
USER_NAME john
USER_HOST bit
USER_ROLE MONITOR

# Policy 3:
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
In the above example, the configuration would fail because user john is assigned two roles. (In
any case, Policy 2 is unnecessary, because PACKAGE_ADMIN includes the role of MONITOR).
Policy 3 does not conflict with any other policies, even though the wildcard ANY_USER includes
the individual user john.

NOTE: Check spelling especially carefully when typing wildcards, such as ANY_USER and
ANY_SERVICEGUARD_NODE. If they are misspelled, Serviceguard will assume they are specific
users or nodes.

162 Building an HA Cluster Configuration


5.2.8.5 Package versus Cluster Roles
Package configuration will fail if there is any conflict in roles between the package configuration
and the cluster configuration, so it is a good idea to have the cluster configuration file in front of
you when you create roles for a package; use cmgetconf to get a listing of the cluster configuration
file.
If a role is configured for a username/hostname in the cluster configuration file, do not specify a
role for the same username/hostname in the package configuration file; and note that there is no
point in assigning a package administration role to a user who is root on any node in the cluster;
this user already has complete control over the administration of the cluster and its packages.

5.2.9 Verifying the Cluster Configuration


If you have edited a cluster configuration template file, use the following command to verify the
content of the file:
cmcheckconf -v -C $SGCONF/clust1.conf
This command checks the following:
Network addresses and connections.
Quorum server connection.
All lock LUN device names on all nodes refer to the same physical disk area.
One and only one lock LUN device is specified per node.
A quorum server or lock LUN is configured, but not both.
Uniqueness of names.
Existence and permission of scripts specified in the command line.
If all nodes specified are in the same heartbeat subnet.
Correct configuration filename.
All nodes can be accessed.
No more than one CLUSTER_NAME, MEMBER_TIMEOUT, and AUTO_START_TIMEOUT are
specified.
The value for package run and halt script timeouts does not exceed the maximum.
The value for AUTO_START_TIMEOUT variables is greater than zero.
Heartbeat network minimum requirement. See HEARTBEAT_IP under Cluster Configuration
Parameters (page 90).
At least one NODE_NAME is specified.
Each node is connected to each heartbeat network.
All heartbeat networks are of the same type of LAN.
The network interface device files specified are valid LAN device files.
Other configuration parameters for the cluster and packages are valid.
If the cluster is online the cmcheckconf command also verifies that all the conditions for the
specific change in configuration have been met.

5.2.10 Cluster Lock Configuration Messages


The cmquerycl, cmcheckconf and cmapplyconf commands will return errors if the cluster
lock is not correctly configured. If there is no cluster lock in a cluster with two nodes, the following
message is displayed in the cluster configuration file:

5.2 Configuring the Cluster 163


# Warning: Neither a quorum server nor a lock lun was specificed.
# A Quorum Server or a lock lun is required for clusters of only two nodes.
If you attempt to configure both a quorum server and a lock LUN, the following message appears
on standard output when issuing the cmcheckconf or cmapplyconf command:
Duplicate cluster lock, line 55. Quorum Server already specified.

5.2.11 Distributing the Binary Configuration File


After specifying all cluster parameters, use the cmapplyconf command to apply the configuration.
This action distributes the binary configuration file to all the nodes in the cluster. HP recommends
doing this separately before you configure packages (described in the next chapter). In this way,
you can verify the quorum server, heartbeat networks, and other cluster-level operations by using
the cmviewcl command on the running cluster. Before distributing the configuration, ensure that
your security files permit copying among the cluster nodes. See Configuring Root-Level Access
(page 136).
The following command distributes the binary configuration file:
cmapplyconf -v -C $SGCONF/clust1.conf

5.3 Managing the Running Cluster


This section describes some approaches to routine management of the cluster. For more information,
see Chapter 7: Cluster and Package Maintenance (page 199). You can manage the cluster from
Serviceguard Manager, or by means of Serviceguard commands as described below.

5.3.1 Checking Cluster Operation with Serviceguard Commands


cmviewcl checks the status of the cluster and many of its components. A non-root user with
the role of Monitor can run this command from a cluster node or see status information in
Serviceguard Manager.
cmrunnode is used to start a node. A non-root user with the role of Full Admin, can run this
command from a cluster node or through Serviceguard Manager.
cmhaltnode is used to manually stop a running node. (This command is also used by
shutdown(1m)). A non-root user with the role of Full Admin can run this command from a
cluster node or through Serviceguard Manager.
cmruncl is used to manually start a stopped cluster. A non-root user with Full Admin access
can run this command from a cluster node, or through Serviceguard Manager.
cmhaltcl is used to manually stop a cluster. A non-root user with Full Admin access, can
run this command from a cluster node or through Serviceguard Manager.
You can use these commands to test cluster operation, as in the following:
1. If the cluster is not already running, start it:
cmruncl -v
By default, cmruncl will check the networks. Serviceguard will probe the actual network
configuration with the network information in the cluster configuration. If you do not need this
validation, use cmruncl -v -w none instead, to turn off validation and save time
2. When the cluster has started, make sure that cluster components are operating correctly:
cmviewcl -v
Make sure that all nodes and networks are functioning as expected. For more information,
refer to the chapter on Cluster and Package Maintenance.

164 Building an HA Cluster Configuration


3. Verify that nodes leave and enter the cluster as expected using the following steps:
Halt the cluster. You can use Serviceguard Manager or the cmhaltnode command.
Check the cluster membership to verify that the node has left the cluster. You can use the
Serviceguard Manager main page or the cmviewcl command.
Start the node. You can use Serviceguard Manager or the cmrunnode command.
Verify that the node has returned to operation. You can use Serviceguard Manager or
the cmviewcl command again.
4. Bring down the cluster. You can use Serviceguard Manager or the cmhaltcl -v -f
command.
See the manpages for more information about these commands. See Chapter 8: Troubleshooting
Your Cluster (page 255) for more information about cluster testing.

5.3.2 Setting up Autostart Features


Automatic startup is the process in which each node individually joins a cluster; Serviceguard
provides a startup script to control the startup process. If a cluster already exists, the node attempts
to join it; if no cluster is running, the node attempts to form a cluster consisting of all configured
nodes. Automatic cluster start is the preferred way to start a cluster. No action is required by the
system administrator.
There are three cases:
The cluster is not running on any node, all cluster nodes must be reachable, and all must be
attempting to start up. In this case, the node attempts to form a cluster consisting of all
configured nodes.
The cluster is already running on at least one node. In this case, the node attempts to join that
cluster.
Neither is true: the cluster is not running on any node, and not all the nodes are reachable
and trying to start. In this case, the node will attempt to start for the AUTO_START_TIMEOUT
period. If neither of these things becomes true in that time, startup will fail.
To enable automatic cluster start, set the flag AUTOSTART_CMCLD to 1 in the $SGAUTOSTARTfile
($SGCONF/cmcluster.rc) on each node in the cluster; the nodes will then join the cluster at
boot time.
Here is an example of the $SGAUTOSTART file:
SGAUTOSTART=/usr/local/cmcluster/conf/cmcluster.rc
#*************************** CMCLUSTER *************************

# Highly Available Cluster configuration


#
# @(#) $Revision: 82.2 $
#
#
# AUTOSTART_CMCLD
#
# Automatic startup is the process in which each node individually
# joins a cluster. If a cluster already exists, the node attempts
# to join it; if no cluster is running, the node attempts to form
# a cluster consisting of all configured nodes. Automatic cluster
# start is the preferred way to start a cluster. No action is
# required by the system administrator. If set to 1, the node will
# attempt to join/form its CM cluster automatically as described
# above. If set to 0, the node will not attempt to join its CM
# cluster.

AUTOSTART_CMCLD=1

5.3 Managing the Running Cluster 165


NOTE: The /sbin/init.d/cmcluster file may call files that Serviceguard stores in$SGCONF/
rc. (See Understanding the Location of Serviceguard Files (page 135) for information about
Serviceguard directories on different Linux distributions.) This directory is for Serviceguard use
only! Do not move, delete, modify, or add files in this directory.

5.3.3 Changing the System Message


You may find it useful to modify the system's login message to include a statement such as the
following:
This system is a node in a high availability cluster.
Halting this system may cause applications and services to
start up on another node in the cluster.
You may want to include a list of all cluster nodes in this message, together with additional
cluster-specific information.
The /etc/motd file may be customized to include cluster-related information.

5.3.4 Managing a Single-Node Cluster


The number of nodes you will need for your cluster depends on the processing requirements of the
applications you want to protect.
In a single-node cluster, a quorum server is not required, since there is no other node in the cluster.
The output from the cmquerycl command omits the quorum server information area if there is
only one node.
You still need to have redundant networks, but you do not need to specify any heartbeat LANs,
since there is no other node to send heartbeats to. In the cluster configuration file, specify all LANs
that you want Serviceguard to monitor. For LANs that already have IP addresses, specify them
with the STATIONARY_IP parameter, rather than the HEARTBEAT_IP parameter.

5.3.4.1 Single-Node Operation


Single-node operation occurs in a single-node cluster, or in a multi-node cluster in which all but
one node has failed, or in which you have shut down all but one node, which will probably have
applications running. As long as the Serviceguard daemon cmcld is active, other nodes can rejoin
the cluster at a later time.
If the cmcld daemon fails during single-node operation, it will leave the single node up and your
applications running. (This is different from the failure of cmcld in a multi-node cluster, which
causes the node to halt with a reboot, and packages to be switched to adoptive nodes.)
It is not necessary to halt the single node in this case, since the applications are still running, and
no other node is currently available for package switching.

CAUTION: But you should not try to restart Serviceguard; data corruption might occur if another
node were to attempt to start up a new instance of an application that is still running on the single
node. Instead, choose an appropriate time to shut down and reboot the node. This will allow the
applications to shut down and Serviceguard to restart the cluster after the reboot.

5.3.5 Disabling identd


Ignore this section unless you have a particular need to disable identd.
You can configure Serviceguard not to use identd.

CAUTION: This is not recommended. Consult the white paper Securing Serviceguard at http://
www.hp.com/go/hpux-serviceguard-docs (Select HP Serviceguard -> White Papers) for more
information.

166 Building an HA Cluster Configuration


If you must disable identd, do the following on each node after installing Serviceguard but before
each node rejoins the cluster (For example, before issuing a cmrunnode or cmruncl).
For Red Hat and SUSE:
1. Change the value of the server_args parameter in the file /etc/xinetd.d/hacl-cfg
from -c to -c -i
2. Restart xinetd:
/etc/init.d/xinetd restart

5.3.6 Deleting the Cluster Configuration


You can delete a cluster configuration by means of the cmdeleteconf command. The command
prompts for a verification before deleting the files unless you use the -f option. You can delete
the configuration only when the cluster is down. The action removes the binary configuration file
from all the nodes in the cluster and resets all cluster-aware volume groups to be no longer
cluster-aware.

NOTE: The cmdeleteconf command removes only the cluster binary file $SGCONF/
cmclconfig. It does not remove any other files from the $SGCONF directory.
Although the cluster must be halted, all nodes in the cluster should be powered up and accessible
before you use the cmdeleteconf command. If a node is powered down, power it up and allow
it to boot. If a node is inaccessible, you will see a list of inaccessible nodes and the following
message:
Checking current status
cmdeleteconf: Unable to reach node lptest1.
WARNING: Once the unreachable node is up, cmdeleteconf
should be executed on the node to remove the configuration.

Delete cluster lpcluster anyway (y/[n])?


Reply Yes to remove the configuration. Later, if the inaccessible node becomes available, run
cmdeleteconf on that node to remove the configuration file.

5.4 Rebuilding the Deadman Driver


If you have upgraded the kernel to a new errata, the deadman driver must be rebuilt. The deadman
driver sources and associated files are located in the $SGROOT/drivers directory.
To rebuild the deadman driver:
1. Verify whether the deadman driver is already loaded:
# lsmod | grep deadman
2. Remove the deadman driver that is already loaded:
# rmmod deadman
3. To build and install the deadman driver module, run the following commands in the $SGROOT/
drivers directory:
a. # make modules
This command builds the module.
b. # make modules_install
This command installs the module.
c. # insmod deadman.ko
This command inserts the module.

5.4 Rebuilding the Deadman Driver 167


Table 8 describes the various scenarios for rebuilding the deadman driver:
Table 8 Rebuilding the Deadman Driver
Should the deadman
Scenario driver be rebuilt? Description

Online OS upgrade between minor Yes You must manually rebuild the deadman driver as the
releases. For example, RHEL 6.1 to OS upgrade process would have updated the kernel.
RHEL 6.2

Fresh installation of the OS No Whenever you install the OS for the first time,
Serviceguard must be installed afresh. This rebuilds
the deadman driver.

Kernel errata only update Yes You must manually rebuild the deadman driver as the
kernel update process would have updated the kernel.

Kernel errata only update No The Serviceguard update (patch) install process
Serviceguard update (patch) rebuilds the deadman driver.
installation

Fresh installation of Serviceguard No The Serviceguard install process rebuilds the deadman
driver.

168 Building an HA Cluster Configuration


6 Configuring Packages and Their Services
Serviceguard packages group together applications and the services and resources they depend
on.
The typical Serviceguard package is a failover package that starts on one node but can be moved
(failed over) to another if necessary. For more information, see What is Serviceguard for Linux?
(page 19), How the Package Manager Works (page 43), andPackage Configuration Planning
(page 104).
You can also create multi-node packages, which run on more than one node at the same time.
System multi-node packages, which run on all the nodes in the cluster, are supported only for
applications supplied by HP.
Creating or modifying a package requires the following broad steps, each of which is described
in the sections that follow:
1. Decide on the packages major characteristics and choose the modules you need to include
(page 169).
2. Generate the package configuration file (page 191).
3. Edit the configuration file (page 193).
4. Verify and apply the package configuration (page 196).
5. Add the package to the cluster (page 198).

NOTE: This is a new process for configuring packages, as of Serviceguard A.11.18. This manual
refers to packages created by this method as modular packages, and assumes that you will use it
to create new packages. It is simpler and more efficient than the older method, allowing you to
build packages from smaller modules, and eliminating the separate package control script and
the need to distribute it manually.
Packages created using Serviceguard A.11.16 or earlier are referred to as legacy packages. If
you need to reconfigure a legacy package (rather than create a new package), see Configuring
a Legacy Package (page 233).
It is also still possible to create new legacy packages by the method described in Configuring a
Legacy Package. If you are using a Serviceguard Toolkit, consult the documentation for that
product.
If you decide to convert a legacy package to a modular package, see Migrating a Legacy Package
to a Modular Package (page 240).
(Parameters that are in the package control script for legacy packages, but in the package
configuration file instead for modular packages, are indicated by (S) in the tables under Optional
Package Modules (page 172)).

6.1 Choosing Package Modules


IMPORTANT: Before you start, you need to do the package-planning tasks described under
Package Configuration Planning (page 104).
To choose the right package modules, you need to decide the following things about the package
you are creating:
What type of package it is; see Types of Package: Failover, Multi-Node, System Multi-Node
(page 170).
Which parameters need to be specified for the package (beyond those included in the base
type, which is normally failover, multi-node, or system-multi-node). See Package Modules
and Parameters (page 171).

6.1 Choosing Package Modules 169


When you have made these decisions, you are ready to generate the package configuration file;
see Generating the Package Configuration File (page 191).

6.1.1 Types of Package: Failover, Multi-Node, System Multi-Node


There are three types of packages:
Failover packages. This is the most common type of package. Failover packages run on one
node at a time. If there is a failure, Serviceguard (or a user) can halt them, and then start them
up on another node selected from the packages configuration list; see node_name (page 176).
To generate a package configuration file that creates a failover package, include-m
sg/failover on the cmmakepkg command line. See Generating the Package Configuration
File (page 191).
Multi-node packages. These packages run simultaneously on more than one node in the cluster.
Failures of package components such as applications, services, generic resource, or subnets,
will cause the package to be halted only on the node on which the failure occurred.
Relocatable IP addresses cannot be assigned to multi-node packages.

IMPORTANT: Multi-node packages must either use a clustered file system such as Red Hat
GFS (Red Hat GFS is not supported in Serviceguard A.11.20.00), or not use shared storage.
To generate a package configuration file that creates a multi-node package, include-m
sg/multi_node on the cmmakepkg command line. See Generating the Package
Configuration File (page 191).
System multi-node packages. System multi-node packages are supported only for applications
supplied by HP.

NOTE: The following parameters cannot be configured for multi-node packages:


failover_policy
failback_policy
ip_subnet
ip_address
Volume groups configured for packages of this type must be activated in shared mode.

For more information about types of packages and how they work, see How the Package Manager
Works (page 43). For information on planning a package, see Package Configuration Planning
(page 104).
When you have decided on the type of package you want to create, the next step is to decide
what additional package-configuration modules you need to include; see Package Modules and
Parameters (page 171).

6.1.2 Differences between Failover and Multi-Node Packages


Note the following important differences in behavior between multi-node and failover packages:
If a multi-node package has auto_run disabled (set to no in the package configuration file)
it will not start when the cluster is started. You can use cmmodpkg to enable package switching

170 Configuring Packages and Their Services


and start the package for the first time. But if you then halt the multi-node package via
cmhaltpkg, it can be re-started only by means of cmrunpkg, not cmmodpkg.
If a multi-node package is halted via cmhaltpkg, package switching is not disabled. This
means that the halted package will start to run on a rebooted node, if it is configured to run
on that node and its dependencies are met.
When a multi-node package is started the first time (either at cluster startup, or subsequently
if auto_run is set to no, and package switching is then enabled) any dependent package
will start on its primary node. But if a multi-node package is halted along with its dependent
packages, and the multi-node package is then restarted, dependent packages which have
had package switching re-enabled will start on the first eligible node on which an instance of
the multi-node package comes up; this may not be the dependent packages primary node.
To ensure that dependent failover packages restart on their primary node if the multi-node
packages they depend on need to be restarted, make sure the dependent packages package
switching is not re-enabled before the multi-node packages are restarted. You can then either
restart the dependent failover packages with cmrunpkg, specifying the node you want them
to start on, or enable package switching for these packages after the multi-node package
startup is complete.

6.1.3 Package Modules and Parameters


The table that follows shows the package modules and the configuration parameters each module
includes. Read this section in conjunction with the discussion under Package Configuration Planning
(page 104).
Use this information, and the parameter explanations that follow (page 174) to decide which modules
(if any) you need to add to the failover, multi-node, or system multi-node module, to create your
package. If you are used to creating legacy packages, you will notice that parameters from the
package control script (or their equivalents) are now in the package configuration file; these
parameters are marked (S) in the table.
You can use cmmakepkg -l (letter l) to see a list of all available modules, including
non-Serviceguard modules such as those supplied in the HP Toolkits.

NOTE: If you are going to create a complex package that contains many modules, you may
want to skip the process of selecting modules, and simply create a configuration file that contains
all the modules:
cmmakepkg -m sg/all $SGCONF/pkg_sg_complex
(The output will be written to $SGCONF/pkg_sg_complex.)

6.1.3.1 Base Package Modules


At least one base module (or default or all, which include the base module) must be specified
on the cmmakepkg command line. Parameters marked with an asterisk (*) are new or changed
as of Serviceguard A.11.18, A.11.19, A.11.20.00, A.11.20.10, or A.11.20.20 (S) indicates
that the parameter (or its equivalent) has moved from the package control script to the package
configuration file for modular packages. See the Package Parameter Explanations (page 174) for
more information.

6.1 Choosing Package Modules 171


Table 9 Base Modules
Module Name Parameters (page) Comments

failover package_name (page 175) * Base module. Use as primary


module_name (page 175) * building block for failover
module_version (page 175) * packages.
package_type (page 175) Cannot be used if package_type
package_description (page 175) * (page 175) is multi_node or
node_name (page 176) system_multi_node
auto_run (page 176)
node_fail_fast_enabled (page 176)
run_script_timeout (page 177)
halt_script_timeout (page 177)
successor_halt_script_timeout (page 178)
*

script_log_file (page 178)


*
operation_sequence (page 178)
log_level (page 178) *
failover_policy (page 178)
failback_policy (page 179)
priority (page 179) *

multi_node package_name (page 175) * Base module. Use as primary


module_name (page 175) * building block for multi-node
module_version (page 175) * packages.
package_type (page 175) Cannot be used if package_type
node_name (page 176) (page 175) is failover or
auto_run (page 176) system_multi_node.
node_fail_fast_enabled (page 176)
run_script_timeout (page 177)
halt_script_timeout (page 177)
*
successor_halt_timeout (page 178)
script_log_file (page 178)
operation_sequence (page 178) *
log_level (page 178) *
priority (page 179) *

system_multi_node package_name (page 175) * Base module. Primary building


module_name (page 175) * block for system multi-node
module_version (page 175) * packages. System multi-node
package_type (page 175) packages are supported only for
node_name (page 176) applications supplied by HP.
auto_run (page 176)
node_fail_fast_enabled (page 176)
run_script_timeout (page 177)
halt_script_timeout (page 177)
*
successor_halt_timeout (page 178)
script_log_file (page 178) *
operation_sequence (page 178) *
log_level (page 178) *
priority (page 179) *

6.1.3.2 Optional Package Modules


Add optional modules to a base module if you need to configure the functions in question.
Parameters marked with an asterisk (*) are new or changed as of Serviceguard A.11.18, A.11.19,
A.11.20.00, A.11.20.10, or A.11.20.20. (S) indicates that the parameter (or its equivalent) has
moved from the package control script to the package configuration file for modular packages.
See the Package Parameter Explanations (page 174) for more information.

172 Configuring Packages and Their Services


Table 10 Optional Modules
Module Name Parameters (page) Comments

dependency dependency_name (page 180) * Add to a base module to create a


dependency_condition (page 180) package that depends on one or
dependency_location (page 180) more other packages.

weight weight_name (page 181) * Add to a base module to create a


weight value (page 181) * package that has weight that will
be counted against a node's
capacity.

monitor_subnet monitored_subnet (page 181) * Add to a base module to configure


monitored_subnet_access (page 182)* subnet monitoring for the package.

package_ip ip_subnet (page 182) * (S) Add to failover module to


ip_subnet_node (page 183) * assign relocatable IP addresses to
ip_address (page 183) * (S) a failover package.

service service_name (page 183) * (S) Add to a base module to create a


service_cmd (page 183) (S) package that runs an application
service_restart (page 184) * (S) or service.
service_fail_fast_enabled (page 184)
service_halt_timeout (page 184)

generic_resource generic_resource_name (page 184) Add to a base module to create a


generic_resource_evaluation_type package with generic resources
(page 185) that can be used to monitor critical
generic_resource_up_criteria (page 185) resources through custom monitors
by configuring them as
user-defined services.
*
volume_group vgchange_cmd (page 186) (S) Add to a base module if the
vg (page 186) (S) package needs to mount file
systems (other than Red Hat GFS)
on LVM volumes.
Red Hat GFS is not supported in
Serviceguard A.11.20.00.

filesystem concurrent_fsck_operations (page 187) (S) Add to a base module to configure


fs_mount_retry_count (page 187) (S) filesystem options for the package.
fs_umount_retry_count (page 187) * (S)
fs_name (page 187) * (S)
fs_directory (page 188) * (S)
fs_type (page 188) (S)
fs_mount_opt (page 189) (S)
fs_umount_opt (page 189) (S)
fs_fsck_opt (page 189) (S)

*
pev pev_ (page 190) Add to a base module to configure
environment variables to be
passed to an external script.
*
external_pre external_pre_script (page 190) Add to a base module to specify
additional programs to be run
before volume groups are
activated while the package is
starting and after they are
deactivated while the package is
halting.
*
external external_script (page 190) Add to a base module to specify
additional programs to be run
during package start and halt time.

6.1 Choosing Package Modules 173


Table 10 Optional Modules (continued)
Module Name Parameters (page) Comments

acp user_name (page 191) Add to a base module to configure


user_host (page 190) Access Control Policies for the
user_role (page 191) package.

all all parameters Use if you are creating a complex


package that requires most or all
of the optional parameters; or if
you want to see the specifications
and comments for all available
parameters.

multi_node_all all parameters that can be used by a multi-node Use if you are creating a
package; includes multi_node, dependency, multi-node package that requires
monitor_subnet, service, volume_group, most or all of the optional
filesystem, pev, external_pre, external, parameters that are available for
and acp modules. this type of package.

default (all parameters) A symbolic link to the all module;


used if a base module is not
specified on the cmmakepkg
command line; see cmmakepkg
Examples (page 192).

pr_cntl Add to a base module to enable


the Persistent Reservation in a
package.

xdc/xdc Use if you are configuring


serviceguard-xdc packages that
require Host-based mirroring in
Extended Distance Cluster
(serviceguard-xdc) environment.
For information about xdc/xdc
module attributes, see HP
Serviceguard Extended Distance
Cluster for Linux A.11.20.20
Deployment Guide.
NOTE: The xdc/xdc module is
compatible only with sg/
failover and is not compatible
with sg/multi_node and sg/
system_multinode.

NOTE: The default form for parameter names in the modular package configuration file is lower
case; for legacy packages the default is upper case. There are no compatibility issues; Serviceguard
is case-insensitive as far as the parameter names are concerned. This manual uses lower case,
unless the parameter in question is used only in legacy packages, or the context refers exclusively
to such a package.

6.1.4 Package Parameter Explanations


Brief descriptions of the package configuration parameters follow.

174 Configuring Packages and Their Services


NOTE: For more information, see the comments in the editable configuration file output by the
cmmakepkg command, and the cmmakepkg (1m) manpage.
If you are going to browse these explanations deciding which parameters you need, you may
want to generate and print out a configuration file that has the comments for all of the parameters;
you can create such a file as follows:
cmmakepkg -m sg/all $SGCONF/sg-all
or simply
cmmakepkg $SGCONF/sg-all
This creates a file $SGCONF/sg-all that contains all the parameters and comments. (See
Understanding the Location of Serviceguard Files (page 135) for the location of $SGCONF on your
version of Linux.)
More detailed instructions for running cmmakepkg are in the next section, Generating the Package
Configuration File (page 191).
See also Package Configuration Planning (page 104).

6.1.4.1 package_name
Any name, up to a maximum of 39 characters, that:
starts and ends with an alphanumeric character
otherwise contains only alphanumeric characters or dot (.), dash (-), or underscore (_)
is unique among package names in this cluster

IMPORTANT: Restrictions on package names in previous Serviceguard releases were less


stringent. Packages whose names do not conform to the above rules will continue to run, but
if you reconfigure them, you will need to change the name; cmcheckconf and cmapplyconf
will enforce the new rules.

6.1.4.2 module_name
The module name. Do not change it. Used in the form of a relative path (for example, sg/
failover) as a parameter to cmmakepkg specify modules to be used in configuring the package.
(The files reside in the $SGCONF/modules directory; see Understanding the Location of
Serviceguard Files (page 135) for the location of $SGCONF on your version of Linux.)
New for modular packages.

6.1.4.3 module_version
The module version. Do not change it.
New for modular packages.

6.1.4.4 package_type
The type can be failover, multi_node, or system multi_node. You can configure only
failover or multi-node packages; see Types of Package: Failover, Multi-Node, System Multi-Node
(page 170).
Packages of one type cannot include the base module for another; for example, if package_type
is failover, the package cannot include the multi_node, or system_multi_node module.

6.1.4.5 package_description
The application that the package runs. This is a descriptive parameter that can be set to any value
you choose, up to a maximum of 80 characters. Default value is Serviceguard Package.

6.1 Choosing Package Modules 175


6.1.4.6 node_name
The node on which this package can run, or a list of nodes in order of priority, or an asterisk (*)
to indicate all nodes. The default is *. For system multi-node packages, you must specify node_name
*.
If you use a list, specify each node on a new line, preceded by the literal node_name, for example:
node_name <node1>
node_name <node2>
node_name <node3>
The order in which you specify the node names is important. First list the primary node name (the
node where you normally want the package to start), then the first adoptive node name (the best
candidate for failover), then the second adoptive node name, followed by additional node names
in order of preference.
In case of a failover, control of the package will be transferred to the next adoptive node name
listed in the package configuration file, or (if that node is not available or cannot run the package
at that time) to the next node in the list, and so on.
If a package is configured with a site_preferred or site_preferred_manual failover
policy and if you want to modify the default NODE_NAME, ensure that the NODE_NAME entries
are grouped by sites. For example, in the following configuration, a package with
site_preferred policy can have NODE_NAME entries in the order node2 , node1 , node 4,
node3 but not node2, node3, node1 and node4.

SITE_NAME A
NODE STATUS STATE
node1 up running
node2 up running

SITE_NAME B
NODE STATUS STATE
node3 up running
node4 up running

IMPORTANT: See Cluster Configuration Parameters (page 90) for important information about
node names.
See About Cross-Subnet Failover (page 130) for considerations when configuring cross-subnet
packages, which are further explained under Cross-Subnet Configurations (page 27).

6.1.4.7 auto_run
Can be set to yes or no. The default is yes.
For failover packages, yes allows Serviceguard to start the package (on the first available node
listed under node_name) on cluster start-up, and to automatically restart it on an adoptive node
if it fails. no prevents Serviceguard from automatically starting the package, and from restarting
it on another node.
This is also referred to as package switching, and can be enabled or disabled while the package
is running, by means of the cmmodpkg command.
auto_run should be set to yes if the package depends on another package, or is depended on;
see About Package Dependencies (page 113).
For system multi-node packages, auto_run must be set to yes. In the case of a multi-node package,
setting auto_run to yes allows an instance to start on a new node joining the cluster; no means
it will not.

6.1.4.8 node_fail_fast_enabled
Can be set to yes or no. The default is no.

176 Configuring Packages and Their Services


yes means the node on which the package is running will be halted (reboot) if the package fails;
no means Serviceguard will not halt the system.
If this parameter is set to yes and one of the following events occurs, Serviceguard will halt the
system (reboot) on the node where the control script fails:
A package subnet fails and no backup network is available
A generic resource fails
Serviceguard is unable to execute the halt function
The start or halt function times out

NOTE: If the package halt function fails with exit 1, Serviceguard does not halt the node,
but sets no_restart for the package, which disables package switching, setting auto_run
(page 176) to no and thereby preventing the package from starting on any adoptive node.
Setting node_fail_fast_enabled to yes prevents Serviceguard from repeatedly trying (and
failing) to start the package on the same node.
Setting node_fail_fast_enabled to yes ensures that the package can fail over to another
node even if the package cannot halt successfully. Be careful when using
node_fail_fast_enabled, as it will cause all packages on the node to halt abruptly. For more
information, see Responses to Failures (page 75) and Responses to Package and Service
Failures (page 77).
For system multi-node packages, node_fail_fast_enabled must be set to yes.

6.1.4.9 run_script_timeout
The amount of time, in seconds, allowed for the package to start; or no_timeout. The default is
no_timeout. The maximum is 4294.
If the package does not complete its startup in the time specified by run_script_timeout,
Serviceguard will terminate it and prevent it from switching to another node. In this case, if
node_fail_fast_enabled is set to yes, the node will be halted (rebooted).
If no timeout is specified (no_timeout), Serviceguard will wait indefinitely for the package to
start.
If a timeout occurs:
Switching will be disabled.
The current node will be disabled from running the package.

NOTE: If no_timeout is specified, and the script hangs, or takes a very long time to complete,
during the validation step (cmcheckconf (1m)), cmcheckconf will wait 20 minutes to allow
the validation to complete before giving up.

6.1.4.10 halt_script_timeout
The amount of time, in seconds, allowed for the package to halt; or no_timeout. The default is
no_timeout. The maximum is 4294.
If the packages halt process does not complete in the time specified by halt_script_timeout,
Serviceguard will terminate the package and prevent it from switching to another node. In this
case, if node_fail_fast_enabled (page 176) is set to yes, the node will be halted (reboot).
If a halt_script_timeout is specified, it should be greater than the sum of all the values set
for service_halt_timeout (page 184) for this package.
If a timeout occurs:

6.1 Choosing Package Modules 177


Switching will be disabled.
The current node will be disabled from running the package.
If a halt-script timeout occurs, you may need to perform manual cleanup. See Chapter 8:
Troubleshooting Your Cluster (page 255).

6.1.4.11 successor_halt_timeout
Specifies how long, in seconds, Serviceguard will wait for packages that depend on this package
to halt, before halting this package. Can be 0 through 4294, or no_timeout. The default is
no_timeout.
no_timeout means that Serviceguard will wait indefinitely for the dependent packages to
halt.
0 means Serviceguard will not wait for the dependent packages to halt before halting this
package.
New as of A.11.18 (for both modular and legacy packages). See also About Package
Dependencies (page 113).

6.1.4.12 script_log_file
The full pathname of the packages log file. The default is$SGRUN/log/<package_name>.log.
(See Understanding the Location of Serviceguard Files (page 135) for more information about
Serviceguard pathnames.) See also log_level.

6.1.4.13 operation_sequence
Defines the order in which the scripts defined by the packages component modules will start up.
See the package configuration file for details.
This parameter is not configurable; do not change the entries in the configuration file.
New for modular packages.

6.1.4.14 log_level
Determines the amount of information printed to stdout when the package is validated, and to
the script_log_file when the package is started and halted. Valid values are 0 through 5,
but you should normally use only the first two (0 or 1); the remainder (2 through 5) are intended
for use by HP Support.
0 - informative messages
1 - informative messages with slightly more detail
2 - messages showing logic flow
3 - messages showing detailed data structure information
4 - detailed debugging information
5 - function call flow
New for modular packages.

6.1.4.15 failover_policy
Specifies how Serviceguard decides where to start the package, or restart it if it fails. Can be set
to configured_node, min_package_node, site_preferred, or
site_preferred_manual. The default is configured_node.

178 Configuring Packages and Their Services


configured_node means Serviceguard will attempt to start the package on the first available
node in the list you provide under node_name (page 176).
min_package_node means Serviceguard will start the package on whichever node in the
node_name list has the fewest packages running at the time.
site_preferred means Serviceguard will try all the eligible nodes on the local SITE before
failing the package over to a node on another SITE. This policy can be configured only in
a Metrocluster with site aware failover configuration; see the documents listed under
Cross-Subnet Configurations (page 27) for more information.
site_preferred_manual means Serviceguard will try to fail the package over to a node
on the local SITE. If there are no eligible nodes on the local SITE, the package will halt with
global switching enabled. You can then restart the package locally, when a local node is
available, or start it on another SITE. This policy can be configured only in a Metrocluster
with site aware failover configuration; see the documents listed under Cross-Subnet
Configurations (page 27) for more information.

NOTE:
For site_preferred or site_preferred_manual failover_policy to be effective
define the policy in the packages running or configured to run on the cluster with more than
one site configured or more than one site nodes.
When site_preferred or site_preferred_manual failover_policy is defined
in a package, cmrunpkg -a option cannot be used to run the package.
This parameter can be set for failover packages only. If this package will depend on another
package or vice versa, see also About Package Dependencies (page 113).

6.1.4.16 failback_policy
Specifies whether or not Serviceguard will automatically move a package that is not running on
its primary node (the first node on its node_name list) when the primary node is once again
available. Can be set to automatic or manual. The default is manual.
manual means the package will continue to run on the current node.
automatic means Serviceguard will move the package to the primary node as soon as that
node becomes available, unless doing so would also force a package with a higher priority
to move.

CAUTION: When the failback_policy is automatic and you set the NODE_NAME to '*',
if you add, delete, or rename a node in the cluster, the primary node for the package might change
resulting in the automatic failover of that package.

NOTE: When the failover_policy is site_preferred or site_preferred_manual,


failback_policy cannot be set to automatic.
This parameter can be set for failover packages only. If this package will depend on another
package or vice versa, see also About Package Dependencies (page 113).

6.1.4.17 priority
Assigns a priority to a failover package whose failover_policy is configured_node. Valid
values are 1 through 3000, or no_priority. The default is no_priority. See also the
dependency_ parameter descriptions (page 180).
priority can be used to satisfy dependencies when a package starts, or needs to fail over or
fail back: a package with a higher priority than the packages it depends on can force those
packages to start or restart on the node it chooses, so that its dependencies are met.

6.1 Choosing Package Modules 179


If you assign a priority, it must be unique in this cluster. A lower number indicates a higher priority,
and a numerical priority is higher than no_priority. HP recommends assigning values in
increments of 20 so as to leave gaps in the sequence; otherwise you may have to shuffle all the
existing priorities when assigning priority to a new package.

IMPORTANT: Because priority is a matter of ranking, a lower number indicates a higher priority
(20 is a higher priority than 40). A numerical priority is higher than no_priority.
New as of A.11.18 (for both modular and legacy packages). See About Package Dependencies
(page 113) for more information.

6.1.4.18 dependency_name
A unique identifier for a particular dependency (see dependency_condition) that must be met
in order for this package to run (or keep running). It must be unique among this package's
dependency_names. The length and formal restrictions for the name are the same as for
package_name (page 175).

IMPORTANT: Restrictions on dependency names in previous Serviceguard releases were less


stringent. Packages that specify dependency_names that do not conform to the above rules will
continue to run, but if you reconfigure them, you will need to change the dependency_name;
cmcheckconf and cmapplyconf will enforce the new rules.
Configure this parameter, along with dependency_condition and dependency_location,
and optionally priority (page 179), if this package depends on another package; for example,
if this package depends on a package named pkg2:
dependency_name pkg2dep
dependency_condition pkg2 = UP
dependency_location same_node
For more information about package dependencies, see About Package Dependencies (page 113).

6.1.4.19 dependency_condition
The condition that must be met for this dependency to be satisfied. As of Serviceguard A.11.18,
the only condition that can be set is that another package must be running.
The syntax is: <package_name> = UP, where <package_name> is the name of the package
depended on. The type and characteristics of the current package (the one we are configuring)
impose the following restrictions on the type of package it can depend on:
If the current package is a multi-node package, <package_name> must identify a multi-node
or system multi-node package.
If the current package is a failover package and its failover_policy (page 178) is
min_package_node, <package_name> must identify a multi-node or system multi-node
package.
If the current package is a failover package and configured_node is its
failover_policy, <package_name> must identify a multi-node or system multi-node
package, or a failover package whose failover_policy is configured_node.
See also About Package Dependencies (page 113).

6.1.4.20 dependency_location
Specifies where the dependency_condition must be met. The only legal value is same_node.

180 Configuring Packages and Their Services


6.1.4.21 weight_name, weight_value
These parameters specify a weight for a package; this weight is compared to a node's available
capacity (defined by the CAPACITY_NAME and CAPACITY_VALUE parameters in the cluster
configuration file) to determine whether the package can run there.
Both parameters are optional, but if weight_value is specified, weight_name must also be
specified, and must come first. You can define up to four weights, corresponding to four different
capacities, per cluster. To specify more than one weight for this package, repeat weight_name
and weight_value.

NOTE: But if weight_name is package_limit, you can use only that one weight and capacity
throughout the cluster. package_limit is a reserved value, which, if used, must be entered
exactly in that form. It provides the simplest way of managing weights and capacities; see Simple
Method (page 121) for more information.
The rules for forming weight_name are the same as those for forming package_name (page 175).
weight_name must exactly match the corresponding CAPACITY_NAME.
weight_value is an unsigned floating-point value between 0 and 1000000 with at most three
digits after the decimal point.
You can use these parameters to override the cluster-wide default package weight that corresponds
to a given node capacity. You can define that cluster-wide default package weight by means of
the WEIGHT_NAME and WEIGHT_DEFAULT parameters in the cluster configuration file (explicit
default). If you do not define an explicit default (that is, if you define a CAPACITY_NAME in the
cluster configuration file with no corresponding WEIGHT_NAME and WEIGHT_DEFAULT), the
default weight is assumed to be zero (implicit default). Configuring weight_name and
weight_value here in the package configuration file overrides the cluster-wide default (implicit
or explicit), and assigns a particular weight to this package.
For more information, see About Package Weights (page 120). See also the discussion of the
relevant parameters under Cluster Configuration Parameters (page 90), in the cmmakepkg
(1m) and cmquerycl (1m) manpages, and in the cluster configuration and package
configuration template files.

