| blob | 77586353c7ed8db5c8f63f5a2c80b9bda85cb7c0 |
1 /*
2 ctdb recovery daemon
4 Copyright (C) Ronnie Sahlberg 2007
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
33 /* List of SRVID requests that need to be processed */
37 };
41 };
45 TDB_DATA result)
46 {
47 /* Someone that sent srvid==0 does not want a reply */
51 }
62 }
65 }
69 TDB_DATA result)
70 {
75 }
77 /* Free the list structure... */
79 }
84 {
87 TDB_DATA result;
93 }
94 }
98 /* If *requests was just allocated above then free it */
101 }
103 }
110 nomem:
111 /* Failed to add the request to the list. Send a fail. */
118 }
123 };
125 /*
126 private state of recovery daemon
127 */
148 };
150 #define CONTROL_TIMEOUT() timeval_current_ofs(ctdb->tunable.recover_timeout, 0)
151 #define MONITOR_TIMEOUT() timeval_current_ofs(ctdb->tunable.recover_interval, 0)
153 static void ctdb_restart_recd(struct event_context *ev, struct timed_event *te, struct timeval t, void *private_data);
155 /*
156 ban a node for a period of time
157 */
159 {
167 }
178 }
180 }
182 enum monitor_result { MONITOR_OK, MONITOR_RECOVERY_NEEDED, MONITOR_ELECTION_NEEDED, MONITOR_FAILED};
185 /*
186 remember the trouble maker
187 */
189 {
196 }
198 /* If we are banned or stopped, do not set other nodes as culprits */
202 }
209 }
212 /* this was the first time in a long while this node
213 misbehaved so we will forgive any old transgressions.
214 */
216 }
221 }
223 /*
224 remember the trouble maker
225 */
227 {
229 }
232 /* this callback is called for every node that failed to execute the
233 recovered event
234 */
235 static void recovered_fail_callback(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
236 {
239 DEBUG(DEBUG_ERR, (__location__ " Node %u failed the recovered event. Setting it as recovery fail culprit\n", node_pnn));
242 }
244 /*
245 run the "recovered" eventscript on all nodes
246 */
247 static int run_recovered_eventscript(struct ctdb_recoverd *rec, struct ctdb_node_map *nodemap, const char *caller)
248 {
262 DEBUG(DEBUG_ERR, (__location__ " Unable to run the 'recovered' event when called from %s\n", caller));
266 }
270 }
272 /* this callback is called for every node that failed to execute the
273 start recovery event
274 */
275 static void startrecovery_fail_callback(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
276 {
279 DEBUG(DEBUG_ERR, (__location__ " Node %u failed the startrecovery event. Setting it as recovery fail culprit\n", node_pnn));
282 }
284 /*
285 run the "startrecovery" eventscript on all nodes
286 */
287 static int run_startrecovery_eventscript(struct ctdb_recoverd *rec, struct ctdb_node_map *nodemap)
288 {
300 NULL,
301 startrecovery_fail_callback,
303 DEBUG(DEBUG_ERR, (__location__ " Unable to run the 'startrecovery' event. Recovery failed.\n"));
306 }
310 }
312 static void async_getcap_callback(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
313 {
315 DEBUG(DEBUG_ERR, (__location__ " Invalid length/pointer for getcap callback : %u %p\n", (unsigned)outdata.dsize, outdata.dptr));
317 }
320 }
324 }
325 }
327 /*
328 update the node capabilities for all connected nodes
329 */
331 {
348 }
352 }
354 static void set_recmode_fail_callback(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
355 {
358 DEBUG(DEBUG_ERR,("Failed to freeze node %u during recovery. Set it as ban culprit for %d credits\n", node_pnn, rec->nodemap->num));
360 }
362 static void transaction_start_fail_callback(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
363 {
366 DEBUG(DEBUG_ERR,("Failed to start recovery transaction on node %u. Set it as ban culprit for %d credits\n", node_pnn, rec->nodemap->num));
368 }
370 /*
371 change recovery mode on all nodes
372 */
373 static int set_recovery_mode(struct ctdb_context *ctdb, struct ctdb_recoverd *rec, struct ctdb_node_map *nodemap, uint32_t rec_mode)
374 {
375 TDB_DATA data;
382 /* freeze all nodes */
392 NULL,
393 set_recmode_fail_callback,
398 }
399 }
400 }
415 }
419 }
421 /*
422 change recovery master on all node
423 */
424 static int set_recovery_master(struct ctdb_context *ctdb, struct ctdb_node_map *nodemap, uint32_t pnn)
425 {
426 TDB_DATA data;
445 }
449 }
451 /* update all remote nodes to use the same db priority that we have
452 this can fail if the remove node has not yet been upgraded to
453 support this function, so we always return success and never fail
454 a recovery if this call fails.
