<div dir="ltr">It would seem to me that if guest HA is highly-desired, and it is, requiring multiple flavors for multiple SLA requirements (and that's what we're really talking about) introduces a trade-off that conceivably isn't needed - double the flavor requirement for the same spec (512/1/10 and another for HA). I'd like to explore this a little further to define other possibilities.<div><br></div><div>I like the idea of instance HA; I like the idea of host HA way better because it protects every instance on it. And hosts with HA logic would obviously not be allowed to only host instances that use shared storage.</div><div><br></div><div>What are our options to continue discussing in Paris?</div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div><font><div style="font-family:arial;font-size:small"><b><i><br>Adam Lawson</i></b></div><div><font><font color="#666666" size="1"><div style="font-family:arial"><br></div><div style="font-family:arial;font-size:small">AQORN, Inc.</div><div style="font-family:arial;font-size:small">427 North Tatnall Street</div><div style="font-family:arial;font-size:small">Ste. 58461</div><div style="font-family:arial;font-size:small">Wilmington, Delaware 19801-2230</div><div style="font-family:arial;font-size:small">Toll-free: (844) 4-AQORN-NOW ext. 101</div><div style="font-family:arial;font-size:small">International: +1 302-387-4660</div></font><font color="#666666" size="1"><div style="font-family:arial;font-size:small">Direct: +1 916-246-2072</div></font></font></div></font></div><div style="font-family:arial;font-size:small"><img src="http://www.aqorn.com/images/logo.png" width="96" height="39"><br></div></div></div>
<br><div class="gmail_quote">On Wed, Oct 15, 2014 at 1:50 PM, Florian Haas <span dir="ltr"><<a href="mailto:florian@hastexo.com" target="_blank">florian@hastexo.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Wed, Oct 15, 2014 at 9:58 PM, Jay Pipes <<a href="mailto:jaypipes@gmail.com">jaypipes@gmail.com</a>> wrote:<br>
> On 10/15/2014 03:16 PM, Florian Haas wrote:<br>
>><br>
>> On Wed, Oct 15, 2014 at 7:20 PM, Russell Bryant <<a href="mailto:rbryant@redhat.com">rbryant@redhat.com</a>><br>
>> wrote:<br>
>>><br>
>>> On 10/13/2014 05:59 PM, Russell Bryant wrote:<br>
>>>><br>
>>>> Nice timing. I was working on a blog post on this topic.<br>
>>><br>
>>><br>
>>> which is now here:<br>
>>><br>
>>> <a href="http://blog.russellbryant.net/2014/10/15/openstack-instance-ha-proposal/" target="_blank">http://blog.russellbryant.net/2014/10/15/openstack-instance-ha-proposal/</a><br>
>><br>
>><br>
>> I am absolutely loving the fact that we are finally having a<br>
>> discussion in earnest about this. i think this deserves a Design<br>
>> Summit session.<br>
>><br>
>> If I may weigh in here, let me share what I've seen users do and what<br>
>> can currently be done, and what may be supported in the future.<br>
>><br>
>> Problem: automatically ensure that a Nova guest continues to run, even<br>
>> if its host fails.<br>
>><br>
>> (That's the general problem description and I don't need to go into<br>
>> further details explaining the problem, because Russell has done that<br>
>> beautifully in his blog post.)<br>
>><br>
>> Now, what are the options?<br>
>><br>
>> (1) Punt and leave it to the hypervisor.<br>
>><br>
>> This essentially means that you must use a hypervisor that already has<br>
>> HA built in, such as VMware with the VCenter driver. In that scenario,<br>
>> Nova itself neither deals with HA, nor exposes any HA switches to the<br>
>> user. Obvious downside: not generic, doesn't work with all<br>
>> hypervisors, most importantly doesn't work with the most popular one<br>
>> (libvirt/KVM).<br>
>><br>
>> (2) Deploy Nova nodes in pairs/groups, and pretend that they are one node.<br>
>><br>
>> You can already do that by overriding "host" in nova-compute.conf,<br>
>> setting resume_guests_state_on_host_boot, and using VIPs with<br>
>> Corosync/Pacemaker. You can then group these hosts in host aggregates,<br>
>> and the user's scheduler hint to point a newly scheduled guest to such<br>
>> a host aggregate becomes, effectively, the "keep this guest running at<br>
>> all times" flag. Upside: no changes to Nova at all, monitoring,<br>
>> fencing and recovery for free from Corosync/Pacemaker. Downsides:<br>
>> requires vendors to automate Pacemaker configuration in deployment<br>
>> tools (because you really don't want to do those things manually).<br>
>> Additional downside: you either have some idle hardware, or you might<br>
>> be overcommitting resources in case of failover.<br>
>><br>
>> (3) Automatic host evacuation.<br>
>><br>
>> Not supported in Nova right now, as Adam pointed out at the top of the<br>
>> thread, and repeatedly shot down. If someone were to implement this,<br>
>> it would *still* require that Corosync/Pacemaker be used for<br>
>> monitoring and fencing of nodes, because re-implementing this from<br>
>> scratch would be the reinvention of a wheel while painting a bikeshed.<br>
>><br>
>> (4) Per-guest HA.<br>
>><br>
>> This is the idea of just doing "nova boot --keep-this running", i.e.<br>
>> setting a per-guest flag that still means the machine is to be kept up<br>
>> at all times. Again, not supported in Nova right now, and probably<br>
>> even more complex to implement generically than (3), at the same or<br>
>> greater cost.<br>
>><br>
>> I have a suggestion to tackle this that I *think* is reasonably<br>
>> user-friendly while still bearable in terms of Nova development<br>
>> effort:<br>
>><br>
>> (a) Define a well-known metadata key for a host aggregate, say "ha".<br>
>> Define that any host aggregate that represents a highly available<br>
>> group of compute nodes should have this metadata key set.<br>
>><br>
>> (b) Then define a flavor that sets extra_specs "ha=true".<br>
>><br>
>> Granted, this places an additional burden on distro vendors to<br>
>> integrate highly-available compute nodes into their deployment<br>
>> infrastructure. But since practically all of them already include<br>
>> Pacemaker, the additional scaffolding required is actually rather<br>
>> limited.<br>
><br>
><br>
> Or:<br>
><br>
> (5) Let monitoring and orchestration services deal with these use cases and<br>
> have Nova simply provide the primitive API calls that it already does (i.e.<br>
> host evacuate).<br>
<br>
</div></div>That would arguably lead to an incredible amount of wheel reinvention<br>
for node failure detection, service failure detection, etc. etc.<br>
<span class="HOEnZb"><font color="#888888"><br>
Florian<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br></div>