6.1.4.22 monitored_subnet
The LAN subnet that is to be monitored for this package. Replaces legacy SUBNET which is still
supported in the package configuration file for legacy packages; see Configuring a Legacy
Package (page 233).
You can specify multiple subnets; use a separate line for each.
If you specify a subnet as a monitored_subnet the package will not run on any node not
reachable via that subnet. This normally means that if the subnet is not up, the package will not
run. (For cross-subnet configurations, in which a subnet may be configured on some nodes and
not on others, see monitored_subnet_access below, ip_subnet_node (page 183), and
About Cross-Subnet Failover (page 130).)
Typically you would monitor the ip_subnet, specifying it here as well as in the ip_subnet
parameter (page 182), but you may want to monitor other subnets as well; you can specify any
subnet that is configured into the cluster (via the STATIONARY_IP parameter in the cluster
configuration file). See Stationary and Relocatable IP Addresses and Monitored Subnets (page 62)
for more information.
If any monitored_subnet fails, Serviceguard will switch the package to any other node specified
by node_name (page 176) which can communicate on all the monitored_subnets defined for
this package. See the comments in the configuration file for more information and examples.

6.1 Choosing Package Modules 181


6.1.4.23 monitored_subnet_access
In cross-subnet configurations, specifies whether each monitored_subnet is accessible on all
nodes in the packages node_name list (page 176), or only some. Valid values are PARTIAL,
meaning that at least one of the nodes has access to the subnet, but not all; and FULL, meaning
that all nodes have access to the subnet. The default is FULL, and it is in effect if
monitored_subnet_access is not specified.
See also ip_subnet_node (page 183) and About Cross-Subnet Failover (page 130).
New for modular packages. For legacy packages, see Configuring Cross-Subnet Failover
(page 239).

6.1.4.24 ip_subnet
Specifies an IP subnet used by the package. Replaces SUBNET, which is still supported in the
package control script for legacy packages.

CAUTION: HP recommends that this subnet be configured into the cluster. You do this in the
cluster configuration file by specifying a HEARTBEAT_IP or STATIONARY_IP under a
NETWORK_INTERFACE on the same subnet, for each node in this package's NODE_NAME list. For
example, an entry such as the following in the cluster configuration file configures subnet
192.10.25.0 (lan1) on node ftsys9:
NODE_NAME ftsys9
NETWORK_INTERFACE lan1
HEARTBEAT_IP 192.10.25.18
SeeCluster Configuration Parameters (page 90) for more information.
If the subnet is not configured into the cluster, Serviceguard cannot manage or monitor it, and in
fact cannot guarantee that it is available on all nodes in the package's node-name list (page 176)
. Such a subnet is referred to as an external subnet, and relocatable addresses on that subnet are
known as external addresses. If you use an external subnet, you risk the following consequences:
If the subnet fails, the package will not fail over to an alternate node.
Even if the subnet remains intact, if the package needs to fail over because of some other type
of failure, it could fail to start on an adoptive node because the subnet is not available on that
node.

For each subnet used, specify the subnet address on one line and, on the following lines, the
relocatable IP addresses that the package uses on that subnet. These will be configured when the
package starts and unconfigured when it halts.
For example, if this package uses subnet 192.10.25.0 and the relocatable IP addresses
192.10.25.12 and 192.10.25.13, enter:
ip_subnet 192.10.25.0
ip_address 192.10.25.12
ip_address 192.10.25.13
If you want the subnet to be monitored, specify it in the monitored_subnet parameter (page 181)
as well.
In a cross-subnet configuration, you also need to specify which nodes the subnet is configured on;
see ip_subnet_node below. See also monitored_subnet_access (page 182) and About
Cross-Subnet Failover (page 130).
This parameter can be set for failover packages only.

182 Configuring Packages and Their Services


6.1.4.25 ip_subnet_node
In a cross-subnet configuration, specifies which nodes an ip_subnet is configured on. If no
ip_subnet_nodes are listed under an ip_subnet, it is assumed to be configured on all nodes
in this packages node_name list (page 176).
Can be added or deleted while the package is running, with these restrictions:
The package must not be running on the node that is being added or deleted.
The node must not be the first to be added to, or the last deleted from, the list of
ip_subnet_nodes for this ip_subnet.
See also monitored_subnet_access (page 182) and About Cross-Subnet Failover (page 130).
New for modular packages. For legacy packages, see Configuring Cross-Subnet Failover
(page 239).

6.1.4.26 ip_address
A relocatable IP address on a specified ip_subnet. Replaces IP, which is still supported in the
package control script for legacy packages.
For more information about relocatable IP addresses, see Stationary and Relocatable IP Addresses
and Monitored Subnets (page 62).
This parameter can be set for failover packages only.

6.1.4.27 service_name
A service is a program or function which Serviceguard monitors as long the package is up.
service_name identifies this function and is used by the cmrunserv and cmhaltserv
commands. You can configure a maximum of 30 services per package and 900 services per
cluster.
The length and formal restrictions for the name are the same as for package_name (page 175).
service_name must be unique among all packages in the cluster.

IMPORTANT: Restrictions on service names in previous Serviceguard releases were less stringent.
Packages that specify services whose names do not conform to the above rules will continue to
run, but if you reconfigure them, you will need to change the name; cmcheckconf and
cmapplyconf will enforce the new rules.
Each service is defined by five parameters: service_name, service_cmd, service_restart,
service_fail_fast_enabled, and service_halt_timeout. See the descriptions that
follow.
The following is an example of fully defined service:
service_name patricks-package4-ping]
service_cmd "/usr/sbin/ping hasupt22"
service_restart unlimited
service_fail_fast_enabled no
service_halt_timeout 300
See the package configuration template file for more examples.
For legacy packages, this parameter is in the package control script as well as the package
configuration file.

6.1.4.28 service_cmd
The command that runs the program or function for this service_name, for example,
/usr/bin/X11/xclock -display 15.244.58.208:0
An absolute pathname is required; neither the PATH variable nor any other environment variable
is passed to the command. The default shell is /bin/sh.

6.1 Choosing Package Modules 183


NOTE: Be careful when defining service run commands. Each run command is executed in the
following way:
The cmrunserv command executes the run command.
Serviceguard monitors the process ID (PID) of the process the run command creates.
When the command exits, Serviceguard determines that a failure has occurred and takes
appropriate action, which may include transferring the package to an adoptive node.
If a run command is a shell script that runs some other command and then exits, Serviceguard
will consider this normal exit as a failure.
Make sure that each run command is the name of an actual service and that its process remains
alive until the actual service stops. One way to manage this is to configure a package such that
the service is actually a monitoring program that checks the health of the application that constitutes
the main function of the package, and exits if it finds the application has failed. The application
itself can be started by an external_script (page 190).

This parameter is in the package control script for legacy packages.

6.1.4.29 service_restart
The number of times Serviceguard will attempt to re-run the service_cmd. Valid values are
unlimited, none or any positive integer value. Default is none.
If the value is unlimited, the service will be restarted an infinite number of times. If the value is
none, the service will not be restarted.
This parameter is in the package control script for legacy packages.

6.1.4.30 service_fail_fast_enabled
Specifies whether or not Serviceguard will halt the node (reboot) on which the package is running
if the service identified by service_name fails. Valid values are yes and no. Default is no,
meaning that failure of this service will not cause the node to halt.

6.1.4.31 service_halt_timeout
The length of time, in seconds, Serviceguard will wait for the service to halt before forcing
termination of the services process. The maximum value is 4294.
The value should be large enough to allow any cleanup required by the service to complete.
If no value is specified, a zero timeout will be assumed, meaning that Serviceguard will not wait
any time before terminating the process.

6.1.4.32 generic_resource_name
Defines the logical name used to identify a generic resource in a package. This name corresponds
to the generic resource name used by the cmgetresource(1m) and cmsetresource(1m)
commands.
Multiple generic_resource_name entries can be specified in a package.
The length and formal restrictions for the name are the same as for package_name (page 175).
Each name must be unique within a package, but a single resource can be specified across multiple
packages.
You can configure a maximum of 100 generic resources per cluster.
Each generic resource is defined by three parameters:

184 Configuring Packages and Their Services


generic_resource_name
generic_resource_evaluation_type
generic_resource_up_criteria
See the descriptions that follow.
The following is an example of defining generic resource parameters:
generic_resource_name cpu_monitor
generic_resource_evaluation_type during_package_start
generic_resource_up_criteria <50
See the package configuration file for more examples.

6.1.4.33 generic_resource_evaluation_type
Defines when the status of a generic resource is evaluated.
Valid values are during_package_start and before_package_start. The default is
during_package_start.
The resources that will be available during the course of start of the package must be configured
with an evaluation_type as during_package_start.
Monitoring for these generic resources can be started and stopped as a part of the package, and
the monitoring script can be configured as a service. This can be achieved by configuring a
service_name and a service_cmd containing the full path name of the monitoring
executable/script. The monitoring of the generic resource starts only when the monitoring scripts
are started and not at the start of the package.
For information on monitoring scripts, see Monitoring Script for Generic Resources (page 303).
If there is a common generic resource that needs to be monitored as a part of multiple packages,
then the monitoring script for that resource can be launched as part of one package and all other
packages can use the same monitoring script. There is no need to launch multiple monitors for a
common resource. If the package that has started the monitoring script fails or is halted, then all
the other packages that are using this common resource also fail.
These resources will usually be of the evaluation_type before_package_start and it is
recommended to configure the monitoring script in a multi-node package.
These resources must be available (status must be 'up') in order to start the package and the
monitoring scripts for these resources must be configured outside of the application package.

6.1.4.34 generic_resource_up_criteria
Defines a criterion to determine whether the status of a generic resource identified by
generic_resource_name is up.
Attribute requires a logical operator and a value. The operators ==, !=, >, <, >=, and <= are
allowed. Values must be positive integer values ranging from 1 to 2147483647.

6.1 Choosing Package Modules 185


NOTE: Operators other than the ones mentioned above are not supported. This attribute does
not accept more than one up criterion. For example, >> 10, << 100 are not valid.
Though values ranging from 1 to 2147483647 can be entered with the above mentioned operators,
the below four conditions are not allowed to be set:
< 1, > 2147483647, >= 1 and <= 2147483647
This is because:
If you specify generic_resource_up_criteria < 1 or > 2147483647, for the status
of a resource to be 'up' you cannot enter values to satisfy the up_criteria condition. Hence,
the resource can never be 'up'.
Similarly, if you specify generic_resource_up_criteria >= 1 or <= 2147483647,
the status will always be 'up' as the criteria is always met. You cannot enter values to dissatisfy
the up_criteria to bring the resource status to 'down'.

generic_resource_up_criteria is an optional attribute. It determines whether a given


generic resource is a simple generic resource or an extended generic resource.
It is not specified for a simple resource, but is required for an extended resource.
A single package can contain both simple and extended resources.
A given resource cannot be configured as a simple generic resource in one package and as
an extended generic resource in another package. It must be either simple or extended in all
packages.
A single package can have a combination of generic resources of evaluation type
before_package_start and during_package_start.

6.1.4.35 vgchange_cmd
Replaces VGCHANGE, which is still supported for legacy packages; see Configuring a Legacy
Package (page 233). Specifies the method of activation for each Logical Volume Manager (LVM)
volume group identified by a vg entry.
The default is vgchange -a y.

6.1.4.36 vg
Specifies an LVM volume group (one per vg, each on a new line) on which a file system (other
than Red Hat GFS; see fs_type) needs to be mounted. A corresponding vgchange_cmd (see
above) specifies how the volume group is to be activated. The package script generates the
necessary filesystem commands on the basis of the fs_ parameters (see File system parameters
).

6.1.4.37 File system parameters


A package can activate one or more storage groups on startup, and to mount logical volumes to
file systems. At halt time, the package script unmounts the file systems and deactivates each storage
group. All storage groups must be accessible on each target node.
For each file system (fs_name) you specify in the package configuration file, you must identify a
logical volume, the mount point, the mount, umount and fsck options, and the type of the file
system; for example:
fs_name /dev/vg01/lvol1
fs_directory /pkg01aa
fs_mount_opt "-o rw"
fs_umount_opt ""

186 Configuring Packages and Their Services


fs_fsck_opt ""
fs_type "ext3"
A logical volume must be built on an LVM volume group. Logical volumes can be entered in any
order.
A gfs file system can be configured using only the fs_name, fs_directory, and
fs_mount_opt parameters; see the configuration file for an example. Additional rules apply for
gfs as explained under fs_type.

NOTE: Red Hat GFS is not supported in Serviceguard A.11.20.00.


For an NFS-imported file system, see the discussion under fs_name (page 187) and fs_server
(page 188).
The parameter explanations that follow provide more detail.

6.1.4.38 concurrent_fsck_operations
The number of concurrent fsck operations allowed on file systems being mounted during package
startup. Not used for Red Hat GFS (see fs_type).
Legal value is any number greater than zero. The default is 1.
If the package needs to run fsck on a large number of file systems, you can improve performance
by carefully tuning this parameter during testing (increase it a little at time and monitor performance
each time).

6.1.4.39 fs_mount_retry_count
The number of mount retries for each file system. Legal value is zero or any greater number. The
default is zero. The only valid value for Red Hat GFS (see fs_type) is zero. Red Hat GFS is not
supported in Serviceguard A.11.20.00.
If the mount point is busy at package startup and fs_mount_retry_count is set to zero, package
startup will fail.
If the mount point is busy and fs_mount_retry_count is greater than zero, the startup script
will attempt to kill the user process responsible for the busy mount point (fuser -ku) and then
try to mount the file system again. It will do this the number of times specified by
fs_mount_retry_count.
If the mount still fails after the number of attempts specified by fs_mount_retry_count, package
startup will fail.
This parameter is in the package control script for legacy packages.

6.1.4.40 fs_umount_retry_count
The number of umount retries for each file system. Replaces FS_UMOUNT_COUNT, which is still
supported in the package control script for legacy packages; see Configuring a Legacy Package
(page 233).
Legal value is 1 or (for filesystem types other than Red Hat GFS) any greater number. The default
is 1. Operates in the same way as fs_mount_retry_count.

6.1.4.41 fs_name
This parameter, in conjunction with fs_directory, fs_type, fs_mount_opt,
fs_umount_opt, and fs_fsck_opt, specifies a filesystem that is to be mounted by the package.
Replaces LV, which is still supported in the package control script for legacy packages.
fs_name must specify the block devicefile for a logical volume.

6.1 Choosing Package Modules 187


For an NFS-imported file system, the additional parameters required are fs_server,
fs_directory, fs_type, and fs_mount_opt; see fs_server (page 188) for an example.

CAUTION: Before configuring an NFS-imported file system into a package, make sure you have
read and understood the rules and guidelines under Planning for NFS-mounted File Systems
(page 106), and configured the cluster parameter CONFIGURED_IO_TIMEOUT_EXTENSION,
described under Cluster Configuration Parameters (page 90).
File systems are mounted in the order you specify in the package configuration file, and unmounted
in the reverse order.
See File system parameters (page 186) and the comments in the FILESYSTEMS section of the
configuration file for more information and examples. See also Volume Manager Planning
(page 85), and the mount manpage.

NOTE: For filesystem types other than Red Hat GFS (see fs_type), a volume group must be
defined in this file (using vg; see (page 186)) for each logical volume specified by an fs_name
entry.

6.1.4.42 fs_server
The name or IP address (IPv4 or IPv6) of the NFS server for an NFS-imported file system. In this
case, you must also set fs_type to nfs, fs_mount_opt to -o llock on HPUX , and -o
local_lock = all on Linux. fs_name specifies the directory to be imported from fs_server,
and fs_directory specifies the local mount point.
For example:
fs_name /var/opt/nfs/share1
fs_server wagon
fs_directory /nfs/mnt/share1
fs_type nfs
#fs_mount_opt o local_lock =all
#fs_umount_opt
#fs_fsck_opt

NOTE: fs_umount_opt is optional and fs_fsck_opt is not used for an NFS-imported file
system. (Both are left commented out in this example.)

6.1.4.43 fs_directory
The root of the file system specified by fs_name. Replaces FS, which is still supported in the
package control script for legacy packages; see Configuring a Legacy Package (page 233).
See the mount manpage and the comments in the configuration file for more information.

6.1.4.44 fs_type
The type of the file system specified by fs_name. This parameter is in the package control script
for legacy packages.
For an NFS-imported file system, this must be set to nfs. See the example under fs_server
(page 188).
Table 11 lists the supported file system types and platforms.

188 Configuring Packages and Their Services


Table 11 File System Types and Platforms
File system type Supported platform

ext3 Red Hat Enterprise Linux 5


Red Hat Enterprise Linux 6
SUSE Linux Enterprise Server 11

ext4 Red Hat Enterprise Linux 51


Red Hat Enterprise Linux 6

XFS Red Hat Enterprise Linux 6


SUSE Linux Enterprise Server 11
1
This is supported from SGLX_00354.tar.shar patch and later.

Supported types are ext3, XFS file system (on Red Hat Enterprise Linux 6 and
later, and SUSE Linux Enterprise Server 11), ext4 (on Red Hat Enterprise
Linux 5 and later), reiserfs, and gfs.
Red Hat GFS and reiserfs are not supported in Serviceguard A.11.20.00 version.

WARNING! ext4 file system has a delayed allocation mechanism. Hence, the behavior of
writing files to disk is different from ext3. Unlike ext3, the ext4 file system does not write data
to disk on committing the transaction, so it takes longer for the data to be written to the disk. Your
program must use data integrity calls such as fsync() to ensure that data is written to the disk.

NOTE: A package using gfs (Red Hat Global File System, or GFS) cannot use any other file
systems of a different type. vg and vgchange_cmd (page 186) are not valid for GFS file systems.
For more information about using GFS with Serviceguard, see Clustering Linux Servers with the
Concurrent Deployment of HP Serviceguard for Linux and Red Hat Global File Systems for RHEL5
at http://www.hp.com/go/linux-serviceguard-docs.
See also concurrent_fsck_operations (page 187), fs_mount_retry_count and
fs_umount_retry_count (page 187), and fs_fsck_opt (page 189).

See the comments in the package configuration file template for more information.

6.1.4.45 fs_mount_opt
The mount options for the file system specified by fs_name. See the comments in the configuration
file for more information. This parameter is in the package control script for legacy packages.

6.1.4.46 fs_umount_opt
The umount options for the file system specified by fs_name. See the comments in the configuration
file for more information. This parameter is in the package control script for legacy packages.

6.1.4.47 fs_fsck_opt
The fsck options for the file system specified by fs_name. Not used for Red Hat GFS (Red Hat
GFS is not supported in Serviceguard A.11.20.00) (see fs_type). This parameter is in the package
control script for legacy packages.

NOTE: A package using XFS file system must use xfs_repair command options as fsck
command on XFS does not work.
For more information, see the fsck and xfs_repair manpage, and the comments in the
configuration file.

6.1 Choosing Package Modules 189


6.1.4.48 pv
Physical volume on which persistent reservations (PR) will be made if the device supports it.

IMPORTANT: This parameter is for use only by HP partners, who should follow the instructions
in the package configuration file.
For information about Serviceguard's implementation of PR, see About Persistent Reservations
(page 72).

6.1.4.49 pev_
Specifies a package environment variable that can be passed to external_pre_script,
external_script, or both, by means of the cmgetpkgenv command. New for modular
packages.
The variable name must be in the form pev_<variable_name> and contain only alphanumeric
characters and underscores. The letters pev (upper-case or lower-case) followed by the underscore
(_) are required.
The variable name and value can each consist of a maximum of MAXPATHLEN characters (4096
on Linux systems).
You can define more than one variable. See About External Scripts (page 127), as well as the
comments in the configuration file, for more information.

6.1.4.50 external_pre_script
The full pathname of an external script to be executed before volume groups and disk groups are
activated during package startup, and after they have been deactivated during package shutdown;
that is, effectively the first step in package startup and last step in package shutdown. New for
modular packages.
If more than one external_pre_script is specified, the scripts will be executed on package
startup in the order they are entered into the package configuration file, and in the reverse order
during package shutdown.
See About External Scripts (page 127), as well as the comments in the configuration file, for more
information and examples.

6.1.4.51 external_script
The full pathname of an external script. This script is often the means of launching and halting the
application that constitutes the main function of the package. New for modular packages.
The script is executed on package startup after volume groups and file systems are activated and
IP addresses are assigned, but before services are started; and during package shutdown after
services are halted but before IP addresses are removed and volume groups and file systems
deactivated.
If more than one external_script is specified, the scripts will be executed on package startup
in the order they are entered into this file, and in the reverse order during package shutdown.
See About External Scripts (page 127), as well as the comments in the configuration file, for more
information and examples. See also service_cmd (page 183).

6.1.4.52 user_host
The system from which a user specified by user_name (page 191) can execute
package-administration commands.
Legal values are any_serviceguard_node, or cluster_member_node, or a specific cluster
node. If you specify a specific node it must be the official hostname (the hostname portion, and

190 Configuring Packages and Their Services


only the hostname portion, of the fully qualified domain name). As with user_name, be careful
to spell the keywords exactly as given.

6.1.4.53 user_name
Specifies the name of a user who has permission to administer this package. See also user_host
(page 190) and user_role; these three parameters together define the access control policy for
this package (see Controlling Access to the Cluster (page 158)). These parameters must be defined
in this order: user_name, user_host, user_role.
Legal values for user_name are any_user or a maximum of eight login names from /etc/
passwd on user_host.

NOTE: Be careful to spell any_user exactly as given; otherwise Serviceguard will interpret it
as a user name.
Note that the only user_role that can be granted in the package configuration file is
package_admin for this particular package; you grant other roles in the cluster configuration
file. See Setting up Access-Control Policies (page 160) for further discussion and examples.

6.1.4.54 user_role
Must be package_admin, allowing the user access to the cmrunpkg, cmhaltpkg, and cmmodpkg
commands (and the equivalent functions in Serviceguard Manager) and to the monitor role for
the cluster. See Controlling Access to the Cluster (page 158) for more information.

6.1.4.55 Additional Parameters Used Only by Legacy Packages

IMPORTANT: The following parameters are used only by legacy packages. Do not try to use
them in modular packages. See Creating the Legacy Package Configuration (page 233) for more
information.
PATH Specifies the path to be used by the script.
SUBNET Specifies the IP subnets that are to be monitored for the
package.
RUN_SCRIPTand HALT_SCRIPT Use the full pathname of each script.
These two parameters allow you to separate package run
instructions and package halt instructions for legacy
packages into separate scripts if you need to. In this case,
make sure you include identical configuration information
(such as node names, IP addresses, etc.) in both scripts.
In most cases, though, HP recommends that you use the
same script for both run and halt instructions. (When the
package starts, the script is passed the parameter start;
when it halts, it is passed the parameter stop.)
LV The name of a logical volume hosting a file system that will
be mounted by the package.
FS The name of the mount point for a file system to be mounted
by the package.
VGCHANGE As vgchange_cmd (page 186).

6.2 Generating the Package Configuration File


When you have chosen the configuration modules your package needs (see Choosing Package
Modules (page 169)), you are ready to generate a package configuration file that contains those

6.2 Generating the Package Configuration File 191


modules. This file will consist of a base module (failover, multi-node or system multi-node) plus the
modules that contain the additional parameters you have decided to include.

6.2.1 Before You Start


Before you start building a package, create a subdirectory for it in the $SGCONF directory, for
example:
mkdir $SGCONF/pkg1
(See Understanding the Location of Serviceguard Files (page 135) for information about
Serviceguard pathnames.)

6.2.2 cmmakepkg Examples


The cmmakepkg command generates a package configuration file. Some examples follow; see
the cmmakepkg (1m) manpage for complete information. All the examples create an editable
configuration file pkg1.conf in the $SGCONF/pkg1 directory.

NOTE: If you do not include a base module (or default or all) on the cmmakepkg command
line, cmmakepkg will ignore the modules you specify and generate a default configuration file
containing all the parameters.
For a complex package, or if you are not yet sure which parameters you will need to set, the
default may be the best choice; see the first example below.
You can use the-v option with cmmakepkg to control how much information is displayed online
or included in the configuration file. Valid values are 0, 1 and 2. -v 0 removes all comments; -v
1 includes a brief heading for each parameter; -v 2 provides a full description of each parameter.
The default is level 2.

To generate a configuration file that contains all the optional modules:


cmmakepkg $SGCONF/pkg1/pkg1.conf

To create a generic failover package (that could be applied without editing):


cmmakepkg -n pkg1 -m sg/failover $SGCONF/pkg1/pkg1.conf

To generate a configuration file for a failover package that uses relocatable IP addresses and
runs an application that requires file systems to be mounted at run time (enter the command
all on one line):
cmmakepkg -m sg/failover -m sg/package_ip -m sg/service -m
sg/filesystem -m sg/volume_group $SGCONF/pkg1/pkg1.conf

To generate a configuration file adding the generic resources module to an existing


package (enter the command all on one line):
cmmakepkg -i $SGCONF/pkg1/pkg1.conf -m sg/generic_resource

To generate a configuration file for a failover package that runs an application that requires
another package to be up (enter the command all on one line):
cmmakepkg -m sg/failover -m sg/dependency -m sg/service
$SGCONF/pkg1/pkg1.conf

To generate a configuration file adding the services module to an existing package (enter
the command all on one line):
cmmakepkg -i $SGCONF/pkg1/pkg1.conf -m sg/service
$SGCONF/pkg1/pkg1_v2.conf

NOTE: You can add more than one module at a time.

192 Configuring Packages and Their Services


To generate a configuration file adding the Persistent Reservation module to an existing
package:
cmmakepkg -i $SGCONF/pkg1/pkg1.conf -m sg/pr_cntl

To create a serviceguard-xdc package in serviceguard-xdc environment:


cmmakepkg -m sg/all -m xdc/xdc pkg_xdc.conf
cmcheckconf -P pkg_xdc.conf
cmapplyconf -P pkg_xdc.conf

6.2.3 Next Step


The next step is to edit the configuration file you have generated; see Editing the Configuration
File (page 193).

6.3 Editing the Configuration File


When you have generated the configuration file that contains the modules your package needs
(see Generating the Package Configuration File (page 191)), you need to edit the file to set the
package parameters to the values that will make the package function as you intend.
It is a good idea to configure complex failover packages in stages, as follows:
1. Configure volume groups and mount points only.
2. Check and apply the configuration; see Verifying and Applying the Package Configuration
(page 196).
3. Run the package and ensure that it can be moved from node to node.

NOTE: cmcheckconf and cmapplyconf check for missing mount points, volume groups,
etc.

4. Halt the package.


5. Configure package IP addresses and application services.
6. Run the package and ensure that applications run as expected and that the package fails over
correctly when services are disrupted. See Testing the Package Manager (page 255).
Use the following bullet points as a checklist, referring to the Package Parameter Explanations
(page 174), and the comments in the configuration file itself, for detailed specifications for each
parameter.

NOTE: Optional parameters are commented out in the configuration file (with a # at the beginning
of the line). In some cases these parameters have default values that will take effect unless you
uncomment the parameter (remove the #) and enter a valid value different from the default. Read
the surrounding comments in the file, and the explanations in this chapter, to make sure you
understand the implications both of accepting and of changing a given default.
In all cases, be careful to uncomment each parameter you intend to use and assign it the value
you want it to have.

package_name. Enter a unique name for this package. Note that there are stricter formal
requirements for the name as of A.11.18.
package_type. Enter failover or multi_node. ( system_multi_node is reserved
for special-purpose packages supplied by HP.) Note that there are restrictions
if another package depends on this package; see About Package Dependencies (page 113).
See Types of Package: Failover, Multi-Node, System Multi-Node (page 170) for more
information.

6.3 Editing the Configuration File 193


node_name. Enter the name of each cluster node on which this package can run, with a
separate entry on a separate line for each node.
auto_run. For failover packages, enter yes to allow Serviceguard to start the package on
the first available node specified by node_name, and to automatically restart it later if it fails.
Enter no to keep Serviceguard from automatically starting the package.
node_fail_fast_enabled. Enter yes to cause the node to be halted (system halt) if the
package fails; otherwise enter no.
run_script_timeout and halt_script_timeout. Enter the number of seconds
Serviceguard should wait for package startup or shutdown, respectively, to complete; or leave
the default, no_timeout. See (page 177).
successor_halt_timeout. Used if other packages depend on this package; see About
Package Dependencies (page 113).
script_log_file (page 178).
log_level (page 178).
failover_policy (page 178). Enter configured_node or min_package_node.
(This parameter can be set for failover packages only.)
failback_policy (page 179) . Enter automatic or manual.
(This parameter can be set for failover packages only.)
If this package will depend on another package or packages, enter values for
dependency_name, dependency_condition, dependency_location, and optionally
priority.
See About Package Dependencies (page 113) for more information.

NOTE: The package(s) this package depends on must already be part of the cluster
configuration by the time you validate this package (via cmcheckconf; see Verifying and
Applying the Package Configuration (page 196)); otherwise validation will fail.

To configure package weights, use the weight_name and weight_value parameters


(page 181). See About Package Weights (page 120) for more information.
Use monitored_subnet to specify a subnet to be monitored for this package. If there are
multiple subnets, repeat the parameter as many times as needed, on a new line each time.
In a cross-subnet configuration, configure the additional monitored_subnet_access
parameter for each monitored_subnet as necessary; see About Cross-Subnet Failover
(page 130) for more information.
If your package will use relocatable IP addresses, enter the ip_subnet and ip_address
addresses. See the parameter descriptions (page 182) for rules and restrictions.
In a cross-subnet configuration, configure the additional ip_subnet_node parameter for
each ip_subnet as necessary; see About Cross-Subnet Failover (page 130) for more
information.
For each service the package will run:

enter the service_name (for example, a daemon or long-running process)

enter the service_cmd (for example, the command that starts the process)

194 Configuring Packages and Their Services


enter values for service_fail_fast_enabled and service_halt_timeout if
you need to change them from their defaults.
service_restart if you want the package to restart the service if it exits. (A value of
unlimited can be useful if you want the service to execute in a loop, rather than exit
and halt the package.)
Include a service entry for disk monitoring if the package depends on monitored disks. Use
entries similar to the following:
service_name=cmresserviced_Pkg1
service_cmd=$SGBIN/cmresserviced /dev/sdd1
service_restart=
See Creating a Disk Monitor Configuration (page 198) for more information.
To monitor a crucial resource as part of a package using generic resources, enter values for
the following parameters (page 184):
generic_resource_name to identify the generic resource in a package.

generic_resource_evaluation_type to define whether the status of the generic


resource must be evaluated during or before the package is started.
generic_resource_up_criteria to determine the status of a generic resource
based on the specified criterion.
See Configuring a Generic Resource (page 109) for more information.

If the package needs to activate LVM volume groups, configure vgchange_cmd, or leave the
default.
If the package needs to mount LVM volumes to file systems (other than Red Hat GFS; see
fs_type (page 188)), use the vg parameters to specify the names of the volume groups to be
activated, and select the appropriate vgchange_cmd.
Use the fs_ parameters (page 187) to specify the characteristics of file systems and how and
where to mount them. See the comments in the FILESYSTEMS section of the configuration
file for more information and examples.
Enter each volume group on a separate line, for example:
vg vg01
vg vg02

If your package mounts large number of file systems, consider increasing the values of the
following parameters:
concurrent_fsck_operationsspecifies the number of parallel fsck operations
that will be allowed at package startup (not used for Red Hat GFS).
Red Hat GFS is not supported in Serviceguard A.11.20.00.

Specify the filesystem mount and unmount retry options. For Red Hat GFS (see fs_type
(page 188)), use the default (zero).
You can use the pev_ parameter to specify a variable to be passed to external scripts. Make
sure the variable name begins with the upper-case or lower-case letters pev and an underscore
( _). You can specify more than one variable. See About External Scripts (page 127), and
the comments in the configuration file, for more information.
If you want the package to run an external pre-script during startup and shutdown, use the
external_pre_script parameter (see (page 190)) to specify the full pathname of the script,
for example, $SGCONF/pkg1/pre_script1.

6.3 Editing the Configuration File 195


If the package will run an external script, use the external_script parameter (see
(page 190)) to specify the full pathname of the script, for example, $SGCONF/pkg1/script1.
See About External Scripts (page 127), and the comments in the configuration file, for more
information.
Configure the Access Control Policy for up to eight specific users or any_user.
The only user role you can configure in the package configuration file is package_admin
for the package in question. Cluster-wide roles are defined in the cluster configuration file.
See Setting up Access-Control Policies (page 160) for more information.

6.4 Adding or Removing a Module from an Existing Package


To add a module to an existing package, use the cmmakepkg command to generate a new
configuration file. Then, include the parameters of the new module to the existing package
configuration file and re-apply the package configuration.
For example, to add an external_script module to an existing package, say pkg1:
1. Obtain a copy of the package configuration file:
cmgetconf -p pkg1 pkg1.conf
2. Generate a new configuration file adding the external_script module to the existing
package pkg1:
cmmakepkg -i pkg1.conf -m sg/external_script pkg1_v2.conf
3. Edit the package configuration file and specify the external_script parameter.
4. Re-apply the package configuration:
cmapplyconf -P pkg1_v2.conf
To remove a module from an existing package, use the cmmakepkg command to generate a new
configuration file excluding the module that you want to remove. Then, copy the remaining package
attributes from the old configuration file to the new configuration file and re-apply the package
configuration.

6.5 Verifying and Applying the Package Configuration


Serviceguard checks the configuration you enter and reports any errors.
Use a command such as the following to verify the content of the package configuration file you
have created, for example:
cmcheckconf -v -P $SGCONF/pkg1/pkg1.conf
Errors are displayed on the standard output. If necessary, re-edit the file to correct any errors, then
run cmcheckconf again until it completes without errors.
The following items are checked:
Package name is valid, and at least one node_name entry is included.
There are no duplicate parameter entries (except as permitted for multiple volume groups,
etc).
Values for all parameters are within permitted ranges.
Configured resources are available on cluster nodes.
File systems and volume groups are valid.
Services are executable.
Any package that this package depends on is already be part of the cluster configuration.

196 Configuring Packages and Their Services


For more information, see the manpage for cmcheckconf (1m) and Verifying Cluster and
Package Components (page 208).
When cmcheckconf has completed without errors, apply the package configuration, for example:
cmapplyconf -P $SGCONF/pkg1/pkg1.conf
This adds the package configuration information to the binary cluster configuration file in the
$SGCONF directory and distributes it to all the cluster nodes.

NOTE: For modular packages, you now need to distribute any external scripts identified by the
external_pre_script and external_script parameters.
But, if you are accustomed to configuring legacy packages, note that you do not have to create a
separate package control script for a modular package, or distribute it manually. (You do still have
to do this for legacy packages; see Configuring a Legacy Package (page 233).)

6.6 Alert Notification for Serviceguard Environment


Alert notification enhances Serviceguard capability by sending e-mail notification to configured
e-mail addresses in case of predefined set of events. E-mail addresses can be configured by editing
the email_id parameter in the package configuration file. This feature is applicable on Oracle,
NFS, Enterprise Database Postgres Plus Advanced Server (EDB PPAS) and Sybase Toolkits, and
serviceguard-xdc packages.

NOTE: This feature is supported only on modular style package and is not supported on legacy
style package.

Oracle and NFS Toolkits Environment


For information about alert notification on Oracle and NFS toolskits environment, see the following
documents at http://www.hp.com/go/linux-serviceguard-docs:
HP Serviceguard Toolkit for Oracle version A.05.01.10 on Linux User Guide
HP Serviceguard Toolkit for NFS version A.03.03.10 on Linux User Guide

serviceguard-xdc Environment
By default, this parameter is commented and is present in the package configuration file for the
serviceguard-xdc packages.
The email_id parameter must be used to provide e-mail addresses of the serviceguard-xdc alert
notification recipients. Each email_id parameter can have one of the following values:
A complete e-mail address
An alias
A distribution list
You can also include multiple recipients by repeating the email_id address.
The serviceguard-xdc package can send an alert e-mail:
when a mirror half of the MD device becomes inaccessible
when raid_monitor service cannot add back a mirror half of the MD device after the mirror
half becomes accessible.
For example, consider the following scenario:
If the xdcpkg package is running on node1 and the MD device configured in xdcpkg package
is /dev/md0. /dev/hpdev/my_disk1 and /dev/hpdev/my_disk2 are the mirror halves of
the MD /dev/md0, and for some reason /dev/hpdev/my_disk2 becomes inaccessible. If the

6.6 Alert Notification for Serviceguard Environment 197


email_id specified in the package configuration file is [email protected]. The following e-mail
notification is sent to [email protected]:
Date: Tue, 9 Oct 2012 23:18:01 -0700
From: root <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
Subject: Serviceguard Alert: Package xdcpkg has lost access to my_disk2 of md0 on node1

Hi,

There seems to be an issue in the package xdcpkg in your Serviceguard cluster.


For more information, check the package and system logs of node1.hp.com.

Time of failure : Tue Oct 9 23:18:01 PDT 2012


Cluster Name : node1_cluster
Node name : node1.hp.com
Location of package log: /usr/local/cmcluster/run/log/xdcpkg.log

The mirror half /dev/hpdev/my_disk2 of MD device /dev/md0, which is configured in package xdcpkg, is not
accessible from node node1. Please rectify the issue.
Thanks.

6.7 Adding the Package to the Cluster


You can add the new package to the cluster while the cluster is running, subject to the value of
max_configured_packages in the cluster configuration file. See Adding a Package to a
Running Cluster (page 242).

6.8 Creating a Disk Monitor Configuration


Serviceguard provides disk monitoring for the shared storage that is activated by packages in the
cluster. The monitor daemon on each node tracks the status of all the disks on that node that you
have configured for monitoring.
The configuration must be done separately for each node in the cluster, because each node monitors
only the group of disks that can be activated on that node, and that depends on which packages
are allowed to run on the node.
To set up monitoring, include a monitoring service in each package that uses disks you want to
track. Remember that service names must be unique across the cluster; you can use the package
name in combination with the string cmresserviced. The following shows an entry in the package
configuration file for pkg1:
service_name cmresserviced_pkg1
service_fail_fast_enabled yes
service_halt_timeout 300
service_cmd "cmresserviced /dev/sdd1 /dsv/sde1"
service_restart none

CAUTION: Because of a limitation in LVM, service_fail_fast_enabled must be set to


yes, forcing the package to fail over to another node if it loses its storage.

NOTE: The service_cmd entry must include the cmresserviced command.


It is also important to set service_restart to none.

198 Configuring Packages and Their Services


7 Cluster and Package Maintenance
This chapter describes the cmviewcl command, then shows how to start and halt a cluster or an
individual node, how to perform permanent reconfiguration, and how to start, halt, move, and
modify packages during routine maintenance of the cluster. Topics are as follows:
Reviewing Cluster and Package Status
Managing the Cluster and Nodes (page 211)
Managing Packages and Services (page 217)
Reconfiguring a Cluster (page 225)
Configuring a Legacy Package (page 233)
Reconfiguring a Package (page 240)
Responding to Cluster Events (page 253)
Single-Node Operation (page 253)
Removing Serviceguard from a System (page 254)

7.1 Reviewing Cluster and Package Status


You can check the status using Serviceguard Manager, or from a cluster nodes command line.

7.1.1 Reviewing Cluster and Package Status with the cmviewcl Command
Information about cluster status is stored in the status database, which is maintained on each
individual node in the cluster. You can display information contained in this database by means
of the cmviewcl command:
cmviewcl -v
You can use the cmviewcl command without root access; in clusters running Serviceguard version
A.11.16 or later, grant access by assigning the Monitor role to the users in question. In earlier
versions, allow access by adding <nodename> <nonrootuser> to the cmclnodelist file.
cmviewcl -v displays information about all the nodes and packages in a running cluster, together
with the settings of parameters that determine failover behavior.