455 */
459 {
462 /* step through all local databases */
468 ret = ctdb_ctrl_get_db_priority(ctdb, CONTROL_TIMEOUT(), CTDB_CURRENT_NODE, dbmap->dbs[db].dbid, &db_prio.priority);
470 DEBUG(DEBUG_ERR,(__location__ " Failed to read database priority from local node for db 0x%08x\n", dbmap->dbs[db].dbid));
472 }
474 DEBUG(DEBUG_INFO,("Update DB priority for db 0x%08x to %u\n", dbmap->dbs[db].dbid, db_prio.priority));
481 }
482 }
485 }
487 /*
488 ensure all other nodes have attached to any databases that we have
489 */
490 static int create_missing_remote_databases(struct ctdb_context *ctdb, struct ctdb_node_map *nodemap,
492 {
496 /* verify that all other nodes have all our databases */
498 /* we dont need to ourself ourselves */
501 }
502 /* dont check nodes that are unavailable */
505 }
512 }
514 /* step through all local databases */
522 }
523 }
524 /* the remote node already have this database */
527 }
528 /* ok so we need to create this database */
535 }
543 }
544 }
545 }
548 }
551 /*
552 ensure we are attached to any databases that anyone else is attached to
553 */
554 static int create_missing_local_databases(struct ctdb_context *ctdb, struct ctdb_node_map *nodemap,
556 {
560 /* verify that we have all database any other node has */
562 /* we dont need to ourself ourselves */
565 }
566 /* dont check nodes that are unavailable */
569 }
576 }
578 /* step through all databases on the remote node */
585 }
586 }
587 /* we already have this db locally */
590 }
591 /* ok so we need to create this database and
592 rebuild dbmap
593 */
600 }
606 }
611 }
612 }
613 }
616 }
619 /*
620 pull the remote database contents from one node into the recdb
621 */
624 {
626 TDB_DATA outdata;
638 }
646 }
655 TDB_DATA existing;
668 }
670 /* fetch the existing record, if any */
681 }
687 }
688 }
694 }
695 }
700 }
707 };
709 static void pull_seqnum_cb(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
710 {
715 DEBUG(DEBUG_ERR, ("Got seqnum from node %d but we have already failed the entire operation\n", node_pnn));
717 }
723 }
726 DEBUG(DEBUG_ERR, ("Error when reading pull seqnum from node %d, got %d bytes but expected %d\n", node_pnn, (int)outdata.dsize, (int)sizeof(uint64_t)));
729 }
737 }
738 }
740 static void pull_seqnum_fail_cb(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
741 {
746 }
752 {
755 TDB_DATA data;
772 }
782 pull_seqnum_cb,
783 pull_seqnum_fail_cb,
789 }
795 }
798 DEBUG(DEBUG_NOTICE, ("Failed to find a node with highest sequence numbers for DB 0x%08x\n", dbid));
801 }
803 DEBUG(DEBUG_NOTICE, ("Pull persistent db:0x%08x from node %d with highest seqnum:%lld\n", dbid, cb_data->pnn, (long long)cb_data->seqnum));
806 DEBUG(DEBUG_ERR, ("Failed to pull higest seqnum database 0x%08x from node %d\n", dbid, cb_data->pnn));
809 }
813 }
816 /*
817 pull all the remote database contents into the recdb
818 */
824 {
832 }
833 }
835 /* pull all records from all other nodes across onto this node
836 (this merges based on rsn)
837 */
839 /* dont merge from nodes that are unavailable */
842 }
848 }
849 }
852 }
855 /*
856 update flags on all active nodes
857 */
858 static int update_flags_on_all_nodes(struct ctdb_context *ctdb, struct ctdb_node_map *nodemap, uint32_t pnn, uint32_t flags)
859 {
866 }
869 }
871 /*
872 ensure all nodes have the same vnnmap we do
873 */
876 {
879 /* push the new vnn map out to all the nodes */
881 /* dont push to nodes that are unavailable */
884 }
890 }
891 }
894 }
904 };
908 /*
909 called when a vacuum fetch has completed - just free it and do the next one
910 */
912 {
916 }
919 /*
920 process the next element from the vacuum list
921 */
923 {
929 TDB_DATA data;
944 /* ensure we don't block this daemon - just skip a record if we can't get
945 the chainlock */
948 }
954 }
960 }
964 /* its already local */
968 }
978 }
982 }
985 }
988 /*
989 destroy a vacuum info structure
990 */
992 {
995 }
998 /*
999 handler for vacuum fetch
1000 */
1003 {
1022 }
1028 /* we're already working on records from this node */
1031 }
1032 }
1034 /* work out if the database is persistent */
1040 }
1046 }
1047 }
1052 }
1054 /* find the name of this database */
1055 if (ctdb_ctrl_getdbname(ctdb, CONTROL_TIMEOUT(), CTDB_CURRENT_NODE, recs->db_id, tmp_ctx, &name) != 0) {
1059 }
1061 /* attach to it */
1067 }
1074 }
1085 }
1094 }
1097 /*
1098 * handler for database detach
1099 */
1102 {
1111 }
1116 /* database is not attached */
1118 }
1120 /* Stop any active vacuum fetch */
1127 }
1129 }
1136 }
1138 /*
1139 called when ctdb_wait_timeout should finish
1140 */
1143 {
1146 }
1148 /*
1149 wait for a given number of seconds
1150 */
1152 {
1155 event_add_timed(ctdb->ev, ctdb, timeval_current_ofs(secs, usecs), ctdb_wait_handler, &timed_out);
1158 }
1159 }
1161 /*
1162 called when an election times out (ends)
1163 */
1166 {
1172 }
1175 /*
1176 wait for an election to finish. It finished election_timeout seconds after
1177 the last election packet is received
1178 */
1180 {
1184 }
1185 }
1187 /*
1188 Update our local flags from all remote connected nodes.
1189 This is only run when we are or we belive we are the recovery master
1190 */
1192 {
1197 /* get the nodemap for all active remote nodes and verify
1198 they are the same as for this node
1199 */
1206 }
1209 }
1219 }
1221 /* We should tell our daemon about this so it
1222 updates its flags or else we will log the same
1223 message again in the next iteration of recovery.
