NAME
cman_tool − Cluster Management Tool
SYNOPSIS
cman_tool join | leave | kill | expected | votes | version | wait | status | nodes | services | debug [options]
DESCRIPTION
cman_tool
is a program that manages the cluster management subsystem
CMAN. cman_tool can be used to join the node to a cluster,
leave the cluster, kill another cluster node or change the
value of expected votes of a cluster.
Be careful that you understand the consequences of the
commands issued via cman_tool as they can affect all nodes
in your cluster. Most of the time the cman_tool will only be
invoked from your startup and shutdown scripts.
SUBCOMMANDS
join |
This is the main use of cman_tool. It instructs the cluster manager to attempt to join an existing cluster or (if no existing cluster exists) then to form a new one on its own. |
If no options are given to this command then it will take the cluster configuration information from cluster.conf. However, it is possible to provide all the information on the command-line or to override cluster.conf values by using the command line.
leave |
Tells CMAN to leave the cluster. You cannot do this if there are subsystems (eg DLM, GFS) active. You should dismount all GFS filesystems, shutdown CLVM, fenced and anything else using the cluster manager before using cman_tool leave. Look at ’cman_tool status’ and group_tool to see how many (and which) subsystems are active. |
When a node leaves the cluster, the remaining nodes recalculate quorum and this may block cluster activity if the required number of votes is not present. If this node is to be down for an extended period of time and you need to keep the cluster running, add the remove option, and the remaining nodes will recalculate quorum such that activity can continue.
kill |
Tells CMAN to kill another node in the cluster. This will cause the local node to send a "KILL" message to that node and it will shut down. Recovery will occur for the killed node as if it had failed. This is a sort of remote version of "leave force" so only use if if you really know what you are doing. |
expected
Tells CMAN a new value of
expected votes and instructs it to recalculate quorum based
on this value.
Use this option if your cluster has lost quorum due to nodes
failing and you need to get it running again in a hurry.
version
Used alone this will report the
major, minor, patch and config versions used by CMAN (also
displayed in ’cman_tool status’). It can also be
used with -r to tell cluster members to update.
The argument to -r is the version number that cman should
look for. If that version is not currently available then
cman will poll for it. If a version of 0 is specified then
cman will read the configuration file, validate it,
distribute it around the cluster (if necessary) and activate
it.
The -D flag can disable the validation stage. This is NOT
recommended.
wait |
Waits until the node is a member of the cluster and then returns. | ||
status |
Displays the local view of the cluster status. | ||
nodes |
Displays the local view of the cluster nodes. |
services
Displays the local view of subsystems using cman (deprecated, group_tool should be used instead).
debug |
Sets the debug level of the running cman daemon. Debug output will be sent to syslog level LOG_DEBUG. the -d switch specifies the new logging level. This is the same bitmask used for cman_tool join -d |
LEAVE OPTIONS
-w |
Normally, "cman_tool leave" will fail if the cluster is in transition (ie another node is joining or leaving the cluster). By adding the -w flag, cman_tool will wait and retry the leave operation repeatedly until it succeeds or a more serious error occurs. |
-t <seconds>
If -w is also specified then -t dictates the maximum amount of time cman_tool is prepared to wait. If the operation times out then a status of 2 is returned.
force |
Shuts down the cluster manager without first telling any of the subsystems to close down. Use this option with extreme care as it could easily cause data loss. | ||
remove |
Tells the rest of the cluster to recalculate quorum such that activity can continue without this node. |
EXPECTED OPTIONS
-e <expected-votes>
The new value of expected votes to use. This will usually be enough to bring the cluster back to life. Values that would cause incorrect quorum will be rejected.
KILL OPTIONS
-n <nodename>
The node name of the node to be killed. This should be the unqualified node name as it appears in ’cman_tool nodes’.
VERSION OPTIONS
-r <config_version>
Update config version. You
don’t need to use this when adding a new node, the new
cman node will tell the rest of the cluster to read the
latest version of the config file automatically.
In fact the argument to -r might look as though it is
ignored. Its presence simply tells cman to re-read the
configuration file and look for that version in the file.
cman will keep re-reading the file until a version number
>= the passed version is found.
cman_tool version on its own will always show the current
version and not the one being looked for. So be aware that
the display will possible not update immediately after you
have run cman_tool version -r.