TIP: Some commands take longer to complete in large configurations. In particular, you can
expect Serviceguards CPU usage to increase during cmviewcl -v as the number of packages
and services increases.
See the manpage for a detailed description of other cmviewcl options.

7.1.2 Viewing Package Dependencies


The cmviewcl -v command output lists dependencies throughout the cluster. For a specific
packages dependencies, use the -p<pkgname> option.

7.1.3 Cluster Status


The status of a cluster, as shown by cmviewcl, can be one of the following:
up - At least one node has a running cluster daemon, and reconfiguration is not taking place.
down - No cluster daemons are running on any cluster node.

7.1 Reviewing Cluster and Package Status 199


starting - The cluster is in the process of determining its active membership. At least one
cluster daemon is running.
unknown - The node on which the cmviewcl command is issued cannot communicate with
other nodes in the cluster.

7.1.4 Node Status and State


The status of a node is either up (active as a member of the cluster) or down (inactive in the cluster),
depending on whether its cluster daemon is running or not. Note that a node might be down from
the cluster perspective, but still up and running Linux.
A node may also be in one of the following states:
Failed. A node never sees itself in this state. Other active members of the cluster will see a
node in this state if the node is no longer active in the cluster, but is not shut down.
Reforming. A node is in this state when the cluster is re-forming. The node is currently running
the protocols which ensure that all nodes agree to the new membership of an active cluster.
If agreement is reached, the status database is updated to reflect the new cluster membership.
Running. A node in this state has completed all required activity for the last re-formation and
is operating normally.
Halted. A node never sees itself in this state. Other nodes will see it in this state after the
node has gracefully left the active cluster, for instance with a cmhaltnode command.
Unknown. A node never sees itself in this state. Other nodes assign a node this state if it has
never been an active cluster member.

7.1.5 Package Status and State


The status of a package can be one of the following:
up - The package master control script is active.
down - The package master control script is not active.
start_wait - A cmrunpkg command is in progress for this package. The package is waiting
for packages it depends on (predecessors) to start before it can start.
starting - The package is starting. The package master control script is running.
halting - A cmhaltpkg command is in progress for this package and the halt script is
running.
halt_wait -A cmhaltpkg command is in progress for this package. The package is
waiting to be halted, but the halt script cannot start because the package is waiting for
packages that depend on it (successors) to halt. The parameter description for
successor_halt_timeout (page 178) provides more information.
failing - The package is halting because it, or a package it depends on, has failed.
fail_wait - The package is waiting to be halted because the package or a package it
depends on has failed, but must wait for a package that depends on it to halt before it can
halt.
relocate_wait - The packages halt script has completed or Serviceguard is still trying to
place the package.
reconfiguring The node where this package is running is adjusting the package
configuration to reflect the latest changes that have been applied.
reconfigure_wait The node where this package is running is waiting to adjust the
package configuration to reflect the latest changes that have been applied.

200 Cluster and Package Maintenance


detached - A package is said to be detached from the cluster or node where it was running,
when the cluster or node is halted with d option. Serviceguard no longer monitors this
package. The last known status of the package before it is detached from the cluster was up.
unknown - Serviceguard could not determine the status at the time cmviewcl was run.
A system multi-node package is up when it is running on all the active cluster nodes. A multi-node
package is up if it is running on any of its configured nodes.
A system multi-node package can have a status of changing, meaning the package is in transition
on one or more active nodes.
The state of a package can be one of the following:
starting - The package is starting. The package master control script is running.
start_wait - A cmrunpkg command is in progress for this package. The package is waiting
for packages it depends on (predecessors) to start before it can start.
running - Services are active and being monitored.
halting - A cmhaltpkg command is in progress for this package and the halt script is
running.
halt_wait -A cmhaltpkg command is in progress for this package. The package is
waiting to be halted, but the halt script cannot start because the package is waiting for
packages that depend on it (successors) to halt. The parameter description for
successor_halt_timeout (page 178) provides more information.
halted - The package is down and halted.
halt_aborted The package is aborted during its normal halt sequence. For details, see
cmhaltpkg(1m) man page.
failing - The package is halting because it, or a package it depends on, has failed.
fail_wait - The package is waiting to be halted because the package or a package it
depends on has failed, but must wait for a package it depends on to halt before it can halt.
failed - The package is down and failed.
relocate_wait - The packages halt script has completed or Serviceguard is still trying to
place the package.
maintenance The package is in maintenance mode; see Maintaining a Package:
Maintenance Mode (page 220).
detached - A package is said to be detached from the cluster, when the cluster or node on
which it was running was halted with the -d option. All package components are up and
running when a package is detached. Serviceguard does not monitor the packages when in
detached state.
reconfiguring The node where this package is running is adjusting the package
configuration to reflect the latest changes that have been applied.
reconfigure_wait The node where this package is running is waiting to adjust the
package configuration to reflect the latest changes that have been applied.
unknown - Serviceguard could not determine the state at the time cmviewcl was run.
The following states are possible only for multi-node packages:
blocked - The package has never run on this node, either because a dependency has not
been met, or because auto_run is set to no.
changing - The package is in a transient state, different from the status shown, on some
nodes. For example, a status of starting with a state of changing would mean that the
package was starting on at least one node, but in some other, transitory condition (for example,
failing) on at least one other node.
7.1 Reviewing Cluster and Package Status 201
7.1.6 Package Switching Attributes
cmviewcl shows the following package switching information:
AUTO_RUN: Can be enabled or disabled. For failover packages, enabled means that
the package starts when the cluster starts, and Serviceguard can switch the package to another
node in the event of failure.
For system multi-node packages, enabled means an instance of the package can start on a
new node joining the cluster (disabled means it will not).

Switching Enabled for a Node: For failover packages, enabled means that the package can
switch to the specified node. disabled means that the package cannot switch to the specified
node until the node is enabled to run the package via the cmmodpkg command.
Every failover package is marked enabled or disabled for each node that is either a
primary or adoptive node for the package.
For multi-node packages, node switching disabled means the package cannot start on that
node.

7.1.7 Service Status


Services have only status, as follows:
Up. The service is being monitored.
Down. The service is not running. It may not have started, or have halted or failed.
Unknown. Serviceguard cannot determine the status.

7.1.8 Generic Resource Status


Generic resources have only status, as follows:
Up. The generic resource is up.
Down. The generic resource is down.
Unknown. Resource monitoring has not yet set the status of the resource.

7.1.9 Network Status


The network interfaces have only status, as follows:
Up.
Down.
Unknown. Serviceguard cannot determine whether the interface is up or down.

7.1.10 Failover and Failback Policies


Failover packages can be configured with one of two values for the failover_policy parameter
(page 178), as displayed in the output of cmviewcl -v:
configured_node. The package fails over to the next node in the node_name list in the
package configuration file (page 176).
min_package_node. The package fails over to the node in the cluster with the fewest running
packages on it.

202 Cluster and Package Maintenance


Failover packages can also be configured with one of two values for the failback_policy
parameter (page 179), and these are also displayed in the output of cmviewcl -v:
automatic: Following a failover, a package returns to its primary node when the primary
node becomes available again.
manual: Following a failover, a package will run on the adoptive node until moved back to
its original node by a system administrator.

7.1.11 Examples of Cluster and Package States


The following sample output from the cmviewcl -v command shows status for the cluster in the
sample configuration.

7.1.11.1 Normal Running Status


Everything is running normally; both nodes in the cluster are running, and the packages are in
their primary locations.
CLUSTER STATUS
example up
NODE STATUS STATE
ftsys9 up running

Network_Parameters:
INTERFACE STATUS NAME
PRIMARY up eth0
PRIMARY up eth1

PACKAGE STATUS STATE AUTO_RUN NODE


pkg1 up running enabled ftsys9

Policy_Parameters:
POLICY_NAME CONFIGURED_VALUE
Failover configured_node
Failback manual

Script_Parameters:
ITEM STATUS MAX_RESTARTS RESTARTS NAME
Service up 0 0 service1
Service up 0 0 sfm_disk_monitor
Subnet up 0 0 15.13.168.0
Generic Resource up sfm_disk

Node_Switching_Parameters:
NODE_TYPE STATUS SWITCHING NAME
Primary up enabled ftsys9 (current)
Alternate up enabled ftsys10

NODE STATUS STATE


ftsys10 up running

Network_Parameters:
INTERFACE STATUS NAME
PRIMARY up eth0
PRIMARY up eth1

PACKAGE STATUS STATE AUTO_RUN NODE


pkg2 up running enabled ftsys10

Policy_Parameters:
POLICY_NAME CONFIGURED_VALUE
Failover configured_node
Failback manual

Script_Parameters:
ITEM STATUS MAX_RESTARTS RESTARTS NAME
Service up 0 0 service2
Service up 0 0 sfm_disk_monitor 1
Subnet up 0 0 15.13.168.0
Generic Resource up sfm_disk1

Node_Switching_Parameters:
NODE_TYPE STATUS SWITCHING NAME
Primary up enabled ftsys10 (current)
Alternate up enabled ftsys9

7.1 Reviewing Cluster and Package Status 203


NOTE: The Script_Parameters section of the PACKAGE output of cmviewcl shows the
Subnet status only for the node that the package is running on. In a cross-subnet configuration,
in which the package may be able to fail over to a node on another subnet, that other subnet is
not shown (see Cross-Subnet Configurations (page 27)).

7.1.11.2 Quorum Server Status


If the cluster is using a quorum server for tie-breaking services, the display shows the server name,
state and status following the entry for each node, as in the following excerpt from the output of
cmviewcl -v:
CLUSTER STATUS
example up

NODE STATUS STATE


ftsys9 up running

Quorum Server Status:


NAME STATUS STATE
lp-qs up running
...

NODE STATUS STATE


ftsys10 up running

Quorum Server Status:


NAME STATUS STATE
lp-qs up running

7.1.11.3 Status After Halting a Package


After we halt pkg2 with the cmhaltpkg command, the output of cmviewcl-v is as follows:
CLUSTER STATUS
example up

NODE STATUS STATE


ftsys9 up running

Network_Parameters:
INTERFACE STATUS NAME
PRIMARY up eth0
PRIMARY up eth1

PACKAGE STATUS STATE AUTO_RUN NODE


pkg1 up running enabled ftsys9

Policy_Parameters:
POLICY_NAME CONFIGURED_VALUE
Failover configured_node
Failback manual

Script_Parameters:
ITEM STATUS MAX_RESTARTS RESTARTS NAME
Service up 0 0 service1
Service up 0 0 sfm_disk_monitor
Subnet up 0 0 15.13.168.0
Generic Resource up sfm_disk

Node_Switching_Parameters:
NODE_TYPE STATUS SWITCHING NAME
Primary up enabled ftsys9 (current)
Alternate up enabled ftsys10

NODE STATUS STATE


ftsys10 up running

Network_Parameters:
INTERFACE STATUS NAME
PRIMARY up eth0
PRIMARY up eth1

204 Cluster and Package Maintenance


UNOWNED_PACKAGES

PACKAGE STATUS STATE AUTO_RUN NODE


pkg2 down unowned disabled unowned

Policy_Parameters:
POLICY_NAME CONFIGURED_VALUE
Failover configured_node
Failback manual
Script_Parameters:
ITEM STATUS NODE_NAME NAME
Service down service2
Generic Resource up ftsys9 sfm_disk1
Subnet up 15.13.168.0
Generic Resource up ftsys10 sfm_disk1
Node_Switching_Parameters:
NODE_TYPE STATUS SWITCHING NAME
Primary up enabled ftsys10
Alternate up enabled ftsys9
pkg2 now has the status down, and it is shown as unowned, with package switching disabled.
Note that switching is enabled for both nodes, however. This means that once global switching is
re-enabled for the package, it will attempt to start up on the primary node.

NOTE: If you halt pkg2 with the cmhaltpkg command, and the package contains non-native
Serviceguard modules that failed during the normal halt process, then the package is moved to
the partially_down status and halt_aborted state. The command exits at this point. For
more information, see Handling Failures During Package Halt (page 218).

7.1.11.4 Status After Moving the Package to Another Node


If we use the following command:
cmrunpkg -n ftsys9 pkg2
the output of the cmviewcl -v command is as follows:
CLUSTER STATUS
example up

NODE STATUS STATE


ftsys9 up running

Network_Parameters:
INTERFACE STATUS NAME
PRIMARY up eth0
PRIMARY up eth1

PACKAGE STATUS STATE AUTO_RUN NODE


pkg1 up running enabled ftsys9

Policy_Parameters:
POLICY_NAME CONFIGURED_VALUE
Failover configured_node
Failback manual

Script_Parameters:
ITEM STATUS MAX_RESTARTS RESTARTS NAME
Service up 0 0 service1
Service up 0 0 sfm_disk_monitor
Subnet up 0 0 15.13.168.0
Generic Resource up sfm_disk

Node_Switching_Parameters:
NODE_TYPE STATUS SWITCHING NAME
Primary up enabled ftsys9 (current)
Alternate up enabled ftsys10

PACKAGE STATUS STATE AUTO_RUN NODE


pkg2 up running disabled ftsys9

7.1 Reviewing Cluster and Package Status 205


Policy_Parameters:
POLICY_NAME CONFIGURED_VALUE
Failover configured_node
Failback manual

Script_Parameters:
ITEM STATUS MAX_RESTARTS RESTARTS NAME
Service up 0 0 service2
Service up 0 0 sfm_disk_monitor
Subnet up 0 0 15.13.168.0
Generic Resource up sfm_disk

Node_Switching_Parameters:
NODE_TYPE STATUS SWITCHING NAME
Primary up enabled ftsys10
Alternate up enabled ftsys9 (current)

NODE STATUS STATE


ftsys10 up running

Network_Parameters:
INTERFACE STATUS NAME
PRIMARY up eth0
PRIMARY up eth1

7.1.11.5 Status After Package Switching is Enabled


The following command changes package status back to Auto Run Enabled:
cmmodpkg -e pkg2
The output of the cmviewcl command is now as follows:
CLUSTER STATUS
example up

NODE STATUS STATE


ftsys9 up running

PACKAGE STATUS STATE AUTO_RUN NODE


pkg1 up running enabled ftsys9
pkg2 up running enabled ftsys9

NODE STATUS STATE


ftsys10 up running
Both packages are now running on ftsys9 and pkg2 is enabled for switching. ftsys10 is
running the daemon and no packages are running on ftsys10.

7.1.11.6 Status After Halting a Node


After halting ftsys10, with the following command:
cmhaltnode ftsys10
the output of cmviewcl is as follows on ftsys9:
CLUSTER STATUS
example up

NODE STATUS STATE


ftsys9 up running

PACKAGE STATUS STATE AUTO_RUN NODE


pkg1 up running enabled ftsys9
pkg2 up running enabled ftsys9

NODE STATUS STATE


ftsys10 down halted
This output can be seen on both ftsys9 and ftsys10.

206 Cluster and Package Maintenance


7.1.11.7 Viewing Information about Unowned Packages
The following example shows packages that are currently unowned, that is, not running on any
configured node.
UNOWNED_PACKAGES

PACKAGE STATUS STATE AUTO_RUN NODE


PKG3 down halted enabled unowned

Policy_Parameters:
POLICY_NAME CONFIGURED_VALUE
Failover min_package_node
Failback automatic

Script_Parameters:
ITEM STATUS NODE_NAME NAME
Subnet up manx 192.8.15.0
Generic Resource unknown manx sfm_disk
Subnet up burmese 192.8.15.0
Generic Resource unknown burmese sfm_disk
Subnet up tabby 192.8.15.0
Generic Resource unknown tabby sfm_disk
Subnet up persian 192.8.15.0
Generic Resource unknown persian sfm_disk

Node_Switching_Parameters:
NODE_TYPE STATUS SWITCHING NAME
Primary up enabled manx
Alternate up enabled burmese
Alternate up enabled tabby
Alternate up enabled persian

7.1.12 Checking the Cluster Configuration and Components


Serviceguard provides tools that allow you to verify the cluster configuration and the state of its
components. In earlier releases, thecmcheckconf command was used to verify the cluster or
package configuration. For more information, see Verifying the Cluster Configuration (page 163)
and Verifying the Package Configuration (page 238).
Starting Serviceguard A.11.20.20, the cmcheckconf command can be used at any time with
v or v 2 options to verify the state of the cluster and package components that are already
applied. For more information, see Verifying Cluster and Package Components (page 208) and
the cmcheckconf (1m) manpage.

7.1 Reviewing Cluster and Package Status 207


NOTE:
You can consider setting up a cron (1m) job to run the cmcheckconf command regularly.
For more information, see Setting up Periodic Cluster Verification (page 210).
These new checks are not done for legacy packages. For information about legacy and
modular packages, see Chapter 6: Configuring Packages and Their Services (page 169).
The cmapplyconf command performs the same verification as the cmcheckconf command.
The extent of logging can be controlled using the verbosity and log levels. Higher the level of
verbosity, higher is the extent of logging. For example, to verify the cluster configuration and
package files using the -v (verbosity) options use:
cmcheckconf -v OR cmcheckconf v 1 This command displays error and
warning messages (if any) for the type of checks being performed, such as storage,
network, and so on. It also displays the status of each check as OK or FAIL.
cmcheckconf -v 2 This command display errors and warning messages along
with informational and success message.
For more information, see the cmcheckconf (1m) manpage.

7.1.12.1 Verifying Cluster and Package Components


Table 12 describes how to verify each cluster and package component, the command or tool to
use and its description.
Table 12 Verifying Cluster and Package Components
Component (Context) Tool or Command; More Information Description

Volume groups (package) cmcheckconf (1m), cmapplyconf Verifies for the following:
(1m) existence
See also Verifying the Cluster
availability across all the nodes
Configuration (page 163).
where the package is
configured to run.
same physical volumes across
all the nodes where the
package is configured to run.
same volume group across all
the nodes where the package
is configured to run.
NOTE: The volume group
verifications are ignored in
serviceguard-xdc and Metrocluster
environment.

Volume group activation protection cmcheckconf (1m), cmapplyconf Verifies whether the volume group
(cluster) (1m) activation protection is enabled in
See also Verifying the Package the lvm.conf file. For more
Configuration (page 238). information, see Enabling Volume
Group Activation Protection
(page 148)

LVM physical volumes (package) cmcheckconf (1m), cmapplyconf Verifies for the consistency of the
(1m) volume groups and physical
volumes of the volume group
across all the nodes where the
package is configured to run.

208 Cluster and Package Maintenance


Table 12 Verifying Cluster and Package Components (continued)
Component (Context) Tool or Command; More Information Description

Quorum Server (cluster) cmcheckconf (1m), cmapplyconf These commands verify that the
(1m). quorum server, if used, is running
and all nodes are authorized to
access it; and, if more than one IP
address is specified, that the
quorum server is reachable from
all nodes through both the IP
addresses.

Lock LUN (cluster) cmcheckconf (1m), cmapplyconf These commands verify if all the
(1m) cluster nodes are configured to use
the same device as lock LUN and
that the lock LUN device file is a
block device file.

File consistency (cluster) cmcheckconf (1m), cmcompare (1m). To verify file consistency across all
the nodes in the cluster:
IMPORTANT: See the manpage for
differences in return codes from 1. Customize the $SGCONF/
cmcheckconf without options versus cmclfiles2check file.
cmcheckconf -C 2. Distribute it to all the nodes
using the cmsync (1m)
command.
3. Run the cmcheckconf, or
cmcheckconf -C, or
cmchekconf -v {1|2}
command.
For a subset of nodes, or to verify
only specific characteristics such
as ownership, content, and so on,
use the cmcompare (1m)
command.

Mount points (package) cmcheckconf (1m), cmapplyconf These commands verify that the
(1m) mount-point directories specified
See also Verifying the Package in the package configuration file
Configuration (page 238). exist on all nodes that can run the
package.

Service commands (package) cmcheckconf (1m), cmapplyconf These commands verify that files
(1m) specified by service commands
See also Verifying the Package exist and are executable. Service
Configuration (page 238). commands whose paths are nested
within an unmounted shared file
system are not checked.

Package IP addresses (package) cmcheckconf (1m), cmapplyconf


(1m)
See also Verifying the Package
Configuration (page 238).

File systems (package) cmcheckconf (1m), cmapplyconf For LVM only, commands verify
(1m) that file systems are on the logical
See also Verifying the Package volumes identified by the fs_name
Configuration (page 238). parameter (page 187).

7.1 Reviewing Cluster and Package Status 209


Table 12 Verifying Cluster and Package Components (continued)
Component (Context) Tool or Command; More Information Description

External scripts and pre-scripts cmcheckconf (1m), cmapplyconf A non-zero return value from any
(modular package) (1m) script results the commands to fail.

NFS server connectivity (package) cmcheckconf (1m), cmapplyconf If the package configuration file
(1m) contains NFS file system, it
validates the following:
Connectivity to the NFS server
from all the package nodes.
Export of share by the NFS
server.
The status of the NFS daemons
on the NFS server.
NOTE: For the NFS file
system mount to be successful,
the NFS daemon must be
running on the NFS server.

7.1.12.2 Setting up Periodic Cluster Verification


You can use cron (1m) to run cluster verification at a fixed time interval. Specify the commands
to run in a crontab file (For more information, see the crontab (1) manpage).

NOTE: The job must run on one of the nodes in the cluster. The crontab e command is used
to edit the crontab file. This must be run as the root user, because only the root user can run
cluster verification. The cron (1m) command sets the jobs user and group IDs to those of the
user who submitted the job.
For example, the following script runs cluster verification and sends an email to
[email protected] when verification fails.
#!/bin/sh

cmcheckconf -v >/tmp/cmcheckconf.output
if (( $? != 0 ))
then
mailx -s "Cluster verification failed" [email protected] 2>&1 </tmp/cmcheckconf.output

fi
To run this script from cron, use the crontab -e command and create an entry in he crontabs
file. For example, the following entry runs the script at 8 a.m. on 20th of every month:
0 8,20 * * * verification.sh
For more information, see the crontab (1) manpage.

7.1.12.3 Limitations
Serviceguard does not check for the following conditions:
Proper configuration of Access Control Policies. For more information about Access Control
Policies, see Controlling Access to the Cluster (page 158).
File systems configured to mount automatically on boot (that is, Serviceguard does not check
/etc/fstab)
Uniqueness of volume group major and minor numbers.
Proper functioning of redundant storage paths.
Consistency of Kernel parameters and driver configurations across nodes.
Mount point overlaps (such that one file system is obscured when another is mounted).

210 Cluster and Package Maintenance


Unreachable DNS server.
Consistency of settings in .rhosts.
Nested mount points.

7.2 Managing the Cluster and Nodes


This section describes the following tasks:
Starting the Cluster When all Nodes are Down (page 211)
Adding Previously Configured Nodes to a Running Cluster (page 212)
Removing Nodes from Participation in a Running Cluster (page 212)
Halting the Entire Cluster (page 213)
Automatically Restarting the Cluster (page 213)
Halting a Node or the Cluster while Keeping Packages Running (page 213)
In Serviceguard A.11.16 and later, these tasks can be performed by non-root users with the
appropriate privileges. See Controlling Access to the Cluster (page 158) for more information about
configuring access.
You can use Serviceguard Manager or the Serviceguard command line to start or stop the cluster,
or to add or halt nodes. Starting the cluster means running the cluster daemon on one or more of
the nodes in a cluster. You use different Serviceguard commands to start the cluster depending on
whether all nodes are currently down (that is, no cluster daemons are running), or whether you
are starting the cluster daemon on an individual node.
Note the distinction that is made in this chapter between adding an already configured node to
the cluster and adding a new node to the cluster configuration. An already configured node is one
that is already entered in the cluster configuration file; a new node is added to the cluster by
modifying the cluster configuration file.

NOTE: Manually starting or halting the cluster or individual nodes does not require access to the
quorum server, if one is configured. The quorum server is only used when tie-breaking is needed
following a cluster partition.

7.2.1 Starting the Cluster When all Nodes are Down


You can use Serviceguard Manager, or the cmruncl command as described in this section, to
start the cluster when all cluster nodes are down. Particular command options can be used to start
the cluster under specific circumstances.
The -v option produces the most informative output. The following starts all nodes configured in
the cluster without a connectivity check:
cmruncl -v
The above command performs a full check of LAN connectivity among all the nodes of the cluster.
Using -w none option will allow the cluster to start more quickly but will not test connectivity. The
following starts all nodes configured in the cluster without doing connectivity check:
cmruncl -v -w none
The -n option specifies a particular group of nodes. Without this option, all nodes will be started.
The following example starts up the locally configured cluster only onftsys9 and ftsys10. (This
form of the command should only be used when you are sure that the cluster is not already running
on any node.)

7.2 Managing the Cluster and Nodes 211


cmruncl -v -n ftsys9 -n ftsys10

CAUTION: HP Serviceguard cannot guarantee data integrity if you try to start a cluster with the
cmruncl -n command while a subset of the cluster's nodes are already running a cluster. If the
network connection is down between nodes, using cmruncl -n might result in a second cluster
forming, and this second cluster might start up the same applications that are already running on
the other cluster. The result could be two applications overwriting each other's data on the disks.

7.2.2 Adding Previously Configured Nodes to a Running Cluster


You can use Serviceguard Manager, or HP Serviceguard commands as shown, to bring a configured
node up within a running cluster.
Use the cmrunnode command to add one or more nodes to an already running cluster. Any node
you add must already be a part of the cluster configuration. The following example adds node
ftsys8 to the cluster that was just started with only nodes ftsys9 and ftsys10. The-v (verbose)
option prints out all the messages
cmrunnode -v ftsys8
By default, cmrunnode will do network validation, making sure the actual network setup matches
the configured network setup. This is the recommended method. If you have recently checked the
network and find the check takes a very long time, you can use the -w none option to bypass the
validation.
Since the node's cluster is already running, the node joins the cluster and packages may be started,
depending on the package configuration (see node_name (page 176)). If the node does not find
its cluster running, or the node is not part of the cluster configuration, the command fails.

7.2.3 Removing Nodes from Participation in a Running Cluster


You can use Serviceguard Manager, or Serviceguard commands as shown below, to remove
nodes from operation in a cluster. This operation removes the node from cluster operation by halting
the cluster daemon, but it does not modify the cluster configuration. To remove a node from the
cluster configuration permanently, you must recreate the cluster configuration file. See the next
section.
Halting a node is a convenient way of bringing it down for system maintenance while keeping its
packages available on other nodes. After maintenance, the package can be returned to its primary
node. See Moving a Failover Package (page 219).
To return a node to the cluster, use cmrunnode.

NOTE: HP recommends that you remove a node from participation in the cluster (by running
cmhaltnode as shown below, or Halt Node in Serviceguard Manger) before running the Linux
shutdown command, especially in cases in which a packaged application might have trouble
during shutdown and not halt cleanly.

7.2.3.1 Using Serviceguard Commands to Remove a Node from Participation in a Running Cluster
Use the cmhaltnode command to halt one or more nodes in a cluster. The cluster daemon on
the specified node stops, and the node is removed from active participation in the cluster.
To halt a node with a running package, use the -f option. If a package was running that can be
switched to an adoptive node, the switch takes place and the package starts on the adoptive node.
For example, the following command causes the Serviceguard daemon running on node ftsys9
in the sample configuration to halt and the package running on ftsys9 to move to ftsys10:
cmhaltnode -f -v ftsys9

212 Cluster and Package Maintenance


This halts any packages running on the node ftsys9 by executing the halt instructions in each
package's master control script. ftsys9 is halted and the packages start on the adoptive node,
ftsys10.

7.2.4 Halting the Entire Cluster


You can use Serviceguard Manager, or Serviceguard commands as shown below, to halt a running
cluster.
The cmhaltcl command can be used to halt the entire cluster. This command causes all nodes
in a configured cluster to halt their HP Serviceguard daemons. You can use the -f option to force
the cluster to halt even when packages are running. This command can be issued from any running
node. Example:
cmhaltcl -f -v
This halts all the cluster nodes.

7.2.5 Automatically Restarting the Cluster


You can configure your cluster to automatically restart after an event, such as a long-term power
failure, which brought down all nodes in the cluster. This is done by setting AUTOSTART_CMCLD
to 1 in the $SGAUTOSTART file (see Understanding the Location of Serviceguard Files (page 135)).

7.3 Halting a Node or the Cluster while Keeping Packages Running


There may be circumstances where you want to do maintenance that involves halting a node, or
the entire cluster, without halting or failing over the affected packages. Such maintenance might
consist of anything short of rebooting the node or nodes, but a likely case is networking changes
that will disrupt the heartbeat.
New command options in Serviceguard A.11.20.00 (collectively known as Live Application Detach
(LAD)) allows you to do this kind of maintenance while keeping the packages running. The packages
are no longer monitored by Serviceguard, but the applications continue to run. Packages in this
state are called detached packages.
When you have done the necessary maintenance, you can restart the node or cluster, and normal
monitoring will resume on the packages.

NOTE: Keep in mind that the purpose of the LAD capabilities is to allow you do maintenance
on one or more nodes, or the entire cluster. If you want to do maintenance on individual packages,
or on elements of the cluster configuration that affect only one package, or a few packages, you
should probably use package maintenance mode; see Maintaining a Package: Maintenance
Mode (page 220).

7.3.1 What You Can Do


Halt a node (cmhaltnode (1m) with the -d option) without causing its running packages
to halt or fail over.
Until you restart the node (cmrunnode (1m)) these packages remain detached and are not
monitored by Serviceguard.
Halt the cluster (cmhaltcl (1m) with the -d option) without causing its running packages
to halt.
Until you restart the cluster (cmruncl (1m)) these packages remain detached and are not
being monitored by Serviceguard.
Halt a detached package, including instances of detached multi-node packages.

7.3 Halting a Node or the Cluster while Keeping Packages Running 213
Restart normal package monitoring by restarting the node (cmrunnode) or the cluster ().
You can forcefully halt a detached node (cmhaltnode (1m)) with the -f option.

7.3.2 Rules and Restrictions


The following rules and restrictions apply.
All the nodes in the cluster must be running Serviceguard A.11.20.10 or later.
All the configured cluster nodes must be reachable by an available network.
You must be the root user (superuser) to halt or start a node or cluster with Live Application
Detach, and to halt a detached package.
Extended Distance Cluster (serviceguard-xdc) supports LAD for modular failover packages.
For more information, see Creating a serviceguard-xdc Modular Package in chapter 5 of
HP Serviceguard Extended Distance Cluster for Linux A.11.20.20 Deployment Guide at http://
www.hp.com/go/linux-serviceguard-docs.
Live Application Detach is supported only with modular failover packages and modular
multi-node packages.
You cannot use Live Application Detach if system multi-node packages are configured in
the cluster.
See Chapter 6 (page 169) for more information about package types.
You cannot detach package that is in maintenance mode, and you cannot place a package
into maintenance mode if any of its dependent packages are detached. Also, you cannot put
a detached package in maintenance mode.
For more information about maintenance mode, seeMaintaining a Package: Maintenance
Mode (page 220). For more information about dependencies, see About Package
Dependencies (page 113).
You cannot make configuration changes to a package or a cluster in which any packages
are detached.
cmapplyconf (1m) will fail.

You cannot halt detached packages while the cluster is down.


If you have halted a node and detached its packages, you can log in as superuser on any
other node still running in the cluster and halt any of the detached packages. But if you have
halted the cluster, you must restart it, re-attaching the packages, before you can halt any of
the packages.
cmeval (1m) does not support Live Application Detach.
See Previewing the Effect of Cluster Changes (page 226) for more information about cmeval.

In preview mode (-t) cmrunnode and cmruncl can provide only a partial assessment of
the effect of re-attaching packages.
The assessment may not accurately predict the placement of packages that depend on the
packages that will be re-attached. For more information about preview mode, see Previewing
the Effect of Cluster Changes (page 226).
cmmodpkg -e -t is not supported for a detached package.
You cannot run a package that has been detached.
This could come up if you detect that a package has failed while detached (and hence not
being monitored by Serviceguard). Before you could restart the package on another node,

214 Cluster and Package Maintenance


you would need to run cmhaltpkg (1m) to halt the package on the node where it is
detached.
You cannot halt a package that is in a transitory state such as STARTING or HALTING.
For more information about package states, see Package Status and State (page 200).
A package that is in a DETACHED or MAINTENANCE state cannot be moved to a
halt_aborted state or vice versa.
For more information, see Handling Failures During Package Halt (page 218).

7.3.3 Additional Points To Note


Keep the following points in mind:
When packages are detached, they continue to run, but without high availability protection.
Serviceguard does not detect failures of components of detached packages, and packages
are not failed over.

IMPORTANT: This means that you will need to detect any errors that occur while the package
is detached, and take corrective action by running cmhaltpkg to halt the detached package
and cmrunpkg (1m) to restart the package on another node.

When you restart a node or cluster whose packages have been detached, the packages are
re-attached; that is, Serviceguard begins monitoring them again.
At this point, Serviceguard checks the health of the packages that were detached and takes
any necessary corrective action for example, if a failover package has in fact failed while
it was detached, Serviceguard will halt it and restart it on another eligible node.

CAUTION: Serviceguard does not check LVM volume groups, mount points, and relocatable
IP addresses when re-attaching packages.

cmviewcl (1m) reports the status and state of detached packages as detached.
This is true even if a problem has occurred since the package was detached and some or all
of the package components are not healthy or not running.
Because Serviceguard assumes that a detached package has remained healthy, the package
is considered to be UP for dependency purposes.
This means, for example, that if you halt node1, detaching pkgA, and pkgB depends on
pkgA to be UP on ANY_NODE, pkgB on node2 will continue to run (or can start) while pkgA
is detached. See About Package Dependencies (page 113) for more information about
dependencies.
As always, packages cannot start on a halted node or in a halted cluster.

7.3 Halting a Node or the Cluster while Keeping Packages Running 215
When a node having detached packages is back up after a reboot they can:
Rejoin the cluster and the detached packages can move to "running" or "failed" state. If
the detached packages are moved to running state, then they must be halted and rerun
as they may have several inconsistencies post reboot.
Not rejoin the cluster and the detached packages remain detached. Such packages must
be halted and rerun to avoid any inconsistencies that can be caused due to the reboot.
If you halt a package and disable it before running cmhaltcl -d to detach other packages
running in the cluster, auto_run will be automatically re-enabled for this package when the
cluster is started again, forcing the package to start.
To prevent this behavior and keep the package halted and disabled after the cluster restarts,
change auto_run to no in the package configuration file (page 176), and re-apply the
package, before running cmhaltcl -d.

7.3.4 Halting a Node and Detaching its Packages


To halt a node and detach its packages, proceed as follows:
1. Make sure that the conditions spelled out under Rules and Restrictions (page 214) are met.
2. Halt any packages that do not qualify for Live Application Detach, such as legacy and system
multi-node packages.
For example:
cmhaltpkg -n node1 legpak1 legpak2

NOTE: If you do not do this, the cmhaltnode in the next step will fail.

3. Halt the node with the -d (detach) option:


cmhaltnode -d node1

NOTE: -d and -f are mutually exclusive. See cmhaltnode (1m) for more information.

To re-attach the packages, restart the node:


cmrunnode node1
You cannot halt or detach a node if any package on the given node is in the halt_aborted
state; cmhaltnode will fail. However, you can forcefully halt the node using cmhaltnode (1m)
with the -f option. The node is halted irrespective of the package state.

7.3.5 Halting a Detached Package


To halt a package that is detached on node1, proceed as follows:
1. Log in as superuser on another node that is still running in the cluster.
2. Halt the package; for example:
cmhaltpkg node1 pkg1

7.3.6 Halting the Cluster and Detaching its Packages


1. Make sure that the conditions spelled out under Rules and Restrictions (page 214) are met.
2. Halt any packages that do not qualify for Live Application Detach, such as legacy and system
multi-node packages.
For example:
cmhaltpkg legpak1 legpak2 legpak3 smnp1

216 Cluster and Package Maintenance


NOTE: If you do not do this, the cmhaltcl in the next step will fail.

3. Halt the cluster with the -d (detach) option:


cmhaltcl -d

NOTE: -d and -f are mutually exclusive. See cmhaltcl (1m) for more information.

To re-attach the packages, restart cluster:


cmrunnode node1

7.3.7 Example: Halting the Cluster for Maintenance on the Heartbeat Subnets
Suppose that you need to do networking maintenance that will disrupt all the cluster's heartbeat
subnets, but it is essential that the packages continue to run while you do it. In this example we'll
assume that packages pkg1 through pkg5 are unsupported for Live Application Detach, and pkg6
through pkgn are supported.
Proceed as follows:
1. Halt all the unsupported packages:
cmhaltpkg pkg1 pkg2 pkg3 pkg4 pkg5
2. Halt the cluster, detaching the remaining packages:
cmhaltcl -d
3. Upgrade the heartbeat networks as needed.
4. Restart the cluster, automatically re-attaching pkg6 through pkgn and starting any other
packages that have auto_run (page 176) set to yes in their package configuration file:
cmruncl
5. Start the remaining packages; for example:
cmmodpkg -e pkg1 pkg2 pkg3 pkg4 pkg5

7.4 Managing Packages and Services


This section describes the following tasks:
Starting a Package (page 217)
Halting a Package (page 218)
Moving a Failover Package (page 219)
Changing Package Switching Behavior (page 220)
Non-root users with the appropriate privileges can perform these tasks. See Controlling Access to
the Cluster (page 158) for information about configuring access.
You can use Serviceguard Manager or the Serviceguard command line to perform these tasks.

7.4.1 Starting a Package


Ordinarily, a package configured as part of the cluster will start up on its primary node when the
cluster starts up. You may need to start a package manually after it has been halted manually. You
can do this either in Serviceguard Manager, or with Serviceguard commands as described below.
The cluster must be running, and if the package is dependent on other packages, those packages
must be either already running, or started by the same command that starts this package (see the
subsection that follows, and About Package Dependencies (page 113).)

7.4 Managing Packages and Services 217


You can use Serviceguard Manager to start a package, or Serviceguard commands as shown
below.
Use the cmrunpkg command to run the package on a particular node, then use the cmmodpkg
command to enable switching for the package; for example:
cmrunpkg -n ftsys9 pkg1
cmmodpkg -e pkg1
This starts up the package on ftsys9, then enables package switching. This sequence is necessary
when a package has previously been halted on some node, since halting the package disables
switching.

7.4.1.1 Starting a Package that Has Dependencies


Before starting a package, it is a good idea to use the cmviewcl command to check for package
dependencies.
You cannot start a package unless all the packages that it depends on are running. If you try, youll
see a Serviceguard message telling you why the operation failed, and the package will not start.
If this happens, you can repeat the run command, this time including the package(s) this package
depends on; Serviceguard will start all the packages in the correct order.

7.4.2 Halting a Package


You halt a package when you want to stop the package but leave the node running.
Halting a package has a different effect from halting the node. When you halt the node, its packages
may switch to adoptive nodes (assuming that switching is enabled for them); when you halt the
package, it is disabled from switching to another node, and must be restarted manually on another
node or on the same node.
System multi-node packages run on all cluster nodes simultaneously; halting these packages stops
them running on all nodes. A multi-node package can run on several nodes simultaneously; you
can halt it on all the nodes it is running on, or you can specify individual nodes.
You can use Serviceguard Manager to halt a package, or cmhaltpkg; for example:
cmhaltpkg pkg1
This halts pkg1 and disables it from switching to another node.

7.4.2.1 Halting a Package that Has Dependencies


Before halting a package, it is a good idea to use the cmviewcl command to check for package
dependencies.
You cannot halt a package unless all the packages that depend on it are down. If you try, youll
see a Serviceguard message telling you why the operation failed, and the package will remain
up.
If this happens, you can repeat the halt command, this time including the dependent package(s);
Serviceguard will halt the all the packages in the correct order. First, use cmviewcl to be sure
that no other running package has a dependency on any of the packages you are halting.

