Key Concepts

Each Sun Cluster data service has a fault monitor that periodically probes the data service to determine its health. A default monitor checks whether application daemons are running and that clients are being served. Based on the information returned through detection, pre-defined actions, such as restarting daemons or causing a failover, can be initiated.

Sun Cluster software supports disk-path monitoring (DPM). DPM improves the overall reliability of failover and switchover by reporting the failure of a secondary disk-path. You can use two methods for monitoring paths to disks. The first method is provided by running the scdpm command. This command enables you to monitor, unmonitor, or display the status of paths to disks in your cluster.

The second method is provided by the SunPlex Manager GUI. SunPlex Manager provides a topological view of the monitored paths to disks. The view is updated every 10 minutes to provide information about the number of failed force replies.

Each cluster node has its own IP network multipathing configuration, which may vary with cluster nodes. IP network multipathing monitors the following network communication failures:

• The transmit and receive path of network adapter has stopped transmitting packets.
• The network adapter is disconnected with links.
• Ports on switches do not transmit or receive packets.
• Physical interfaces in a group are unavailable during system boot.

The Sun Cluster system attempts to prevent data corruption and ensure data integrity. A cluster must never be split into separate zones that are active at the same time, because cluster nodes share data and resources. The CMM guarantees that only one cluster is operational at any time.

Two types of problems may arise from cluster partitions: split brain and amnesia. Split brain occurs when the cluster interconnection between nodes is lost, the cluster is partitioned into subclusters, and each subcluster believes that it is the unique partition. A subcluster that is not aware of other subclusters may cause a conflict in shared resources, such as duplicate network addresses and data corruption.

Amnesia occurs if all nodes leave the cluster in staggered groups. An example is a two-node cluster with nodes A and B. If the node A is shut down, only CCR configuration data stored in the node B instead of the node A is updated. If the node B is shut down and the node A is rebooted, the node A may run with original CCR configuration data. This state is called amnesia, which may cause the operation of a cluster based on original configuration data.

You can avoid split brain and amnesia by giving each node one vote and mandating a majority of votes for an operational cluster. A partition with a majority of votes takes up a quorum and is enabled to operate. This multi-vote mechanism applies to a cluster that contains more than two nodes. Most two-node clusters have two partitions. If such a cluster is partitioned, an external vote enables a partition to gain quorum. This external vote is provided by a quorum device. A quorum device can be any disk that is shared between two nodes.

Table 10-1 describes how the Sun Cluster software uses quorum to avoid split brain and amnesia.

A major issue for clusters is a failure that causes the partitioning of a cluster (called split brain). When this situation occurs, not all nodes can be used for communication. A single node or subset may attempt to form a separate cluster or subset. Each subset or partition may "believe" that it has the sole access and ownership to multiple host disks. Attempts by multiple nodes to write data to disks may cause data corruption.

Failure fencing limits node access to multiple host disks by preventing access to disks. When a node leaves a cluster that either fails or is partitioned, failure fencing ensures that the node cannot access disks any longer. Only the current member node has access to disks, ensuring data integrity.

The Sun Cluster system uses SCSI disk reservations to implement failure fencing. Failed nodes are "fenced" away from multiple host disks through SCSI reservations, preventing themselves from accessing those disks.

When a cluster member detects that another node does not interconnect with it, it initiates a failure fencing procedure to prevent the failed node from accessing shared disks. When this failure fencing occurs, the fenced node is out of service and a "reservation conflict" message is displayed on its console.

The failfast mechanism disables failed nodes but does not prevent failed nodes from being rebooted. Failed nodes may be rebooted and rejoined in a cluster after being disabled.

If a node disconnects with other nodes in a cluster and the node is not part of a partition that can achieve quorum, it is forcibly removed by another node from the cluster. Any node that is part of a partition that can achieve quorum places reservations on shared disks. Nodes whose quantity cannot reach a quorum are disabled based on the failfast mechanism.

The Sun Cluster system uses global devices to provide cluster-wide, highly available access to any device in a cluster from any node. Generally, if a node cannot be used to access a global device, Sun Cluster software switches the current path to another path to the device and redirects access to the path. This redirection is easy with global devices regardless of the path, because devices are provided with the same name. Accessing to a remote device is like accessing a local device of the same name. In addition, APIs used for accessing global devices in a cluster are the same as those for accessing local devices.

Sun Cluster global devices include disks, CD-ROMs, and tapes. However, disks are the unique multi-port global devices supported.

A cluster assigns a unique ID to a disk, CD-ROM, or tape. This assignment enables consistent access to each device from any node in a cluster.

Sun Cluster software manages global devices using a device ID (DID) driver. The driver automatically assigns a unique ID to each device in a cluster, such as multiple host disks, tape drives, and CD-ROMs.

The DID driver is an integral part of accessing global devices in a cluster. It can detect all cluster nodes and build a list of unique disk devices. Additionally, the DID driver assigns unique and consistent primary number and secondary number to each device in all cluster nodes. The DID driver assigns a unique DID instead of Solaris DID to access global devices.

Sun Cluster software also manages local devices. These local devices can only be accessed by nodes that are running and physically connect to the cluster. Local devices are superior to global devices in terms of performance, because they do not need to concurrently replicate the status information of multiple nodes. If a device domain fails, the device cannot be accessed until it is shared by multiple nodes.

Disk device groups enable volume manager disk groups to be global, because they provide multiple paths and hosts for the underlying disks. Each cluster node that physically connects to multiple host disks provides a path to disk device groups.

In the Sun Cluster system, you can control multiple host disks that use Sun Cluster software by registering multiple host disks as disk device groups. This makes the Sun Cluster system detect which volume manager disk group is mapped to a node. The Sun Cluster software creates a raw disk device group for each disk device and tape device in a cluster. These cluster device groups keep in the offline state until you access them as global devices either by mounting a global file system or accessing a raw database file.

A resource type is a collection of properties that describe applications in a cluster. The collection contains information about how to enable, disable, and monitor applications on a cluster node. Resource type also includes application-specific properties, which need to be defined when you run these applications in a cluster. Sun Cluster data services are pre-defined with multiple resource types. For example, the resource type of Sun Cluster HA for Oracle is SUNW.oracle-server. The resource type of Sun Cluster HA for Apache is SUNW.apache.

Resources are instances of resource types defined within a cluster range. You can install multiple application instances on a cluster based on resource types. When you initialize resources, RGM assigns values to application-specific properties and the resources inherit any property on the resource type level.

Data services utilize multiple types of resources. Applications, such as Apache Web Server or Sun Java System Web Server, utilize network IP addresses that they rely on, including logical host names and shared IP addresses. Applications and network resources form a basic unit managed by RGM.

Resources managed by RGM are stored in a resource group and managed as a unit. A resource group is a group consisting of associated or inter-dependent resources. For example, resources derived from SUNW.LogicalHostname may be stored in the same resource group together with resources derived from an Oracle database. If you enable failover or switchover of a resource group, the resource group is transplanted as a unit.

Data services enable applications to be highly available and scalable, preventing important cluster applications from being interrupted in case of a single point of failure.

When configuring a data service, you must configure it as one of the following types:

• Failover data service
• Scalable data service
• Parallel data service