Cinder Volume Active/Active support - General description

Right now cinder-volume service can run only in Active/Passive HA fashion and this spec proposes a possible path to support Active/Active configurations in Cinder Volumes.

This spec will only provide a general description of the problem enumerating the different issues we have to resolve without actually going into too much detail. It’s more an eagle’s eye kind of view of the problem.

Each specific issue will have its own spec that gives a detailed description of the problem with proposed solution to the problem.

Problem description

Right now cinder-volume service only accepts Active/Passive High Availability configurations, and there are a number of things that need to change for it to support Active/Active configurations.

API Races

On API nodes given current code we are open to races in the code that affect resources on the database, and this will be exacerbated when working with Active/Active configurations.

Local Manager Locks

We have multiple local locks in the manager code of the volume nodes to prevent multiple green threads from accessing the same resource on specific operations.

This locking is local to the nodes and doesn’t extend to other nodes, so we need to solve mutual exclusion among volume nodes of the same cluster.

Job distribution

Cinder has no concept of clusters, only has the concept of hosts and each host implements a specific backend/service. A mechanism is needed to group hosts from the same cluster under the same conceptual unit while retaining the individual identities of the nodes belonging to the cluster for differentiation in the clean up of crashed nodes.


Right now only one node can work on a specific backend, and therefore on the resources that it contains, so the cleanup is done by the node itself on startup. And if the node does not come up and the resources are left on a stale state it is not a big deal.

It is different with an Active/Active deployment since multiple nodes are sharing the same storage back-end and a node can only do cleanup for the nodes he was working on when he died/failed.

It is also important to do proper cleanup even when a specific node does not come back to life, since other nodes from the same cluster can still manage those resources.

Data Corruption Prevention

Since multiple nodes will be accessing the same storage back-end we have to be extra careful not to access resources that are accessed by other nodes.

More relevant case is when we lose connection to the DB and we no longer can send Service Heartbeats, since Scheduler’s cleanup process (explained in Cleanup proposed changes) will come into place and we could have 2 different nodes accessing the same resource, one because it’s still working on it and the other because it is trying to do the cleanup.

Drivers’ Locks

Some drivers require mutual exclusion for certain operations or when accessing the same resources.

This mutual exclusion is currently being done using local locks in the same way the manager does and they need to be able to work when multiple nodes are accessing the same storage back-end.

Use Cases

Operators that have hard requirements, SLA or other reasons, to have their cloud operational at all times or have higher throughput requirements will want to have the possibility to configure their deployments with an Active/Active configuration.

Proposed change

API Races

Races on the API nodes will be removed used compare-and-swap updates to the DB.

Job distribution

Job distribution will add the concept of cluster to cinder and send jobs using a topic message queue using the cluster instead of the host like we are doing now.


Cleanup will keep track of resources that are have ongoing operations and will have cleanup mechanisms on the Scheduler as well as the Volume nodes.

Cleanup on the nodes will happen on initialization as it is doing now but we’ll also have an automatic cleanup job on the scheduler for the cases where a node with the same host name is not brought up.

Automatic cleanup mechanism will be disabled by default and it will be possible to trigger it manually.

Data Corruption Prevention

Stop listening to new jobs from the Message Broker and halt all ongoing operations so we are no longer accessing resources on the Storage Backend.

Manager Local Locks

Default solution will be using a DLM with TooZ as the abstraction layer:

An alternative solution, that will be initially left as nice to have, will be available for systems that don’t want to install a DLM solution and are using drivers that don’t require distributed locking for Active-Active configurations. This solution replaces local file locks on c-vol’s manager with a DB locking mechanism using workers DB table (introduced by Cleanup changes).

Drivers’ Locks

We will be using a DLM solution with TooZ as the abstraction layer:


There are quite a number of alternatives to not only each of the issues we need to fix, and they are discussed in the respective specs except for the Drivers’ lock alternative that creates a generic locking mechanism extending the locking mechanism implemented to remove Manager Local Locks.

Data model impact

Discussed in the respective specs.

REST API impact

Discussed in the respective specs.

Security impact


Notifications impact


Other end user impact


Performance Impact

Discussed in the respective specs.

Other deployer impact

Discussed in the respective specs.

Developer impact




Discussed in the respective specs.

Work Items

  • API Races

  • Job distribution

  • Cleanup

  • Data Corruption Prevention

  • Manager Local Locks

  • Drivers’ Locks




Discussed in the respective specs.

Documentation Impact

Discussed in the respective specs.