7.4.2.2 Handling Failures During Package Halt


When you halt a package using cmhaltpkg, sometimes errors may occur for various reasons
resulting in the failure of the command. Serviceguard provides an option so that packages can be
halted in a way that when errors occur the halting process is aborted.
When you halt a package, if one of the non-native Serviceguard modules fails with an exit status
of 3, the halt is aborted and the package is moved to a partially_down status in a
halt_aborted state. For information about package status and state, see Package Status and
State (page 200).

218 Cluster and Package Maintenance


NOTE: Non-native Serviceguard modules are those that are not delivered with the Serviceguard
product. These are additional modules such as those supplied with HP Serviceguard toolkit modules
(for example, HP Serviceguard Contributed Toolkit Suite, Oracle, NFS toolkit, EDB PPAS, Sybase,
and so on).
This allows errors to be cleaned up manually during the halt process thus minimizing the risk of
other follow on errors and reducing package downtime.
When a package is in the halt_aborted state, you can do one of the following:
Fix the error manually in the module that caused the package halt to abort and re-run
cmhaltpkg <pkg_name>.
Run cmhaltpkg -f option to forcefully halt the package. When this command is run, it will
halt the package even if the package is in halt_aborted state.
For example, consider the following scenario:
You have a package pkgA that is up and running on a node. The package contains the following
modules:
sg-module1
sg-module2
non-sg-module1
non-sg-module2
sg-module3
sg-module4
Now, suppose you run the command cmhaltpkg pkgA, if a failure is detected in
non-sg-module2, then the package halt process is aborted at this point and the package is
moved to the halt_aborted state. The command exits and does not proceed further to halt the
sg-module3 and sg-module4 modules.
After fixing the error, if you re-run cmhaltpkg pkgA, halt begins from sg-module1 and proceeds.

NOTE: This error handling mechanism is applicable only for failover packages and not for
multi-node or system multi-node packages.
It is applicable only for modular packages and not for legacy packages.
If a package is in the detached or maintenance mode, the package cannot be in halt_aborted
state.

The following operations cannot be performed on a package which is in the partially_down


status:
Reconfigure a package
Run a package
Halt a node (however, you can forcefully halt a node using cmhaltnode -f option.)
Halt a cluster (however, you can forcefully halt a cluster using cmhaltcl -f option.)
Delete a package
Failover of a package automatically. You must halt the package completely and manually
failover the package.

7.4.3 Moving a Failover Package


You can use Serviceguard Manager to move a failover package from one node to another, or
Serviceguard commands as shown below.
Before you move a failover package to a new node, it is a good idea to run cmviewcl -v -l
package and look at dependencies. If the package has dependencies, be sure they can be met
on the new node.

7.4 Managing Packages and Services 219


To move the package, first halt it where it is running using the cmhaltpkg command. This action
not only halts the package, but also disables package switching.
After it halts, run the package on the new node using the cmrunpkg command, then re-enable
switching as described below.

7.4.4 Changing Package Switching Behavior


There are two options to consider:
Whether the package can switch (fail over) or not.
Whether the package can switch to a particular node or not.
For failover packages, if package switching is NO the package cannot move to any other node; if
node switching is NO, the package cannot move to that particular node. For multi-node packages,
if package switching is set to NO, the package cannot start on a new node joining the cluster; if
node switching is set to NO, the package cannot start on that node.
Both node switching and package switching can be changed dynamically while the cluster is
running. The initial setting for package switching is determined by the auto_run parameter,
which is set in the package configuration file (see page (page 176)). If auto_run is set to yes,
then package switching is enabled when the package first starts. The initial setting for node switching
is to allow switching to all nodes that are configured to run the package.
You can use Serviceguard Manager to change package switching behavior, or Serviceguard
commands as shown below.
You can change package switching behavior either temporarily or permanently using Serviceguard
commands.
To temporarily disable switching to other nodes for a running package, use the cmmodpkg
command. For example, if pkg1 is currently running, and you want to prevent it from starting up
on another node, enter the following:
cmmodpkg -d pkg1
This does not halt the package, but will prevent it from starting up elsewhere.
You can disable package switching to particular nodes by using the -n option of the cmmodpkg
command. The following prevents pkg1 from switching to node lptest3:
cmmodpkg -d -n lptest3 pkg1
To permanently disable switching so that the next time the cluster restarts, the change you made
in package switching is still in effect, change the auto_run flag in the package configuration
file, then re-apply the configuration. (See Reconfiguring a Package on a Running Cluster
(page 240).)

7.5 Maintaining a Package: Maintenance Mode


Serviceguard provides two ways to perform maintenance on components of a modular, failover
package while the package is running. (See Chapter 6 (page 169) for information about package
types and modules.) These two methods are called maintenance mode and partial-startup
maintenance mode.

NOTE: If you need to do maintenance that requires halting a node, or the entire cluster, you
should consider Live Application Detach; see Halting a Node or the Cluster while Keeping Packages
Running (page 213).

220 Cluster and Package Maintenance


Maintenance mode is chiefly useful for modifying networks while the package is running.
See Performing Maintenance Using Maintenance Mode (page 223).
Partial-startup maintenance mode allows you to work on package services, file systems, and
volume groups.
See Performing Maintenance Using Partial-Startup Maintenance Mode (page 224).
Neither maintenance mode nor partial-startup maintenance mode can be used for legacy
packages, multi-node packages, or system multi-node packages.
Package maintenance does not alter the configuration of the package, as specified in the
package configuration file.
For information about reconfiguring a package, see Reconfiguring a Package (page 240).

NOTE: In order to run a package in partial-startup maintenance mode, you must first put it in
maintenance mode. This means that packages in partial-startup maintenance mode share the
characteristics described below for packages in maintenance mode, and the same rules and
dependency rules apply. Additional rules apply to partial-startup maintenance mode, and the
procedure involves more steps, as explained underPerforming Maintenance Using Partial-Startup
Maintenance Mode.

7.5.1 Characteristics of a Package Running in Maintenance Mode or Partial-Startup


Maintenance Mode
Serviceguard treats a package in maintenance mode differently from other packages in important
ways. The following points apply to a package running in maintenance mode:
Serviceguard ignores failures reported by package services, subnets, generic resources, and
file systems; these will not cause the package to fail.

NOTE: But a failure in the package control script will cause the package to fail. The package
will also fail if an external script (or pre-script) cannot be executed or does not exist.

The package will not be automatically failed over, halted, or started.


A package in maintenance mode still has its configured (or default) weight, meaning that its
weight, if any, is counted against the node's capacity; this applies whether the package is
up or down. (See About Package Weights (page 120) for a discussion of weights and
capacities.)
Node-wide and cluster-wide events affect the package as follows:
If the node the package is running on is halted or crashes, the package will no longer
be in maintenance mode but will not be automatically started.
If the cluster is halted or crashes, the package will not be in maintenance mode when the
cluster comes back up. Serviceguard will attempt to start it if auto_run is set to yes in
the package configuration file.
If node_fail_fast_enabled (page 176) is set to yes, Serviceguard will not halt the node
under any of the following conditions:
Subnet failure

Generic resource failure

A script does not exist or cannot run because of file permissions

7.5 Maintaining a Package: Maintenance Mode 221


A script times out

The limit of a restart count is exceeded

7.5.1.1 Rules for a Package in Maintenance Mode or Partial-Startup Maintenance Mode

IMPORTANT: See the latest Serviceguard release notes for important information about version
requirements for package maintenance.

The package must have package switching disabled before you can put it in maintenance
mode.
You can put a package in maintenance mode only on one node.
The node must be active in the cluster and must be eligible to run the package (on the
package's node_name list).
If the package is not running, you must specify the node name when you run cmmodpkg
(1m) to put the package in maintenance mode.
If the package is running, you can put it into maintenance only on the node on which it
is running.
While the package is in maintenance mode on a node, you can run the package only
on that node.
You cannot put a package in maintenance mode, or take it out maintenance mode, if doing
so will cause another running package to halt.
Since package failures are ignored while in maintenance mode, you can take a running
package out of maintenance mode only if the package is healthy.
Serviceguard checks the state of the packages services and subnets to determine if the package
is healthy. If it is not, you must halt the package before taking it out of maintenance mode.
Generic resources configured in a package must be available (status 'up') before taking the
package out of maintenance mode.
You cannot do online configuration as described under Reconfiguring a Package (page 240).
You cannot configure new dependencies involving this package; that is, you cannot make it
dependent on another package, or make another package depend on it. See also Dependency
Rules for a Package in Maintenance Mode or Partial-Startup Maintenance Mode (page 223).
You cannot use the -t option of any command that operates on a package that is in
maintenance mode; see Previewing the Effect of Cluster Changes (page 226) for information
about the -t option.

7.5.1.1.1 Additional Rules for Partial-Startup Maintenance Mode


You must halt the package before taking it out of partial-startup maintenance mode.
To run a package normally after running it in partial-startup maintenance mode, you must take
it out of maintenance mode, and then restart it.

222 Cluster and Package Maintenance


7.5.1.2 Dependency Rules for a Package in Maintenance Mode or Partial-Startup Maintenance
Mode
You cannot configure new dependencies involving a package running in maintenance mode, and
in addition the following rules apply (we'll call the package in maintenance mode pkgA).
The packages that depend on pkgA must be down and disabled when you place pkgA in
maintenance mode. This applies to all types of dependency (including exclusionary
dependencies) as described under About Package Dependencies (page 113).
You cannot enable a package that depends on pkgA.

You cannot run a package that depends on pkgA, unless the dependent package itself
is in maintenance mode.
Dependency rules governing packages that pkgA depends on to be UP are bypassed so that
these packages can halt and fail over as necessary while pkgA is in maintenance mode.
If both packages in a dependency relationship are in maintenance mode, dependency rules
are ignored for those two packages.
For example, both packages in an exclusionary dependency can be run and halted in
maintenance mode at the same time.

NOTE: If you have a package configured with generic resources and you attempt to take it out
of the maintenance mode back to the running state, the status of generic resources are evaluated.
If any of the generic resources is 'down', the package cannot be taken out of the maintenance
mode.

7.5.2 Performing Maintenance Using Maintenance Mode


You can put a package in maintenance mode, perform maintenance, and take it out of maintenance
mode, whether the package is down or running.
This mode is mainly useful for making modifications to networking and generic resources
components. To modify other components of the package, such as services or storage, follow the
additional rules and instructions under Performing Maintenance Using Partial-Startup Maintenance
Mode (page 224).
If you want to reconfigure the package (using cmapplyconf (1m)) see Reconfiguring a Package
(page 240) and Allowable Package States During Reconfiguration (page 242).

7.5.2.1 Procedure
Follow these steps to perform maintenance on a package's networking components.
In this example, we'll call the package pkg1 and assume it is running on node1.
1. Place the package in maintenance mode:
cmmodpkg -m on -n node1 pkg1
2. Perform maintenance on the networks or resources and test manually that they are working
correctly.

NOTE: If you now run cmviewcl, you'll see that the STATUS of pkg1 is up and its STATE
is maintenance.

3. If everything is working as expected, take the package out of maintenance mode:


cmmodpkg -m off pkg1

7.5 Maintaining a Package: Maintenance Mode 223


7.5.3 Performing Maintenance Using Partial-Startup Maintenance Mode
To put a package in partial-startup maintenance mode, you put it in maintenance mode, then restart
it, running only those modules that you will not be working on.

7.5.3.1 Procedure
Follow this procedure to perform maintenance on a package. In this example, we'll assume a
package pkg1 is running on node1, and that we want to do maintenance on the package's
services.
1. Halt the package:
cmhaltpkg pkg1
2. Place the package in maintenance mode:
cmmodpkg -m on -n node1 pkg1

NOTE: The order of the first two steps can be reversed.

3. Run the package in maintenance mode.


In this example, we'll start pkg1 such that only the modules up to and including the
package_ip module are started. (See Package Modules and Parameters (page 171) for a
list of package modules. The modules used by a package are started in the order shown near
the top of its package configuration file.)
cmrunpkg -m sg/package_ip pkg1
4. Perform maintenance on the services and test manually that they are working correctly.

NOTE: If you now run cmviewcl, you'll see that the STATUS of pkg1 is up and its STATE
is maintenance.

5. Halt the package:


cmhaltpkg pkg1

NOTE: You can also use cmhaltpkg -s, which stops the modules started by cmrunpkg
-m in this case, all the modules up to and including package_ip.

6. Run the package to ensure everything is working correctly:


cmrunpkg pkg1

NOTE: The package is still in maintenance mode.

7. If everything is working as expected, bring the package out of maintenance mode:


cmmodpkg -m off pkg1
8. Restart the package:
cmrunpkg pkg1

7.5.3.2 Excluding Modules in Partial-Startup Maintenance Mode


In the example above, we used cmrunpkg -m to run all the modules up to and including
package_ip, but none of those after it. But you might want to run the entire package apart from
the module whose components you are going to work on. In this case you can use the -e option:
cmrunpkg -e sg/service pkg1
This runs all the package's modules except the services module.

224 Cluster and Package Maintenance


You can also use -e in combination with -m. This has the effect of starting all modules up to and
including the module identified by -m, except the module identified by -e. In this case the excluded
(-e) module must be earlier in the execution sequence (as listed near the top of the package's
configuration file) than the -m module. For example:
cmrunpkg -m sg/services -e sg/package_ip pkg1

NOTE: The full execution sequence for starting a package is:


1. The master control script itself
2. Persistent reservation

7.6 Reconfiguring a Cluster


You can reconfigure a cluster either when it is halted or while it is still running. Some operations
can only be done when the cluster is halted. The table that follows shows the required cluster state
for many kinds of changes.
Table 13 Types of Changes to the Cluster Configuration
Change to the Cluster Configuration Required Cluster State

Add a new node All cluster nodes must be running.

Delete a node A node can be deleted even though it is unavailable or


unreachable.

Change Maximum Configured Packages Cluster can be running.

Change Quorum Server Configuration Cluster can be running; seeWhat Happens when You Change
the Quorum Configuration Online (page 43).

Change Cluster Lock Configuration (lock LUN) Cluster can be running. See Updating the Cluster Lock LUN
Configuration Online (page 233) andWhat Happens when
You Change the Quorum Configuration Online (page 43).

Add NICs and their IP addresses to the cluster Cluster can be running. See Changing the Cluster Networking
configuration Configuration while the Cluster Is Running (page 230).

Delete NICs and their IP addresses, from the cluster Cluster can be running. SeeChanging the Cluster Networking
configuration Configuration while the Cluster Is Running (page 230).

Change the designation of an existing interface from Cluster can be running. See Changing the Cluster Networking
HEARTBEAT_IP to STATIONARY_IP, or vice versa Configuration while the Cluster Is Running (page 230).

Change an interface from IPv4 to IPv6, or vice versa Cluster can be running. See Changing the Cluster Networking
Configuration while the Cluster Is Running (page 230)

Reconfigure IP addresses for a NIC used by the cluster Must delete the interface from the cluster configuration,
reconfigure it, then add it back into the cluster configuration.
See What You Must Keep in Mind (page 230). Cluster can be
running throughout.

Change NETWORK_POLLING_INTERVAL Cluster can be running.

Change IP Monitor parameters: SUBNET, Cluster can be running. See the entries for these parameters
IP_MONITOR, POLLING TARGET under Cluster Configuration Parameters (page 90)for more
information.

Change MEMBER_TIMEOUT and Cluster can be running.


AUTO_START_TIMEOUT

Change Access Control Policy Cluster and package can be running.

Change SITE, SITE_NAME Node(s) associated with the corresponding SITE or


SITE_NAME entry must be down. When the cluster is running
you cannot add SITE or SITE_NAME entries.

7.6 Reconfiguring a Cluster 225


7.6.1 Previewing the Effect of Cluster Changes
Many variables affect package placement, including the availability of cluster nodes; the availability
of networks and other resources on those nodes; failover and failback policies; and package
weights, dependencies, and priorities, if you have configured them. You can preview the effect
on packages of certain actions or events before they actually occur.
For example, you might want to check to see if the packages are placed as you expect when the
cluster first comes up; or preview what happens to the packages running on a given node if the
node halts, or if the node is then restarted; or you might want to see the effect on other packages
if another, currently disabled, package is enabled, or if a package halts and cannot restart because
none of the nodes on its node_list is available.
Serviceguard provides two ways to do this: you can use the preview mode of Serviceguard
commands, or you can use the cmeval (1m) command to simulate different cluster states.
Alternatively, you might want to model changes to the cluster as a whole; cmeval allows you to
do this; see Using cmeval (page 227).

7.6.1.1 What You Can Preview


You can preview any of the following, or all of them simultaneously:
Cluster bring-up (cmruncl)
Cluster node state changes (cmrunnode, cmhaltnode)
Package state changes (cmrunpkg, cmhaltpkg)
Package movement from one node to another
Package switching changes (cmmodpkg -e)
Availability of package subnets, resources, and storage
Changes in package priority, node order, dependency, failover and failback policy, node
capacity and package weight

7.6.1.2 Using Preview mode for Commands in Serviceguard Manager


The following commands support the -t option, which allows you to run the command in preview
mode:
cmhaltnode [t] [f] <node_name>
cmrunnode [t] <node_name>
cmhaltpkg [t] <package_name>
cmrunpkg [t] [-n node_name] <package_name>
cmmodpkg { -e [-t] | -d } [-n node_name] <package_name>
cmruncl v [t]

NOTE: You cannot use the -t option with any command operating on a package in maintenance
mode; see Maintaining a Package: Maintenance Mode (page 220).
For more information about these commands, see their respective manpages. You can also perform
these preview functions in Serviceguard Manager: Select the Preview [] check box for the
action on the respective pages.
When you use the -t option, the command, rather than executing as usual, predicts the results
that would occur, sending a summary to $stdout. For example, assume that pkg1 is a high-priority
package whose primary node is node1, and which depends on pkg2 and pkg3 to run on the
same node. These are lower-priority packages which are currently running on node2. pkg1 is
down and disabled, and you want to see the effect of enabling it:

226 Cluster and Package Maintenance


cmmodpkg -e -t pkg1
You will see output something like this:
package:pkg3|node:node2|action:failing
package:pkg2|node:node2|action:failing
package:pkg2|node:node1|action:starting
package:pkg3|node:node1|action:starting
package:pkg1|node:node1|action:starting
cmmodpkg: Command preview completed successfully
This shows that pkg1, when enabled, will drag pkg2 and pkg3 to its primary node, node1. It
can do this because of its higher priority; see Dragging Rules for Simple Dependencies (page 115).
Running the preview confirms that all three packages will successfully start on node2 (assuming
conditions do not change between now and when you actually enable pkg1, and there are no
failures in the run scripts).

NOTE: The preview cannot predict run and halt script failures.
For more information about package dependencies and priorities, see About Package
Dependencies (page 113).

7.6.1.3 Using cmeval


You can use cmeval to evaluate the effect of cluster changes on Serviceguard packages. You can
also use it simply to preview changes you are considering making to the cluster as a whole.
You can use cmeval safely in a production environment; it does not affect the state of the cluster
or packages. Unlike command preview mode (the -t discussed above) cmeval does not require
you to be logged in to the cluster being evaluated, and in fact that cluster does not have to be
running, though it must use the same Serviceguard release and patch version as the system on
which you run cmeval.
Use cmeval rather than command preview mode when you want to see more than the effect of
a single command, and especially when you want to see the results of large-scale changes, or
changes that may interact in complex ways, such as changes to package priorities, node order,
dependencies and so on.
Using cmeval involves three major steps:
1. Use cmviewcl -v -f line to write the current cluster configuration out to a file.
2. Edit the file to include the events or changes you want to preview
3. Using the file from Step 2 as input, run cmeval to preview the results of the changes.
For example, assume that pkg1 is a high-priority package whose primary node is node1, and
which depends on pkg2 and pkg3 to be running on the same node. These lower-priority-packages
are currently running on node2. pkg1 is down and disabled, and you want to see the effect of
enabling it.
In the output of cmviewcl -v -f line, you would find the line
package:pkg1|autorun=disabled and change it to package:pkg1|autorun=enabled.
You should also make sure that the nodes the package is configured to run on are shown as
available; for example: package:pkg1|node:node1|available=yes. Then save the file (for
example, as newstate.in) and run cmeval:
cmeval -v newstate.in
You would see output something like this:
package:pkg3|node:node2|action:failing
package:pkg2|node:node2|action:failing
package:pkg2|node:node1|action:starting
package:pkg3|node:node1|action:starting
package:pkg1|node:node1|action:starting

7.6 Reconfiguring a Cluster 227


This shows that pkg1, when enabled, will drag pkg2 and pkg3 to its primary node, node1. It
can do this because of its higher priority; see Dragging Rules for Simple Dependencies (page 115).
Running cmeval confirms that all three packages will successfully start on node2 (assuming
conditions do not change between now and when you actually enable pkg1, and there are no
failures in the run scripts.)

NOTE: cmeval cannot predict run and halt script failures.


This is a simple example; you can use cmeval for much more complex scenarios; see What You
Can Preview (page 226).

IMPORTANT: For detailed information and examples, see the cmeval (1m) manpage.

7.6.2 Reconfiguring a Halted Cluster


You can make a permanent change in cluster configuration when the cluster is halted. This procedure
must be used for changes marked Cluster must not be running in Table 13, but it can be used
for any other cluster configuration changes as well.
Use the following steps:
1. Halt the cluster on all nodes.
2. On one node, reconfigure the cluster as described in Building an HA Cluster Configuration
(page 135). You can use cmgetconf to generate a template file, which you then edit.
3. Make sure that all nodes listed in the cluster configuration file are powered up and accessible.
Use cmapplyconf to copy the binary cluster configuration file to all nodes. This file overwrites
any previous version of the binary cluster configuration file.
4. Use cmruncl to start the cluster on all nodes, or on a subset of nodes.

7.6.3 Reconfiguring a Running Cluster


You can add new nodes to the cluster configuration or delete nodes from the cluster configuration
while the cluster is up and running. Note the following, however:
You cannot remove an active node from the cluster. You must halt the node first.
The only configuration change allowed while a node is unreachable (for example, completely
disconnected from the network) is to delete the unreachable node from the cluster configuration.
If there are also packages that depend upon that node, the package configuration must also
be modified to delete the node. This all must be done in one configuration request
(cmapplyconf command).
The access control list for the cluster can be changed while the cluster is running.
Changes to the package configuration are described in a later section.
The following sections describe how to perform dynamic reconfiguration tasks.

7.6.3.1 Adding Nodes to the Configuration While the Cluster is Running


Use the following procedure to add a node. For this example, nodes ftsys8 and ftsys9 are
already configured in a running cluster named cluster1, and you are adding node ftsys10.

NOTE: Before you start, make sure you have configured access to ftsys10 as described under
Configuring Root-Level Access (page 136).

228 Cluster and Package Maintenance


1. Use the following command to store a current copy of the existing cluster configuration in a
temporary file in case you need to revert to it:
cmgetconf -C temp.conf
2. Specify a new set of nodes to be configured and generate a template of the new configuration
(all on one line):
cmquerycl -C clconfig.conf -c cluster1 -n ftsys8 -n ftsys9 -n ftsys10
3. Edit clconfig.conf to check the information about the new node.
4. Verify the new configuration:
cmcheckconf -C clconfig.conf
5. Apply the changes to the configuration and send the new binary configuration file to all cluster
nodes:
cmapplyconf -C clconfig.conf
Use cmrunnode to start the new node, and, if you so decide, set the AUTOSTART_CMCLD
parameter to 1 in the $SGAUTOSTART file (see Understanding the Location of Serviceguard Files
(page 135)) to enable the new node to join the cluster automatically each time it reboots.

7.6.3.2 Removing Nodes from the Cluster while the Cluster Is Running
You can use Serviceguard Manager to delete nodes, or Serviceguard commands as shown below.
The following restrictions apply:
The node must be halted. See Removing Nodes from Participation in a Running Cluster
(page 212).
If the node you want to delete is unreachable (disconnected from the LAN, for example), you
can delete the node only if there are no packages which specify the unreachable node. If
there are packages that depend on the unreachable node, halt the cluster; see Halting the
Entire Cluster (page 213).
Use the following procedure to delete a node with Serviceguard commands. In this example, nodes
ftsys8, ftsys9 and ftsys10 are already configured in a running cluster named cluster1,
and you are deleting node ftsys10.

NOTE: If you want to remove a node from the cluster, run the cmapplyconf command from
another node in the same cluster. If you try to issue the command on the node you want removed,
you will get an error message.
1. Use the following command to store a current copy of the existing cluster configuration in a
temporary file:
cmgetconf -c cluster1 temp.conf
2. Specify the new set of nodes to be configured (omitting ftsys10) and generate a template
of the new configuration:
cmquerycl -C clconfig.conf -c cluster1 -n ftsys8 -n ftsys9
3. Edit the file clconfig.conf to check the information about the nodes that remain in the
cluster.
4. Halt the node you are going to remove (ftsys10in this example):
cmhaltnode -f -v ftsys10
5. Verify the new configuration:
cmcheckconf -C clconfig.conf

7.6 Reconfiguring a Cluster 229


6. From ftsys8 or ftsys9, apply the changes to the configuration and distribute the new
binary configuration file to all cluster nodes.:
cmapplyconf -C clconfig.conf

NOTE: If you are trying to remove an unreachable node on which many packages are configured
to run, you may see the following message:
The configuration change is too large to process while the cluster is running.
Split the configuration change into multiple requests or halt the cluster.
In this situation, you must halt the cluster to remove the node.

7.6.4 Changing the Cluster Networking Configuration while the Cluster Is Running
7.6.4.1 What You Can Do
Online operations you can perform include:
Add a network interface and its HEARTBEAT_IP or STATIONARY_IP.
Delete a network interface and its HEARTBEAT_IP or STATIONARY_IP.
Change a HEARTBEAT_IP or STATIONARY_IP interface from IPv4 to IPv6, or vice versa.
Change the designation of an existing interface from HEARTBEAT_IP to STATIONARY_IP,
or vice versa.
Change the NETWORK_POLLING_INTERVAL.
Change IP Monitor parameters: SUBNET, IP_MONITOR, POLLING TARGET; see the entries
for these parameters underCluster Configuration Parameters (page 90) for more information.
A combination of any of these in one transaction (cmapplyconf), given the restrictions below.

7.6.4.2 What You Must Keep in Mind


The following restrictions apply:
You must not change the configuration of all heartbeats at one time, or change or delete the
only configured heartbeat.
At least one working heartbeat must remain unchanged.
You cannot add interfaces or modify their characteristics unless those interfaces, and all other
interfaces in the cluster configuration, are healthy.
There must be no bad NICs or non-functional or locally switched subnets in the configuration,
unless you are deleting those components in the same operation.
You cannot change the designation of an existing interface from HEARTBEAT_IP to
STATIONARY_IP, or vice versa, without also making the same change to all peer network
interfaces on the same subnet on all other nodes in the cluster.
Similarly, you cannot change an interface from IPv4 to IPv6 without also making the same
change to all peer network interfaces on the same subnet on all other nodes in the cluster
You cannot change the designation of an interface from STATIONARY_IP to HEARTBEAT_IP
unless the subnet is common to all nodes.
Remember that the HEARTBEAT_IP must be an IPv4 address, and must be on the same subnet
on all nodes, except in cross-subnet configurations; see Cross-Subnet Configurations
(page 27)).

230 Cluster and Package Maintenance


You cannot delete a subnet or IP address from a node while a package that uses it (as a
monitored_subnet, ip_subnet, or ip_address) is configured to run on that node.
Information about these parameters begins at monitored_subnet (page 181).

You cannot change the IP configuration of an interface (NIC) used by the cluster in a single
transaction (cmapplyconf).
You must first delete the NIC from the cluster configuration, then reconfigure the NIC (using
ifconfig, for example), then add the NIC back into the cluster.
Examples of when you must do this include:

moving a NIC from one subnet to another

adding an IP address to a NIC

removing an IP address from a NIC

CAUTION: Do not add IP addresses to network interfaces that are configured into the Serviceguard
cluster, unless those IP addresses themselves will be immediately configured into the cluster as
stationary IP addresses. If you configure any address other than a stationary IP address on a
Serviceguard network interface, it could collide with a relocatable package address assigned by
Serviceguard.
Some sample procedures follow.

7.6.4.3 Example: Adding a Heartbeat LAN


Suppose that a subnet 15.13.170.0 is shared by nodes ftsys9 and ftsys10 in a two-node
cluster cluster1, and you want to add it to the cluster configuration as a heartbeat subnet.
Proceed as follows.
1. Run cmquerycl to get a cluster configuration template file that includes networking information
for interfaces that are available to be added to the cluster configuration:
cmquerycl -c cluster1 -C clconfig.conf

NOTE: As of Serviceguard A.11.18, cmquerycl -c produces output that includes


commented-out entries for interfaces that are not currently part of the cluster configuration, but
are available.
The networking portion of the resulting clconfig.conf file looks something like this:
NODE_NAME ftsys9
NETWORK_INTERFACE lan1
HEARTBEAT_IP 192.3.17.18
#NETWORK_INTERFACE lan0
#STATIONARY_IP 15.13.170.18
NETWORK_INTERFACE lan3
NODE_NAME ftsys10
NETWORK_INTERFACE lan1
HEARTBEAT_IP 192.3.17.19
#NETWORK_INTERFACE lan0
#STATIONARY_IP 15.13.170.19
NETWORK_INTERFACE lan3
2. Edit the file to uncomment the entries for the subnet that is being added (lan0 in this example),
and change STATIONARY_IP to HEARTBEAT_IP:
NODE_NAME ftsys9
NETWORK_INTERFACE lan1
HEARTBEAT_IP 192.3.17.18
NETWORK_INTERFACE lan0
HEARTBEAT_IP 15.13.170.18

7.6 Reconfiguring a Cluster 231


NETWORK_INTERFACE lan3
NODE_NAME ftsys10
NETWORK_INTERFACE lan1
HEARTBEAT_IP 192.3.17.19
NETWORK_INTERFACE lan0
HEARTBEAT_IP 15.13.170.19
NETWORK_INTERFACE lan3
3. Verify the new configuration:
cmcheckconf -C clconfig.conf
4. Apply the changes to the configuration and distribute the new binary configuration file to all
cluster nodes:
cmapplyconf -C clconfig.conf
If you were configuring the subnet for data instead, and wanted to add it to a package
configuration, you would now need to:
1. Halt the package
2. Add the new networking information to the package configuration file
3. In the case of a legacy package, add the new networking information to the package control
script if necessary
4. Apply the new package configuration, and redistribute the control script if necessary.
For more information, see Reconfiguring a Package on a Running Cluster (page 240).

7.6.4.4 Example: Deleting a Subnet Used by a Package


In this example, we are deleting subnet 15.13.170.0 (lan0). Proceed as follows.
1. Halt any package that uses this subnet and delete the corresponding networking information
(monitored_subnet, ip_subnet, ip_address; see the descriptions for these parameters
starting with monitored_subnet (page 181)).
See Reconfiguring a Package on a Running Cluster (page 240) for more information.
2. Run cmquerycl to get the cluster configuration file:
cmquerycl -c cluster1 -C clconfig.conf
3. Comment out the network interfaces lan0 and lan3 and their network interfaces, if any, on
all affected nodes. The networking portion of the resulting file looks something like this:
NODE_NAME ftsys9
NETWORK_INTERFACE lan1
HEARTBEAT_IP 192.3.17.18
# NETWORK_INTERFACE lan0
# STATIONARY_IP 15.13.170.18
# NETWORK_INTERFACE lan3
NODE_NAME ftsys10
NETWORK_INTERFACE lan1
HEARTBEAT_IP 192.3.17.19
# NETWORK_INTERFACE lan0
# STATIONARY_IP 15.13.170.19
# NETWORK_INTERFACE lan3
4. Verify the new configuration:
cmcheckconf -C clconfig.conf
5. Apply the changes to the configuration and distribute the new binary configuration file to all
cluster nodes:
cmapplyconf -C clconfig.conf

232 Cluster and Package Maintenance


7.6.5 Updating the Cluster Lock LUN Configuration Online
Proceed as follows.

IMPORTANT: See What Happens when You Change the Quorum Configuration Online
(page 43) for important information.
1. In the cluster configuration file, modify the value of CLUSTER_LOCK_LUN for each node.
2. Run cmcheckconf to check the configuration.
3. Run cmapplyconf to apply the configuration.
If you need to replace the physical device, see Replacing a Lock LUN (page 257).

7.6.6 Changing MAX_CONFIGURED_PACKAGES


As of Serviceguard A.11.18, you can change MAX_CONFIGURED_PACKAGES while the cluster
is running. The default for MAX_CONFIGURED_PACKAGES is the maximum number allowed in the
cluster. You can use Serviceguard Manager to change MAX_CONFIGURED_PACKAGES, or
Serviceguard commands as shown below.
Use the cmgetconf command to obtain a current copy of the cluster's existing configuration, for
example:
cmgetconf -C <cluster_name> clconfig.conf
Edit the clconfig.conf file to include the new value for MAX_CONFIGURED_PACKAGES. Then
use the cmcheckconf command to verify the new configuration. Using the -k or -K option can
significantly reduce the response time.
Use the cmapplyconf command to apply the changes to the configuration and send the new
configuration file to all cluster nodes. Using -k or -K can significantly reduce the response time.

7.7 Configuring a Legacy Package


IMPORTANT: You can still create a new legacy package. If you are using a Serviceguard Toolkit
such as Serviceguard NFS Toolkit, consult the documentation for that product.
Otherwise, use this section to maintain and re-work existing legacy packages rather than to create
new ones. The method described in Chapter 6: Configuring Packages and Their Services
(page 169), is simpler and more efficient for creating new packages, allowing packages to be built
from smaller modules, and eliminating the separate package control script and the need to distribute
it manually.
If you decide to convert a legacy package to a modular package, see Migrating a Legacy Package
to a Modular Package (page 240).

Creating or modifying a legacy package requires the following broad steps:


1. Generate the package configuration file
2. Edit the package configuration file
3. Generate the package control script
4. Edit the package control script
5. Distribute the control script to the cluster nodes
6. Apply the package configuration file
Each of these tasks is described in the sub-sections that follow.

7.7.1 Creating the Legacy Package Configuration


The package configuration process defines a set of application services that are run by the package
manager when a package starts up on a node in the cluster. The configuration also includes a

7.7 Configuring a Legacy Package 233


prioritized list of cluster nodes on which the package can run together with definitions of the
acceptable types of failover allowed for the package.

7.7.1.1 Using Serviceguard Manager to Configure a Package


You can create a legacy package and its control script in Serviceguard Manager; use the Help
for detailed instructions.

7.7.1.2 Using Serviceguard Commands to Configure a Package


Use the following procedure to create a legacy package.
1. Create a subdirectory for each package you are configuring in the $SGCONF directory:
mkdir $SGCONF/pkg1
You can use any directory names you like. (See Understanding the Location of Serviceguard
Files (page 135) for the name of Serviceguard directories on your version of Linux.)
2. Generate a package configuration file for each package, for example:
cmmakepkg -p $SGCONF/pkg1/pkg1.conf
You can use any file name you like for the configuration file.
3. Edit each configuration file to specify package name, prioritized list of nodes (with 39 bytes
or less in the name), the location of the control script, and failover parameters for each
package. Include the data you recorded on the Package Configuration Worksheet.

7.7.1.2.1 Configuring a Package in Stages


It is a good idea to configure failover packages in stages, as follows:
1. Configure volume groups and mount points only.
2. Distribute the control script to all nodes.
3. Apply the configuration.
4. Run the package and ensure that it can be moved from node to node.
5. Halt the package.
6. Configure package IP addresses and application services in the control script.
7. Distribute the control script to all nodes.
8. Run the package and ensure that applications run as expected and that the package fails over
correctly when services are disrupted.

7.7.1.2.2 Editing the Package Configuration File


Edit the file you generated in step 2 of Using Serviceguard Commands to Configure a Package
(page 234). Use the bullet points that follow as a checklist.
PACKAGE_TYPE. Enter the package type; see Types of Package: Failover, Multi-Node, System
Multi-Node (page 170) and package_type (page 175).

NOTE: For modular packages, the default form for parameter names and literal values in
the package configuration file is lower case; for legacy packages the default is upper case.
There are no compatibility issues; Serviceguard is case-insensitive as far as the parameter
names are concerned.
Because this section is intended to be used primarily when you reconfiguring an existing
legacy package, we are using the legacy parameter names (in upper case) for sake of
continuity. But if you generate the configuration file using cmmakepkg or cmgetconf, you
will see the parameter names as they appear in modular packages; see the notes below and
the Package Parameter Explanations (page 174) for details of the name changes.

FAILOVER_POLICY. For failover packages, enter the failover_policy (page 178).

234 Cluster and Package Maintenance


FAILBACK_POLICY. For failover packages, enter the failback_policy (page 179).
NODE_NAME. Enter the node or nodes on which the package can run; as described under
node_name (page 176).
AUTO_RUN. Configure the package to start up automatically or manually; as described under
auto_run (page 176).
NODE_FAIL_FAST_ENABLED. Enter the policy as described under
node_fail_fast_enabled (page 176).
RUN_SCRIPT and HALT_SCRIPT. Specify the pathname of the package control script
(described in the next section). No default is provided. Permissions on the file and directory
should be set to rwxr-xr-x or r-xr-xr-x (755 or 555).
(Script timeouts): Enter the run_script_timeout (page 177) and halt_script_timeout
(page 177).
SCRIPT_LOG_FILE. (optional). Specify the full pathname of the file where the RUN_SCRIPT
and HALT_SCRIPT will log messages. If you do not specify a path, Serviceguard will create
a file with .log appended to each script path, and put the messages in that file.
If your package has relocatable IP addresses, enter the SUBNET if you want it to be monitored
(this means the package will stop if the subnet fails).
This must be a subnet that is already specified in the cluster configuration, and it can be either
an IPv4 or an IPv6 subnet. It must not be a link-local subnet (link-local package IPs are not
allowed). See monitored_subnet (page 181).

IMPORTANT: Each subnet specified here must already be specified in the cluster configuration
file via the NETWORK_INTERFACE parameter and either the HEARTBEAT_IP or
STATIONARY_IP parameter. See Cluster Configuration Parameters (page 90) for more
information.
See also Stationary and Relocatable IP Addresses and Monitored Subnets (page 62) and
monitored_subnet (page 181).
IMPORTANT: For cross-subnet configurations, see Configuring Cross-Subnet Failover
(page 239).

If your package runs services, enter the SERVICE_NAME as described under service_name
(page 183) and values for SERVICE_FAIL_FAST_ENABLED as described under
service_fail_fast_enabled (page 184) and SERVICE_HALT_TIMEOUT as described
under service_halt_timeout (page 184). Enter a group of these three for each service.

IMPORTANT: Note that the rules for valid SERVICE_NAMEs are more restrictive as of
Serviceguard A.11.18.

ACCESS_CONTROL_POLICY. You can grant a non-root user PACKAGE_ADMIN privileges for


this package.
See the entries for user_name, user_host, and user_role user_name (page 191), and
Controlling Access to the Cluster (page 158), for more information.
If the package will depend on another package, enter values for DEPENDENCY_NAME,
DEPENDENCY_CONDITION, and DEPENDENCY_LOCATION.
For more information, see the corresponding parameter descriptions starting on (page 180),
and About Package Dependencies (page 113).

7.7 Configuring a Legacy Package 235


7.7.2 Creating the Package Control Script
For legacy packages, the package control script contains all the information necessary to run all
the services in the package, monitor them during operation, react to a failure, and halt the package
when necessary. You can use Serviceguard Manager, Serviceguard commands, or a combination
of both, to create or modify the package control script.
Each package must have a separate control script, which must be executable.
For security reasons, the control script must reside in a directory with the string cmcluster in the
path. The control script is placed in the package directory and is given the same name as specified
in the RUN_SCRIPT and HALT_SCRIPT parameters in the package configuration file. The package
control script template contains both the run instructions and the halt instructions for the package.
You can use a single script for both run and halt operations, or, if you wish, you can create separate
scripts.
Use cmmakepkg to create the control script, then edit the control script. Use the following procedure
to create the template for the sample failover package pkg1.
First, generate a control script template, for example:
cmmakepkg -s $SGCONF/pkg1/pkg1.sh
Next, customize the script; see Customizing the Package Control Script .