1224 Since we are the recovery master we can just as
1225 well update the flags on all nodes.
1226 */
1227 ret = ctdb_ctrl_modflags(ctdb, CONTROL_TIMEOUT(), nodemap->nodes[j].pnn, remote_nodemap->nodes[j].flags, ~remote_nodemap->nodes[j].flags);
1231 }
1233 /* Update our local copy of the flags in the recovery
1234 daemon.
1235 */
1240 }
1242 }
1245 }
1248 /* Create a new random generation ip.
1249 The generation id can not be the INVALID_GENERATION id
1250 */
1252 {
1260 }
1261 }
1264 }
1267 /*
1268 create a temporary working database
1269 */
1271 {
1276 /* open up the temporary recovery database */
1282 }
1288 }
1295 }
1300 }
1303 /*
1304 a traverse function for pulling all relevant records from recdb
1305 */
1313 };
1316 {
1321 /*
1322 * skip empty records - but NOT for persistent databases:
1323 *
1324 * The record-by-record mode of recovery deletes empty records.
1325 * For persistent databases, this can lead to data corruption
1326 * by deleting records that should be there:
1327 *
1328 * - Assume the cluster has been running for a while.
1329 *
1330 * - A record R in a persistent database has been created and
1331 * deleted a couple of times, the last operation being deletion,
1332 * leaving an empty record with a high RSN, say 10.
1333 *
1334 * - Now a node N is turned off.
1335 *
1336 * - This leaves the local database copy of D on N with the empty
1337 * copy of R and RSN 10. On all other nodes, the recovery has deleted
1338 * the copy of record R.
1339 *
1340 * - Now the record is created again while node N is turned off.
1341 * This creates R with RSN = 1 on all nodes except for N.
1342 *
1343 * - Now node N is turned on again. The following recovery will chose
1344 * the older empty copy of R due to RSN 10 > RSN 1.
1345 *
1346 * ==> Hence the record is gone after the recovery.
1347 *
1348 * On databases like Samba's registry, this can damage the higher-level
1349 * data structures built from the various tdb-level records.
1350 */
1353 }
1355 /* update the dmaster field to point to us */
1360 }
1362 /* add the record to the blob ready to send to the nodes */
1367 }
1369 params->allocated_len = rec->length + params->len + params->ctdb->tunable.pulldb_preallocation_size;
1371 }
1377 }
1384 }
1386 /*
1387 push the recdb database out to all nodes
1388 */
1392 {
1395 TDB_DATA outdata;
1419 }
1426 }
1443 }
1452 }
1455 /*
1456 go through a full recovery on one database
1457 */
1465 {
1469 TDB_DATA data;
1476 }
1478 /* pull all remote databases onto the recdb */
1483 }
1487 /* wipe all the remote databases. This is safe as we are in a transaction */
1503 }
1505 /* push out the correct database. This sets the dmaster and skips
1506 the empty records */
1511 }
1513 /* all done with this database */
1517 }
1523 {
1532 }
1534 }
1537 /* For readability */
1540 /* release any existing data */
1544 }
1548 }
1552 }
1554 /* Retrieve the list of known public IPs from the node */
1567 }
1569 }
1578 }
1580 /* Retrieve the list of available public IPs from the node */
1585 CTDB_PUBLIC_IP_FLAGS_ONLY_AVAILABLE,
1593 }
1595 }
1596 }
1599 }
1601 /* when we start a recovery, make sure all nodes use the same reclock file
1602 setting
1603 */
1605 {
1608 TDB_DATA data;
1617 }
1629 }
1633 }
1636 /*
1637 * this callback is called for every node that failed to execute ctdb_takeover_run()
1638 * and set flag to re-run takeover run.
1639 */
1640 static void takeover_fail_callback(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
1641 {
1650 }
1651 }
1655 {
1664 }
1668 }
1676 /* Banning ourself? */
1679 }
1680 }
1681 }
1686 {
1689 TDB_DATA data;
1702 }
1706 /* If takeover runs are in disabled then fail... */
1712 }
1714 /* Disable IP checks (takeover runs, really) on other nodes
1715 * while doing this takeover run. This will stop those other
1716 * nodes from triggering takeover runs when think they should
1717 * be hosting an IP but it isn't yet on an interface. Don't
1718 * wait for replies since a failure here might cause some
1719 * noise in the logs but will not actually cause a problem.
1720 */
1729 /* Disable for 60 seconds. This can be a tunable later if
1730 * necessary.
1731 */
1735 CTDB_SRVID_DISABLE_TAKEOVER_RUNS,
1738 }
1739 }
1743 takeover_fail_callback,
1746 /* Reenable takeover runs and IP checks on other nodes */
1750 CTDB_SRVID_DISABLE_TAKEOVER_RUNS,
1753 }
1754 }
1760 }
1763 /* Takeover run was successful so clear force rebalance targets */
1769 }
1770 done:
1777 }
1780 /*
1781 we are the recmaster, and recovery is needed - start a recovery run
1782 */
1786 {
1791 TDB_DATA data;
1799 /* if recovery fails, force it again */
1806 }
1817 }
1820 }
1822 DEBUG(DEBUG_NOTICE, (__location__ " Recovery initiated due to problem with node %u\n", rec->last_culprit_node));
1824 /* get a list of all databases */
1829 }
1831 /* we do the db creation before we set the recovery mode, so the freeze happens
1832 on all databases we will be dealing with. */
1834 /* verify that we have all the databases any other node has */
1839 }
1841 /* verify that all other nodes have all our databases */
1846 }
1849 /* update the database priority for all remote databases */
1853 }
1857 /* update all other nodes to use the same setting for reclock files
1858 as the local recovery master.
