Presentation is loading. Please wait.

Presentation is loading. Please wait.

Stretching A Wolfpack Cluster Of Servers For Disaster Tolerance Dick Wilkins Program Manager Hewlett-Packard Co. Redmond, WA

Published byElla Sharp Modified over 9 years ago

Similar presentations

Presentation on theme: "Stretching A Wolfpack Cluster Of Servers For Disaster Tolerance Dick Wilkins Program Manager Hewlett-Packard Co. Redmond, WA"— Presentation transcript:

1 Stretching A Wolfpack Cluster Of Servers For Disaster Tolerance Dick Wilkins Program Manager Hewlett-Packard Co. Redmond, WA dick_wilkins@hp.com

2 Motivation WWW access has made many businesses 24 by 7 operations. Critical sales and support functions commonly take place online. Downtime is likely result in losses of many millions of dollars an hour. A disaster that results in a week or two of critical application unavailability is likely to result in business failure.

3 Disaster Causes Environmental (fire, tornado, earthquake, flood, major power outage) Civil unrest, terrorist actions Major operational errors Etc.

4 Traditional Recovery Methods Recovery from offsite backups Warm/hot site restoration Remote mirroring Clusters (HA only, not disaster tolerant) Fault tolerant architectures (ditto)

5 How to obtain Disaster Tolerance Combine solutions In addition to routine backups, etc.  Use remote mirroring .... and clustering ........ and place cluster nodes at each site

6 The Internet Mirror Interconnect Local SiteRemote Site Cluster Node Remote Cluster Node Heartbeat Link

7 What makes this hard? 1)Mirroring is unidirectional 2)The quorum disk is special 3)Total loss of communications between sites can present protocol problems

8 Unidirectional mirroring Mirroring was not designed as a general purpose communications path. It just moves data from primary to secondary disk copies. MSCS is a “shared nothing” clustering system (vs. “shared disk”). When ownership of a disk is changed, mirror direction may need to be swapped.

9 The Quorum disk is special Used as a tie breaker to prevent “split- brain” –Where two (or more) nodes think the others are down and try to provide the same service Low level SCSI commands may be delivered at any time Therefore must accurately follow the SCSI Specification semantics for Reserve, Release and Bus/Device Reset

10 Preventing Split-Brain When all inter-site communications are lost… It’s hard to run a protocol between sites to decide to move control of the cluster 1.The remote site may be down (“disaster”) 2.It may have lost network connectivity 3.It may be up and providing service How to decide?

11 Wolfpack Background Two approaches to application data disks –“Shared Data”, all nodes see all disks –“Shared Nothing”, one node at a time Applications and their “resources” are packaged into “groups” –Disk(s) –IP address –Network name –The application itself

12 The “Resource DLL” Inserted into group bring up prior to disks Checks to see the mirroring status and direction Swap direction it if needed Mirror Direction

13 Other resource DLL functions The disk array allows for sync and async I/O to mirror volumes (LUN by LUN) Numerous options are available based on data-safety requirements The DLL must preserve and protect the selected level of data-safety (600+ rules) User supplied scripts can be run GUI is provided to setup and manage

14 Dealing with the Quorum disk We want the quorum disk mirrored in two places, but… It must continue to operate as a single drive in the face of failures We didn’t want to create more communications paths to rely on

15 Disk control protocol (simplified) 1.A node wanting to control a disk issues a Bus/Device Reset to the disk 2.It waits INTERVAL+ time 3.It issues a SCSI Reserve command 4.If the reserve fails, it assumes another node has defended its ownership 5.If it succeeds, it is the new disk owner and starts routine re-reservations every INTERVAL time

16 Disk protocol (cont.) MSCS also uses reads/write to probe the current reservation state We place a “filter driver” in the SCSI stack to intercept SCSI commands for the quorum disk A service program cooperates with the filter driver to insure correct behavior of the quorum disk pair We use three special disk pairs to “communicate” between servers and sites

17 The special disks 1.The first disk pair, synchronously mirrored, holds the current reservation state of the quorum disk 2.A second disk “pair” (not mirrored) is used to hold a exclusionary lock between local nodes 3.The third disk pair is used as a global lock. It’s pair state and direction indicates the ownership of the global lock.

18 The special disks (cont.) These disks are small (the smallest that can be created in the array) They are not part of the cluster configuration They are not assigned drive letters They do not contain file systems Also required are “Command Device” disks on each array used for array control commands

19 The Disks

20 One type of failures is hard! If all communications are lost between sites you need help to recover You need the quorum, but we “stretched” it An external arbitrator can help –Located with the application users –Is prepared to allow one and only one site proceed with cluster ops Arbiter location available from Active Directory (or config files)

21 How it works For the node that currently holds the quorum device –It detects the loss of communications –It creates a process –The process contacts the arbitrator –If it makes contact, it knows all is OK and exits –If it is unable to make contact, it assumes the communications failure has isolated it and shuts down clustering (also assuming the other site will restart clustering)

22 How it works (cont) When MSCS asks a node to take control of the quorum disk and the normal protocol finds a communications failure –It causes clustering to shut down –It creates a new process to see if recovery is needed –That process contacts the arbitrator –If the arbitrator tells it to proceed, it cleans up the metadata and restarts clustering locally, if not, it just exits