7.7.2.1 Customizing the Package Control Script


You need to customize as follows; see the relevant entries under Package Parameter Explanations
(page 174) for more discussion.
Update the PATH statement to reflect any required paths needed to start your services.
Specify the Remote Data Replication Method and Software RAID Data Replication method if
necessary.

CAUTION: If you are not using the serviceguard-xdc or CLX products, do not modify the
REMOTE DATA REPLICATION DEFINITION section. If you are using one of these products,
consult the products documentation.

If you are using LVM, enter the names of volume groups to be activated using the VG[] array
parameters, and select the appropriate options for the storage activation command, including
options for mounting and unmounting file systems, if necessary. See the fs_ parameter
descriptions starting with fs_mount_retry_count (page 187) for more information).

NOTE: Red Hat GFS and reiserfs are not supported in Serviceguard A.11.20.00.

Add the names of logical volumes and the file system that will be mounted on them.
Specify the filesystem mount and unmount retry options.
If your package uses a large number of volume groups or disk groups or mounts a large
number of file systems, consider increasing the number of concurrent vgchange,
mount/umount, and fsck operations;
Define IP subnet and IP address pairs for your package. IPv4 or IPv6 addresses are allowed.
Add service name(s).
Add service command(s)
Add a service restart parameter, if you so decide.
For more information about services, see the discussion of the service_ parameters starting
with service_name (page 183).

236 Cluster and Package Maintenance


7.7.2.2 Adding Customer Defined Functions to the Package Control Script
You can add additional shell commands to the package control script to be executed whenever
the package starts or stops. Enter these commands in the CUSTOMER DEFINED FUNCTIONS area
of the script.
If your package needs to run short-lived processes, such as commands to initialize or halt a
packaged application, you can also run these from the CUSTOMER DEFINED FUNCTIONS.
You can also use the CUSTOMER DEFINED FUNCTIONS to determine why a package has shut
down; see Determining Why a Package Has Shut Down (page 130).
An example of this portion of the script follows, showing the date and echo commands logging
starts and halts of the package to a file.
# START OF CUSTOMER DEFINED FUNCTIONS

# This function is a place holder for customer defined functions.


# You should define all actions you want to happen here, before the service is
# started. You can create as many functions as you need.

function customer_defined_run_cmds
{
# ADD customer defined run commands.
: # do nothing instruction, because a function must contain some command.
date >> /tmp/pkg1.datelog
echo 'Starting pkg1' >> /tmp/pkg1.datelog
test_return 51
}

# This function is a place holder for customer defined functions.


# You should define all actions you want to happen here, before the service is
# halted.

function customer_defined_halt_cmds
{
# ADD customer defined halt commands.
: # do nothing instruction, because a function must contain some command.
date >> /tmp/pkg1.datelog
echo 'Halting pkg1' >> /tmp/pkg1.datelog
test_return 52
}

# END OF CUSTOMER DEFINED FUNCTIONS

7.7.2.2.1 Adding Serviceguard Commands in Customer Defined Functions


You can add Serviceguard commands (such as cmmodpkg) in the Customer Defined Functions
section of a package control script. These commands must not interact with the package itself.
If a Serviceguard command interacts with another package, be careful to avoid command loops.
For instance, a command loop might occur under the following circumstances. Suppose pkg1 does
a cmmodpkg -d of pkg2, and pkg2 does a cmmodpkg -d of pkg1. If both pkg1 and pkg2
start at the same time, pkg1 tries to cmmodpkg pkg2. However, that cmmodpkg command has
to wait for pkg2 startup to complete. pkg2 tries to cmmodpkg pkg1, but pkg2 has to wait for
pkg1 startup to complete, thereby causing a command loop.
To avoid this situation, it is a good idea to always specify a RUN_SCRIPT_TIMEOUT and a
HALT_SCRIPT_TIMEOUT for all packages, especially packages that use Serviceguard commands
in their control scripts. If a timeout is not specified and your configuration has a command loop
as described above, inconsistent results can occur, including a hung cluster.

7.7.2.3 Support for Additional Products


The package control script template provides exits for use with additional products, including
Serviceguard Extended Distance Cluster (serviceguard-xdc) for Linux. Refer to the additional
products documentation for details about how to create a package using the hooks that are
provided in the control script.
7.7 Configuring a Legacy Package 237
7.7.3 Verifying the Package Configuration
Serviceguard checks the configuration you created and reports any errors.
For legacy packages, you can do this in Serviceguard Manager: click Check to verify the package
configuration you have done under any package configuration tab, or to check changes you have
made to the control script. Click Apply to verify the package as a whole. See the local Help for
more details.
If you are using the command line, use the following command to verify the content of the package
configuration you have created:
cmcheckconf -v -P $SGCONF/pkg1/pkg1.conf
Errors are displayed on the standard output. If necessary, edit the file to correct any errors, then
run the command again until it completes without errors.
The following items are checked (whether you use Serviceguard Manager or cmcheckconf
command):
Package name is valid, and at least one NODE_NAME entry is included.
There are no duplicate parameter entries.
Values for parameters are within permitted ranges.
Run and halt scripts exist on all nodes in the cluster and are executable.
Run and halt script timeouts are less than 4294 seconds.
Configured resources are available on cluster nodes.
If a dependency is configured, the dependency package must already be configured in the
cluster.

7.7.4 Distributing the Configuration


You can use Serviceguard Manager or Linux commands to distribute the binary cluster configuration
file among the nodes of the cluster.

7.7.4.1 Distributing the Configuration And Control Script with Serviceguard Manager
When you have finished creating a package in Serviceguard Manager, click Apply
Configuration. If the package configuration has no errors, it is converted to a binary file and
distributed to the cluster nodes.

7.7.4.2 Copying Package Control Scripts with Linux commands

IMPORTANT: In a cross-subnet configuration, you cannot use the same package control script
on all nodes if the package uses relocatable IP addresses. See Configuring Cross-Subnet Failover
(page 239).
Use Linux commands to copy package control scripts from the node where you created the files,
to the same pathname on all nodes which can possibly run the package. Use your favorite method
of file transfer (For example, scp or ftp). For example, from ftsys9, you can issue the scp
command to copy the package control script to ftsys10:
scp $SGCONF/pkg1/control.sh ftsys10:$SGCONF/pkg1/control.sh

238 Cluster and Package Maintenance


7.7.4.3 Distributing the Binary Cluster Configuration File with Linux Commands
Use the following steps from the node on which you created the cluster and package configuration
files:
Verify that the configuration file is correct. Use the following command:
cmcheckconf -C $SGCONF/cmcl.conf -P $SGCONF/pkg1/pkg1.conf

Generate the binary configuration file and distribute it across the nodes.
cmapplyconf -v -C $SGCONF/cmcl.conf -P $SGCONF/pkg1/pkg1.conf
The cmapplyconf command creates a binary version of the cluster configuration file and distributes
it to all nodes in the cluster. This action ensures that the contents of the file are consistent across
all nodes.

NOTE: You must use cmcheckconf and cmapplyconf again any time you make changes to
the cluster and package configuration files.

7.7.5 Configuring Cross-Subnet Failover


To configure a legacy package to fail over across subnets (see Cross-Subnet Configurations
(page 27)), you need to do some additional configuration.
Suppose that you want to configure a package, pkg1, so that it can fail over among all the nodes
in a cluster comprising NodeA, NodeB, NodeC, and NodeD.
NodeA and NodeB use subnet 15.244.65.0, which is not used by NodeC and NodeD; and
NodeC and NodeD use subnet 15.244.56.0, which is not used by NodeA and NodeB. (See
Obtaining Cross-Subnet Information (page 156) for sample cmquerycl output).

7.7.5.1 Configuring node_name


First you need to make sure that pkg1 will fail over to a node on another subnet only if it has to.
For example, if it is running on NodeA and needs to fail over, you want it to try NodeB, on the
same subnet, before incurring the cross-subnet overhead of failing over to NodeC or NodeD.

NOTE: If you are using a Metrocluster, you can configure site aware cluster using the SITE and
SITE_NAME parameters. For more information about SITE and SITE_NAME parameters, see
Cluster Configuration Parameters (page 90).
Assuming nodeA is pkg1s primary node (where it normally starts), create node_name entries in
the package configuration file as follows:
node_name nodeA
node_name nodeB
node_name nodeC
node_name nodeD

7.7.5.2 Configuring monitored_subnet_access


In order to monitor subnet 15.244.65.0 or 15.244.56.0, you would configure
monitored_subnet and monitored_subnet_access in pkg1s package configuration file
as follows:
monitored_subnet 15.244.65.0
monitored_subnet_access PARTIAL
monitored_subnet 15.244.56.0
monitored_subnet_access PARTIAL

7.7 Configuring a Legacy Package 239


NOTE: Configuring monitored_subnet_access as FULL (or not configuring
monitored_subnet_access) for either of these subnets will cause the package configuration
to fail, because neither subnet is available on all the nodes.

7.7.5.3 Creating Subnet-Specific Package Control Scripts


Now you need to create control scripts to run the package on the four nodes.

IMPORTANT: In a cross-subnet configuration, you cannot share a single package control script
among nodes on different subnets if you are using relocatable IP addresses. In this case you will
need to create a separate control script to be used by the nodes on each subnet.
In our example, you would create two copies of pkg1s package control script, add entries to
customize it for subnet 15.244.65.0 or 15.244.56.0, and copy one of the resulting scripts to
each node, as follows.

7.7.5.3.1 Control-script entries for nodeA and nodeB


IP[0] = 15.244.65.82
SUBNET[0] 15.244.65.0
IP[1] = 15.244.65.83
SUBNET[1] 15.244.65.0

7.7.5.3.2 Control-script entries for nodeC and nodeD


IP[0] = 15.244.56.100
SUBNET[0] = 15.244.56.0
IP[1] = 15.244.56.101
SUBNET[1] =15.244.56.0

7.8 Reconfiguring a Package


You reconfigure a package in much the same way as you originally configured it; for modular
packages, see Configuring Packages and Their Services (page 169); for older packages, see
Configuring a Legacy Package (page 233).
The cluster can be either halted or running during package reconfiguration, and in some cases
the package itself can be running; the types of change you can make and the times when they
take effect depend on whether the package is running or not.
For more information, see Allowable Package States During Reconfiguration (page 242)

7.8.1 Migrating a Legacy Package to a Modular Package


The Serviceguard command cmmigratepkg automates the process of migrating legacy packages
to modular packages as far as possible. Many, but not all, packages can be migrated in this way;
for details, see the white paper Package Migration from Legacy Style to Modular Style at http://
www.hp.com/go/hpux-serviceguard-docs (Select HP Serviceguard -> White Papers).

NOTE: The cmmigratepkg command requires Perl version 5.8.3 or higher on the system on
which you run the command.

7.8.2 Reconfiguring a Package on a Running Cluster


You can reconfigure a package while the cluster is running, and in some cases you can reconfigure
the package while the package itself is running; see Allowable Package States During

240 Cluster and Package Maintenance


Reconfiguration (page 242). You can do this in Serviceguard Manager (for legacy packages), or
use Serviceguard commands.
To modify the package with Serviceguard commands, use the following procedure (pkg1 is used
as an example):
1. Halt the package if necessary:
cmhaltpkg pkg1
See Allowable Package States During Reconfiguration to determine whether this step is
needed.
2. If it is not already available, you can obtain a copy of the package's configuration file by
using the cmgetconf command, specifying the package name.
cmgetconf -p pkg1 pkg1.conf
3. Edit the package configuration file.

IMPORTANT: Restrictions on package names, dependency names, and service names have
become more stringent as of A.11.18. Packages that have or contain names that do not
conform to the new rules (spelled out under package_name (page 175)) will continue to
run, but if you reconfigure these packages, you will need to change the names that do not
conform; cmcheckconf and cmapplyconf will enforce the new rules.

4. Verify your changes as follows:


cmcheckconf -v -P pkg1.conf
5. Distribute your changes to all nodes:
cmapplyconf -v -P pkg1.conf
6. If this is a legacy package, copy the package control script to all nodes that can run the
package.

7.8.3 Renaming or Replacing an External Script Used by a Running Package


In most cases, you can rename an external_script (page 190) while the package that uses it
is running, but you need to be careful; follow the instructions below.
1. Make a copy of the old script, save it with the new name, and edit the copy as needed.
2. Edit the package configuration file to use the new name.
3. Distribute the new script to all nodes that are configured for that package.
Make sure you place the new script in the correct directory with the proper file modes and
ownership.
4. Run cmcheckconf to validate the package configuration with the new external script.

CAUTION: If cmcheckconf fails, do not proceed to the next step until you have corrected
all the errors.

5. Run cmapplyconf on the running package.


This will stop any resources started by the original script, and then start any resources needed
by the new script.
6. You can now safely delete the original external script on all nodes that are configured to run
the package.

7.8.4 Reconfiguring a Package on a Halted Cluster


You can also make permanent changes in the package configuration while the cluster is not running.
Use the same steps as in Reconfiguring a Package on a Running Cluster .

7.8 Reconfiguring a Package 241


7.8.5 Adding a Package to a Running Cluster
You can create a new package and add it to the cluster configuration while the cluster is up and
while other packages are running. The number of packages you can add is subject to the value
of MAX_CONFIGURED_PACKAGES in the cluster configuration file.
To create the package, follow the steps in the chapter Chapter 6: Configuring Packages and Their
Services (page 169). Then use a command such as the following to verify the configuration of the
newly created pkg1 on a running cluster:
cmcheckconf -P $SGCONF/pkg1/pkg1conf.conf
Use a command such as the following to distribute the new package configuration to all nodes in
the cluster:
cmapplyconf -P $SGCONF/pkg1/pkg1conf.conf
If this is a legacy package, remember to copy the control script to the $SGCONF/pkg1 directory
on all nodes that can run the package.

7.8.6 Deleting a Package from a Running Cluster


Serviceguard will not allow you to delete a package if any other package is dependent on it. To
check for dependencies, use cmviewcl -v -l <package>. System multi-node packages cannot
be deleted from a running cluster.
You can use Serviceguard Manager to delete the package.
On the Serviceguard command line, you can (in most cases) delete a package from all cluster
nodes by using the cmdeleteconf command. This removes the package information from the
binary configuration file on all the nodes in the cluster. The command can only be executed when
the package is down; the cluster can be up.
The following example halts the failover package mypkg and removes the package configuration
from the cluster:
cmhaltpkg mypkg cmdeleteconf -p mypkg
The command prompts for a verification before deleting the files unless you use the -f option. The
directory $SGCONF/mypkg is not deleted by this command.

7.8.7 Resetting the Service Restart Counter


The service restart counter tracks the number of times a package service has been automatically
restarted. This value is used to determine when the package service has exceeded its maximum
number of allowable automatic restarts.
When a package service successfully restarts after several attempts, the package manager does
not automatically reset the restart count. You can reset the counter online using cmmodpkg -R
-s, for example:
cmmodpkg -R -s myservice pkg1
This sets the counter back to zero. The current value of the restart counter appears in the output of
cmviewcl -v.

7.8.8 Allowable Package States During Reconfiguration


In many cases, you can make changes to a packages configuration while the package is running.
The table that follows shows exceptions cases in which the package must not be running, or in
which the results might not be what you expect as well as differences between modular and
legacy packages.

242 Cluster and Package Maintenance


CAUTION: Be extremely cautious about changing a package's configuration while the package
is running.
If you reconfigure a package online (by executing cmapplyconf on a package while the package
itself is running) it is possible that the reconfiguration fails, even if the cmapplyconf succeeds,
validating the changes with no errors.
For example, if a file system is added to the package while the package is running, cmapplyconf
does various checks to verify that the file system and its mount point exist. But the actual file system
check and mount of the file system can be done only after cmapplyconf succeeds; and if one of
these tasks fails in a running package, the package reconfiguration fails.
Another example involves renaming, modifying, or replacing an external script while the package
that uses it is running. If the package depends on resources that are managed by the script, the
online recofiguration fails when you replace the script. See Renaming or Replacing an External
Script Used by a Running Package (page 241).

In general, you have greater scope for online changes to a modular than to a legacy package. In
some cases, though, the capability of legacy packages has been upgraded to match that of modular
packages as far as possible; these cases are shown in the table. For more information about legacy
and modular packages, see Chapter 6 (page 169).

NOTE: If neither legacy nor modular is called out under Change to the Package, the Required
Package State applies to both types of package. Changes that are allowed, but which HP does
not recommend, are labeled should not be running.

IMPORTANT: Actions not listed in the table can be performed for both types of package while
the package is running.
In all cases the cluster can be running, and packages other than the one being reconfigured can
be running. You can make changes to package configuration files at any time; but do not apply
them (using cmapplyconf or Serviceguard Manager) to a running package in the cases indicated
in the table.

NOTE: All the nodes in the cluster must be powered up and accessible when you make package
configuration changes.
Table 14 Types of Changes to Packages
Change to the Package Required Package State

Delete a package Package must not be running.


NOTE: You cannot delete a package if another package has a dependency on
it.

Change package type Package must not be running.

Add or delete a module: modular Package can be running.


package

Change run script contents: legacy Package can be running, but should not be starting.
package Timing problems may occur if the script is changed while the package is starting.

Change halt script contents: legacy Package can be running, but should not be halting.
package Timing problems may occur if the script is changed while the package is halting.

Add or delete a service: modular Package can be running.


package Serviceguard treats any change to service_name or service_cmd as deleting
the existing service and adding a new one, meaning that the existing service is
halted.

7.8 Reconfiguring a Package 243


Table 14 Types of Changes to Packages (continued)
Change to the Package Required Package State

Add or delete a service: legacy Package must not be running.


package

Change service_restart: Package can be running.


modular package Serviceguard will not allow the change if the new value is less than the current
restart count. (You can use cmmodpkg -R<service_name> <package> to
reset the restart count if you need to.)

Change SERVICE_RESTART: Package must not be running.


legacy package

Add or remove a SUBNET (in Package must not be running. (Also applies to cross-subnet configurations.)
control script) : legacy package Package must not be running. Subnet must already be configured into the cluster.

Add or remove an ip_subnet: Package can be running.


modular package See ip_subnet (page 182) for important information. Serviceguard will reject
the change if you are trying to add an ip_subnet that is not configured on all
the nodes on the package's node_name list.

Add or remove an ip_address: Package can be running.


modular package See ip_subnet (page 182) and ip_address (page 183) for important
information. Serviceguard will reject the change if you are trying to add an
ip_address that cannot be configured on the specified ip_subnet, or is on
a subnet that is not configured on all the nodes on the package's node_name
list.

Add or remove an IP (in control Package must not be running. (Also applies to cross-subnet configurations.)
script) : legacy package

Add or delete nodes from Package can be running.


packages ip_subnet_node Serviceguard will reject the change if you are trying to add a node on which the
list(page 183) in cross-subnet specified ip_subnet is not configured.
configurations

Add or remove monitoring for a Package can be running.


subnet: monitored_subnet for a Serviceguard will not allow the change if the subnet being added is down, as
modular package or SUBNET (in that would cause the running package to fail.
the package configuration file) for
a legacy package

Add, change, or delete a pv: Package must not be running.


modular package
NOTE: pv (page 190) is for use by HP partners only.

Add a volume group: modular Package can be running.


package

Add a volume group: legacy Package must not be running.


package

Remove a volume group: modular Package can be running.


package
CAUTION: Serviceguard ignores the change if the volume group is removed
and its associated logical volumes are in use by the same or different package
within the cluster.

Remove a volume group: legacy Package must not be running.


package

244 Cluster and Package Maintenance


Table 14 Types of Changes to Packages (continued)
Change to the Package Required Package State

Change a file system: modular Package should not be running (unless you are only changing fs_umount_opt).
package Changing file-system options other than fs_umount_opt may cause problems
because the file system must be unmounted (using the existing fs_umount_opt)
and remounted with the new options; the CAUTION under Remove a file system:
modular package applies in this case as well.
If only fs_umount_opt is being changed, the file system will not be unmounted;
the new option will take effect when the package is halted or the file system is
unmounted for some other reason.

Add a file system: modular package Package can be running.


During the package reconfiguration, if the fsck command on a file system fails,
the package does not start.
CAUTION: To avoid this issue, run the fsck command on the file system outside
the package, and then add the file system to the modular package.

Add or change a file system: legacy Package must not be running.


package

Remove a file system: modular Package can be running.


package
CAUTION: Removing a file system may cause problems if the file system cannot
be unmounted because it's in use by a running process. In this case Serviceguard
kills the process; this could cause the package to fail.

Remove a file system: legacy Package must not be running.


package

Change Package can be running.


concurrent_fsck_operations, These changes in themselves will not cause any file system to be unmounted.
, fs_mount_retry_count,
fs_umount_retry_count:
modular package

Change Package must not be running.


concurrent_fsck_operations,
, fs_mount_retry_count,
fs_umount_retry_count:
legacy package

Add, change, or delete external Package can be running.


scripts and pre-scripts: modular Changes take effect when applied, whether or not the package is running. If you
package add a script, Serviceguard validates it and then (if there are no errors) runs it
when you apply the change. If you delete a script, Serviceguard stops it when
you apply the change.

Change package auto_run Package can be either running or halted.


See Choosing Switching and Failover Behavior (page 107).

7.8 Reconfiguring a Package 245


Table 14 Types of Changes to Packages (continued)
Change to the Package Required Package State

Add or delete a configured Both packages can be either running or halted.


dependency Special rules apply to packages in maintenance mode; see Dependency Rules
for a Package in Maintenance Mode or Partial-Startup Maintenance Mode
(page 223).
For dependency purposes, a package being reconfigured is considered to be
UP. This means that if pkgA depends on pkgB, and pkgA is down and pkgB is
being reconfigured, pkgA will run if it becomes eligible to do so, even if pkgB's
reconfiguration is not yet complete.
HP recommends that you separate package dependency changes from changes
that affect resources and services that the newly dependent package will also
depend on; reconfigure the resources and services first and apply the changes,
then configure the package dependency.
For more information see About Package Dependencies (page 113).

Add a generic resource of Package can be running provided the status of the generic resource is not 'down'.
evaluation type For information on online changes to generic resources, see Online
during_package_start Reconfiguration of Generic Resources (page 112).

Add a generic resource of Package can be running if the status of generic resource is 'up', else package
evaluation type must be halted.
before_package_start

Remove a generic resource Package can be running.

Change the Package can be running if the status of generic resource is 'up'.
generic_resource_evaluation_type Not allowed if changing the generic_resource_evaluation_type causes the package
to fail.
For information on online changes to generic resources, see Online
Reconfiguration of Generic Resources (page 112).

Change the Package can be running for resources of evaluation type before_package_start
generic_resource_up_criteria or during_package_start provided the new up criteria does not cause the resource
status to evaluate to 'down'.
Not allowed if changing the generic_resource_up_criteria causes the package to
fail.
For information on online changes to generic resources, see Online
Reconfiguration of Generic Resources (page 112).

Change modular serviceguard-xdc Package can be running. See Online Reconfiguration of serviceguard-xdc
package parameters: Modular Package Parameters (page 112).
xdc/xdc/rpo_target
xdc/xdc/raid_monitor_interval
xdc/xdc/raid_device
xdc/xdc/device_0
xdc/xdc/device_1

Add, change, or delete an email Package can be running.


attribute
NOTE: Do not include the email module in the modular package. The
serviceguard-xdc and toolkit packages automatically includes the email module
in the modular package.

NOTE: Consider a configuration in which the volume group and the corresponding filesystem
are present in two different packages. To perform online reconfiguration of such packages, the
package with the volume group must be reconfigured before you reconfigure the filesystem package.
HP recommends that you do not perform online reconfiguration for both these packages in a single
command as it might cause one or more packages to fail.

246 Cluster and Package Maintenance


7.8.8.1 Changes that Will Trigger Warnings
Changes to the following will trigger warnings, giving you a chance to cancel, if the change would
cause the package to fail.

NOTE: You will not be able to cancel if you use cmapplyconf -f.

Package nodes
Package dependencies
Package weights (and also node capacity, defined in the cluster configuration file)
Package priority
auto_run
failback_policy

7.8.9 Online Reconfiguration of Modular package


To modify the online recofiguration of modular package while the package is up and running:
1. Obtain a copy of the package configuration file, if it is not already available:
#cmgetconf -p pkg1 pkg1.conf
2. Edit the package configuration file.
3. Verify the package configuration changes:
#cmcheckconf -v -P pkg1.conf
4. Apply the changes to the configuration:
#cmapplyconf -v -P pkg1.conf
Once the cmapplyconf command succeeds, verify the following:
a. Any failures logged in syslog and package log files.
b. If for some reason the online package reconfiguration fails, the Serviceguard sets the
online_modification_failed flag to "yes". Verify the flag status using cmviewcl
-f line output.
To handle the failure during online package reconfiguration, see Handling Failures During Online
Package Reconfiguration.

Recommendations
HP recommends that you do modifications on one module at a time.
You must consider only one package for online reconfiguration.
If you are adding a new module or a parameter when the package is UP, make the changes
in the Serviceguard package and later configure the application to use the changes.
For example, to add a mount point:
a. Edit the package configuration file and add the mount point.
b. Verify the package configuration file:
#cmcheckconf -P <pkg_name>

7.8 Reconfiguring a Package 247


c. Apply the package configuration once the verification is successful:
#cmapplyconf -P <pkg_name>
d. Configure the application to use the mount point that is added.
If you are deleting a module or parameter from the module, you must remove the configuration
from the application and later delete from the Serviceguard.
For example, to delete a mount point:
a. Remove the mount point from the application.
b. Edit the package configuration file and remove the mount point.
c. Verify the package configuration file:
#cmcheckconf -P <pkg_name>
d. Apply the package configuration once the verification is successful:
#cmapplyconf -P <pkg_name>

For limitations on online reconfiguration of serviceguard-xdc package, see Online Reconfiguration


of serviceguard-xdc Modular Package Parameters.

7.8.9.1 Handling Failures During Online Package Reconfiguration


During online package reconfiguration, if there are any failure the
online_modification_failed flag is set to yes and the following restrictions apply to the
package:
The global switching of the package is disabled. This means, the package cannot failover to
the adoptive node. For more information, see cmviewcl (5) manpage.
Live application detach (LAD) of the node where the package reconfiguration has failed are
not allowed.
The package cannot be put into maintenance mode when an
online_modification_failed flag is set to yes.
You cannot modify the package configuration online. For more information, see cmapplyconf
(1m) manpage.
The online_modification_failed flag can be cleared in one of the following ways:
Halting the package using cmhaltpkg command. For more information, see cmhaltpkg
(1m) manpage.
A new option -f is introduced for cmmodpkg command that can be used to clear the flag.
The -f option must be used after fixing the errors found during the previous online
reconfiguration of the package. This option is applicable for both failover and multi-node
packages.
For example, if you enter a wrong fs_type value while adding a new filesystem to the pkg1.
*****************************
Package log during this time:
*****************************
Nov 28 23:41:19 [email protected] master_control_script.sh[23516]: ###### reconfiguring package pkg1 ######
Nov 28 23:41:20 [email protected] pr_util.sh[23621]: New VG vg_dd0
Nov 28 23:41:20 [email protected] pr_util.sh[23621]: sg_activate_pr: activating PR on /dev/sdc
Nov 28 23:41:21 [email protected] volume_group.sh[23687]: New VG vg_dd0
Nov 28 23:41:21 [email protected] volume_group.sh[23687]: Attempting to addtag to vg vg_dd0...
Nov 28 23:41:21 [email protected] volume_group.sh[23687]: addtag was successful on vg vg_dd0.
Nov 28 23:41:21 [email protected] volume_group.sh[23687]: Activating volume group vg_dd0 .
Nov 28 23:41:22 [email protected] filesystem.sh[23808]: FS added or changed /dev/vg_dd0/lvol3
Nov 28 23:41:22 [email protected] filesystem.sh[23808]: Checking filesystems:
/dev/vg_dd0/lvol3
e2fsck 1.41.12 (17-May-2010)
mount: wrong fs type, bad option, bad superblock on /dev/vg_dd0/lvol3,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
:
:

248 Cluster and Package Maintenance


:
Nov 28 23:41:22 [email protected]
master_control_script.sh[23516]:#########################################################################
Nov 28 23:41:22 [email protected] master_control_script.sh[23516]: ###### Package reconfigure completed
with failures for pkg1 ######
Nov 28 23:41:22 [email protected] master_control_script.sh[23516]: ###### Below is the summary of changes
for pkg1 ######
Nov 28 23:41:20 [email protected] pr_util.sh[23621]: SUCCESS: Successfully activated PR on /dev/sdc
Nov 28 23:41:22 [email protected] filesystem.sh[23808]: ERROR: Failed to fsck /dev/vg_dd0/lvol3.
Nov 28 23:41:22 [email protected] filesystem.sh[23808]: ERROR: Will not attempt to apply remaining changes
due to the error encountered
Nov 28 23:41:22 [email protected] filesystem.sh[23808]: WARNING: Not attempting to mount /dev/vg_dd0/lvol3
on /mnt1
Nov 28 23:41:22 [email protected] master_control_script.sh[23516]:
#########################################################################

************************
syslog during this time:
************************
Nov 28 23:41:22 test1 cmserviced[18979]: Package Script for pkg1 failed with an exit(18).
Nov 28 23:41:22 test1 cmcld[18900]: Reconfigured package pkg1 on node test1.
Nov 28 23:41:22 test1 cmcld[18900]: Online reconfiguration of package pkg1 on node test1 failed. Check the
package log file for complete information.
Nov 28 23:41:22 test1 cmcld[18900]: Request from node test1 to disable global switching for package pkg1.

To rectify the failures, do one of the following:


1. Halt the package.
2. Make the required changes.
3. Restart the package
or
1. Verify and fix the problem using fsck command.
2. Verify the filesystem before mounting the device:
#e2fsck /dev/vg_dd0/lvol3
3. Mount the filesystem:
#mount /dev/vg_dd0/lvol3 /mnt1
4. Clear the online_modification_failed flag:
#cmmodpkg -f pkg1
5. Enable the global switching for the package:
#cmmodpkg -e pkg1
Table 15 describes how to fix the errors in the affected modules that are encountered during online
addition of a package.

7.8 Reconfiguring a Package 249


Table 15 Modules affected during online addition
Description Modules affected during How to rectify the failures or Example
online addition apply those that are not
attempted

Extending MD ext/xdc(xdc.sh) If an MD added to the package To start the MD /dev/md1:


(for configuration has not started, use #mdadm -A -R /dev/md1
serviceguard-xdc the mdadm command to start the To stop and start the raid monitor
packages only) MD. For more information, see service:
mdadm (1m) manpage.
#cmhaltserv
Restart the raid monitor service <raid_monitor_service>
manually after starting the MD.
#cmrunserv
If one of the mirror halves of the <raid_monitor_service_name>
device replaced has not been
<raid_monitor_service_cmd>
removed from the MD, use the
mdadm command to remove this To replace the mirror half /dev/
mirror half and add the new mpath/mpatha in /dev/md1 with
mirror half to the MD. /dev/mpath/mpathb:
1. Stop the raid monitor service:
#cmhaltserv
<raid_monitor_service>
2. Remove the old mirror half:
#mdadm --fail /dev/md1
/dev/mpath/mpatha
#mdadm --r /dev/md1
/dev/mpath/mpatha
3. Add the new mirror half:
#mdadm --add /dev/md1
/dev/mpath/mpathb
4. Start the raid monitor service:
#cmrunserv
<raid_monitor_service_name>
<raid_monitor_service_cmd>

Adding an sg/external_pre_script If an external pre script which is To start the external pre script:
external pre (external.sh) added to the package #extern_pre_script.sh
script to the configuration failed to start, run start
package the script manually with start
option.
script_name start

250 Cluster and Package Maintenance


Table 15 Modules affected during online addition (continued)
Extending sg/filesystem If addition of storage has failed,To add PR keys, you must register
storage to the (filesystem.sh) ensure the following: on all the paths and then reserve on
package sg/volume_group
(volume_group.sh) Persistent reservation is added one path.
to the disk. To view all the paths:
sg/pr_cntl #multipath -ll
(pr_cntl.sh) Volume group is activated
with hosttags. To view the node PR keys:

Verify and repair the file NOTE: In this example, the


system. node_pr_key is 72810001.
The mount point is mounted. #cmviewcl -v -f line |
grep node_pr_key
For more information, see
sg_persist(1m), #sg_persist --out -G
vgchange(1m),fsck(1m), --param-sark=72810001
multipath (1m), and /dev/sde
mount(1m) manpage. #sg_persist --out -R
--param-rk=72810001
--prout-type=5 /dev/sde
Add hosttags for node
test1.ind.hp.com:
#vgchange --addtag
test1.ind.hp.com vg_dd1
Activate the disk:
#vgchange -a y vg_dd1
Run the following commands:
#e2fsck -y
/dev/vg_dd1/lvol1
#mount -t ext3
/dev/vg_dd1/lvol2 /mnt1

Adding an IP sg/package_ip If an IP address which is added To add the IP to the package


to the package (package_ip.sh) to the package configuration 10.149.2.5:
failed to add or not attempted, #cmmodnet -a -I 10.149.2.5
use the cmmodnet command to 10.149.2.0
add the IP address.
For more information, see
cmmodnet (1m) manpage.

Adding an sg/external_script If an external script which is To halt external pre script:


external script (external.sh) added to the package #extern_pre_script.sh stop
to the package configuration failed to start, run
the script manually with start
option.
script_name start

Adding a sg/service If a service which is added to the To run the process as service:
service to the (service.sh) package configuration failed to #cmrunserv db1
package start or not attempted, use the /var/opt/db/database1
cmrunserv command to start
the service
For more information, see
cmrunserv (1m) manpage.

Table 16 describes how to fix the errors in the affected modules that are encountered during online
deletion of a package.

7.8 Reconfiguring a Package 251


Table 16 Modules affected during online deletion
Description Modules affected during online How to fix the failures or apply Example
deletion those that are not attempted

Removing sg/service If a service which is deleted To halt the service db1:


service from (service.sh) from the package configuration #cmhaltserv db1
the package failed to halt or not attempted,
use cmhaltserv command to
start the service.
For more information, see
cmhaltserv (1m) manpage.

Removing sg/external_script If an external script which is To halt the external script:


external script (external.sh) deleted from the package #script:extern_script.sh
from the configuration failed or not stop
package attempted to stop, run the script
with stop option.
script_name stop

Removing IP sg/package_ip If an IP address which is deleted To remove the IP from the package
from the (package_ip.sh) to the package configuration 10.149.2.5:
package failed to remove or not #cmmodnet -r -I 10.149.2.5
attempted, use the cmmodnet 10.149.2.0
command to remove the IP
address.
For more information, see
cmmodnet (1m) manpage.

Removing sg/filesystem If storage deleted from the To unmount the mount point mnt1:
storage from (filesystem.sh) package has failed or not #umount /mnt1
the package sg/volume_group attempted, ensure the following:
(volume_group.sh) To delete the hostags from the
sg/pr_cntl The mount point is vg_dd0 on node test1.ind.hp.com:
(pr_cntl.sh) unmounted.
#vgchange --deltag
Delete the hosttagss from the test1.ind.hp.com vg_dd1
disk.
To remove the persistent reservation
Volume group is de-activated from the disk /dev/sde:
with hosttags.
#pr_cleanup -lun /dev/sde
Persistent reservation is
removed from the disk.
For more information, see
sg_persist(1m),
vgchange(1m),
pr_cleanup(1m),
multipath(1m), and
mount(1m) manpage.

252 Cluster and Package Maintenance


Table 16 Modules affected during online deletion (continued)
Removing sg/external_pre_script If an external pre script which is To halt the external pre script:
external pre (external.sh) deleted from the package #extern_pre_script.sh stop
script from the configuration failed or not
package attempted to stop, run the script
with stop option.
script_name stop

Removing MD ext/xdc If an MD removed from the To stop and start the raid monitor
from the (xdc.sh) package configuration has not service:
package (for been stopped, use the mdadm #cmhaltserv
XDC command to stop the MD. For <raid_monitor_service>
packages) more information, see mdadm
(1m) manpage. #cmrunserv
<raid_monitor_service_name>
Restart the raid monitor service <raid_monitor_service_cmd>
manually after stopping the MD.
To stop the MD /dev/md1:
#mdadm -S /dev/md1

7.9 Responding to Cluster Events


Serviceguard does not require much ongoing system administration intervention. As long as there
are no failures, your cluster will be monitored and protected. In the event of a failure, those packages
that you have designated to be transferred to another node will be transferred automatically. Your
ongoing responsibility as the system administrator will be to monitor the cluster and determine if
a transfer of package has occurred. If a transfer has occurred, you have to determine the cause
and take corrective actions.
The typical corrective actions to take in the event of a transfer of package include:
Determining when a transfer has occurred.
Determining the cause of a transfer.
Repairing any hardware failures.
Correcting any software problems.
Restarting nodes.
Transferring packages back to their original nodes.
Enabling package switching.

7.10 Single-Node Operation


In a multi-node cluster, you could have a situation in which all but one node has failed, or you
have shut down all but one node, leaving your cluster in single-node operation. This remaining
node will probably have applications running on it. As long as the Serviceguard daemon cmcld
is active, other nodes can rejoin the cluster.
If the Serviceguard daemon fails when the cluster is in single-node operation, it will leave the single
node up and your applications running

NOTE: This means that Serviceguard itself is no longer running.


It is not necessary to halt the single node in this scenario, since the application is still running, and
no other node is currently available for package switching. (This is different from the loss of the
Serviceguard daemon in a multi-node cluster, which halts the node (system reset), and causes
packages to be switched to adoptive nodes.)
You should not try to restart Serviceguard, since data corruption might occur if another node were
to attempt to start up a new instance of the application that is still running on the single node.

7.9 Responding to Cluster Events 253


Instead of restarting the cluster, choose an appropriate time to shut down the applications and
reboot the node; this will allow Serviceguard to restart the cluster after the reboot.

7.11 Removing Serviceguard from a System


If you want to disable a node permanently from Serviceguard, use the rpm -e command to delete
the software.

CAUTION: Remove the node from the cluster first. If you run the rpm -e command on a server
that is still a member of a cluster, it will cause that cluster to halt, and the cluster to be deleted.
To remove Serviceguard:
1. If the node is an active member of a cluster, halt the node first.
2. If the node is included in a cluster configuration, remove the node from the configuration.
3. If you are removing Serviceguard from more than one node, run rpm -eon one node at a
time.

254 Cluster and Package Maintenance


8 Troubleshooting Your Cluster
This chapter describes how to verify cluster operation, how to review cluster status, how to add
and replace hardware, and how to solve some typical cluster problems. Topics are as follows:
Testing Cluster Operation
Monitoring Hardware (page 256)
Replacing Disks (page 257)
Replacing LAN Cards (page 258)
Replacing a Failed Quorum Server System (page 259)
Troubleshooting Approaches (page 260)
Solving Problems (page 263)
Troubleshooting serviceguard-xdc package (page 268)
Troubleshooting Serviceguard Manager (page 269)

8.1 Testing Cluster Operation


Once you have configured your Serviceguard cluster, you should verify that the various components
of the cluster behave correctly in case of a failure. In this section, the following procedures test that
the cluster responds properly in the event of a package failure, a node failure, or a LAN failure.

CAUTION: In testing the cluster in the following procedures, be aware that you are causing
various components of the cluster to fail, so that you can determine that the cluster responds correctly
to failure situations. As a result, the availability of nodes and applications may be disrupted.