1859 */
1862 /* set recovery mode to active on all nodes */
1867 }
1869 /* execute the "startrecovery" event script on all nodes */
1874 }
1876 /*
1877 update all nodes to have the same flags that we have
1878 */
1882 }
1891 }
1892 }
1893 }
1897 /* pick a new generation number */
1900 /* change the vnnmap on this node to use the new generation
1901 number but not on any other nodes.
1902 this guarantees that if we abort the recovery prematurely
1903 for some reason (a node stops responding?)
1904 that we can just return immediately and we will reenter
1905 recovery shortly again.
1906 I.e. we deliberately leave the cluster with an inconsistent
1907 generation id to allow us to abort recovery at any stage and
1908 just restart it from scratch.
1909 */
1915 }
1924 NULL,
1925 transaction_start_fail_callback,
1931 NULL,
1932 NULL,
1935 }
1937 }
1949 }
1950 }
1954 /* commit all the changes */
1962 }
1967 /* update the capabilities for all nodes */
1972 }
1974 /* build a new vnn map with all the currently active and
1975 unbanned nodes */
1986 }
1988 /* this node can not be an lmaster */
1991 }
1998 }
2005 }
2007 /* update to the new vnnmap on all nodes */
2012 }
2016 /* update recmaster to point to us for all nodes */
2021 }
2025 /* disable recovery mode */
2030 }
2034 /* Fetch known/available public IPs from each active node */
2038 culprit));
2041 }
2045 /* execute the "recovered" event script on all nodes */
2048 DEBUG(DEBUG_ERR, (__location__ " Unable to run the 'recovered' event on cluster. Recovery process failed.\n"));
2050 }
2054 /* send a message to all clients telling them that the cluster
2055 has been reconfigured */
2061 }
2067 /* we managed to complete a full recovery, make sure to forgive
2068 any past sins by the nodes that could now participate in the
2069 recovery.
2070 */
2077 }
2082 }
2085 }
2088 /* We just finished a recovery successfully.
2089 We now wait for rerecovery_timeout before we allow
2090 another recovery to take place.
2091 */
2092 DEBUG(DEBUG_NOTICE, ("Just finished a recovery. New recoveries will now be supressed for the rerecovery timeout (%d seconds)\n", ctdb->tunable.rerecovery_timeout));
2094 DEBUG(DEBUG_NOTICE, ("The rerecovery timeout has elapsed. We now allow recoveries to trigger again.\n"));
2097 }
2100 /*
2101 elections are won by first checking the number of connected nodes, then
2102 the priority time, then the pnn
2103 */
2109 };
2111 /*
2112 form this nodes election data
2113 */
2115 {
2129 }
2137 }
2138 }
2140 /* we shouldnt try to win this election if we cant be a recmaster */
2144 }
2147 }
2149 /*
2150 see if the given election data wins
2151 */
2153 {
2159 /* we cant win if we dont have the recmaster capability */
2162 }
2164 /* we cant win if we are banned */
2167 }
2169 /* we cant win if we are stopped */
2172 }
2174 /* we will automatically win if the other node is banned */
2177 }
2179 /* we will automatically win if the other node is banned */
2182 }
2184 /* try to use the most connected node */
2187 }
2189 /* then the longest running node */
2192 }
2196 }
2199 }
2201 /*
2202 send out an election request
2203 */
2205 {
2207 TDB_DATA election_data;
2220 /* first we assume we will win the election and set
2221 recoverymaster to be ourself on the current node
2222 */
2227 }
2230 /* send an election message to all active nodes */
2233 }
2235 /*
2236 this function will unban all nodes in the cluster
2237 */
2239 {
2248 }
2255 NODE_FLAGS_BANNED);
2258 }
2259 }
2260 }
2263 }
2266 /*
2267 we think we are winning the election - send a broadcast election request
2268 */
2269 static void election_send_request(struct event_context *ev, struct timed_event *te, struct timeval t, void *p)
2270 {
2277 }
2281 }
2283 /*
2284 handler for memory dumps
2285 */
2288 {
2298 }
2306 }
2312 }
2321 }
2324 }
2326 /*
2327 handler for getlog
2328 */
2331 {
2333 pid_t child;
2338 }
2345 }
2350 DEBUG(DEBUG_CRIT, (__location__ "ERROR: failed to switch log collector child into client mode.\n"));
2352 }
2355 }
2356 }
2358 /*
2359 handler for clearlog
2360 */
2363 {
2365 }
2367 /*
2368 handler for reload_nodes
2369 */
2372 {
2378 }
2384 {
2391 }
2396 }
2402 {
2411 }
2414 DEBUG(DEBUG_ERR,(__location__ " Incorrect size of node rebalance message. Was %zd but expected %zd bytes\n", data.dsize, sizeof(uint32_t)));
2416 }
2422 /* Copy any existing list of nodes. There's probably some
2423 * sort of realloc variant that will do this but we need to
2424 * make sure that freeing the old array also cancels the timer
2425 * event for the timeout... not sure if realloc will do that.
2426 */
2431 /* This allows duplicates to be added but they don't cause
2432 * harm. A call to add a duplicate PNN arguably means that
2433 * the timeout should be reset, so this is the simplest
2434 * solution.