-D<option>
see "JOIN" options
WAIT OPTIONS
-q |
Waits until the cluster is quorate before returning. -t <seconds> Dictates the maximum amount of time cman_tool is prepared to wait. If the operation times out then a status of 2 is returned. |
JOIN OPTIONS
-c <clustername>
Provides a text name for the cluster. You can have several clusters on one LAN and they are distinguished by this name. Note that the name is hashed to provide a unique number which is what actually distinguishes the cluster, so it is possible that two different names can clash. If this happens, the node will not be allowed into the existing cluster and you will have to pick another name or use different port number for cluster communication.
-p <port>
UDP port number used for cluster communication. This defaults to 5405.
-v <votes>
Number of votes this node has in the cluster. Defaults to 1.
-e <expected votes>
Number of expected votes for the whole cluster. If different nodes provide different values then the highest is used. The cluster will only operate when quorum is reached - that is more than half the available votes are available to the cluster. The default for this value is the total number of votes for all nodes in the configuration file.
-2 |
Sets the cluster up for a special "two node only" mode. Because of the quorum requirements mentioned above, a two-node cluster cannot be valid. This option tells the cluster manager that there will only ever be two nodes in the cluster and relies on fencing to ensure cluster integrity. If you specify this you cannot add more nodes without taking down the existing cluster and reconfiguring it. Expected votes should be set to 1 for a two-node cluster. |
-n <nodename>
Overrides the node name. By default the unqualified hostname is used. This option is also used to specify which interface is used for cluster communication.
-N <nodeid>
Overrides the node ID for this node. Normally, nodes are assigned a node id in cluster.conf. If you specify an incorrect node ID here, the node might not be allowed to join the cluster. Setting node IDs in the configuration is a far better way to do this. Note that the node’s application to join the cluster may be rejected if you try to set the nodeid to one that has already been used, or if the node was previously a member of the cluster but with a different nodeid.
-o <nodename>
Override the name this node will have in the cluster. This will normally be the hostname or the first name specified by -n. Note how this differs from -n: -n tells cman_tool how to find the host address and/or the entry in the configuration file. -o simply changes the name the node will have in the cluster and has no bearing on the actual name of the machine. Use this option will extreme caution.
-m <multicast-address>
Specifies a multicast address to use for cluster communication. This is required for IPv6 operation. You should also specify an ethernet interface to bind to this multicast address using the -i option.
-w |
Join and wait until the node is a cluster member. | ||
-q |
Join and wait until the cluster is quorate. If the cluster join fails and -w (or -q) is specified, then it will be retried. Note that cman_tool cannot tell whether the cluster join was rejected by another node for a good reason or that it timed out for some benign reason; so it is strongly recommended that a timeout is also given with the wait options to join. If you don’t want join to retry on failure but do want to wait, use the cman_tool join command without -w followed by cman_tool wait. |
-k <keyfile>
All traffic sent out by cman/corosync is encrypted. By default the security key used is simply the cluster name. If you need more security you can specify a key file that contains the key used to encrypt cluster communications. Of course, the contents of the key file must be the same on all nodes in the cluster. It is up to you to securely copy the file to the nodes.
-t <seconds>
If -w or -q is also specified then -t dictates the maximum amount of time cman_tool is prepared to wait. If the operation times out then a status of 2 is returned. Note that just because cman_tool has given up, does not mean that cman itself has stopped trying to join a cluster.
-X |
Tells cman not to use the configuration file to get cluster information. If you use this option then cman will apply several defaults to the cluster to get it going. The cluster name will be "RHCluster", node IDs will default to the IP address of the node and remote node names will show up as Node<nodeid>. All of these, apart from the node names can be overridden on the cman_tool command-line if required. |
If you have to set up fence
devices, services or anything else in cluster.conf then this
option is probably not worthwhile to you - the extra
readability of sensible node names and numbers will make it
worth using cluster.conf for the cluster too. But for a
simple failover cluster this might save you some effort.