8.1.1 Testing the Package Manager


To test that the package manager is operating correctly, perform the following procedure for each
package on the cluster:
1. Obtain the PID number of a service in the package by entering
ps -ef | grep <service_cmd>
where service_cmd is the executable specified in the package configuration file (or legacy
control script) by means of the service_cmd parameter (page 183). The service selected must
have the default service_restart value (none).
2. To kill the service_cmd PID, enter
kill <PID>
3. To view the package status, enter
cmviewcl -v
The package should be running on the specified adoptive node.
4. Halt the package, then move it back to the primary node using the cmhaltpkg, cmmodpkg,
and cmrunpkg commands:
cmhaltpkg <PackageName>
cmmodpkg -e <PrimaryNode> <PackageName>
cmrunpkg -v <PackageName>
Depending on the specific databases you are running, perform the appropriate database
recovery.

8.1 Testing Cluster Operation 255


You can also test the package manager using generic resources. Perform the following procedure
for each package on the cluster:
1. Obtain the generic resource that is configured in a package by entering
cmviewcl -v -p <pkg_name>
2. Set the status of generic resource to DOWN using the following command:
cmsetresource -r <res1> s down
3. To view the package status, enter
cmviewcl -v
The package should be running on the specified adoptive node.
4. Move the package back to the primary node (see Moving a Failover Package (page 219)).

NOTE: If there was a monitoring script configured for this generic resource, then the monitoring
script would also be attempting to set the status of the generic resource.

8.1.2 Testing the Cluster Manager


To test that the cluster manager is operating correctly, perform the following steps for each node
on the cluster:
1. Turn off the power to the node.
2. To observe the cluster reforming, enter the following command on some other configured
node:
cmviewcl -v
You should be able to observe that the powered down node is halted, and that its packages
have been correctly switched to other nodes.
3. Turn on the power to the node.
4. To verify that the node is rejoining the cluster, enter the following command on any configured
node:
cmviewcl -v
The node should be recognized by the cluster, but its packages should not be running.
5. Move the packages back to the original node:
cmhaltpkg <pkgname>
cmmodpkg -e -n <originalnode>
cmrunpkg <pkgname>
Depending on the specific databases you are running, perform the appropriate database
recovery.
6. Repeat this procedure for all nodes in the cluster one at a time.

8.2 Monitoring Hardware


Good standard practice in handling a high availability system includes careful fault monitoring so
as to prevent failures if possible or at least to react to them swiftly when they occur. For information
about disk monitoring, see Creating a Disk Monitor Configuration (page 198). In addition, the
following should be monitored for errors or warnings of all kinds:
CPUs
Memory
NICs
Power sources

256 Troubleshooting Your Cluster


All cables
Disk interface cards
Some monitoring can be done through simple physical inspection, but for the most comprehensive
monitoring, you should examine the system log file (/var/log/messages) periodically for reports
on all configured HA devices. The presence of errors relating to a device will show the need for
maintenance.

8.3 Replacing Disks


The procedure for replacing a faulty disk mechanism depends on the type of disk configuration
you are using. Refer to your Smart Array documentation for issues related to your Smart Array.

8.3.1 Replacing a Faulty Mechanism in a Disk Array


You can replace a failed disk mechanism by simply removing it from the array and replacing it
with a new mechanism of the same type. The resynchronization is handled by the array itself.
There may be some impact on disk performance until the resynchronization is complete. For details
on the process of hot plugging disk mechanisms, refer to your disk array documentation.

8.3.2 Replacing a Lock LUN


You can replace an unusable lock LUN while the cluster is running. You can do this without any
cluster reconfiguration if you do not change the devicefile name; or, if you do need to change the
devicefile, you can do the necessary reconfiguration while the cluster is running.
If you need to use a different devicefile, you must change the name of the devicefile in the cluster
configuration file; see Updating the Cluster Lock LUN Configuration Online (page 233).

CAUTION: Before you start, make sure that all nodes have logged a message such as the following
in syslog:
WARNING: Cluster lock LUN /dev/sda1 is corrupt: bad label. Until this
situation is corrected, a single failure could cause all nodes in the
cluster to crash.

Once all nodes have logged this message, use a command such as the following to specify the
new cluster lock LUN:
cmdisklock reset /dev/sda1

CAUTION: You are responsible for determining that the device is not being used by LVM or any
other subsystem on any node connected to the device before using cmdisklock. If you use
cmdisklock without taking this precaution, you could lose data.

NOTE: cmdisklock is needed only when you are repairing or replacing a lock LUN; see the
cmdisklock (1m) manpage for more information.
Serviceguard checks the lock LUN every 75 seconds. After using the cmdisklock command,
review the syslog file of an active cluster node for not more than 75 seconds. By this time you
should see a message showing that the lock disk is healthy again.

8.4 Revoking Persistent Reservations after a Catastrophic Failure


For information about persistent reservations (PR) and how they work, see About Persistent
Reservations (page 72).
Under normal circumstances, Serviceguard clears all persistent reservations when a package halts.
In the case of a catastrophic cluster failure however, you may need to do the cleanup yourself as

8.3 Replacing Disks 257


part of the recovery. Use the $SGCONF/scripts/sg/pr_cleanup script to do this. (The script
is also in $SGCONF/bin/. See Understanding the Location of Serviceguard Files (page 135) for
the locations of Serviceguard directories on various Linux distributions.)
Invoke the script as follows, specifying either the device special file (DSF) of a LUN, or a file
containing a list of DSF names:
pr_cleanup lun -v -k <key> [-f <filename_path> | <list of DSFs>]
lun, if used, specifies that a LUN, rather than a volume group, is to be operated on.
-v, if used, specifies verbose output detailing the actions the script performs and their status.
-k <key>, if used, specifies the key to be used in the clear operation.
-f <filename_path>, if used, specifies that the name of the DSFs to be operated on are
listed in the file specified by <filename_path>. Each DSF must be listed on a separate line.
<list of DSFs> specifies one or more DSFs on the command line, if -f
<filename_path> is not used.

8.4.1 Examples
The following command will clear all the PR reservations registered with the key abc12 on the set
of LUNs listed in the file /tmp/pr_device_list
pr_cleanup -k abc12 lun -f /tmp/pr_device_list
pr_device_list contains entries such as the following:
/dev/sdb1
/dev/sdb2
Alternatively you could enter the device-file names on the command line:
pr_cleanup -k abc12 lun /dev/sdb1 /dev/sdb2
The next command clears all the PR reservations registered with the PR key abcde on the underlying
LUNs of the volume group vg01:
pr_cleanup -k abcde vg01

NOTE: Because the keyword lun is not included, the device is assumed to be a volume group.

8.5 Replacing LAN Cards


If you need to replace a LAN card, use the following steps. It is not necessary to bring the cluster
down to do this.
1. Halt the node using the cmhaltnode command.
2. Shut down the system:
shutdown -h
Then power off the system.
3. Remove the defective LAN card.
4. Install the new LAN card. The new card must be exactly the same card type, and it must be
installed in the same slot as the card you removed.
5. Power up the system.
6. As the system comes up, the kudzu program on Red Hat systems will detect and report the
hardware changes. Accept the changes and add any information needed for the new LAN
card. On SUSE systems, run YAST2 after the system boots and make adjustments to the NIC
setting of the new LAN card. If the old LAN card was part of a bond, the new LAN card
needs to be made part of the bond. See Implementing Channel Bonding (Red Hat) (page 140)
or Implementing Channel Bonding (SUSE) (page 142).

258 Troubleshooting Your Cluster


7. If necessary, add the node back into the cluster using the cmrunnode command.
(You can omit this step if the node is configured to join the cluster automatically.)
Now Serviceguard will detect that the MAC address (LLA) of the card has changed from the value
stored in the cluster binary configuration file, and it will notify the other nodes in the cluster of the
new MAC address. The cluster will operate normally after this.
HP recommends that you update the new MAC address in the cluster binary configuration file by
re-applying the cluster configuration. Use the following steps for online reconfiguration:
1. Use the cmgetconf command to obtain a fresh ASCII configuration file, as follows:
cmgetconf config.conf

2. Use the cmapplyconf command to apply the configuration and copy the new binary file to
all cluster nodes:
cmapplyconf -C config.conf

This procedure updates the binary file with the new MAC address and thus avoids data inconsistency
between the outputs of the cmviewconf and ifconfig commands.

8.6 Replacing a Failed Quorum Server System


When a quorum server fails or becomes unavailable to the clusters it is providing quorum services
for, this will not cause a failure on any cluster. However, the loss of the quorum server does increase
the vulnerability of the clusters in case there is an additional failure. Use the following procedure
to replace a defective quorum server system. If you use this procedure, you do not need to change
the configuration of any cluster nodes.

IMPORTANT: Make sure you read the latest version of the HP Serviceguard Quorum Server
Release Notes before you proceed. You can find them at http://www.hp.com/go/
hpux-serviceguard-docs (Select HP Serviceguard Quorum Server Software). You should also consult
the Quorum Server white papers at the same location.
1. Remove the old quorum server system from the network.
2. Set up the new system and configure it with the old quorum servers IP address and hostname.
3. Install and configure the quorum server software on the new system. Be sure to include in the
new QS authorization file (for example, /usr/local/qs/conf/qs_authfile) on all of
the nodes that were configured for the old quorum server. Refer to the qs(1) man page for
details about configuring the QS authorization file.

NOTE: The quorum server reads the authorization file at startup. Whenever you modify the
file qs_authfile, run the following command to force a re-read of the file. For example,
on a Red Hat distribution:
/usr/local/qs/bin/qs -update
On a SUSE distribution:
/opt/qs/bin/qs -update

8.6 Replacing a Failed Quorum Server System 259


4. Start the quorum server as follows:
Use the init q command to run the quorum server.
Or
Create a package in another cluster for the Quorum Server, as described in the Release
Notes for your version of Quorum Server. They can be found at http://www.hp.com/
go/hpux-serviceguard-docs (Select (HP Serviceguard Quorum Server Software).
5. All nodes in all clusters that were using the old quorum server will connect to the new quorum
server. Use the cmviewcl -v command from any cluster that is using the quorum server to
verify that the nodes in that cluster have connected to the QS.
6. The quorum server log file on the new quorum server will show a log message like the following
for each cluster that uses the quorum server:
Request for lock /sg/<ClusterName> succeeded. New lock owners: N1, N2
7. To check that the quorum server has been correctly configured and to verify the connectivity
of a node to the quorum server, you can execute the following command from your cluster
nodes as follows:
cmquerycl -q <QSHostName> -n <Node1> -n <Node2> ...
The command will output an error message if the specified nodes cannot communicate with
the quorum server.

CAUTION: Make sure that the old system does not rejoin the network with the old IP address.

NOTE: While the old quorum server is down and the new one is being set up:
The cmquerycl, cmcheckconf and cmapplyconf commands will not work
The cmruncl, cmhaltcl, cmrunnode, and cmhaltnode commands will work
If there is a node or network failure that creates a 50-50 membership split, the quorum server
will not be available as a tie-breaker, and the cluster will fail.

8.7 Troubleshooting Approaches


The following sections offer a few suggestions for troubleshooting by reviewing the state of the
running system and by examining cluster status data, log files, and configuration files. Topics
include:
Reviewing Package IP Addresses
Reviewing the System Log File
Reviewing Configuration Files
Reviewing the Package Control Script
Using cmquerycl and cmcheckconf
Using cmviewcl
Reviewing the LAN Configuration

8.7.1 Reviewing Package IP Addresses


The ifconfigcommand can be used to examine the LAN configuration. The command, if executed
on ftsys9 after the halting of node ftsys10, shows that the package IP addresses are assigned
to eth1:1 and eth1:2 along with the heartbeat IP address on eth1.
eth0 Link encap:Ethernet HWaddr 00:01:02:77:82:75
inet addr:15.13.169.106 Bcast:15.13.175.255 Mask:255.255.248.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:70826196 errors:0 dropped:0 overruns:1 frame:0

260 Troubleshooting Your Cluster


TX packets:5741486 errors:1 dropped:0 overruns:1 carrier:896
collisions:26706 txqueuelen:100
Interrupt:9 Base address:0xdc00

eth1 Link encap:Ethernet HWaddr 00:50:DA:64:8A:7C


inet addr:192.168.1.106 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2337841 errors:0 dropped:0 overruns:0 frame:0
TX packets:1171966 errors:0 dropped:0 overruns:0 carrier:0
collisions:6 txqueuelen:100
Interrupt:9 Base address:0xda00

eth1:1 Link encap:Ethernet HWaddr 00:50:DA:64:8A:7C


inet addr:192.168.1.200 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:9 Base address:0xda00

eth1:2 Link encap:Ethernet HWaddr 00:50:DA:64:8A:7C


inet addr:192.168.1.201 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:9 Base address:0xda00

lo Link encap:Local Loopback


inet addr:127.0.0.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP LOOPBACK RUNNING MULTICAST MTU:3924 Metric:1
RX packets:2562940 errors:0 dropped:0 overruns:1 frame:0
TX packets:2562940 errors:1 dropped:0 overruns:1 carrier:896
collisions:0 txqueuelen:0

8.7.2 Reviewing the System Log File


Messages from the Cluster Manager and Package Manager are written to the system log file. The
default location of the log file may vary according to Linux distribution; the Red Hat default is
/var/log/messages. You can use a text editor, such as vi, or the more command to view the
log file for historical information on your cluster.
This log provides information on the following:
Commands executed and their outcome.
Major cluster events which may, or may not, be errors.
Cluster status information.

NOTE: Many other products running on Linux in addition to Serviceguard use the syslog file to
save messages. Refer to your Linux documentation for additional information on using the system
log.

8.7.2.1 Sample System Log Entries


The following sample entries from the syslog file show a package that failed to run because of
a problem in the pkg5_run script. You would look at the pkg5_run.log for details.
Dec 14 14:33:48 star04 cmcld[2048]: Starting cluster management protocols.
Dec 14 14:33:48 star04 cmcld[2048]: Attempting to form a new cluster
Dec 14 14:33:53 star04 cmcld[2048]: 3 nodes have formed a new cluster
Dec 14 14:33:53 star04 cmcld[2048]: The new active cluster membership is:
star04(id=1) , star05(id=2), star06(id=3)
Dec 14 17:33:53 star04 cmlvmd[2049]: Clvmd initialized successfully.
Dec 14 14:34:44 star04 CM-CMD[2054]: cmrunpkg -v pkg5
Dec 14 14:34:44 star04 cmcld[2048]: Request from node star04 to start
package pkg5 on node star04.
Dec 14 14:34:44 star04 cmcld[2048]: Executing '/usr/local/cmcluster/conf/pkg5/pkg5_run
start' for package pkg5.
Dec 14 14:34:45 star04 LVM[2066]: vgchange -a n /dev/vg02
Dec 14 14:34:45 star04 cmcld[2048]: Package pkg5 run script exited with
NO_RESTART.

8.7 Troubleshooting Approaches 261


Dec 14 14:34:45 star04 cmcld[2048]: Examine the file
/usr/local/cmcluster/pkg5/pkg5_run.log for more details.
The following is an example of a successful package starting:
Dec 14 14:39:27 star04 CM-CMD[2096]: cmruncl
Dec 14 14:39:27 star04 cmcld[2098]: Starting cluster management protocols.
Dec 14 14:39:27 star04 cmcld[2098]: Attempting to form a new cluster
Dec 14 14:39:27 star04 cmclconfd[2097]: Command execution message
Dec 14 14:39:33 star04 cmcld[2098]: 3 nodes have formed a new cluster
Dec 14 14:39:33 star04 cmcld[2098]: The new active cluster membership is:
star04(id=1), star05(id=2), star06(id=3)
Dec 14 17:39:33 star04 cmlvmd[2099]: Clvmd initialized successfully.
Dec 14 14:39:34 star04 cmcld[2098]: Executing '/usr/local/cmcluster/conf/pkg4/pkg4_run
start' for package pkg4.
Dec 14 14:39:34 star04 LVM[2107]: vgchange /dev/vg01
Dec 14 14:39:35 star04 CM-pkg4[2124]: cmmodnet -a -i 15.13.168.0 15.13.168.4
Dec 14 14:39:36 star04 CM-pkg4[2127]: cmrunserv Service4 /vg01/MyPing 127.0.0.1
>>/dev/null
Dec 14 14:39:36 star04 cmcld[2098]: Started package pkg4 on node star04.

8.7.3 Reviewing Configuration Files


Review the following ASCII configuration files:
Cluster configuration file.
Package configuration files.
Ensure that the files are complete and correct according to your configuration planning worksheets.

8.7.4 Reviewing the Package Control Script


For legacy packages, ensure that the package control script is found on all nodes where the
package can run and that the file is identical on all nodes. Ensure that the script is executable on
all nodes. Ensure that the name of the control script appears in the package configuration file, and
ensure that all services named in the package configuration file also appear in the package control
script.
Information about the starting and halting of each package can be found in the packages control
script log. This log provides the history of the operation of the package, including all package run
and halt activities. The location of the file is determined by the script_log_file parameter
(page 178) in the package configuration file. If you have written a separate run and halt script for
a legacy package, each script will have its own log.

8.7.5 Using the cmquerycl and cmcheckconf Commands


In addition, cmquerycl and cmcheckconf can be used to troubleshoot your cluster just as they
were used to verify its configuration. The following example shows the commands used to verify
the existing cluster configuration on ftsys9 and ftsys10:
cmquerycl -v -C $SGCONF/verify.conf -n ftsys9 -n ftsys10
cmcheckconf -v -C $SGCONF/verify.conf
cmcheckconf checks:
The network addresses and connections.
Quorum Server connectivity, if a quorum server is configured.
Lock LUN connectivity, if a lock LUN is used.
The validity of configuration parameters of the cluster and packages for:
The uniqueness of names.

The existence and permission of scripts.

262 Troubleshooting Your Cluster


It doesn't check:
The correct setup of the power circuits.
The correctness of the package configuration script.

8.7.6 Reviewing the LAN Configuration


The following networking commands can be used to diagnose problems:
ifconfig can be used to examine the LAN configuration. This command lists all IP addresses
assigned to each LAN interface card.
arp -a can be used to check the arp tables.
cmscancl can be used to test IP-level connectivity between network interfaces in the cluster.
cmviewcl -v shows the status of primary LANs.
Use these commands on all nodes.

8.8 Solving Problems


Problems with Serviceguard may be of several types. The following is a list of common categories
of problem:
Serviceguard Command Hangs.
Cluster Re-formations.
System Administration Errors.
Package Control Script Hangs.
Package Movement Errors.
Node and Network Failures.
Quorum Server Messages.

8.8.1 Name Resolution Problems


Many Serviceguard commands, including cmviewcl, depend on name resolution services to look
up the addresses of cluster nodes. When name services are not available (for example, if a name
server is down), Serviceguard commands may hang, or may return a network-related error message.
If this happens, use the host command on each cluster node to see whether name resolution is
correct. For example:
host ftsys9
ftsys9.cup.hp.com has address 15.13.172.229
If the output of this command does not include the correct IP address of the node, then check your
name resolution services further.

8.8.1.1 Networking and Security Configuration Errors


In many cases, a symptom such as Permission denied... or Connection refused...
is the result of an error in the networking or security configuration. Most such problems can be
resolved by correcting the entries in /etc/hosts. See Configuring Name Resolution (page 137)
for more information.

8.8.2 Halting a Detached Package


When you attempt to halt a detached package using the cmhaltpkg and the given node is not
reachable, you will get an error message as follows:

8.8 Solving Problems 263


Unable to halt the detached package <package_name> on node <node_name>
as the node is not reachable. Retry once the node is reachable.
In such a case, the node should be powered up and be accessible. You must then rerun the
cmhaltpkg command.

8.8.3 Cluster Re-formations Caused by Temporary Conditions


You may see Serviceguard error messages, such as the following, which indicate that a node is
having problems:
Member node_name seems unhealthy, not receiving heartbeats from it.
This may indicate a serious problem, such as a node failure, whose underlying cause is probably
a too-aggressive setting for the MEMBER_TIMEOUT parameter; see the next section, Cluster
Re-formations Caused by MEMBER_TIMEOUT Being Set too Low. Or it may be a transitory problem,
such as excessive network traffic or system load.
What to do: If you find that cluster nodes are failing because of temporary network or system-load
problems (which in turn cause heartbeat messages to be delayed in network or during processing),
you should solve the networking or load problem if you can. Failing that, you can increase the
value of MEMBER_TIMEOUT, as described in the next section.

8.8.4 Cluster Re-formations Caused by MEMBER_TIMEOUT Being Set too Low


If you have set the MEMBER_TIMEOUT parameter too low, the cluster demon, cmcld, will write
warnings to syslog that indicate the problem. There are three in particular that you should watch
for:
1. Warning: cmcld was unable to run for the last <n.n> seconds. Consult
the Managing Serviceguard manual for guidance on setting
MEMBER_TIMEOUT, and information on cmcld.
This means that cmcld was unable to get access to a CPU for a significant amount of time.
If this occurred while the cluster was re-forming, one or more nodes could have failed. Some
commands (such as cmhaltnode (1m), cmrunnode (1m), cmapplyconf (1m)), cause
the cluster to re-form, so there's a chance that running one of these commands could precipitate
a node failure; that chance is greater the longer the hang.
What to do: If this message appears once a month or more often, increase MEMBER_TIMEOUT
to more than 10 times the largest reported delay. For example, if the message that reports the
largest number says that cmcld was unable to run for the last 1.6 seconds, increase
MEMBER_TIMEOUT to more than 16 seconds.
2. This node is at risk of being evicted from the running cluster.
Increase MEMBER_TIMEOUT.
This means that the hang was long enough for other nodes to have noticed the delay in
receiving heartbeats and marked the node unhealthy. This is the beginning of the process
of evicting the node from the cluster; see What Happens when a Node Times Out (page 75)
for an explanation of that process.
What to do: In isolation, this could indicate a transitory problem, as described in the previous
section. If you have diagnosed and fixed such a problem and are confident that it won't recur,
you need take no further action; otherwise you should increase MEMBER_TIMEOUT as instructed
in item 1.
3. Member node_name seems unhealthy, not receiving heartbeats from it.
This is the message that indicates that the node has been found unhealthy as described in
the previous bullet.
What to do: See item 2.

264 Troubleshooting Your Cluster


For more information, including requirements and recommendations, see the MEMBER_TIMEOUT
discussion under Cluster Configuration Parameters (page 90).

8.8.5 System Administration Errors


There are a number of errors you can make when configuring Serviceguard that will not show up
when you start the cluster. Your cluster can be running, and everything appears to be fine, until
there is a hardware or software failure and control of your packages are not transferred to another
node as you would have expected.
These are errors caused specifically by errors in the cluster configuration file and package
configuration scripts. Examples of these errors include:
Volume groups not defined on adoptive node.
Mount point does not exist on adoptive node.
Network errors on adoptive node (configuration errors).
User information not correct on adoptive node.
You can use the following commands to check the status of your disks:
df - to see if your packages volume group is mounted.
vgdisplay -v - to see if all volumes are present.
strings /etc/lvmconf/*.conf - to ensure that the configuration is correct.
fdisk -v /dev/sdx - to display information about a disk.

8.8.5.1 Package Control Script Hangs or Failures


When a RUN_SCRIPT_TIMEOUT or HALT_SCRIPT_TIMEOUT value is set, and the control script
hangs, causing the timeout to be exceeded, Serviceguard kills the script and marks the package
Halted. Similarly, when a package control script fails, Serviceguard kills the script and marks
the package Halted. In both cases, the following also take place:
Control of the package will not be transferred.
The run or halt instructions may not run to completion.
Global switching will be disabled.
The current node will be disabled from running the package.
Following such a failure, since the control script is terminated, some of the packages resources
may be left activated. Specifically:
Volume groups may be left active.
File systems may still be mounted.
IP addresses may still be installed.
Services may still be running.
In this kind of situation, Serviceguard will not restart the package without manual intervention. You
must clean up manually before restarting the package. Use the following steps as guidelines:
1. Perform application specific cleanup. Any application specific actions the control script might
have taken should be undone to ensure successfully starting the package on an alternate node.
This might include such things as shutting down application processes, removing lock files,
and removing temporary files.
2. Ensure that package IP addresses are removed from the system. This step is accomplished via
the cmmodnet(1m) command. First determine which package IP addresses are installed by
inspecting the output resulting from running the ifconfig command. If any of the IP addresses

8.8 Solving Problems 265


specified in the package control script appear in the ifconfig output under the inet addr:
in the ethX:Y block, use cmmodnet to remove them:
cmmodnet -r -i <ip-address> <subnet>
where <ip-address> is the address indicated above and <subnet> is the result of masking
the <ip-address> with the mask found in the same line as the inet address in the
ifconfig output.
3. Ensure that package volume groups are deactivated. First unmount any package logical
volumes which are being used for file systems. This is determined by inspecting the output
resulting from running the command df -l. If any package logical volumes, as specified by
the LV[] array variables in the package control script, appear under the Filesystem column,
use umount to unmount them:
fuser -ku <logical-volume>
umount <logical-volume>
Next, deactivate the package volume groups. These are specified by the VG[] array entries
in the package control script.
vgchange -a n <volume-group>
4. Finally, re-enable the package for switching.
cmmodpkg -e <package-name>
If after cleaning up the node on which the timeout occurred it is desirable to have that node
as an alternate for running the package, remember to re-enable the package to run on the
node:
cmmodpkg -e -n <node-name> <package-name>

The default Serviceguard control scripts are designed to take the straightforward steps needed to
get an application running or stopped. If the package administrator specifies a time limit within
which these steps need to occur and that limit is subsequently exceeded for any reason, Serviceguard
takes the conservative approach that the control script logic must either be hung or defective in
some way. At that point the control script cannot be trusted to perform cleanup actions correctly,
thus the script is terminated and the package administrator is given the opportunity to assess what
cleanup steps must be taken.
If you want the package to switch automatically in the event of a control script timeout, set the
node_fail_fast_enabled parameter (page 176) to YES. In this case, Serviceguard will cause
a reboot on the node where the control script timed out. This effectively cleans up any side effects
of the packages run or halt attempt. In this case the package will be automatically restarted on
any available alternate node for which it is configured.

8.8.6 Package Movement Errors (Legacy Packages)


These errors are similar to the system administration errors except they are caused specifically by
errors in the package control script. The best way to prevent these errors is to test your package
control script before putting your high availability application on line.
Adding a set -x statement in the second line of your control script will give you details on where
your script may be failing.
Package startup failure due to uncleaned LVM2 hosttags
When LVM2 hosttags feature is used in Volumegroup, Serviceguard ensures that the hosttags are
cleaned up on every package halt process. However, in case of Node power failure or crash
initiated by SERVICE_FAIL_FAST / NODE_FAIL_FAST feature, hosttags will not be cleaned up. In
such cases, hosttags have to be manually cleaned up before starting the package on other node.
Following messages can be seen in the package log where package failed to startup on other
node and it also provides procedure to clean up the hosttags.
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: ERROR: Function activation_check:
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: Error vg01 may still be activated on xyz.hp.com

266 Troubleshooting Your Cluster


Feb 11 17:18:36 [email protected] volume_group.sh[1871]: To correct this situation, logon to "xyz.hp.com " and
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: execute the following commands:
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: vgchange -a n vg01
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: vgchange --deltag xyz.hp.com vg01
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: Once "vg01" has been deactivated from xyz.hp.com",
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: this package may be restarted via either cmmodpkg (1M)
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: or cmrunpkg(1M).
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: In the event that "xyz.hp.com" is either powered off
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: or unable to boot, then "vg01" must be forced
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: to be activated on this node.
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: ******************* WARNING ***************************
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: Forcing activation can lead to data corruption if
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: "xyz.hp.com" is still running and has "vg01"
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: active. It is imperative to positively determine that
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: "xyz.hp.com" is not running prior to performing
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: this operation.
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: *******************************************************
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: To force activate "vg01", execute the following
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: command on the local system:
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: vgchange --deltag xyz.hp.com vg01
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: The package may then be restarted via either
Feb 11 17:18:36 [email protected] volume_group.sh[1871]: cmmodpkg (1M) or cmrunpkg (1M) commands.

8.8.7 Node and Network Failures


These failures cause Serviceguard to transfer control of a package to another node. This is the
normal action of Serviceguard, but you have to be able to recognize when a transfer has taken
place and decide to leave the cluster in its current condition or to restore it to its original condition.
Possible node failures can be caused by the following conditions:
reboot
Kernel Oops
Hangs
Power failures
You can use the following commands to check the status of your network and subnets:
ifconfig - to display LAN status and check to see if the package IP is stacked on the LAN
card.
arp -a - to check the arp tables.
Since your cluster is unique, there are no cookbook solutions to all possible problems. But if you
apply these checks and commands and work your way through the log files, you will be successful
in identifying and solving problems.

8.8.8 Troubleshooting the Quorum Server


NOTE: See the HP Serviceguard Quorum Server Version A.04.00 Release Notes for information
about configuring the Quorum Server. Do not proceed without reading the Release Notes for your
version.

8.8.8.1 Authorization File Problems


The following kind of message in a Serviceguard nodes syslog file or in the output of cmviewcl
-v may indicate an authorization problem:
Access denied to quorum server 192.6.7.4
The reason may be that you have not updated the authorization file. Verify that the node is included
in the file, and try using /usr/lbin/qs -update to re-read the quorum server authorization
file.

8.8.8.2 Timeout Problems


The following kinds of message in a Serviceguard nodes syslog file may indicate timeout
problems:

8.8 Solving Problems 267


Unable to set client version at quorum server 192.6.7.2: reply timed
out
Probe of quorum server 192.6.7.2 timed out
These messages could be an indication of an intermittent network problem; or the default quorum
server timeout may not be sufficient. You can set the QS_TIMEOUT_EXTENSION to increase the
timeout, or you can increase the MEMBER_TIMEOUT value. See Cluster Configuration Parameters
(page 90)for more information about these parameters.
A message such as the following in a Serviceguard nodes syslog file indicates that the node
did not receive a reply to its lock request on time. This could be because of delay in communication
between the node and the Quorum Server or between the Quorum Server and other nodes in the
cluster:
Attempt to get lock /sg/cluser1 unsuccessful. Reason:
request_timedout

8.8.8.3 Messages
The coordinator node in Serviceguard sometimes sends a request to the quorum server to set the
lock state. (This is different from a request to obtain the lock in tie-breaking.) If the quorum servers
connection to one of the cluster nodes has not completed, the request to set may fail with a two-line
message like the following in the quorum servers log file:
Oct 008 16:10:05:0: There is no connection to the applicant
2 for lock /sg/lockTest1
Oct 08 16:10:05:0:Request for lock /sg/lockTest1 from
applicant 1 failed: not connected to all applicants.
This condition can be ignored. The request will be retried a few seconds later and will succeed.
The following message is logged:
Oct 008 16:10:06:0: Request for lock /sg/lockTest1
succeeded. New lock owners: 1,2.

8.8.9 Lock LUN Messages


If the lock LUN device fails, the following message will be entered in the syslog file:
Oct 008 16:10:05:0: WARNING: Cluster lock lun /dev/sdc1 has failed.

8.9 Troubleshooting serviceguard-xdc package


For information about how to troubleshoot issues related to serviceguard-xdc package, see HP
Serviceguard Extended Distance Cluster for Linux A.11.20.20 Deployment Guide at http://
www.hp.com/go/linux-serviceguard-docs.

268 Troubleshooting Your Cluster


8.10 Troubleshooting Serviceguard Manager
The following section describes how to troubleshoot issues related to Serviceguard Manager

Problem Solution

Service Temporarily Unavailable when trying to launch Ensure that a loop back address is mentioned in the /etc/
Serviceguard Manager hosts file 127.0.0.1 localhost.localdomain
localhost

Tomcat process has not started by any chance Run the Tomcat startup command
/opt/hp/hpsmh/tomcat/bin/startup.sh

The following message is displayed when erviceguard 1. Install the pre-requisite version of Java(1.6 or later) and
Manager is launched from HP System Management Home Tomcat(5.x or 6.x)
(SMH) web page, if Java and/or Tomcat versions are not 2. Ensure /usr/bin/java is pointing to supported
as per the pre-requisite: version of Java ("ll /usr/bin/java" ). Otherwise, unlink
Service Temporarily Unavailable or Http unlink /usr/bin/java and create a new link ln
status 500 proxy error or SMH can't find the -s <full path of JAVA installation
requested page directory> /usr/bin/java
3. Ensure /usr/share/sgmgr-tomcat points to tomcat
installation directory, that is, catalina_home ( "ll
/usr/share/sgmgr-tomcat"). Otherwise, unlink
unlink /usr/share/sgmgr-tomcat and create
a new link ln -s <full path of Tomcat
installation directory>
/usr/share/sgmgr-tomcat
4. Ensure Serviceguard-manager-tomcat rpm is
installed ("serviceguard-manager-tomcat-01.00-0"
should be listed in execution of the command "rpm -qa
| grep serviceguard")
5. Run /opt/hp/hpsmh/tomcat/bin/tomcat_cfg
script

8.10 Troubleshooting Serviceguard Manager 269


270
A Designing Highly Available Cluster Applications
This appendix describes how to create or port applications for high availability, with emphasis on
the following topics:
Automating Application Operation
Controlling the Speed of Application Failover (page 272)
Designing Applications to Run on Multiple Systems (page 275)
Restoring Client Connections (page 278)
Handling Application Failures (page 279)
Minimizing Planned Downtime (page 280)
Designing for high availability means reducing the amount of unplanned and planned downtime
that users will experience. Unplanned downtime includes unscheduled events such as power
outages, system failures, network failures, disk crashes, or application failures. Planned downtime
includes scheduled events such as scheduled backups, system upgrades to new OS revisions, or
hardware replacements.
Two key strategies should be kept in mind:
1. Design the application to handle a system reboot or panic. If you are modifying an existing
application for a highly available environment, determine what happens currently with the
application after a system panic. In a highly available environment there should be defined
(and scripted) procedures for restarting the application. Procedures for starting and stopping
the application should be automatic, with no user intervention required.
2. The application should not use any system-specific information such as the following if such
use would prevent it from failing over to another system and running properly:
The application should not refer to uname() or gethostname().
The application should not refer to the SPU ID.
The application should not refer to the MAC (link-level) address.

A.1 Automating Application Operation


Can the application be started and stopped automatically or does it require operator intervention?
This section describes how to automate application operations to avoid the need for user intervention.
One of the first rules of high availability is to avoid manual intervention. If it takes a user at a
terminal, console or GUI interface to enter commands to bring up a subsystem, the user becomes
a key part of the system. It may take hours before a user can get to a system console to do the
work necessary. The hardware in question may be located in a far-off area where no trained users
are available, the systems may be located in a secure datacenter, or in off hours someone may
have to connect via modem.
There are two principles to keep in mind for automating application relocation:
Insulate users from outages.
Applications must have defined startup and shutdown procedures.
You need to be aware of what happens currently when the system your application is running on
is rebooted, and whether changes need to be made in the application's response for high
availability.

A.1.1 Insulate Users from Outages


Wherever possible, insulate your end users from outages. Issues include the following:
Do not require user intervention to reconnect when a connection is lost due to a failed server.
Where possible, warn users of slight delays due to a failover in progress.

A.1 Automating Application Operation 271


Minimize the reentry of data.
Engineer the system for reserve capacity to minimize the performance degradation experienced
by users.

A.1.2 Define Application Startup and Shutdown


Applications must be restartable without manual intervention. If the application requires a switch
to be flipped on a piece of hardware, then automated restart is impossible. Procedures for
application startup, shutdown and monitoring must be created so that the HA software can perform
these functions automatically.
To ensure automated response, there should be defined procedures for starting up the application
and stopping the application. In Serviceguard these procedures are placed in the package control
script. These procedures must check for errors and return status to the HA control software. The
startup and shutdown should be command-line driven and not interactive unless all of the answers
can be predetermined and scripted.
In an HA failover environment, HA software restarts the application on a surviving system in the
cluster that has the necessary resources, such as access to the necessary disk drives. The application
must be restartable in two aspects:
It must be able to restart and recover on the backup system (or on the same system if the
application restart option is chosen).
It must be able to restart if it fails during the startup and the cause of the failure is resolved.
Application administrators need to learn to startup and shutdown applications using the appropriate
HA commands. Inadvertently shutting down the application directly will initiate an unwanted
failover. Application administrators also need to be careful that they don't accidently shut down
a production instance of an application rather than a test instance in a development environment.
A mechanism to monitor whether the application is active is necessary so that the HA software
knows when the application has failed. This may be as simple as a script that issues the command
ps -ef | grep xxx for all the processes belonging to the application.
To reduce the impact on users, the application should not simply abort in case of error, since
aborting would cause an unneeded failover to a backup system. Applications should determine
the exact error and take specific action to recover from the error rather than, for example, aborting
upon receipt of any error.

A.2 Controlling the Speed of Application Failover


What steps can be taken to ensure the fastest failover?
If a failure does occur causing the application to be moved (failed over) to another node, there
are many things the application can do to reduce the amount of time it takes to get the application
back up and running. The topics covered are as follows:
Replicate Non-Data File Systems
Use Raw Volumes
Evaluate the Use of a journaled file system
Minimize Data Loss
Use Restartable Transactions
Use Checkpoints
Design for Multiple Servers
Design for Replicated Data Sites

A.2.1 Replicate Non-Data File Systems


Non-data file systems should be replicated rather than shared. There can only be one copy of the
application data itself. It will be located on a set of disks that is accessed by the system that is

272 Designing Highly Available Cluster Applications


running the application. After failover, if these data disks are filesystems, they must go through
filesystems recovery (fsck) before the data can be accessed. To help reduce this recovery time,
the smaller these filesystems are, the faster the recovery will be. Therefore, it is best to keep anything
that can be replicated off the data filesystem. For example, there should be a copy of the application
executables on each system rather than having one copy of the executables on a shared filesystem.
Additionally, replicating the application executables makes them subject to a rolling upgrade if
this is desired.

A.2.2 Evaluate the Use of a Journaled Filesystem (JFS)


If a file system must be used, a JFS offers significantly faster file system recovery than an HFS.
However, performance of the JFS may vary with the application. An example of an appropriate
JFS is the Reiser FS ( reiserfs is not supported in Serviceguard A.11.20.00.), ext3, ext4, or XFS.

A.2.3 Minimize Data Loss


Minimize the amount of data that might be lost at the time of an unplanned outage. It is impossible
to prevent some data from being lost when a failure occurs. However, it is advisable to take certain
actions to minimize the amount of data that will be lost, as explained in the following discussion.

A.2.3.1 Minimize the Use and Amount of Memory-Based Data


Any in-memory data (the in-memory context) will be lost when a failure occurs. The application
should be designed to minimize the amount of in-memory data that exists unless this data can be
easily recalculated. When the application restarts on the standby node, it must recalculate or
reread from disk any information it needs to have in memory.
One way to measure the speed of failover is to calculate how long it takes the application to start
up on a normal system after a reboot. Does the application start up immediately? Or are there a
number of steps the application must go through before an end-user can connect to it? Ideally, the
application can start up quickly without having to reinitialize in-memory data structures or tables.
Performance concerns might dictate that data be kept in memory rather than written to the disk.
However, the risk associated with the loss of this data should be weighed against the performance
impact of posting the data to the disk.
Data that is read from a shared disk into memory, and then used as read-only data can be kept
in memory without concern.

A.2.3.2 Keep Logs Small


Some databases permit logs to be buffered in memory to increase online performance. Of course,
when a failure occurs, any in-flight transaction will be lost. However, minimizing the size of this
in-memory log will reduce the amount of completed transaction data that would be lost in case of
failure.
Keeping the size of the on-disk log small allows the log to be archived or replicated more frequently,
reducing the risk of data loss if a disaster were to occur. There is, of course, a trade-off between
online performance and the size of the log.

A.2.3.3 Eliminate Need for Local Data


When possible, eliminate the need for local data. In a three-tier, client/server environment, the
middle tier can often be dataless (i.e., there is no local data that is client specific or needs to be
modified). This application server tier can then provide additional levels of availability,
load-balancing, and failover. However, this scenario requires that all data be stored either on the
client (tier 1) or on the database server (tier 3).