2435 */
2440 }
2447 /* If configured, setup a deferred takeover run to make sure
2448 * that certain nodes get IPs rebalanced to them. This will
2449 * be cancelled if a successful takeover run happens before
2450 * the timeout. Assign tunable value to variable for
2451 * readability.
2452 */
2458 }
2459 }
2465 {
2472 }
2475 DEBUG(DEBUG_ERR,(__location__ " Incorrect size of recd update ip message. Was %zd but expected %zd bytes\n", data.dsize, sizeof(struct ctdb_public_ip)));
2477 }
2482 }
2486 {
2488 }
2493 {
2498 }
2503 {
2508 TDB_DATA result;
2511 /* Validate input data */
2517 }
2521 }
2531 }
2538 }
2542 /* Clear any old timers */
2545 /* When this is non-NULL it indicates that takeover runs are
2546 * disabled. This context also holds the timeout timer.
2547 */
2553 }
2555 /* Arrange for the timeout to occur */
2558 reenable_takeover_runs,
2559 rec);
2561 /* Returning our PNN tells the caller that we succeeded */
2563 done:
2567 }
2569 /* Backward compatibility for this SRVID - call
2570 * disable_takeover_runs_handler() instead
2571 */
2574 {
2577 TDB_DATA data2;
2585 }
2589 }
2602 CTDB_SRVID_DISABLE_TAKEOVER_RUNS,
2604 }
2606 /*
2607 handler for ip reallocate, just add it to the list of requests and
2608 handle this later in the monitor_cluster loop so we do not recurse
2609 with other requests to takeover_run()
2610 */
2613 {
2621 }
2626 }
2630 {
2631 TDB_DATA result;
2638 /* Only process requests that are currently pending. More
2639 * might come in while the takeover run is in progress and
2640 * they will need to be processed later since they might
2641 * be in response flag changes.
2642 */
2646 /* update the list of public ips that a node can handle for
2647 all connected nodes
2648 */
2652 culprit));
2654 }
2660 }
2661 }
2667 }
2670 /*
2671 handler for recovery master elections
2672 */
2675 {
2681 /* Ignore election packets from ourself */
2684 }
2686 /* we got an election packet - update the timeout for the election */
2689 fast_start ?
2696 /* someone called an election. check their election data
2697 and if we disagree and we would rather be the elected node,
2698 send a new election message to all other nodes
2699 */
2705 }
2707 /*unban_all_nodes(ctdb);*/
2709 }
2711 /* we didn't win */
2716 /* release the recmaster lock */
2722 }
2723 }
2725 /* ok, let that guy become recmaster then */
2731 }
2735 }
2738 /*
2739 force the start of the election process
2740 */
2743 {
2749 /* set all nodes to recovery mode to stop all internode traffic */
2754 }
2758 fast_start ?
2767 }
2769 /* wait for a few seconds to collect all responses */
2771 }
2775 /*
2776 handler for when a node changes its flags
2777 */
2780 {
2792 }
2802 }
2807 }
2813 }
2816 DEBUG(DEBUG_NOTICE,("Node %u has changed flags - now 0x%x was 0x%x\n", c->pnn, c->new_flags, c->old_flags));
2817 }
2829 }
2834 /* Only do the takeover run if the perm disabled or unhealthy
2835 flags changed since these will cause an ip failover but not
2836 a recovery.
2837 If the node became disconnected or banned this will also
2838 lead to an ip address failover but that is handled
2839 during recovery
2840 */
2843 }
2844 }
2847 }
2849 /*
2850 handler for when we need to push out flag changes ot all other nodes
2851 */
2854 {
2862 /* find the recovery master */
2868 }
2870 /* read the node flags from the recmaster */
2876 }
2881 }
2883 /* send the flags update to all connected nodes */
2895 }
2898 }
2904 };
2907 {
2908 struct verify_recmode_normal_data *rmdata = talloc_get_type(state->async.private_data, struct verify_recmode_normal_data);
2911 /* one more node has responded with recmode data*/
2914 /* if we failed to get the recmode, then return an error and let
2915 the main loop try again.
2916 */
2920 }
2922 }
2924 /* if we got a response, then the recmode will be stored in the
2925 status field
2926 */
2928 DEBUG(DEBUG_NOTICE, ("Node:%u was in recovery mode. Start recovery process\n", state->c->hdr.destnode));
2930 }
2933 }
2936 /* verify that all nodes are in normal recovery mode */
2937 static enum monitor_result verify_recmode(struct ctdb_context *ctdb, struct ctdb_node_map *nodemap)
2938 {
2950 /* loop over all active nodes and send an async getrecmode call to
2951 them*/
2955 }
2960 /* we failed to send the control, treat this as
2961 an error and try again next iteration
2962 */
2966 }
2968 /* set up the callback functions */
2972 /* one more control to wait for to complete */
2974 }
2977 /* now wait for up to the maximum number of seconds allowed
2978 or until all nodes we expect a response from has replied
2979 */
2982 }
2987 }
2995 };
2998 {
2999 struct verify_recmaster_data *rmdata = talloc_get_type(state->async.private_data, struct verify_recmaster_data);
3002 /* one more node has responded with recmaster data*/
3005 /* if we failed to get the recmaster, then return an error and let
3006 the main loop try again.