On each node using this configuration you will need to have
the same authorization key installed. To create this key run
corosync-keygen
mv /etc/ais/authkey /etc/cluster/cman_authkey
then copy that file to all nodes you want to join the
cluster.
-C |
Overrides the default configuration module. Usually cman uses xmlconfig (cluster.conf) to load its configuration. If you have your configuration database held elsewhere (eg LDAP) and have a configuration plugin for it, then you should specify the name of the module (see the documentation for the module for the name of it - it’s not necessarily the same as the filename) here. |
It is possible to chain
configuration modules by separating them with colons. So to
add two modules (eg) ’ldapconfig’ and
’ldappreproc’ to the chain start cman with -C
ldapconfig:ldappreproc
The default value for this is ’xmlconfig’. Note
that if the -X is on the command-line then -C will be
ignored.
-A |
Don’t load openais services. Normally cman_tool join will load the configuration module ’openaisserviceenablestable’ which will load the services installed by openais. If you don’t want to use these services or have not installed openais then this switch will disable them. | ||
-D |
Tells cman_tool whether to validate the configuration before loading or reloading it. By default the configuration is validated, which is equivalent to -Dfail. |
-Dwarn will validate the
configuration and print any messages arising, but will
attempt to use it regardless of its validity.
-Dnone (or just -D) will skip the validation completely.
The -D switch does not take a space between -D and the
parameter. so ’-D fail’ will cause an error. Use
-Dfail.
NODES OPTIONS
-a |
Shows the IP address(es) the nodes are communicating on. |
-n <nodename>
Shows node information for a specific node. This should be the unqualified node name as it appears in ’cman_tool nodes’.
-F <format>
Specify the format of the output. The format string may contain one or more format options, each separated by a comma. Valid format options include: id, name, type, and addr.
DEBUG OPTIONS
-d <value>
The value is a bitmask of
2 Barriers
4 Membership messages
8 Daemon operation, including command-line interaction
16 Interaction with Corosync
32 Startup debugging (cman_tool join operations only)
NOTES
the
nodes subcommand shows a list of nodes known to cman.
the state is one of the following:
M The node is a member of the cluster
X The node is not a member of the cluster
d The node is known to the cluster but disallowed access to
it.
ENVIRONMENT VARIABLES
cman_tool removes most environment variables before forking and running Corosync, as well as adding some of its own for setting up configuration parameters that were overridden on the command-line, the exception to this is that variable with names starting COROSYNC_ will be passed down intact as they are assumed to be used for configuring the daemon.
DISALLOWED NODES
Occasionally
(but very infrequently I hope) you may see nodes marked as
"Disallowed" in cman_tool status or "d"
in cman_tool nodes. This is a bit of a nasty hack to get
around mismatch between what the upper layers expect of the
cluster manager and corosync.
If a node experiences a momentary lack of connectivity, but
one that is
long enough to trigger the token timeouts, then it will be
removed from
the cluster. When connectivity is restored corosync will
happily let it
rejoin the cluster with no fuss. Sadly the upper layers
don’t like this
very much. They may (indeed probably will have) have changed
their
internal state while the other node was away and there is no
straightforward way to bring the rejoined node up-to-date
with that
state. When this happens the node is marked
"Disallowed" and is not
permitted to take part in cman operations.
If the remainder of the cluster is quorate the the node will be sent a kill message and it will be forced to leave the cluster that way. Note that fencing should kick in to remove the node permanently anyway, but it may take longer than the network outage for this to complete.
If the remainder of the cluster is inquorate then we have a problem. The likelihood is that we will have two (or more) partitioned clusters and we cannot decide which is the "right" one. In this case we need to defer to the system administrator to kill an appropriate selection of nodes to restore the cluster to sensible operation.
The latter scenario should be very rare and may indicate a bug somewhere in the code. If the local network is very flaky or busy it may be necessary to increase some of the protocol timeouts for corosync. We are trying to think of better solutions to this problem.
Recovering from this state can, unfortunately, be complicated. Fortunately, in the majority of cases, fencing will do the job for you, and the disallowed state will only be temporary. If it persists, the recommended approach it is to do a cman tool nodes on all systems in the cluster and determine the largest common subset of nodes that are valid members to each other. Then reboot the others and let them rejoin correctly. In the case of a single-node disconnection this should be straightforward, with a large cluster that has experienced a network partition it could get very complicated!