A.2.4 Use Restartable Transactions


Transactions need to be restartable so that the client does not need to re-enter or back out of the
transaction when a server fails, and the application is restarted on another system. In other words,
if a failure occurs in the middle of a transaction, there should be no need to start over again from

A.2 Controlling the Speed of Application Failover 273


the beginning. This capability makes the application more robust and reduces the visibility of a
failover to the user.
A common example is a print job. Printer applications typically schedule jobs. When that job
completes, the scheduler goes on to the next job. If, however, the system dies in the middle of a
long job (say it is printing paychecks for 3 hours), what happens when the system comes back up
again? Does the job restart from the beginning, reprinting all the paychecks, does the job start
from where it left off, or does the scheduler assume that the job was done and not print the last
hours worth of paychecks? The correct behavior in a highly available environment is to restart
where it left off, ensuring that everyone gets one and only one paycheck.
Another example is an application where a clerk is entering data about a new employee. Suppose
this application requires that employee numbers be unique, and that after the name and number
of the new employee is entered, a failure occurs. Since the employee number had been entered
before the failure, does the application refuse to allow it to be re-entered? Does it require that the
partially entered information be deleted first? More appropriately, in a highly available environment
the application will allow the clerk to easily restart the entry or to continue at the next data item.

A.2.5 Use Checkpoints


Design applications to checkpoint complex transactions. A single transaction from the user's
perspective may result in several actual database transactions. Although this issue is related to
restartable transactions, here it is advisable to record progress locally on the client so that a
transaction that was interrupted by a system failure can be completed after the failover occurs.
For example, suppose the application being used is calculating PI. On the original system, the
application has gotten to the 1,000th decimal point, but the application has not yet written anything
to disk. At that moment in time, the node crashes. The application is restarted on the second node,
but the application is started up from scratch. The application must recalculate those 1,000 decimal
points. However, if the application had written to disk the decimal points on a regular basis, the
application could have restarted from where it left off.

A.2.5.1 Balance Checkpoint Frequency with Performance


It is important to balance checkpoint frequency with performance. The trade-off with checkpointing
to disk is the impact of this checkpointing on performance. Obviously if you checkpoint too often
the application slows; if you don't checkpoint often enough, it will take longer to get the application
back to its current state after a failover. Ideally, the end-user should be able to decide how often
to checkpoint. Applications should provide customizable parameters so the end-user can tune the
checkpoint frequency.

A.2.6 Design for Multiple Servers


If you use multiple active servers, multiple service points can provide relatively transparent service
to a client. However, this capability requires that the client be smart enough to have knowledge
about the multiple servers and the priority for addressing them. It also requires access to the data
of the failed server or replicated data.
For example, rather than having a single application which fails over to a second system, consider
having both systems running the application. After a failure of the first system, the second system
simply takes over the load of the first system. This eliminates the start up time of the application.
There are many ways to design this sort of architecture, and there are also many issues with this
sort of design. This discussion will not go into details other than to give a few examples.
The simplest method is to have two applications running in a master/slave relationship where the
slave is simply a hot standby application for the master. When the master fails, the slave on the
second system would still need to figure out what state the data was in (i.e., data recovery would
still take place). However, the time to fork the application and do the initial startup is saved.
Another possibility is having two applications that are both active. An example might be two
application servers which feed a database. Half of the clients connect to one application server
and half of the clients connect to the second application server. If one server fails, then all the
clients connect to the remaining application server.

274 Designing Highly Available Cluster Applications


A.2.7 Design for Replicated Data Sites
Replicated data sites are a benefit for both fast failover and disaster recovery. With replicated
data, data disks are not shared between systems. There is no data recovery that has to take place.
This makes the recovery time faster. However, there may be performance trade-offs associated
with replicating data. There are a number of ways to perform data replication, which should be
fully investigated by the application designer.
Many of the standard database products provide for data replication transparent to the client
application. By designing your application to use a standard database, the end-user can determine
if data replication is desired.

A.3 Designing Applications to Run on Multiple Systems


If an application can be failed to a backup node, how will it work on that different system?
The previous sections discussed methods to ensure that an application can be automatically restarted.
This section will discuss some ways to ensure the application can run on multiple systems. Topics
are as follows:
Avoid Node Specific Information
Assign Unique Names to Applications
Use Uname(2) With Care
Bind to a Fixed Port
Bind to a Relocatable IP Addresses
Give Each Application its Own Volume Group
Use Multiple Destinations for SNA Applications
Avoid File Locking

A.3.1 Avoid Node Specific Information


Typically, when a new system is installed, an IP address must be assigned to each active network
interface. This IP address is always associated with the node and is called a stationary IP address.
The use of packages containing highly available applications adds the requirement for an additional
set of IP addresses, which are assigned to the applications themselves. These are known as
relocatable application IP addresses. Serviceguards network sensor monitors the nodes access
to the subnet on which these relocatable application IP addresses reside. When packages are
configured in Serviceguard, the associated subnetwork address is specified as a package
dependency, and a list of nodes on which the package can run is also provided. When failing a
package over to a remote node, the subnetwork must already be active on the target node.
Each application or package should be given a unique name as well as a relocatable IP address.
Following this rule separates the application from the system on which it runs, thus removing the
need for user knowledge of which system the application runs on. It also makes it easier to move
the application among different systems in a cluster for load balancing or other reasons. If two
applications share a single IP address, they must move together. Instead, using independent names
and addresses allows them to move separately.
For external access to the cluster, clients must know how to refer to the application. One option is
to tell the client which relocatable IP address is associated with the application. Another option is
to think of the application name as a host, and configure a name-to-address mapping in the Domain
Name System (DNS). In either case, the client will ultimately be communicating via the applications
relocatable IP address. If the application moves to another node, the IP address will move with it,
allowing the client to use the application without knowing its current location. Remember that each
network interface must have a stationary IP address associated with it. This IP address does not
move to a remote system in the event of a network failure.

A.3 Designing Applications to Run on Multiple Systems 275


A.3.1.1 Obtain Enough IP Addresses
Each application receives a relocatable IP address that is separate from the stationary IP
address assigned to the system itself. Therefore, a single system might have many IP addresses,
one for itself and one for each of the applications that it normally runs. Therefore, IP addresses in
a given subnet range will be consumed faster than without high availability. It might be necessary
to acquire additional IP addresses.
Multiple IP addresses on the same network interface are supported only if they are on the same
subnetwork.

A.3.1.2 Allow Multiple Instances on Same System


Applications should be written so that multiple instances, each with its own application name and
IP address, can run on a single system. It might be necessary to invoke the application with a
parameter showing which instance is running. This allows distributing the users among several
systems under normal circumstances, but it also allows all of the users to be serviced in the case
of a failure on a single system.

A.3.2 Avoid Using SPU IDs or MAC Addresses


Design the application so that it does not rely on the SPU ID or MAC (link-level) addresses. The
SPU ID is a unique hardware ID contained in non-volatile memory, which cannot be changed. A
MAC address (also known as a NIC id) is a link-specific address associated with the LAN hardware.
The use of these addresses is a common problem for license servers, since for security reasons they
want to use hardware-specific identification to ensure the license isn't copied to multiple nodes.
One workaround is to have multiple licenses; one for each node the application will run on. Another
way is to have a cluster-wide mechanism that lists a set of SPU IDs or node names. If your application
is running on a system in the specified set, then the license is approved.
Previous generation HA software would move the MAC address of the network card along with
the IP address when services were moved to a backup system. This is no longer allowed in
Serviceguard.
There were a couple of reasons for using a MAC address, which have been addressed below:
Old network devices between the source and the destination such as routers had to be manually
programmed with MAC and IP address pairs. The solution to this problem is to move the MAC
address along with the IP address in case of failover.
Up to 20 minute delays could occur while network device caches were updated due to timeouts
associated with systems going down. This is dealt with in current HA software by broadcasting
a new ARP translation of the old IP address with the new MAC address.

A.3.3 Assign Unique Names to Applications


A unique name should be assigned to each application. This name should then be configured in
DNS so that the name can be used as input to gethostbyname(3), as described in the following
discussion.

A.3.3.1 Use DNS


DNS provides an API which can be used to map hostnames to IP addresses and vice versa. This
is useful for BSD socket applications such as telnet which are first told the target system name. The
application must then map the name to an IP address in order to establish a connection. However,
some calls should be used with caution.
Applications should not reference official hostnames or IP addresses. The official hostname and
corresponding IP address for the hostname refer to the primary LAN card and the stationary IP
address for that card. Therefore, any application that refers to, or requires the hostname or primary
IP address may not work in an HA environment where the network identity of the system that
supports a given application moves from one system to another, but the hostname does not move.
One way to look for problems in this area is to look for calls to gethostname(2) in the
application. HA services should use gethostname() with caution, since the response may change

276 Designing Highly Available Cluster Applications


over time if the application migrates. Applications that use gethostname() to determine the
name for a call to gethostbyname(3) should also be avoided for the same reason. Also, the
gethostbyaddr() call may return different answers over time if called with a stationary IP
address.
Instead, the application should always refer to the application name and relocatable IP address
rather than the hostname and stationary IP address. It is appropriate for the application to call
gethostbyname(3), specifying the application name rather than the hostname.
gethostbyname(3) will pass in the IP address of the application. This IP address will move with
the application to the new node.
However, gethostbyname(3) should be used to locate the IP address of an application only if
the application name is configured in DNS. It is probably best to associate a different application
name with each independent HA service. This allows each application and its IP address to be
moved to another node without affecting other applications. Only the stationary IP addresses should
be associated with the hostname in DNS.

A.3.4 Use uname(2) With Care


Related to the hostname issue discussed in the previous section is the application's use of uname(2),
which returns the official system name. The system name is unique to a given system whatever the
number of LAN cards in the system. By convention, the uname and hostname are the same, but
they do not have to be. Some applications, after connection to a system, might call uname(2) to
validate for security purposes that they are really on the correct system. This is not appropriate in
an HA environment, since the service is moved from one system to another, and neither the uname
nor the hostname are moved. Applications should develop alternate means of verifying where
they are running. For example, an application might check a list of hostnames that have been
provided in a configuration file.

A.3.5 Bind to a Fixed Port


When binding a socket, a port address can be specified or one can be assigned dynamically.
One issue with binding to random ports is that a different port may be assigned if the application
is later restarted on another cluster node. This may be confusing to clients accessing the application.
The recommended method is using fixed ports that are the same on all nodes where the application
will run, instead of assigning port numbers dynamically. The application will then always return
the same port number regardless of which node is currently running the application. Application
port assignments should be put in /etc/services to keep track of them and to help ensure that
someone will not choose the same port number.

A.3.6 Bind to Relocatable IP Addresses


When sockets are bound, an IP address is specified in addition to the port number. This indicates
the IP address to use for communication and is meant to allow applications to limit which interfaces
can communicate with clients. An application can bind to INADDR_ANY as an indication that
messages can arrive on any interface.
Network applications can bind to a stationary IP address, a relocatable IP address, or INADDR_ANY.
If the stationary IP address is specified, then the application may fail when restarted on another
node, because the stationary IP address is not moved to the new system. If an application binds
to the relocatable IP address, then the application will behave correctly when moved to another
system.
Many server-style applications will bind to INADDR_ANY, meaning that they will receive requests
on any interface. This allows clients to send to the stationary or relocatable IP addresses. However,
in this case the networking code cannot determine which source IP address is most appropriate
for responses, so it will always pick the stationary IP address.
For TCP stream sockets, the TCP level of the protocol stack resolves this problem for the client since
it is a connection-based protocol. On the client, TCP ignores the stationary IP address and continues
to use the previously bound relocatable IP address originally used by the client.

A.3 Designing Applications to Run on Multiple Systems 277


With UDP datagram sockets, however, there is a problem. The client may connect to multiple
servers utilizing the relocatable IP address and sort out the replies based on the source IP address
in the servers response message. However, the source IP address given in this response will be
the stationary IP address rather than the relocatable application IP address. Therefore, when
creating a UDP socket for listening, the application must always call bind(2) with the appropriate
relocatable application IP address rather than INADDR_ANY.

A.3.6.1 Call bind() before connect()


When an application initiates its own connection, it should first call bind(2), specifying the
application IP address before calling connect(2). Otherwise the connect request will be sent
using the stationary IP address of the system's outbound LAN interface rather than the desired
relocatable application IP address. The client will receive this IP address from the accept(2) call,
possibly confusing the client software and preventing it from working correctly.

A.3.7 Give Each Application its Own Volume Group


Use separate volume groups for each application that uses data. If the application doesn't use
disk, it is not necessary to assign it a separate volume group. A volume group (group of disks) is
the unit of storage that can move between nodes. The greatest flexibility for load balancing exists
when each application is confined to its own volume group, i.e., two applications do not share
the same set of disk drives. If two applications do use the same volume group to store their data,
then the applications must move together. If the applications data stores are in separate volume
groups, they can switch to different nodes in the event of a failover.
The application data should be set up on different disk drives and if applicable, different mount
points. The application should be designed to allow for different disks and separate mount points.
If possible, the application should not assume a specific mount point.

A.3.8 Use Multiple Destinations for SNA Applications


SNA is point-to-point link-oriented; that is, the services cannot simply be moved to another
system, since that system has a different point-to-point link which originates in the mainframe.
Therefore, backup links in a node and/or backup links in other nodes should be configured so
that SNA does not become a single point of failure. Note that only one configuration for an SNA
link can be active at a time. Therefore, backup links that are used for other purposes should be
reconfigured for the primary mission-critical purpose upon failover.

A.3.9 Avoid File Locking


In an NFS environment, applications should avoid using file-locking mechanisms, where the file to
be locked is on an NFS Server. File locking should be avoided in an application both on local
and remote systems. If local file locking is employed and the system fails, the system acting as the
backup system will not have any knowledge of the locks maintained by the failed system. This may
or may not cause problems when the application restarts.
Remote file locking is the worst of the two situations, since the system doing the locking may be
the system that fails. Then, the lock might never be released, and other parts of the application will
be unable to access that data. In an NFS environment, file locking can cause long delays in case
of NFS client system failure and might even delay the failover itself.

A.4 Restoring Client Connections


How does a client reconnect to the server after a failure?
It is important to write client applications to specifically differentiate between the loss of a connection
to the server and other application-oriented errors that might be returned. The application should
take special action in case of connection loss.
One question to consider is how a client knows after a failure when to reconnect to the newly
started server. The typical scenario is that the client must simply restart their session, or relog in.
However, this method is not very automated. For example, a well-tuned hardware and application
system may fail over in 5 minutes. But if users, after experiencing no response during the failure,

278 Designing Highly Available Cluster Applications


give up after 2 minutes and go for coffee and don't come back for 28 minutes, the perceived
downtime is actually 30 minutes, not 5. Factors to consider are the number of reconnection attempts
to make, the frequency of reconnection attempts, and whether or not to notify the user of connection
loss.
There are a number of strategies to use for client reconnection:
Design clients which continue to try to reconnect to their failed server.
Put the work into the client application rather than relying on the user to reconnect. If the server
is back up and running in 5 minutes, and the client is continually retrying, then after 5 minutes,
the client application will reestablish the link with the server and either restart or continue the
transaction. No intervention from the user is required.
Design clients to reconnect to a different server.
If you have a server design which includes multiple active servers, the client could connect to
the second server, and the user would only experience a brief delay.
The problem with this design is knowing when the client should switch to the second server.
How long does a client retry to the first server before giving up and going to the second server?
There are no definitive answers for this. The answer depends on the design of the server
application. If the application can be restarted on the same node after a failure (see Handling
Application Failures following), the retry to the current server should continue for the amount
of time it takes to restart the server locally. This will keep the client from having to switch to
the second server in the event of a application failure.
Use a transaction processing monitor or message queueing software to increase robustness.
Use transaction processing monitors such as Tuxedo or DCE/Encina, which provide an interface
between the server and the client. Transaction processing monitors (TPMs) can be useful in
creating a more highly available application. Transactions can be queued such that the client
does not detect a server failure. Many TPMs provide for the optional automatic rerouting to
alternate servers or for the automatic retry of a transaction. TPMs also provide for ensuring
the reliable completion of transactions, although they are not the only mechanism for doing
this. After the server is back online, the transaction monitor reconnects to the new server and
continues routing it the transactions.
Queue Up Requests
As an alternative to using a TPM, queue up requests when the server is unavailable. Rather
than notifying the user when a server is unavailable, the user request is queued up and
transmitted later when the server becomes available again. Message queueing software
ensures that messages of any kind, not necessarily just transactions, are delivered and
acknowledged.
Message queueing is useful only when the user does not need or expect response that the
request has been completed (that is, the application is not interactive).

A.5 Handling Application Failures


What happens if part or all of an application fails?
All of the preceding sections have assumed the failure in question was not a failure of the
application, but of another component of the cluster. This section deals specifically with application
problems. For instance, software bugs may cause an application to fail, or system resource issues
(such as low swap/memory space) may cause an application to die. The section deals with how
to design your application to recover after these types of failures.

A.5.1 Create Applications to be Failure Tolerant


An application should be tolerant to failure of a single component. Many applications have multiple
processes running on a single node. If one process fails, what happens to the other processes? Do
they also fail? Can the failed process be restarted on the same node without affecting the remaining
pieces of the application?

A.5 Handling Application Failures 279


Ideally, if one process fails, the other processes can wait a period of time for that component to
come back online. This is true whether the component is on the same system or a remote system.
The failed component can be restarted automatically on the same system and rejoin the waiting
processing and continue on. This type of failure can be detected and restarted within a few seconds,
so the end user would never know a failure occurred.
Another alternative is for the failure of one component to still allow bringing down the other
components cleanly. If a database SQL server fails, the database should still be able to be brought
down cleanly so that no database recovery is necessary.
The worse case is for a failure of one component to cause the entire system to fail. If one component
fails and all other components need to be restarted, the downtime will be high.

A.5.2 Be Able to Monitor Applications


All components in a system, including applications, should be able to be monitored for their health.
A monitor might be as simple as a display command or as complicated as a SQL query. There
must be a way to ensure that the application is behaving correctly. If the application fails and it
is not detected automatically, it might take hours for a user to determine the cause of the downtime
and recover from it.

A.6 Minimizing Planned Downtime


Planned downtime (as opposed to unplanned downtime) is scheduled; examples include backups,
systems upgrades to new operating system revisions, or hardware replacements. For planned
downtime, application designers should consider:
Reducing the time needed for application upgrades/patches.
Can an administrator install a new version of the application without scheduling downtime?
Can different revisions of an application operate within a system? Can different revisions of
a client and server operate within a system?
Providing for online application reconfiguration.
Can the configuration information used by the application be changed without bringing down
the application?
Documenting maintenance operations.
Does an operator know how to handle maintenance operations?
When discussing highly available systems, unplanned failures are often the main point of discussion.
However, if it takes 2 weeks to upgrade a system to a new revision of software, there are bound
to be a large number of complaints.
The following sections discuss ways of handling the different types of planned downtime.

A.6.1 Reducing Time Needed for Application Upgrades and Patches


Once a year or so, a new revision of an application is released. How long does it take for the
end-user to upgrade to this new revision? This answer is the amount of planned downtime a user
must take to upgrade their application. The following guidelines reduce this time.

A.6.1.1 Provide for Rolling Upgrades


Provide for a rolling upgrade in a client/server environment. For a system with many components,
the typical scenario is to bring down the entire system, upgrade every node to the new version of
the software, and then restart the application on all the affected nodes. For large systems, this
could result in a long downtime. An alternative is to provide for a rolling upgrade. A rolling upgrade
rolls out the new software in a phased approach by upgrading only one component at a time. For
example, the database server is upgraded on Monday, causing a 15 minute downtime. Then on
Tuesday, the application server on two of the nodes is upgraded, which leaves the application
servers on the remaining nodes online and causes no downtime. On Wednesday, two more
application servers are upgraded, and so on. With this approach, you avoid the problem where
everything changes at once, plus you minimize long outages.
280 Designing Highly Available Cluster Applications
The trade-off is that the application software must operate with different revisions of the software.
In the above example, the database server might be at revision 5.0 while the some of the application
servers are at revision 4.0. The application must be designed to handle this type of situation.

A.6.1.2 Do Not Change the Data Layout Between Releases


Migration of the data to a new format can be very time intensive. It also almost guarantees that
rolling upgrade will not be possible. For example, if a database is running on the first node, ideally,
the second node could be upgraded to the new revision of the database. When that upgrade is
completed, a brief downtime could be scheduled to move the database server from the first node
to the newly upgraded second node. The database server would then be restarted, while the first
node is idle and ready to be upgraded itself. However, if the new database revision requires a
different database layout, the old data will not be readable by the newly updated database. The
downtime will be longer as the data is migrated to the new layout.

A.6.2 Providing Online Application Reconfiguration


Most applications have some sort of configuration information that is read when the application
is started. If to make a change to the configuration, the application must be halted and a new
configuration file read, downtime is incurred.
To avoid this downtime use configuration tools that interact with an application and make dynamic
changes online. The ideal solution is to have a configuration tool which interacts with the application.
Changes are made online with little or no interruption to the end-user. This tool must be able to do
everything online, such as expanding the size of the data, adding new users to the system, adding
new users to the application, etc. Every task that an administrator needs to do to the application
system can be made available online.

A.6.3 Documenting Maintenance Operations


Standard procedures are important. An application designer should make every effort to make
tasks common for both the highly available environment and the normal environment. If an
administrator is accustomed to bringing down the entire system after a failure, he or she will
continue to do so even if the application has been redesigned to handle a single failure. It is
important that application documentation discuss alternatives with regards to high availability for
typical maintenance operations.

A.6 Minimizing Planned Downtime 281


282
B Integrating HA Applications with Serviceguard
The following is a summary of the steps you should follow to integrate an application into the
Serviceguard environment:
1. Read the rest of this book, including the chapters on cluster and package configuration, and
the appendix Designing Highly Available Cluster Applications.
2. Define the clusters behavior for normal operations:
What should the cluster look like during normal operation?
What is the standard configuration most people will use? (Is there any data available
about user requirements?)
Can you separate out functions such as database or application server onto separate
machines, or does everything run on one machine?
3. Define the clusters behavior for failover operations:
Does everything fail over together to the adoptive node?
Can separate applications fail over to the same node?
Is there already a high availability mechanism within the application other than the features
provided by Serviceguard?
4. Identify problem areas
What does the application do today to handle a system reboot or panic?
Does the application use any system-specific information such as uname() or
gethostname(), SPU_ID or MAC address which would prevent it from failing over to
another system?

B.1 Checklist for Integrating HA Applications


This section contains a checklist for integrating HA applications in both single and multiple systems.

B.1 Checklist for Integrating HA Applications 283


B.1.1 Defining Baseline Application Behavior on a Single System
1. Define a baseline behavior for the application on a standalone system:
Install the application, database, and other required resources on one of the systems. Be
sure to follow Serviceguard rules in doing this:
Install all shared data on separate external volume groups.
Use a Journaled filesystem (JFS) as appropriate.
Perform some sort of standard test to ensure the application is running correctly. This test
can be used later in testing with Serviceguard. If possible, try to connect to the application
through a client.
Crash the standalone system, reboot it, and test how the application starts up again. Note
the following:
Are there any manual procedures? if so, document them.
Can everything start up from rc scripts?
Try to write a simple script which brings everything up without having to do any keyboard
typing. Figure out what the administrator would do at the keyboard, then put that into
the script.
Try to write a simple script to bring down the application. Again, figure out what the
administrator would do at the keyboard, then put that into the script.

B.1.2 Integrating HA Applications in Multiple Systems


1. Install the application on a second system.
Create the LVM infrastructure on the second system.
Add the appropriate users to the system.
Install the appropriate executables.
With the application not running on the first system, try to bring it up on the second
system. You might use the script you created in the step above. Is there anything different
that you must do? Does it run?
Repeat this process until you can get the application to run on the second system.
2. Configure the Serviceguard cluster:
Create the cluster configuration.
Create a package.
Create the package script.
Use the simple scripts you created in earlier steps as the customer defined functions in
the package control script.
3. Start the cluster and verify that applications run as planned.

B.1.3 Testing the Cluster


1. Test the cluster:
Have clients connect.
Provide a normal system load.
Halt the package on the first node and move it to the second node:
# cmhaltpkg pkg1
# cmrunpkg -n node2 pkg1
# cmmodpkg -e pkg1

Move it back.

284 Integrating HA Applications with Serviceguard


# cmhaltpkg pkg1
# cmrunpkg -n node1 pkg1
# cmmodpkg -e pkg1

Fail one of the systems. For example, turn off the power on node 1. Make sure the package
starts up on node 2.
Repeat failover from node 2 back to node 1.
2. Be sure to test all combinations of application load during the testing. Repeat the failover
processes under different application states such as heavy user load versus no user load, batch
jobs versus online transactions, etc.
3. Record timelines of the amount of time spent during the failover for each application state. A
sample timeline might be 45 seconds to reconfigure the cluster, 15 seconds to run fsck on
the filesystems, 30 seconds to start the application and 3 minutes to recover the database.

B.1 Checklist for Integrating HA Applications 285


286
C Blank Planning Worksheets
This appendix reprints blank versions of the planning worksheets described in the Planning
chapter. You can duplicate any of these worksheets that you find useful and fill them in as a part
of the planning process. The worksheets included in this appendix are as follows:
Hardware Worksheet (page 287)
Power Supply Worksheet (page 287)
Quorum Server Worksheet (page 288)
Volume Group and Physical Volume Worksheet (page 288)
Cluster Configuration Worksheet (page 289)
Package Configuration Worksheet (page 289)
Package Control Script Worksheet (Legacy) (page 290)

C.1 Hardware Worksheet


=============================================================================
SPU Information:

Host Name ____________________ Server Series____________

Memory Capacity ____________ Number of I/O Slots ____________


=============================================================================
LAN Information:

Name of Name of Node IP Traffic


Master _________ Interface __________ Addr________________ Type ________

Name of Name of Node IP Traffic


Master __________ Interface __________ Addr________________ Type ________

Name of Name of Node IP Traffic


Master _________ Interface __________ Addr_______________ Type __________

===============================================================================

Quorum Server Name: __________________ IP Address: ____________________

=============================================================================

Disk I/O Information for Shared Disks:

Bus Type ______ Slot Number ____ Address ____ Disk Device File _________

Bus Type ______ Slot Number ___ Address ____ Disk Device File __________

Bus Type ______ Slot Number ___ Address ____ Disk Device File _________

Bus Type ______ Slot Number ___ Address ____ Disk Device File _________

C.2 Power Supply Worksheet


============================================================================
SPU Power:

Host Name ____________________ Power Supply _____________________

Host Name ____________________ Power Supply _____________________

============================================================================
Disk Power:

Disk Unit __________________________ Power Supply _______________________

C.1 Hardware Worksheet 287


Disk Unit __________________________ Power Supply _______________________

Disk Unit __________________________ Power Supply _______________________

Disk Unit __________________________ Power Supply _______________________

Disk Unit __________________________ Power Supply _______________________

Disk Unit __________________________ Power Supply _______________________

============================================================================
Tape Backup Power:

Tape Unit __________________________ Power Supply _______________________

Tape Unit __________________________ Power Supply _______________________

============================================================================
Other Power:

Unit Name __________________________ Power Supply _______________________

Unit Name __________________________ Power Supply _______________________

C.3 Quorum Server Worksheet


Quorum Server Data:
==============================================================================

QS Hostname: _________________IP Address: ______________________

OR

Cluster Name: _________________

Package Name: ____________ Package IP Address: ___________________

Hostname Given to Package by Network Administrator: _________________

==============================================================================

Quorum Services are Provided for:

Cluster Name: ___________________________________________________________

Host Names ____________________________________________

Host Names ____________________________________________

Cluster Name: ___________________________________________________________

Host Names ____________________________________________

Host Names ____________________________________________

Cluster Name: ___________________________________________________________

Host Names ____________________________________________

Host Names ____________________________________________

C.4 Volume Group and Physical Volume Worksheet


==============================================================================

Volume Group Name: ___________________________________

288 Blank Planning Worksheets


Physical Volume Name: _________________

Physical Volume Name: _________________

Physical Volume Name: _________________

=============================================================================

Volume Group Name: ___________________________________

Physical Volume Name: _________________

Physical Volume Name: _________________

Physical Volume Name: _________________

C.5 Cluster Configuration Worksheet


===============================================================================
Name and Nodes:
===============================================================================
Cluster Name: ______________________________

Node Names: ________________________________________________

Maximum Configured Packages: ______________


===============================================================================
Cluster Lock Data:
================================================================================
If using a quorum server:
Quorum Server Host Name or IP Address: ____________________

Quorum Server Polling Interval: ______________ microseconds

Quorum Server Timeout Extension: _______________ microseconds


==============================================================================
If using a lock lun:
Lock LUN Name on Node 1: __________________
Lock LUN Name on Node 2: __________________
Lock LUN Name on Node 3: __________________
Lock LUN Name on Node 4: __________________
===============================================================================
Subnets:
===============================================================================
Heartbeat Subnet: __________________________

Monitored Non-heartbeat Subnet: __________________

Monitored Non-heartbeat Subnet: ___________________


===============================================================================
Timing Parameters:
===============================================================================
Heartbeat Interval: __________
===============================================================================
Node Timeout: ______________
===============================================================================
Network Polling Interval: __________
===============================================================================
Autostart Delay: _____________
Access Policies
User: ________ Host: ________ Role: ________
User: _________ Host: _________ Role: __________

C.6 Package Configuration Worksheet


=============================================================================
Package Configuration File Data:
==========================================================================
Package Name: __________________Package Type:______________
Primary Node: ____________________ First Failover Node:__________________
Additional Failover Nodes:__________________________________
Run Script Timeout: _____ Halt Script Timeout: _____________

C.5 Cluster Configuration Worksheet 289


Package AutoRun Enabled? ______
Node Failfast Enabled? ________
Failover Policy:_____________ Failback_policy:___________________________________
Access Policies:
User:_________________ From node:_______ Role:_____________________________
User:_________________ From node:_______ Role:______________________________________________
Log level____ Log file:_______________________________________________________________________________________
Priority_____________ Successor_halt_timeout____________
dependency_name _____ dependency_condition _____
dependency_location _______
==========================================================================
LVM Volume Groups:
vg____vg01___________vg________________vg________________vg________________
vgchange_cmd:
__________________________________________________________________________________________________
Logical Volumes and File Systems:
fs_name___________________ fs_directory________________
fs_mount_opt_______________fs_umount_opt______________
fs_fsck_opt________________fs_type_________________
fs_name____________________fs_directory________________
fs_mount_opt_______________fs_umount_opt_____________
fs_fsck_opt________________fs_type_________________
fs_name____________________fs_directory________________
fs_mount_opt_______________fs_umount_opt_____________
fs_fsck_opt________________fs_type_________________
fs_mount_retry_count: ____________
fs_umount_retry_count:___________________
Concurrent mount/umount operations: ______________________________________
Concurrent fsck operations:
______________________________________________===============================================================================
Network Information:
IP ________ IP__________IP___________subnet __________
IP__________IP__________IP___________subnet___________
Monitored subnet:_______________________________________________________________
===============================================================================
Service Name: _______ Command: _________ Restart:___ Fail Fast enabled:____
Service Name: _______ Command: _________ Restart: __ Fail Fast enabled:_____
Service Name: _______ Command: _________ Restart: __ Fail Fast enabled:_____
================================================================================
Package environment variable:________________________________________________
Package environment variable:________________________________________________
External pre-script:_________________________________________________________
External
script:_____________________________________________________________================================================================================

C.7 Package Control Script Worksheet (Legacy)


PACKAGE CONTROL SCRIPT WORKSHEET Page ___ of ___
================================================================================
Package Control Script Data:
================================================================================

PATH______________________________________________________________
VGCHANGE_________________________________

VG[0]__________________LV[0]______________________FS[0]____________________

VG[1]__________________LV[1]______________________FS[1]____________________

VG[2]__________________LV[2]______________________FS[2]____________________

FS Umount Count: ____________FS Mount Retry Count:_________________________

IP[0] ______________________________ SUBNET ________________________

IP[1] ______________________________ SUBNET ________________________

Service Name: __________ Command: ______________________ Restart: ________

Service Name: __________ Command: ______________________ Restart: ________

NOTE: MD, RAIDTAB, and RAIDSTART are deprecated and should not be used. See Multipath
for Storage (page 82).

290 Blank Planning Worksheets


D IPv6 Network Support
This appendix describes some of the characteristics of IPv6 network addresses, specifically:
IPv6 Address Types
Network Configuration Restrictions (page 294)
Configuring IPv6 on Linux (page 294)

D.1 IPv6 Address Types


Several IPv6 types of addressing schemes are specified in the RFC 2373 (IPv6 Addressing
Architecture). IPv6 addresses are 128-bit identifiers for interfaces and sets of interfaces. There are
various address formats for IPv6 defined by the RFC 2373. IPv6 addresses are broadly classified
as unicast, anycast, and multicast.
The following table explains the three types.
Table 17 IPv6 Address Types
Unicast An address for a single interface. A packet sent to a unicast address is delivered to the interface
identified by that address.

Anycast An address for a set of interfaces. In most cases these interfaces belong to different nodes. A
packet sent to an anycast address is delivered to one of these interfaces identified by the address.
Since the standards for using anycast addresses are still evolving, they are not supported in Linux
at present.

Multicast An address for a set of interfaces (typically belonging to different nodes). A packet sent to a
multicast address will be delivered to all interfaces identified by that address.

Unlike IPv4, IPv6 has no broadcast addresses; their functions are superseded by multicast.

D.1.1 Textual Representation of IPv6 Addresses


There are three conventional forms for representing IPv6 addresses as text strings:
The first form is x:x:x:x:x:x:x:x, where the xs are the hexadecimal values of the eight
16-bit pieces of the 128-bit address. Example:
2001:fecd:ba23:cd1f:dcb1:1010:9234:4088.
Some of the IPv6 addresses may contain a long strings of zero bits. In order to make it easy
for representing such addresses textually a special syntax is available. The use of :: indicates
that there are multiple groups of 16-bits of zeros. The :: can appear only once in an address
and it can be used to compress the leading, trailing, or contiguous sixteen-bit zeroes in an
address. Example:
fec0:1:0:0:0:0:0:1234 can be represented as fec0:1::1234.
In a mixed environment of IPv4 and IPv6 nodes an alternative form of IPv6 address will be
used. It is x:x:x:x:x:x:d.d.d.d, where the xs are the hexadecimal values of higher
order 96 bits of IPv6 address and the ds are the decimal values of the 32-bit lower order
bits. Typically IPv4 Mapped IPv6 addresses and IPv4 Compatible IPv6 addresses will be
represented in this notation. These addresses are discussed in later sections.
Examples:
0:0:0:0:0:0:10.1.2.3
and
::10.11.3.123

D.1 IPv6 Address Types 291


D.1.2 IPv6 Address Prefix
IPv6 Address Prefix is similar to CIDR in IPv4 and is written in CIDR notation. An IPv6 address
prefix is represented by the notation:
IPv6-address/prefix-length where ipv6-address is an IPv6 address in any notation
listed above and prefix-length is a decimal value representing how many of the leftmost
contiguous bits of the address comprise the prefix. Example:
fec0:0:0:1::1234/64
The first 64-bits of the address fec0:0:0:1 forms the address prefix. An address prefix is used
in IPv6 addresses to denote how many bits in the IPv6 address represent the subnet.

D.1.3 Unicast Addresses


IPv6 unicast addresses are classified into different types. They are: global aggregatable unicast
address, site-local address and link-local address. Typically a unicast address is logically divided
as follows:
Table 18
n bits 128-n bits

Subnet prefix Interface ID

Interface identifiers in a IPv6 unicast address are used to identify the interfaces on a link. Interface
identifiers are required to be unique on that link. The link is generally identified by the subnet
prefix.
A unicast address is called an unspecified address if all the bits in the address are zero. Textually
it is represented as ::.
The unicast address ::1 or 0:0:0:0:0:0:0:1 is called the loopback address. It is used by a
node to send packets to itself.

D.1.4 IPv4 and IPv6 Compatibility


There are a number of techniques for using IPv4 addresses within the framework of IPv6 addressing.

D.1.4.1 IPv4 Compatible IPv6 Addresses


The IPv6 transition mechanisms use a technique for tunneling IPv6 packets over the existing IPv4
infrastructure. IPv6 nodes that support such mechanisms use a special kind of IPv6 addresses that
carry IPv4 addresses in their lower order 32-bits. These addresses are called IPv4 Compatible IPv6
addresses. They are represented as follows:
Table 19
80 bits 16 bits 32 bits

zeros 0000 IPv4 address

Example:
::192.168.0.1

D.1.4.2 IPv4 Mapped IPv6 Address


There is a special type of IPv6 address that holds an embedded IPv4 address. This address is used
to represent the addresses of IPv4-only nodes as IPv6 addresses. These addresses are used especially
by applications that support both IPv6 and IPv4. These addresses are called as IPv4 Mapped IPv6
Addresses. The format of these address is as follows:

292 IPv6 Network Support


Table 20
80 bits 16 bits 32 bits

zeros FFFF IPv4 address

Example:
::ffff:192.168.0.1

D.1.4.3 Aggregatable Global Unicast Addresses


The global unicast addresses are globally unique IPv6 addresses. This address format is very well
defined in the RFC 2374 (An IPv6 Aggregatable Global Unicast Address Format). The format is:
Table 21
3 13 8 24 16 64 bits

FP TLA ID RES NLA ID SLA ID Interface ID

where
FP = Format prefix. Value of this is 001 for Aggregatable Global unicast addresses.
TLA ID = Top-level Aggregation Identifier.
RES = Reserved for future use.
NLA ID = Next-Level Aggregation Identifier.
SLA ID = Site-Level Aggregation Identifier.
Interface ID = Interface Identifier.

D.1.4.4 Link-Local Addresses


Link-local addresses have the following format:
Table 22
10 bits 54 bits 64 bits

1111111010 0 interface ID

Link-local address are supposed to be used for addressing nodes on a single link. Packets originating
from or destined to a link-local address will not be forwarded by a router.

D.1.4.5 Site-Local Addresses


Site-local addresses have the following format:
Table 23
10 bits 38 bits 16 bits 64 bits

1111111011 0 subnet ID interface ID

Link-local address are supposed to be used within a site. Routers will not forward any packet with
site-local source or destination address outside the site.

D.1.4.6 Multicast Addresses


A multicast address is an identifier for a group of nodes. Multicast addresses have the following
format:
Table 24
8 bits 4 bits 4 bits 112 bits

11111111 flags scop group ID

D.1 IPv6 Address Types 293


FF at the beginning of the address identifies the address as a multicast address.
The flags field is a set of 4 flags 000T. The higher order 3 bits are reserved and must be zero.
The last bit T indicates whether it is permanently assigned or not. A value of zero indicates that
it is permanently assigned otherwise it is a temporary assignment.
The scop field is a 4-bit field which is used to limit the scope of the multicast group. For example,
a value of 1 indicates that it is a node-local multicast group. A value of 2 indicates that the
scope is link-local. A value of 5 indicates that the scope is site-local.
The group ID field identifies the multicast group. Some frequently used multicast groups are the
following:
All Node Addresses = FF02:0:0:0:0:0:0:1 (link-local)
All Router Addresses = FF02:0:0:0:0:0:0:2 (link-local)
All Router Addresses = FF05:0:0:0:0:0:0:2 (site-local)

D.2 Network Configuration Restrictions


Serviceguard supports IPv6 for data and heartbeat IP.
The restrictions on support for IPv6 in Serviceguard for Linux are:
Auto-configured IPv6 addresses are not supported in Serviceguard. as HEARTBEAT_IP or
STATIONARY_IP addresses. IPv6 addresses that are part of a Serviceguard cluster
configuration must not be auto-configured through router advertisements. Instead, they must
be manually configured in /etc/sysconfig/network-scripts/ifcfg-<eth-ID> on
Red Hat or /etc/sysconfig/network/ifcfg-<eth-ID> on SUSE. See Configuring
IPv6 on Linux (page 294) for instructions and examples.
Link-local IP addresses are not supported, as package IPs, HEARTBEAT_IPs, or
STATIONARY_IPs. Depending on the requirements, the package IP address could be of type
site-local or global.
Serviceguard supports only one IPv6 address belonging to each scope type (site-local and
global) on each network interface (that is, restricted multi-netting). This means that a maximum
of two IPv6 HEARTBEAT_IP or STATIONARY_IP addresses can be listed in the cluster
configuration file for a NETWORK_INTERFACE:, one being the site-local IPv6 address, and
the other being the global IPv6 address.
NOTE: This restriction applies to cluster configuration, not package configuration: it does
not affect the number of IPv6 relocatable addresses of the same scope type (site-local or global)
that a package can use on an interface.