3007 */
3011 }
3013 }
3015 /* if we got a response, then the recmaster will be stored in the
3016 status field
3017 */
3019 DEBUG(DEBUG_ERR,("Node %d thinks node %d is recmaster. Need a new recmaster election\n", state->c->hdr.destnode, state->status));
3022 }
3025 }
3028 /* verify that all nodes agree that we are the recmaster */
3029 static enum monitor_result verify_recmaster(struct ctdb_recoverd *rec, struct ctdb_node_map *nodemap, uint32_t pnn)
3030 {
3045 /* loop over all active nodes and send an async getrecmaster call to
3046 them*/
3050 }
3055 /* we failed to send the control, treat this as
3056 an error and try again next iteration
3057 */
3061 }
3063 /* set up the callback functions */
3067 /* one more control to wait for to complete */
3069 }
3072 /* now wait for up to the maximum number of seconds allowed
3073 or until all nodes we expect a response from has replied
3074 */
3077 }
3082 }
3086 {
3093 /* Read the interfaces from the local node */
3097 /* We could return an error. However, this will be
3098 * rare so we'll decide that the interfaces have
3099 * actually changed, just in case.
3100 */
3103 }
3106 /* We haven't been here before so things have changed */
3110 /* Number of interfaces has changed */
3115 /* See if interface names or link states have changed */
3125 }
3133 }
3134 }
3135 }
3142 }
3144 /* called to check that the local allocation of public ip addresses is ok.
3145 */
3146 static int verify_local_ip_allocation(struct ctdb_context *ctdb, struct ctdb_recoverd *rec, uint32_t pnn, struct ctdb_node_map *nodemap)
3147 {
3160 }
3165 pnn));
3167 }
3175 }
3177 /* skip the check if the startrecovery time has changed */
3180 DEBUG(DEBUG_NOTICE, (__location__ " last recovery time changed while we read the public ip list. skipping public ip address check\n"));
3183 }
3185 /* skip the check if the endrecovery time has changed */
3188 DEBUG(DEBUG_NOTICE, (__location__ " last recovery time changed while we read the public ip list. skipping public ip address check\n"));
3191 }
3193 /* skip the check if we have started but not finished recovery */
3196 DEBUG(DEBUG_INFO, (__location__ " in the middle of recovery or ip reallocation. skipping public ip address check\n"));
3200 }
3202 /* verify that we have the ip addresses we should have
3203 and we dont have ones we shouldnt have.
3204 if we find an inconsistency we set recmode to
3205 active on the local node and wait for the recmaster
3206 to do a full blown recovery.
3207 also if the pnn is -1 and we are healthy and can host the ip
3208 we also request a ip reallocation.
3209 */
3213 /* read the *available* IPs from the local node */
3214 ret = ctdb_ctrl_get_public_ips_flags(ctdb, CONTROL_TIMEOUT(), CTDB_CURRENT_NODE, mem_ctx, CTDB_PUBLIC_IP_FLAGS_ONLY_AVAILABLE, &ips);
3219 }
3227 }
3228 }
3232 /* read the *known* IPs from the local node */
3233 ret = ctdb_ctrl_get_public_ips_flags(ctdb, CONTROL_TIMEOUT(), CTDB_CURRENT_NODE, mem_ctx, 0, &ips);
3238 }
3246 }
3251 DEBUG(DEBUG_CRIT,("We are still serving a public IP '%s' that we should not be serving. Removing it\n",
3256 }
3257 }
3258 }
3259 }
3260 }
3264 TDB_DATA data;
3275 DEBUG(DEBUG_ERR,(__location__ " Failed to send ipreallocate to recmaster :%d\n", (int)rec->recmaster));
3276 }
3277 }
3280 }
3283 static void async_getnodemap_callback(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
3284 {
3290 }
3292 remote_nodemaps[node_pnn] = (struct ctdb_node_map *)talloc_steal(remote_nodemaps, outdata.dptr);
3294 }
3299 {
3306 async_getnodemap_callback,
3307 NULL,
3312 }
3315 }
3322 pid_t child;
3326 };
3328 /* when we free the reclock state we must kill any child process.
3329 */
3331 {
3334 ctdb_ctrl_report_recd_lock_latency(ctdb, CONTROL_TIMEOUT(), timeval_elapsed(&state->start_time));
3339 }
3343 }
3346 }
3348 /*
3349 called if our check_reclock child times out. this would happen if
3350 i/o to the reclock file blocks.
3351 */
3354 {
3358 DEBUG(DEBUG_ERR,(__location__ " check_reclock child process hung/timedout CFS slow to grant locks?\n"));
3360 }
3362 /* this is called when the child process has completed checking the reclock
3363 file and has written data back to us through the pipe.
3364 */
3367 {
3373 /* we got a response from our child process so we can abort the
3374 timeout.
3375 */
3385 }
3389 }
3392 {
3400 }
3416 }
3427 }
3439 }
3442 /* make sure we die when our parent dies */
3445 }
3447 }
3452 DEBUG(DEBUG_DEBUG, (__location__ " Created PIPE FD:%d for check_recovery_lock\n", state->fd[0]));
3462 }
3465 EVENT_FD_READ,
3466 reclock_child_handler,
3473 }
3478 }
3486 }
3490 }
3493 {
3497 if (ctdb_ctrl_getreclock(ctdb, CONTROL_TIMEOUT(), CTDB_CURRENT_NODE, tmp_ctx, &reclockfile) != 0) {
3501 }
3511 }
3512 }
3516 }
3523 }
3526 }
3532 }
3540 }
3544 }
3548 {
3560 /* verify that the main daemon is still running */
3564 }
3566 /* ping the local daemon to tell it we are alive */
3570 /* an election is in progress */
3572 }
3574 /* read the debug level from the parent and update locally */
3579 }
3582 /* get relevant tunables */
3587 }
3589 /* get the current recovery lock file from the server */
3593 }
3595 /* Make sure that if recovery lock verification becomes disabled when
3596 we close the file
3597 */
3602 }
3603 }
3607 /* get the vnnmap */
3612 }
3615 /* get number of nodes */
3620 }
3625 }
3628 /* remember our own node flags */
3635 }
3637 /* if the local daemon is STOPPED or BANNED, we verify that the databases are
3638 also frozen and that the recmode is set to active.