Example:
In this example
we have a five node cluster that has experienced a network
partition. Here is the output of cman_tool nodes from all
systems:
Node Sts Inc Joined Name
1 M 2372 2007-11-05 02:58:55 node-01.example.com
2 d 2376 2007-11-05 02:58:56 node-02.example.com
3 d 2376 2007-11-05 02:58:56 node-03.example.com
4 M 2376 2007-11-05 02:58:56 node-04.example.com
5 M 2376 2007-11-05 02:58:56 node-05.example.com
Node Sts Inc
Joined Name
1 d 2372 2007-11-05 02:58:55 node-01.example.com
2 M 2376 2007-11-05 02:58:56 node-02.example.com
3 M 2376 2007-11-05 02:58:56 node-03.example.com
4 d 2376 2007-11-05 02:58:56 node-04.example.com
5 d 2376 2007-11-05 02:58:56 node-05.example.com
Node Sts Inc
Joined Name
1 d 2372 2007-11-05 02:58:55 node-01.example.com
2 M 2376 2007-11-05 02:58:56 node-02.example.com
3 M 2376 2007-11-05 02:58:56 node-03.example.com
4 d 2376 2007-11-05 02:58:56 node-04.example.com
5 d 2376 2007-11-05 02:58:56 node-05.example.com
Node Sts Inc
Joined Name
1 M 2372 2007-11-05 02:58:55 node-01.example.com
2 d 2376 2007-11-05 02:58:56 node-02.example.com
3 d 2376 2007-11-05 02:58:56 node-03.example.com
4 M 2376 2007-11-05 02:58:56 node-04.example.com
5 M 2376 2007-11-05 02:58:56 node-05.example.com
Node Sts Inc
Joined Name
1 M 2372 2007-11-05 02:58:55 node-01.example.com
2 d 2376 2007-11-05 02:58:56 node-02.example.com
3 d 2376 2007-11-05 02:58:56 node-03.example.com
4 M 2376 2007-11-05 02:58:56 node-04.example.com
5 M 2376 2007-11-05 02:58:56 node-05.example.com
In this scenario we should kill the node node-02 and
node-03. Of course, the 3 node cluster of node-01, node-04
& node-05 should remain quorate and be able to fenced
the two rejoined nodes anyway, but it is possible that the
cluster has a qdisk setup that precludes this.
CONFIGURATION SYSTEMS
This section
details how the configuration systems work in cman. You
might need to know this if you are using the -C option to
cman_tool, or writing your own configuration subsystem.
By default cman uses two configuration plugins to corosync.
The first, ’xmlconfig’, reads the configuration
information stored in cluster.conf and stores it in an
internal database, in the same schema as it finds in
cluster.conf. The second plugin,
’cmanpreconfig’, takes the information in that
the database, adds several cman defaults, determines the
corosync node name and nodeID and formats the information in
a similar manner to corosync.conf(5). Corosync then reads
those keys to start the cluster protocol. cmanpreconfig also
reads several environment variables that might be set by
cman_tool which can override information in the
configuration.
In the absence of xmlconfig, ie when ’cman_tool
join’ is run with -X switch (this removes xmlconfig
from the module list), cmanpreconfig also generates several
defaults so that the cluster can be got running without any
configuration information - see above for the details.
Note that cmanpreconfig will not overwrite corosync keys
that are explicitly set in the configuration file, allowing
you to provide custom values for token timeouts etc, even
though cman has its own defaults for some of those values.
The exception to this is the node name/address and multicast
values, which are always taken from the cman configuration
keys.
Most of the extra keys that cmanpreconfig adds are outside
of the /cluster/ tree and will only be seen if you dump the
whole of corosync’s object database. However it does
add some keys into /cluster/cman that you would not normally
see in a normal cluster.conf file. These are harmless,
though could be confusing. The most obvious of these is the
"nodename" option which is passed from
cmanpreconfig to the name cman module, to save it
recalculating the node name again.