Bonding is supported for IPv6 addresses, but only in active-backup mode.


Serviceguard supports IPv6 only on the Ethernet networks, including 10BT, 100BT, and Gigabit
Ethernet.
IMPORTANT: For important information, see also Cross-Subnet Configurations (page 27), the
description of the HOSTNAME_ADDRESS_FAMILY, QS_HOST and QS_ADDR parameters under
Cluster Configuration Parameters (page 90), and Configuring Name Resolution (page 137).
For special instructions that may apply to using IPv6 addresses to connect your version of
Serviceguard for Linux and the Quorum Server, see Configuring Serviceguard to Use the Quorum
Server in the latest version HP Serviceguard Quorum Server Version A.04.00 Release Notes, at
http://www.hp.com/go/hpux-serviceguard-docs (Select HP Serviceguard Quorum Server Software).

D.3 Configuring IPv6 on Linux


Red Hat Enterprise Linux and SUSE Linux Enterprise Server already have the proper IPv6 tools
installed, including the /sbin/ip command. This section explains how to configure IPv6 stationary
IP addresses on these systems.

294 IPv6 Network Support


D.3.1 Enabling IPv6 on Red Hat Linux
Add the following lines to /etc/sysconfig/network:
NETWORKING_IPV6=yes # Enable global IPv6 initialization
IPV6FORWARDING=no # Disable global IPv6 forwarding
IPV6_AUTOCONF=no # Disable global IPv6 autoconfiguration
IPV6_AUTOTUNNEL=no # Disable automatic IPv6 tunneling

D.3.2 Adding persistent IPv6 Addresses on Red Hat Linux


This can be done by modifying the system configuration script, for example, /etc/sysconfig/
network-scripts/ifcfg-eth1:
DEVICE=eth1BOOTPROTO=static
BROADCAST=192.168.1.255
IPADDR=192.168.1.10
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=3ffe:ffff:0000:f101::10/64
IPV6ADDR_SECONDARIES=fec0:0:0:1::10/64
IPV6_MTU=1280

D.3.3 Configuring a Channel Bonding Interface with Persistent IPv6 Addresses on


Red Hat Linux
Configure the following parameters in /etc/sysconfig/network-scripts/ifcfg-bond0:
DEVICE=bond0
IPADDR=12.12.12.12
NETMASK=255.255.255.0
NETWORK=12.12.12.0
BROADCAST=12.12.12.255
IPV6INIT=yes
IPV6ADDR=3ffe:ffff:0000:f101::10/64
IPV6ADDR_SECONDARIES=fec0:0:0:1::10/64
IPV6_MTU=1280
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
Add the following two lines to /etc/modprobe.conf to cause the bonding driver to be loaded
on reboot:
alias bond0 bonding
options bond0 miimon=100 mode=1 # active-backup mode

D.3.4 Adding Persistent IPv6 Addresses on SUSE


This can be done by modifying the system configuration script, for example, /etc/sysconfig/
network/ifcfg-eth1:
BOOTPROTO=static
BROADCAST=10.10.18.255
IPADDR=10.10.18.18
MTU=""
NETMASK=255.255.255.0
NETWORK=10.10.18.0
REMOTE_IPADDR=""
STARTMODE=onboot
IPADDR1=3ffe::f101:10/64
IPADDR2=fec0:0:0:1::10/64

D.3 Configuring IPv6 on Linux 295


D.3.5 Configuring a Channel Bonding Interface with Persistent IPv6 Addresses on
SUSE
Configure the following parameters in /etc/sysconfig/network/ifcfg-bond0:
BOOTPROTO=static
BROADCAST=10.0.2.255
IPADDR=10.0.2.10
NETMASK=255.255.0.0
NETWORK=0.0.2.0
REMOTE_IPADDR=""
STARTMODE=onboot
IPADDR1=3ffe::f101:10/64IPADDR2=fec0:0:0:1::10/64
BONDING_MASTER=yes
BONDING_MODULE_OPTS="mode=active-backup miimon=100"
BONDING_SLAVE0=eth1BONDING_SLAVE1=eth2
For each additional IPv6 address, specify an additional parameter with IPADDR<num> in the
configuration file.
Bonding module options are specified in each of the bond device files, so nothing needs to specified
in/etc/modprobe.conf

296 IPv6 Network Support


E Using Serviceguard Manager
HP Serviceguard Manager is a web-based, HP System Management Homepage (HP SMH) tool
that replaces the functionality of the earlier Serviceguard management tools. Serviceguard Manager
allows you to monitor, administer and configure a Serviceguard cluster from any system with a
supported web browser.
The Serviceguard Manager Main Page provides you with a summary of the health of the cluster
including the status of each node and its packages.
See the Release Notes for your version of Serviceguard for Linux for information about the latest
release of Serviceguard Manager, as well as installation and configuration instructions.

E.1 About the Online Help System


Once Serviceguard Manager is running, use the Serviceguard Manager tooltips by moving your
mouse over a field from the read-only property pages for a brief definition for each field. You can
also open the online help by clicking the button in the upper-right hand corner of the screen.
Start with the help topic Understanding the HP Serviceguard Manager Main Page. You should
also read the help topic About Security, as it explains HP Serviceguard Manager Access Control
Policies, as well as root privileges.

E.2 Launching Serviceguard Manager


This section provides information about two common scenarios.

TIP: To prevent an Out of Memory error reported by Tomcat (Exception in thread "main"
java.lang.OutOfMemoryError: Java heap space), which may occur especially if the
server is under heavy load or Serviceguard Manager is managing a large cluster (4 nodes with
300 packages), do the following from the command line:
1. Stop hpsmhd
/etc/init.d/hpsmhd -stop
2. Modify the /opt/hp/hpsmh/tomcat/bin/startup.sh file, and add the following line
in the export statements section:
export CATALINA_OPTS="-Xms512m -Xmx512m"
3. Save the file and restart hpsmhd
/etc/init.d/hpsmhd -start

E.2.1 Scenario 1 - Single cluster management


Scenario 1 applies if you are:
Managing a single cluster, and
Have installed Serviceguard version A.11.19 or later.

NOTE: SMH access roles constrain a user's cluster-management capabilities:


A user with HP SMH Administrator access has full cluster management capabilities.
A user with HP SMH Operator access can monitor the cluster and has restricted cluster
management capabilities as defined by the users Serviceguard role-based access configuration.
A user with HP SMH User access does not have any cluster management capabilities.

E.1 About the Online Help System 297


1. Enter the standard URL http://<full hostname of server>:2301/.
For example, http://clusternode1.cup.hp.com:2301/
2. When the System Management Homepage login screen appears, enter your login credentials
and click Sign In.
The System Management Homepage for the selected server appears.
3. From the Serviceguard Cluster box, click the name of the cluster.

NOTE: If a cluster is not yet configured, you will not see the Serviceguard Cluster section on this
screen. To create a cluster, from the SMH Tools menu, click the Serviceguard Manager link in the
Serviceguard box first, then click Create Cluster.
The figure below shows a browser session at the HP Serviceguard Manager Main Page.

Figure 28 System Management Homepage with Serviceguard Manager

Number What is it? Description

1 Cluster and Displays information about the Cluster status, alerts and general information.
Overall status
NOTE: The System Tools menu item is not available in this version of Serviceguard
and alerts
Manager.

2 Menu tool bar The menu tool bar is available from the HP Serviceguard Manager Homepage, and
from any cluster, node or package view-only property page. Menu option availability
depends on which type of property page (cluster, node or package) you are currently
viewing.

3 Tab bar The default Tab bar allows you to view additional cluster-related information. The Tab
bar displays different content when you click on a specific node or package.

4 Node Displays information about the Node status, alerts and general information.
information

5 Package Displays information about the Package status, alerts and general information.
information

E.2.2 Scenario 2- Multi-Cluster Management


Open a separate browser session to administer, manage or monitor multiple clusters.
Scenario 2 applies if you have:
One or more clusters with Serviceguard version A.11.15.01 through A.11.20.20.
Serviceguard Manager version A.05.03 with HP SIM 5.10 or later installed on a server

298 Using Serviceguard Manager


NOTE: Serviceguard Manager can be launched by HP Systems Insight Manager version
5.10 or later if Serviceguard Manager is installed on an HP Systems Insight Manager Central
Management Server.
For a Serviceguard A.11.19 cluster, Systems Insight Manager will attempt to launch
Serviceguard Manager B.02.00 from one of the nodes in the cluster; for a Serviceguard
A.11.18 cluster, Systems Insight Manager will attempt to launch Serviceguard Manager
B.01.01 from one of the nodes in the cluster.
For a Serviceguard A.11.20.10 cluster, Systems Insight Manager will attempt to launch
Serviceguard Manager B.03.31.00 from one of the nodes in the cluster.
For a Serviceguard A.11.16 cluster or earlier, Serviceguard Manager A.05.01 will be launched
via Java Web Start. You must ensure that the hostname for each Serviceguard node can be
resolved by DNS. For more information about this older version of Serviceguard Manager,
see the Serviceguard Manager Version A.05.01 Release Notes at http://www.hp.com/go/
hpux-serviceguard-docs (Select Serviceguard Manager).

1. Enter the standard URL, https://<full hostname of SIM server>:50000/


For example, https://SIMserver.cup.hp.com:50000/
2. When the Systems Insight Manager login screen appears, enter your login credentials and click
Sign In.
3. From the left-hand panel, expand Cluster by Type.

Figure 29 Cluster by Type

4. Expand HP Serviceguard, and click on a Serviceguard cluster.

NOTE: If you click on a cluster running an earlier Serviceguard release, the page will display a
link that will launch Serviceguard Manager A.05.01 (if installed) via Java Webstart.

E.2 Launching Serviceguard Manager 299


300
F Maximum and Minimum Values for Parameters
Table 25 shows the range of possible values for cluster configuration parameters.
Table 25 Minimum and Maximum Values of Cluster Configuration Parameters
Cluster Parameter Minimum Value Maximum Value Default Value Notes

Member Timeout See See 14,000,000


MEMBER_TIMEOUT MEMBER_TIMEOUT microseconds
under Cluster under Cluster
Configuration Configuration
Parameters in Parameters in
Chapter 4. Chapter 4.

AutoStart Timeout 60,000,000 No Limit 600,000,000


microseconds (ULONG_MAX) microseconds

Network Polling 100,000 No Limit 2,000,000


Interval microseconds (ULONG_MAX) microseconds

Maximum 0 300 300


Configured
Packages

ULONG_MAX is a number equal to 4,294,967,295, which is therefore a practical limit.


Table 26 shows the range of possible values for package configuration parameters.
Table 26 Minimum and Maximum Values of Package Configuration Parameters
Package Minimum Value Maximum Value Default Value Notes
Parameter

Run Script 10 seconds 4294 seconds if a 0 (NO_TIMEOUT) This is a recommended


Timeout non-zero value is value.
specified

Halt Script 10 seconds 4294 seconds if a 0 (NO_TIMEOUT) This is a recommended


Timeout non-zero value is value, but note that the Halt
specified Timeout value must be
greater than the sum of all
Service Timeout values

Service Halt 0 seconds 4294 seconds 0 (no time waited before


Timeout the service is terminated)

301
302
G Monitoring Script for Generic Resources
Monitoring scripts are the scripts written by an end-user and must contain the core logic to monitor
a resource and set the status of a generic resource. These scripts are started as a part of the
package start.
You can set the status/value of a simple/extended resource respectively using the
cmsetresource(1m) command.
You can define the monitoring interval in the script.
The monitoring scripts can be launched within the Serviceguard environment by configuring
them as services, or outside of Serviceguard environment. It is recommended to launch the
monitoring scripts by configuring them as services.
For more information, see Launching Monitoring Scripts (page 303).

Template Scripts
HP provides a monitoring script template. The template provided by HP is:
generic_resource_monitor.template
This is located in the /usr/local/cmcluster/conf/examples/ directory.
See the template (page 305) to get an idea about how to write a monitoring script.
How to monitor a resource is at the discretion of an end-user and the script logic must be written
accordingly. HP does not suggest the content that goes into the monitoring script. However, the
following recommendations might be useful:
Choose the monitoring interval based on how quick the failures must be detected by the
application packages configured with a generic resource.
Get the status/value of a generic resource using cmgetresource before setting its
status/value.
Set the status/value only if it has changed.
See Getting and Setting the Status/Value of a Simple/Extended Generic Resource (page 111)
and the cmgetresource(1m) and cmsetresource(1m) manpages.
See Using the Generic Resources Monitoring Service (page 53).

G.1 Launching Monitoring Scripts


Monitoring scripts can be launched in the following ways:
For resources of evaluation_type: during_package_start
Monitoring scripts can be launched through the services functionality that is available in
packages, as indicated by service_name, service_cmd, and service_halt_timeout.
This makes the scripts highly available, since Serviceguard monitors them and is the
recommended approach.
Monitoring scripts can also be launched through external_script or external_pre_script as part
of the package.
Monitoring scripts can also be launched outside of the Serviceguard environment, init, rc
scripts, etc. (Serviceguard does not monitor them)
It is not mandatory to have the same name for a generic resource and its monitoring script,
i.e., service_name and generic_resource_name. However, it is good practice to have
the same name, so that it is easier to identify the monitor.
A common resource specified across multiple packages can be monitored using one monitoring
script.

G.1 Launching Monitoring Scripts 303


For resources of evaluation_type: before_package_start
Monitoring scripts can also be launched outside of the Serviceguard environment, init, rc
scripts, etc. (Serviceguard does not monitor them).
The monitoring scripts for all the resources in a cluster of type before_package_start
can be configured in a single multi-node package by using the services functionality and any
packages that require the resources can mention the generic resource name in their package
configuration file.
This makes the scripts highly available, since Serviceguard monitors them and is the
recommended approach. The monitoring script has to be configured to run on all the nodes
the package is configured to run on. See the recommendation and an example below.
For explanation of generic resource parameters, see under Package Parameter Explanations
(page 174).
HP recommends you to:
Create a single multi-node package and configure all the monitoring scripts for generic
resources of type before_package_start in this multi-node package using the services
functionality.
Mention the generic resource name in the application package and configure the generic
resource as before_package_start.
Configure a dependency for better readability, where the application package is dependent
on this multi-node package.
For example:
package_name generic_resource_monitors
package_type multi_node

service_name lan1_monitor
service_cmd $SGCONF/generic_resource_monitors/lan1.sh

service_name cpu_monitor
service_cmd $SGCONF/generic_resource_monitors/cpu_monitor.sh
The above example shows a sample multi-node package named generic_resource_monitors
and has two monitoring scripts configured one each to monitor a LAN and CPU. These monitoring
scripts will monitor the LAN interface, CPU and sets the status of the generic resources defined in
them accordingly.
Consider a package pkg1 having the LAN resource configured as before_package_start
and the monitoring script for this is running in the multi-node package
generic_resource_monitors. A dependency is created such that the multi-node package
must be UP in order to start the package pkg1. Once the multi-node package is started, the
monitoring of resource 'lan1' is started as part of the monitoring script 'lan1.sh'. The script will set
the status of the generic resource 'lan1' and once the is UP, the package pkg1 is eligible to be
started.
package_name pkg1
package_type failover

generic_resource_name lan1
generic_resource_evaluation_type before_package_start

dependency_name generic_resource_monitors
dependency_condition generic_resource_monitors = up
dependency_location same_node
Similarly, consider another package pkg2 that requires the 'CPU' to be configured as
before_package_start.
package_name pkg2
package_type failover

generic_resource_name cpu

304 Monitoring Script for Generic Resources


generic_resource_evaluation_type before_package_start

generic_resource_name lan1
generic_resource_evaluation_type before_package_start

dependency_name generic_resource_monitors
dependency_condition generic_resource_monitors = up
dependency_location same_node
Thus, the monitoring scripts for all the generic resources of type before_package_start are
configured in one single multi-node package and any package that requires this generic resource
can just configure the generic resource name.
If a common resource has to be monitored in multiple packages, the monitoring scripts can be
configured in the multi-node package described above and multiple packages can define the same
generic resource name in their package configuration files as seen for the generic resource 'lan1'
in the above example.
Figure 30 depicts a multi-node package containing two monitoring scripts configured one to
monitor a lan and other to monitor a CPU. The two packages are configured with the generic
resource names and are dependent on the multi-node package.

Figure 30 Multi-node package configured with all the monitoring scripts for generic resources of
type before_package_start

G.2 Template of a Monitoring Script


Monitoring Script Template
/usr/local/cmcluster/conf/examples/generic_resource_monitor.template

# **********************************************************************
# * *
# * This script is a template that can be used as a service when *
# * creating a customer defined sample monitor script for *
# * generic resource(s). *
# * *
# * Once created, this script can be configured into the package *
# * configuration file as a service with the "service_name", *
# * "service_cmd" and "service_halt_timeout" parameters. *
# * Note that the respective "sg/service" and the *
# * "sg/generic_resource" modules need to be specified in the package *
# * configuraton file in order to configure these parameters. *
# * *
# * *
# * --------------------------------- *
# * U T I L I T Y F U N C T I O N S *

G.2 Template of a Monitoring Script 305


# * --------------------------------- *
# * The following utility functions are sourced in from $SG_UTILS *
# * ($SGCONF/scripts/mscripts/utils.sh) and available for use: *
# * *
# * sg_log <log level> <log msg> *
# * *
# * By default, only log messages with a log level of 0 will *
# * be output to the log file. If parameter "log_level" is *
# * configured in the package configuration file, then log *
# * messages that have a log level that is equal to or *
# * greater than the configured log level will be output. *
# * *
# * In addition, the format of the time stamp is prefixed in *
# * front of the log message. *
# * *
# * *
# **********************************************************************
#
###################################################################

###########################################
# Initialize the variables & command paths
###########################################
#set the path for the command rm
<RM= PATH>
###########################
# Source utility functions.
###########################

if [[ -z $SG_UTILS ]]
then
. /etc/cmcluster.conf
SG_UTILS=$SGCONF/scripts/mscripts/utils.sh
fi

if [[ -f ${SG_UTILS} ]]
then
. ${SG_UTILS}
if (( $? != 0 ))
then
echo "ERROR: Unable to source package utility functions file: ${SG_UTILS}"
exit 1
fi
else
echo "ERROR: Unable to find package utility functions file: ${SG_UTILS}"
exit 1
fi

###########################################
# Source the package environment variables.
###########################################

typeset postfix=$(date +"%H.%M.%S")


SG_ENV_FILE=/var/tmp/${SG_PACKAGE}.$postfix.$$.tmp
$SGSBIN/cmgetpkgenv $SG_PACKAGE > $SG_ENV_FILE
if (( $? != 0 ))
then
echo "ERROR: Unable to retrieve package attributes."
exit 1
fi
. $SG_ENV_FILE
$RM -f $SG_ENV_FILE

#########################################################################
#
# start_command
#
# This function should define actions to take when the package starts
#
#########################################################################

function start_command

306 Monitoring Script for Generic Resources


{

sg_log 5 "start_command"

# ADD your service start steps here

return 0
}

#########################################################################
#
# stop_command
#
# This function should define actions to take when the package halts
#
#
#########################################################################

function stop_command
{

sg_log 5 "stop_command"

# ADD your halt steps here

exit 1
}

################
# main routine
################

sg_log 5 "customer defined monitor script"

#########################################################################
#
# Customer defined monitor script should be doing following
# functionality.
#
# When the package is halting, cmhaltpkg will issue a SIGTERM signal to
# the service(s) configured in package. Use SIGTERM handler to stop
# the monitor script.
#
# Monitor the generic resource configured in package using customer
# defined tools and set the status or value to generic resource by using
# "cmsetresource" command. When setting the status or value get the current
# status or value using "cmgetresource" and set only if they are different.
#
#########################################################################

start_command $*

# SIGTERM signal handler to stop the monitor script


trap "stop_command" SIGTERM

while [ 1 ]
do

# Using customer defined tools get the status or value


# of generic resource(s) which are configured in package.

# Set the status or value of the generic resource using


# "cmsetresource" command. Before setting the stauts or value
# compare the new status or value by getting the existing status or
# value using "cmgetresource" and set only if they are different.

# Wait for customer defined interval to check the status or value


# for next time.

G.2 Template of a Monitoring Script 307


308
H HP Serviceguard Toolkit for Linux
The HP Serviceguard Toolkits such as, Contributed Toolkit, NFS, EDB PPAS, Sybase, and Oracle
Toolkits are used for the integration of applications such as, Apache, MySQL, NFS, Oracle
database, EDB PPAS, Sybase, and so on with the Serviceguard for Linux environment. The Toolkit
documentation describes how to customize the package for your needs. For more information, see
the Release Notes of these toolkits at http://www.hp.com/go/linux-serviceguard-docs.

309
310
Index
bridged net
A defined, 25
Access Control Policies, 158 broadcast storm
active node, 20 and possible TOC, 99
adding a package to a running cluster, 242 building a cluster
adding cluster nodes identifying heartbeat subnets, 157
advance planning, 132 identifying quorum server, 155
adding nodes to a running cluster, 212 logical volume infrastructure, 145
adding packages on a running cluster, 198 verifying the cluster configuration, 163
administration bus type
adding nodes to a running cluster, 212 hardware planning, 83
halting a package, 218
halting the entire cluster, 213 C
moving a package, 219 CAPACITY_NAME
of packages and services, 217 defined, 97
of the cluster, 211 CAPACITY_VALUE
reconfiguring a package while the cluster is running, definedr, 97
240 changes in cluster membership, 40
reconfiguring a package with the cluster offline, 241 changes to cluster allowed while the cluster is running,
reconfiguring the cluster, 228 228
removing nodes from operation in a running cluster, changes to packages allowed while the cluster is running,
212 243
responding to cluster events, 253 checkpoints, 274
reviewing configuration files, 262 client connections
starting a package, 217 restoring in applications, 278
troubleshooting, 260 cluster
adoptive node, 20 configuring with commands, 153
alter notification redundancy of components, 25
oracle and nfs toolkits environment, 197 Serviceguard, 19
serviceguard-xdc environment, 197 typical configuration, 19
applications understanding components, 25
automating, 271 cluster administration, 211
checklist of steps for integrating with Serviceguard, 283 solving problems, 263
handling failures, 279 cluster and package maintenance, 199
writing HA services for networks, 272 cluster configuration
ARP messages file on all nodes, 38
after switching, 70 identifying cluster-aware volume groups, 157
AUTO_START planning, 86
effect of default value, 76 planning worksheet, 104
AUTO_START_TIMEOUT verifying the cluster configuration, 163
parameter in the cluster configuration file, 100 cluster configuration file
AUTO_START_TIMEOUT (autostart delay) Autostart Delay parameter (AUTO_START_TIMEOUT),
parameter in cluster manager configuration, 100 100
automatic failback cluster coordinator
configuring with failover policies, 50 defined, 38
automatic restart of cluster, 39 cluster lock
automatically restarting the cluster, 213 4 or more nodes, 42
automating application operation, 271 and cluster reformation, example, 76
autostart delay and power supplies, 30
parameter in the cluster configuration file, 100 identifying in configuration file, 155
autostart for clusters no lock, 42
setting up, 165 two nodes, 40, 41
use in re-forming a cluster, 40, 41
B cluster manager
binding automatic restart of cluster, 39
in network applications, 277 blank planning worksheet, 289

311
cluster node parameter, 91, 92, 93 in package configuration, 236
defined, 38 pathname parameter in package configuration, 191
dynamic re-formation, 40 support for additional productss, 237
heartbeat subnet parameter, 95 troubleshooting, 262
initial configuration of the cluster, 38 controlling the speed of application failover, 272
main functions, 38 creating the package configuration, 233
maximum configured packages parameter, 104 customer defined functions
member timeout parameter, 99 adding to the control script, 237
monitored non-heartbeat subnet, 96
network polling interval parameter, 100, 104 D
planning the configuration, 90 data
quorum server parameter, 92 disks, 29
testing, 256 data congestion, 39
cluster node deciding when and where to run packages, 44
parameter in cluster manager configuration, 91, 92, deleting a package configuration
93 using cmdeleteconf, 242
cluster parameters deleting a package from a running cluster, 242
initial configuration, 38 deleting nodes while the cluster is running, 229
cluster re-formation deleting the cluster configuration
scenario, 75 using cmdeleteconf, 167
cluster startup dependencies
manual, 39 configuring, 113
cmapplyconf, 228, 239 designing applications to run on multiple systems, 275
cmapplyconf command, 196 disk
cmcheckconf, 163, 196, 238 data, 29
troubleshooting, 262 interfaces, 29
cmcheckconf command, 196 root, 29
cmcld daemon sample configurations, 30
and node reboot, 34 disk I/O
and node TOC, 34 hardware planning, 83
and safety timer, 34 disk layout
cmclnodelist bootstrap file, 136 planning, 85
cmdeleteconf disk logical units
deleting a package configuration, 242 hardware planning, 83
deleting the cluster configuration, 167 disk monitoring
cmmakepkg configuring, 198
examples, 192 disks
cmmodnet in Serviceguard, 29
assigning IP addresses in control scripts, 62 replacing, 257
cmnetassist daemon, 35 supported types in Serviceguard, 29
cmnetd daemon, 33 distributing the cluster and package configuration, 196,
cmquerycl 238
troubleshooting, 262 DNS services, 139
cmsnmpd daemon, 34 down time
configuration minimizing planned, 280
basic tasks and steps, 23 dynamic cluster re-formation, 40
cluster planning, 86
of the cluster, 38 E
package, 169 Easy deployment
package planning, 104 cmpreparecl, 86
service, 169 enclosure for disks
configuration file replacing a faulty mechanism, 257
for cluster manager, 38 error handling during package halt, 218
troubleshooting, 262 Ethernet
CONFIGURED_IO_TIMEOUT_EXTENSION redundant configuration, 26
defined, 101 exclusive access
configuring packages and their services, 169 relinquishing via TOC, 76
control script expanding the cluster
adding customer defined functions, 237 planning ahead, 79

312 Index
expansion H
planning for, 107 HALT_SCRIPT
explanations parameter in package configuration, 191
package parameters, 174 HALT_SCRIPT_TIMEOUT (halt script timeout)
parameter in package configuration, 191
F halting a cluster, 213
failback policy halting a package, 218
used by package manager, 50 halting the entire cluster, 213
FAILBACK_POLICY parameter handling application failures, 279
used by package manager, 50 hardware
failover monitoring, 256
controlling the speed in applications, 272 power supplies, 30
defined, 20 hardware failures
failover behavior response to, 76
in packages, 107 hardware planning
failover package, 43, 170 blank planning worksheet, 287
failover policy Disk I/O Bus Type, 83
used by package manager, 47 disk I/O information for shared disks, 83
FAILOVER_POLICY parameter host IP address, 82, 85
used by package manager, 47 host name, 81
failure I/O bus addresses, 83
kinds of responses, 75 I/O slot numbers, 83
network communication, 78 LAN interface name, 82, 85
response to hardware failures, 76 LAN traffic type, 82
responses to package and service failures, 77 memory capacity, 81
restarting a service after failure, 78 number of I/O slots, 81
failures planning the configuration, 81
of applications, 279 S800 series number, 81
FibreChannel, 29 SPU information, 81
figures subnet, 82, 85
mirrored disks connected for high availability, 30 worksheet, 83
redundant LANs, 27 heartbeat messages, 20
Serviceguard software components, 33 defined, 39
tasks in configuring an Serviceguard cluster, 23 heartbeat subnet address
typical cluster after failover, 21 parameter in cluster configuration, 95
typical cluster configuration, 20 HEARTBEAT_IP
file locking, 278 parameter in cluster configuration, 95
file system name parameter in package control script, 191 high availability, 19
file systems HA cluster defined, 25
planning, 85 objectives in planning, 79
floating IP address host IP address
defined, 62 hardware planning, 82, 85
floating IP addresses host name
in Serviceguard packages, 62 hardware planning, 81
FS, 191 HOSTNAME_ADDRESS_FAMILY
in sample package control script, 236 defined, 91
FS_MOUNT_OPT discussion and restrictions, 88
in sample package control script, 236 how the cluster manager works, 38
how the network manager works, 62
G
general planning, 79 I
Generic Resources I/O bus addresses
monitoring package resources with, 53 hardware planning, 83
monitoring script, 303 I/O slots
Generic resources hardware planning, 81, 83
sample monitoring script, 305 identifying cluster-aware volume groups, 157
generic resources monitoring service Installing Serviceguard, 135
using, 53 installing software
gethostbyname(), 276 quorum server, 145

313
integrating HA applications with Serviceguard, 283 planning, 85
introduction
Serviceguard at a glance, 19 M
understanding Serviceguard hardware, 25 MAC addresses, 276
understanding Serviceguard software, 33 managing the cluster and nodes, 211
IP manual cluster startup, 39
in sample package control script, 236 MAX_CONFIGURED_PACKAGES
IP address parameter in cluster manager configuration, 104
adding and deleting in packages, 63 maximum number of nodes, 25
for nodes and packages, 62 MEMBER_TIMEOUT
hardware planning, 82, 85 and safety timer, 34
portable, 62 configuring, 99
reviewing for packages, 260 defined, 98
switching, 45, 46, 70 maximum and minimum values , 98
IP_MONITOR membership change
defined, 102 reasons for, 40
iSCSI, 29 memory capacity
hardware planning, 81
J memory requirements
JFS, 273 lockable memory for Serviceguard, 79
minimizing planned down time, 280
K mirrored disks connected for high availability
kernel figure, 30
hang, and TOC, 75 monitor cluster with Serviceguard commands, 164
safety timer, 34 monitored non-heartbeat subnet
kernel consistency parameter in cluster configuration, 96
in cluster configuration, 140 monitored resource failure
kernel interrupts Serviceguard behavior, 25
and possible TOC, 99 monitoring disks, 198
monitoring hardware, 256
L Monitoring script
LAN launching, 303
heartbeat, 39 template, sample, 305
interface name, 82, 85 Monitoring Script for Generic Resources, 303
LAN failure moving a package, 219
Serviceguard behavior, 25 multi-node package, 44, 170
LAN interfaces multiple systems
primary and secondary, 25 designing applications for, 275
LAN planning
host IP address, 82, 85 N
traffic type, 82 name resolution services, 139
Launching Monitoring Scripts, 303 network
link-level addresses, 276 adding and deleting package IP addresses, 63
load sharing with IP addresses, 63 load sharing with IP addresses, 63
local switching, 63 local interface switching, 63
lock OTS/9000 support, 301
cluster locks and power supplies, 30 redundancy, 26
use of the cluster lock, 41 remote system switching, 69
use of the cluster lock disk, 40 network communication failure, 78
lock volume group, reconfiguring, 228 network components
logical volume parameter in package control script, 191 in Serviceguard, 25
logical volumes network manager
creating the infrastructure, 145 adding and deleting package IP addresses, 63
planning, 85 main functions, 62
LV, 191 network planning
in sample package control script, 236 subnet, 82, 85
LVM network polling interval (NETWORK_POLLING_INTERVAL)
commands for cluster use, 145 parameter in cluster manager configuration, 100, 104
disks, 29 network time protocol (NTP)

314 Index
for clusters, 140 planning, 104
networking run and halt script timeout parameters, 191
redundant subnets, 81 step by step, 169
networks subnet parameter, 191
binding to IP addresses, 277 using Serviceguard commands, 234
binding to port addresses, 277 verifying, 196
IP addresses and naming, 275 verifying the configuration, 196, 238
node and package IP addresses, 62 writing the package control script, 236
packages using IP addresses, 276 package configuration file, 174
supported types in Serviceguard, 25 editing, 193
writing network applications as HA services, 272 generating, 191
no cluster lock package dependency paramters, 180
choosing, 42 successor_halt_timeout, 178
node package configuration parameters, 174
basic concepts, 25 package control script
halt (TOC), 75 FS parameter, 191
in Serviceguard cluster, 19 LV parameter, 191
IP addresses, 62 package coordinator
timeout and TOC example, 76 defined, 39
node types package dependency
active, 20 parameters, 180
primary, 20 successor_halt_timeou, 178
NODE_FAIL_FAST_ENABLED package failover behavior, 107
effect of setting, 77 package failures
NODE_NAME responses, 77
parameter in cluster configuration, 93 package halt administration
parameter in cluster manager configuration, 91, 92, error handling, 218
93 package IP address
nodetypes defined, 62
primary, 20 package IP addresses
NTP defined, 62
time protocol for clusters, 140 reviewing, 260
package manager
O blank planning worksheet, 289, 290
OTS/9000 support, 301 testing, 255
outages package modules, 171
insulating users from, 271 base, 171
optional, 172
P package switching behavior
package changing, 220
adding and deleting package IP addresses, 63 packages
basic concepts, 25 deciding where and when to run, 44
blank planning worksheet, 289, 290 managed by cmcld, 34
changes allowed while the cluster is running, 243 parameter explanations, 174
error handling, 218 parameters, 174
halting, 218 types, 170
in Serviceguard cluster, 19 parameters
local interface switching, 63 for failover, 107
moving, 219 pacakge configuration, 174
reconfiguring while the cluster is running, 240 parameters for cluster manager
reconfiguring with the cluster offline, 241 initial configuration, 38
remote switching, 69 PATH, 191
starting, 217 physical volume
package administration, 217 for cluster lock, 40, 41
solving problems, 263 physical volumes
package and cluster maintenance, 199 blank planning worksheet, 288
package configuration planning, 85
applying, 196 planning
distributing the configuration file, 196, 238 cluster configuration, 86

315
cluster lock and cluster expansion, 85 redundancy in network interfaces, 25
cluster manager configuration, 90 redundant Ethernet configuration, 26
disk I/O information, 83 redundant LANS
for expansion, 107 figure, 27
hardware configuration, 81 redundant networks
high availability objectives, 79 for heartbeat, 20
overview, 79 relocatable IP address
package configuration, 104 defined, 62
power, 84 relocatable IP addresses
quorum server, 85 in Serviceguard packages, 62
SPU information, 81 remote switching, 69
volume groups and physical volumes, 85 removing nodes from operation in a running cluster, 212
worksheets, 83 removing packages on a running cluster, 198
planning and documenting an HA cluster, 79 removing Serviceguard from a system, 254
planning for cluster expansion, 79 replacing disks, 257
planning worksheets resources
blanks, 287 disks, 29
point of failure responses
in networking, 26 to cluster events, 253
POLLING_TARGET to package and service failures, 77
defined, 103 responses to failures, 75
ports responses to hardware failures, 76
dual and single aggregated, 65 restart
power planning automatic restart of cluster, 39
power sources, 84 following failure, 78
worksheet, 84, 288 restartable transactions, 273
power supplies restarting the cluster automatically, 213
blank planning worksheet, 287 restoring client connections in applications, 278
power supply rotating standby
and cluster lock, 30 configuring with failover policies, 47
UPS, 30 setting package policies, 47
primary LAN interfaces RUN_SCRIPT
defined, 25 parameter in package configuration, 191
primary node, 20 RUN_SCRIPT_TIMEOUT (run script timeout)
parameter in package configuration, 191
Q running cluster
QS_ADDR adding or removing packages, 198
parameter in cluster manager configuration, 92
quorum S
and cluster reformation, 75 S800 series number
quorum server hardware planning, 81
and safety timer, 34 safety timer
installing, 145 and node TOC, 34
parameters in cluster manager configuration, 92 and syslog, 34
planning, 85 duration, 34
sample disk configurations, 30
R Sample monitoring script for generic resources, 305
re-formation service administration, 217
of cluster, 40 service configuration
reconfiguring a package step by step, 169
while the cluster is running, 240 service failures
reconfiguring a package with the cluster offline, 241 responses, 77
reconfiguring a running cluster, 228 service restarts, 78
reconfiguring the entire cluster, 228 SERVICE_CMD
reconfiguring the lock volume group, 228 in sample package control script, 236
recovery time, 86 SERVICE_FAIL_FAST_ENABLED
redundancy and node TOC, 77
in networking, 26 SERVICE_NAME
of cluster components, 25 in sample package control script, 236

316 Index
SERVICE_RESTART supported disks in Serviceguard, 29
in sample package control script, 236 supported networks in Serviceguard, 25
Serviceguard switching
install, 135 ARP messages after switching, 70
introduction, 19 local interface switching, 63
Serviceguard at a Glance, 19 remote system switching, 69
Serviceguard behavior switching IP addresses, 45, 46, 70
in LAN failure, 25 system log, 257
in monitored resource failure, 25 system log file
in software failure, 25 troubleshooting, 261
Serviceguard commands system message
to configure a package, 234 changing for clusters, 166
Serviceguard Manager, 22 system multi-node package, 43, 170
overview, 22
Serviceguard software components T
figure, 33 tasks in Serviceguard configuration
serviceguard WBEM provider, 37 figure, 23
shared disks testing
planning, 83 cluster manager, 256
shutdown and startup package manager, 255
defined for applications, 272 testing cluster operation, 255
single point of failure time protocol (NTP)
avoiding, 19 for clusters, 140
single-node operation, 166, 253 TOC
size of cluster and package availability, 76
preparing for changes, 132 and safety timer, 99
SMN package, 43 and the safety timer, 34
SNA applications, 278 when a node fails, 75
software failure traffic type
Serviceguard behavior, 25 LAN hardware planning, 82
software planning troubleshooting
LVM, 85 approaches, 260
solving problems, 263 monitoring hardware, 256
SPU information replacing disks, 257
planning, 81 reviewing control scripts, 262
standby LAN interfaces reviewing package IP addresses, 260
defined, 25 reviewing system log file, 261
starting a package, 217 using cmquerycl and cmcheckconf, 262
startup and shutdown troubleshooting your cluster, 255
defined for applications, 272 typical cluster after failover
startup of cluster figure, 21
manual, 39 typical cluster configuration
stationary IP addresses, 62 figure, 20
STATIONARY_IP
parameter in cluster configuration, 96 U
status uname(2), 277
cmviewcl, 199 understanding network components in Serviceguard, 25
package IP address, 260 UPS
system log file, 261 in power planning, 84
stopping a cluster, 213 power supply, 30
SUBNET use of the cluster lock, 40, 41
in sample package control script, 236
parameter in package configuration, 191 V
subnet verifying cluster configuration, 163
hardware planning, 82, 85 verifying the cluster and package configuration, 196, 238
parameter in package configuration, 191 VG
SUBNET (for IP Monitor) in sample package control script, 236
defined, 102 vgcfgbackup
successor_halt_timeout parameter, 178 using to back up volume group configuration, 152

317
VGCHANGE
in package control script, 236
VGChange, 191
volume group
for cluster lock, 40, 41
planning, 85
volume group and physical volume planning, 85

W
WEIGHT_DEFAULT
defined, 103
WEIGHT_NAME
defined, 103
What is Serviceguard?, 19
worksheet
blanks, 287
cluster configuration, 104, 289
hardware configuration, 83, 287
package configuration, 289, 290
power supply configuration, 84, 287, 288
use in planning, 79

318 Index

You might also like