3639 */
3641 /* If this node has become inactive then we want to
3642 * reduce the chances of it taking over the recovery
3643 * master role when it becomes active again. This
3644 * helps to stabilise the recovery master role so that
3645 * it stays on the most stable node.
3646 */
3649 ret = ctdb_ctrl_getrecmode(ctdb, mem_ctx, CONTROL_TIMEOUT(), CTDB_CURRENT_NODE, &ctdb->recovery_mode);
3652 }
3654 DEBUG(DEBUG_ERR,("Node is stopped or banned but recovery mode is not active. Activate recovery mode and lock databases\n"));
3660 }
3663 DEBUG(DEBUG_ERR,(__location__ " Failed to activate recovery mode in STOPPED or BANNED state\n"));
3666 }
3667 }
3669 /* If this node is stopped or banned then it is not the recovery
3670 * master, so don't do anything. This prevents stopped or banned
3671 * node from starting election and sending unnecessary controls.
3672 */
3674 }
3676 /* check which node is the recovery master */
3681 }
3683 /* If we are not the recmaster then do some housekeeping */
3685 /* Ignore any IP reallocate requests - only recmaster
3686 * processes them
3687 */
3689 /* Clear any nodes that should be force rebalanced in
3690 * the next takeover run. If the recovery master role
3691 * has moved then we don't want to process these some
3692 * time in the future.
3693 */
3695 }
3697 /* This is a special case. When recovery daemon is started, recmaster
3698 * is set to -1. If a node is not started in stopped state, then
3699 * start election to decide recovery master
3700 */
3705 }
3707 /* update the capabilities for all nodes */
3712 }
3714 /*
3715 * If the current recmaster does not have CTDB_CAP_RECMASTER,
3716 * but we have, then force an election and try to become the new
3717 * recmaster.
3718 */
3727 }
3729 /* count how many active nodes there are */
3738 }
3739 }
3742 }
3743 }
3746 /* verify that the recmaster node is still active */
3750 }
3751 }
3757 }
3759 /* if recovery master is disconnected we must elect a new recmaster */
3761 DEBUG(DEBUG_NOTICE, ("Recmaster node %u is disconnected. Force reelection\n", nodemap->nodes[j].pnn));
3764 }
3766 /* get nodemap from the recovery master to check if it is inactive */
3773 }
3778 DEBUG(DEBUG_NOTICE, ("Recmaster node %u no longer available. Force reelection\n", nodemap->nodes[j].pnn));
3779 /*
3780 * update our nodemap to carry the recmaster's notion of
3781 * its own flags, so that we don't keep freezing the
3782 * inactive recmaster node...
3783 */
3787 }
3789 /* verify that we have all ip addresses we should have and we dont
3790 * have addresses we shouldnt have.
3791 */
3796 }
3797 }
3800 /* if we are not the recmaster then we do not need to check
3801 if recovery is needed
3802 */
3805 }
3808 /* ensure our local copies of flags are right */
3814 }
3818 }
3821 DEBUG(DEBUG_ERR, (__location__ " ctdb->num_nodes (%d) != nodemap->num (%d) reloading nodes file\n", ctdb->num_nodes, nodemap->num));
3824 }
3826 /* verify that all active nodes agree that we are the recmaster */
3829 /* can not happen */
3838 }
3842 /* a previous recovery didn't finish */
3845 }
3847 /* verify that all active nodes are in normal mode
3848 and not in recovery mode
3849 */
3857 /* can not happen */
3860 }
3864 /* we should have the reclock - check its not stale */
3871 }
3872 }
3875 /* if there are takeovers requested, perform it and notify the waiters */
3879 }
3881 /* get the nodemap for all active remote nodes
3882 */
3887 }
3890 }
3894 }
3896 /* verify that all other nodes have the same nodemap as we have
3897 */
3901 }
3904 DEBUG(DEBUG_ERR,(__location__ " Did not get a remote nodemap for node %d, restarting monitoring\n", j));
3908 }
3910 /* if the nodes disagree on how many nodes there are
3911 then this is a good reason to try recovery
3912 */
3914 DEBUG(DEBUG_ERR, (__location__ " Remote node:%u has different node count. %u vs %u of the local node\n",
3919 }
3921 /* if the nodes disagree on which nodes exist and are
3922 active, then that is also a good reason to do recovery
3923 */
3926 DEBUG(DEBUG_ERR, (__location__ " Remote node:%u has different nodemap pnn for %d (%u vs %u).\n",
3931 vnnmap);
3933 }
3934 }
3935 }
3937 /*
3938 * Update node flags obtained from each active node. This ensure we have
3939 * up-to-date information for all the nodes.