23 How the arbitrator decides Upon request for arbitration, the arbitrator process attempts to contact the cluster’s general IP address –If the “cluster” responds (a operating node that holds the quorum device) it reports that the cluster is running –If it cannot contact the cluster’s IP, it reports that the cluster is down or isolated –If multiple nodes request this service, it only responds to the first

24 Software Installation Hardware configuration is done first Typical Microsoft Installer/InstallShield script setup is used One node at a time (quorum is moved ahead of each node’s setup) Same script installs the resource DLL Also installs the arbitrator on a node external to the cluster

25 Summary A stretched cluster significantly increases disaster tolerance It is possible to quickly and automatically recover from major failures Inter-site link technology doesn’t matter Cost is a small increment when clustering and distance mirroring are already present This implementation is hardware specific but the technology is portable to other distance mirroring solutions This implementation is Microsoft WHQL certified

26 Future Work New arrays (distance mirroring is all that is necessary) Windows.NET and Win64 Redundant Arbitrator New quorum technologies from Microsoft (SCSI persistent reservations, new quorum algorithms) Transportability to Unix clusters?

Download ppt "Stretching A Wolfpack Cluster Of Servers For Disaster Tolerance Dick Wilkins Program Manager Hewlett-Packard Co. Redmond, WA"

Similar presentations

How to Ensure Your Business Survives, Even if Your Server Crashes Backup Fast, Recover Faster Fast and Reliable Disaster Recovery, Data Protection, System.

How to Ensure Your Business Survives, Even if Your Server Crashes Backup Fast, Recover Faster Fast and Reliable Disaster Recovery, Data Protection, System.
NAS vs. SAN 10/2010 Palestinian Land Authority IT Department By Nahreen Ameen 1.

NAS vs. SAN 10/2010 Palestinian Land Authority IT Department By Nahreen Ameen 1.
Business Continuity Section 3(chapter 8) BC:ISMDR:BEIT:VIII:chap8:Madhu N PIIT1.

Business Continuity Section 3(chapter 8) BC:ISMDR:BEIT:VIII:chap8:Madhu N PIIT1.
Chapter 5: Server Hardware and Availability. Hardware Reliability and LAN The more reliable a component, the more expensive it is. Server hardware is.

Chapter 5: Server Hardware and Availability. Hardware Reliability and LAN The more reliable a component, the more expensive it is. Server hardware is.
© 2009 EMC Corporation. All rights reserved. Introduction to Business Continuity Module 3.1.

© 2009 EMC Corporation. All rights reserved. Introduction to Business Continuity Module 3.1.
High Availability 24 hours a day, 7 days a week, 365 days a year… Vik Nagjee Product Manager, Core Technologies InterSystems Corporation.

High Availability 24 hours a day, 7 days a week, 365 days a year… Vik Nagjee Product Manager, Core Technologies InterSystems Corporation.
1 © Copyright 2010 EMC Corporation. All rights reserved. EMC RecoverPoint/Cluster Enabler for Microsoft Failover Cluster.

1 © Copyright 2010 EMC Corporation. All rights reserved. EMC RecoverPoint/Cluster Enabler for Microsoft Failover Cluster.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 5: Planning, Configuring, And Troubleshooting DHCP.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 5: Planning, Configuring, And Troubleshooting DHCP.
The Google File System. Why? Google has lots of data –Cannot fit in traditional file system –Spans hundreds (thousands) of servers connected to (tens.

The Google File System. Why? Google has lots of data –Cannot fit in traditional file system –Spans hundreds (thousands) of servers connected to (tens.
Keith Burns Microsoft UK Mission Critical Database.

Keith Burns Microsoft UK Mission Critical Database.
Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.

Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.
Lesson 1: Configuring Network Load Balancing

Lesson 1: Configuring Network Load Balancing
Implementing Disaster Protection www.microsoft.com.

Implementing Disaster Protection
Hands-On Microsoft Windows Server 2003 Networking Chapter 5 Dynamic Host Configuration Protocol.

Hands-On Microsoft Windows Server 2003 Networking Chapter 5 Dynamic Host Configuration Protocol.
1© Copyright 2011 EMC Corporation. All rights reserved. EMC RECOVERPOINT/ CLUSTER ENABLER FOR MICROSOFT FAILOVER CLUSTER.

1© Copyright 2011 EMC Corporation. All rights reserved. EMC RECOVERPOINT/ CLUSTER ENABLER FOR MICROSOFT FAILOVER CLUSTER.
Back Up and Recovery Sue Kayton February 2013.

Back Up and Recovery Sue Kayton February 2013.
National Manager Database Services

National Manager Database Services
High Availability Module 12.

High Availability Module 12.
11 SERVER CLUSTERING Chapter 6. Chapter 6: SERVER CLUSTERING2 OVERVIEW  List the types of server clusters.  Determine which type of cluster to use for.

11 SERVER CLUSTERING Chapter 6. Chapter 6: SERVER CLUSTERING2 OVERVIEW  List the types of server clusters.  Determine which type of cluster to use for.
Ronen Gabbay Microsoft Regional Director Yside / Hi-Tech College

Ronen Gabbay Microsoft Regional Director Yside / Hi-Tech College

Similar presentations

Ads by Google