Instance High Availability¶
Include the URL of your launchpad blueprint:
https://blueprints.launchpad.net/tripleo/+spec/instance-ha
A very often requested feature by operators and customers is to be able to automatically resurrect VMs that were running on a compute node that failed (either due to hardware failures, networking issues or general server problems). Currently we have a downstream-only procedure which consists of many manual steps to configure Instance HA: https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/high-availability-for-compute-instances/chapter-1-overview
What we would like to implement here is basically an optional opt-in automatic deployment of a cloud that has Instance HA support.
Problem Description¶
Currently if a compute node has a hardware failure or a kernel panic all the instances that were running on the node, will be gone and manual intervention is needed to resurrect these instances on another compute node.
Proposed Change¶
Overview¶
The proposed change would be to add a few additional puppet-tripleo profiles that would help us configure the pacemaker resources needed for instance HA. Unlike in previous iterations we won’t need to move nova-compute resources under pacemaker’s management. We managed to achieve the same result without touching the compute nodes (except by setting up pacemaker_remote on the computes, but that support exists already)
Alternatives¶
There are a few specs that are modeling host recovery:
Host Recovery - https://review.openstack.org/#/c/386554/ Instances auto evacuation - https://review.openstack.org/#/c/257809
The first spec uses pacemaker in a very similar way but is too new and too high level to really be able to comment at this point in time. The second one has been stalled for a long time and it looks like there is no consensus yet on the approaches needed. The longterm goal is to morph the Instance HA deployment into the spec that gets accepted. We are actively working on both specs as well. In any case we have discussed the long-term plan with SuSe and NTT and we agreed on a long-term plan of which this spec is the first step for TripleO.
Security Impact¶
No additional security impact.
Other End User Impact¶
End users are not impacted except for the fact that VMs can be resurrected automatically on a non-failed compute node.
Performance Impact¶
There are no performance related impacts as compared to a current deployment.
Other Deployer Impact¶
So this change does not affect the default deployments. What it does it adds a boolean and some additional profiles so that a deployer can have a cloud configured with Instance HA support out of the box.
One top-level parameter to enable the Instance HA deployment
Although fencing configuration is already currently supported by tripleo, we will need to improve bits and pieces so that we won’t need an extra command to generate the fencing parameters.
Upgrades will be impacted by this change in the sense that we will need to make sure to test them when Instance HA is enabled.
Developer Impact¶
No developer impact is planned.
Implementation¶
Assignee(s)¶
- Primary assignee:
michele
- Other contributors:
cmsj, abeekhof
Work Items¶
Make the fencing configuration fully automated (this is mostly done already, we need oooq integration and some optimization)
Add the logic and needed resources on the control-plane
Test the upgrade path when Instance HA is configured
Testing¶
Testing this manually is fairly simple:
Deploy with Instance HA configured and two compute nodes
Spawn a test VM
Crash the compute node where the VM is running
Observe the VM being resurrected on the other compute node
Testing this in CI is doable but might be a bit more challenging due to resource constraints.
Documentation Impact¶
A section under advanced configuration is needed explaining the deployment of a cloud that supports Instance HA.