3940 */
3944 }
3946 }
3951 }
3953 /* verify the flags are consistent
3954 */
3958 }
3961 DEBUG(DEBUG_ERR, (__location__ " Remote node:%u has different flags for node %u. It has 0x%02x vs our 0x%02x\n",
3967 DEBUG(DEBUG_ERR,("Use flags 0x%02x from remote node %d for cluster update of its own flags\n", remote_nodemaps[j]->nodes[i].flags, j));
3968 update_flags_on_all_nodes(ctdb, nodemap, nodemap->nodes[i].pnn, remote_nodemaps[j]->nodes[i].flags);
3971 vnnmap);
3974 DEBUG(DEBUG_ERR,("Use flags 0x%02x from local recmaster node for cluster update of node %d flags\n", nodemap->nodes[i].flags, i));
3978 vnnmap);
3980 }
3981 }
3982 }
3983 }
3986 /* There must be the same number of lmasters in the vnn map as
3987 * there are active nodes with the lmaster capability... or
3988 * do a recovery.
3989 */
3991 DEBUG(DEBUG_ERR, (__location__ " The vnnmap count is different from the number of active lmaster nodes: %u vs %u\n",
3996 }
3998 /* verify that all active nodes in the nodemap also exist in
3999 the vnnmap.
4000 */
4004 }
4007 }
4012 }
4013 }
4015 DEBUG(DEBUG_ERR, (__location__ " Node %u is active in the nodemap but did not exist in the vnnmap\n",
4020 }
4021 }
4024 /* verify that all other nodes have the same vnnmap
4025 and are from the same generation
4026 */
4030 }
4033 }
4041 }
4043 /* verify the vnnmap generation is the same */
4045 DEBUG(DEBUG_ERR, (__location__ " Remote node %u has different generation of vnnmap. %u vs %u (ours)\n",
4050 }
4052 /* verify the vnnmap size is the same */
4054 DEBUG(DEBUG_ERR, (__location__ " Remote node %u has different size of vnnmap. %u vs %u (ours)\n",
4059 }
4061 /* verify the vnnmap is the same */
4068 vnnmap);
4070 }
4071 }
4072 }
4074 /* we might need to change who has what IP assigned */
4080 /* update the list of public ips that a node can handle for
4081 all connected nodes
4082 */
4086 culprit));
4089 }
4091 /* execute the "startrecovery" event script on all nodes */
4098 }
4100 /* If takeover run fails, then the offending nodes are
4101 * assigned ban culprit counts. And we re-try takeover.
4102 * If takeover run fails repeatedly, the node would get
4103 * banned.
4104 *
4105 * If rec->need_takeover_run is not set to true at this
4106 * failure, monitoring is disabled cluster-wide (via
4107 * startrecovery eventscript) and will not get enabled.
4108 */
4111 }
4113 /* execute the "recovered" event script on all nodes */
4115 #if 0
4116 // we cant check whether the event completed successfully
4117 // since this script WILL fail if the node is in recovery mode
4118 // and if that race happens, the code here would just cause a second
4119 // cascading recovery.
4121 DEBUG(DEBUG_ERR, (__location__ " Unable to run the 'recovered' event on cluster. Update of public ips failed.\n"));
4124 }
4125 #endif
4126 }
4127 }
4129 /*
4130 the main monitoring loop
4131 */
4133 {
4147 /* register a message port for sending memory dumps */
4150 /* register a message port for requesting logs */
4153 /* register a message port for clearing logs */
4156 /* register a message port for recovery elections */
4159 /* when nodes are disabled/enabled */
4162 /* when we are asked to puch out a flag change */
4165 /* register a message port for vacuum fetch */
4168 /* register a message port for reloadnodes */
4171 /* register a message port for performing a takeover run */
4174 /* register a message port for disabling the ip check for a short while */
4175 ctdb_client_set_message_handler(ctdb, CTDB_SRVID_DISABLE_IP_CHECK, disable_ip_check_handler, rec);
4177 /* register a message port for updating the recovery daemons node assignment for an ip */
4180 /* register a message port for forcing a rebalance of a node next
4181 reallocation */
4182 ctdb_client_set_message_handler(ctdb, CTDB_SRVID_REBALANCE_NODE, recd_node_rebalance_handler, rec);
4184 /* Register a message port for disabling takeover runs */
4186 CTDB_SRVID_DISABLE_TAKEOVER_RUNS,
4189 /* register a message port for detaching database */
4191 CTDB_SRVID_DETACH_DATABASE,
4203 }
4209 /* we only check for recovery once every second */
4214 }
4215 }
4216 }
4218 /*
4219 event handler for when the main ctdbd dies
4220 */
4223 {
4226 }
4228 /*
4229 called regularly to verify that the recovery daemon is still running
4230 */
4233 {
4237 DEBUG(DEBUG_ERR,("Recovery daemon (pid:%d) is no longer running. Trying to restart recovery daemon.\n", (int)ctdb->recoverd_pid));
4243 }
4248 }
4254 {
4255 // struct ctdb_context *ctdb = talloc_get_type(private_data, struct ctdb_context);
4263 DEBUG(DEBUG_ERR, (__location__ " waitpid() returned error. errno:%s(%d)\n", strerror(errno),errno));
4264 }
4266 }
4269 }
4270 }
4271 }
4273 /*
4274 startup the recovery daemon as a child of the main ctdb daemon
4275 */
4277 {
4284 }
4291 }
4303 }
4309 /* Clear the log ringbuffer */
4314 DEBUG(DEBUG_CRIT, (__location__ "ERROR: failed to switch recovery daemon into client mode. shutting down.\n"));
4316 }
4324 /* set up a handler to pick up sigchld */
4327 recd_sig_child_handler,
4328 ctdb);
4332 }
4338 }
4340 /*
4341 shutdown the recovery daemon
4342 */
4344 {
4347 }
4354 }
4358 {
4364 }