| blob | e5b94540fecf59e4bb5c57964ee340317c0daaf0 |
1 /*
2 ctdb recovery daemon
4 Copyright (C) Ronnie Sahlberg 2007
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
26 #include <popt.h>
27 #include <talloc.h>
28 #include <tevent.h>
29 #include <tdb.h>
47 /* List of SRVID requests that need to be processed */
51 };
55 };
59 TDB_DATA result)
60 {
61 /* Someone that sent srvid==0 does not want a reply */
65 }
76 }
79 }
83 TDB_DATA result)
84 {
89 }
93 }
95 /* Free the list structure... */
97 }
102 {
105 TDB_DATA result;
111 }
112 }
116 /* If *requests was just allocated above then free it */
119 }
121 }
128 nomem:
129 /* Failed to add the request to the list. Send a fail. */
136 }
138 /* An abstraction to allow an operation (takeover runs, recoveries,
139 * ...) to be disabled for a given timeout */
144 };
147 {
153 }
156 }
159 {
161 }
164 {
169 }
173 }
176 {
178 }
181 {
183 }
186 {
188 }
193 {
199 }
204 {
209 }
215 }
220 /* Clear any old timers */
223 /* Arrange for the timeout to occur */
230 }
233 }
238 };
240 /*
241 private state of recovery daemon
242 */
262 };
264 #define CONTROL_TIMEOUT() timeval_current_ofs(ctdb->tunable.recover_timeout, 0)
265 #define MONITOR_TIMEOUT() timeval_current_ofs(ctdb->tunable.recover_interval, 0)
271 /*
272 ban a node for a period of time
273 */
275 {
283 }
294 }
296 }
298 enum monitor_result { MONITOR_OK, MONITOR_RECOVERY_NEEDED, MONITOR_ELECTION_NEEDED, MONITOR_FAILED};
301 /*
302 remember the trouble maker
303 */
305 {
312 }
314 /* If we are banned or stopped, do not set other nodes as culprits */
318 }
325 }
328 /* this was the first time in a long while this node
329 misbehaved so we will forgive any old transgressions.
330 */
332 }
337 }
339 /*
340 remember the trouble maker
341 */
343 {
345 }
348 /* this callback is called for every node that failed to execute the
349 recovered event
350 */
351 static void recovered_fail_callback(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
352 {
355 DEBUG(DEBUG_ERR, (__location__ " Node %u failed the recovered event. Setting it as recovery fail culprit\n", node_pnn));
358 }
360 /*
361 run the "recovered" eventscript on all nodes
362 */
363 static int run_recovered_eventscript(struct ctdb_recoverd *rec, struct ctdb_node_map_old *nodemap, const char *caller)
364 {
378 DEBUG(DEBUG_ERR, (__location__ " Unable to run the 'recovered' event when called from %s\n", caller));
382 }
386 }
388 /* this callback is called for every node that failed to execute the
389 start recovery event
390 */
391 static void startrecovery_fail_callback(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
392 {
395 DEBUG(DEBUG_ERR, (__location__ " Node %u failed the startrecovery event. Setting it as recovery fail culprit\n", node_pnn));
398 }
400 /*
401 run the "startrecovery" eventscript on all nodes
402 */
403 static int run_startrecovery_eventscript(struct ctdb_recoverd *rec, struct ctdb_node_map_old *nodemap)
404 {
416 NULL,
417 startrecovery_fail_callback,
419 DEBUG(DEBUG_ERR, (__location__ " Unable to run the 'startrecovery' event. Recovery failed.\n"));
422 }
426 }
428 /*
429 Retrieve capabilities from all connected nodes
430 */
433 {
450 }
455 (__location__
459 }
467 }
469 static void set_recmode_fail_callback(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
470 {
473 DEBUG(DEBUG_ERR,("Failed to freeze node %u during recovery. Set it as ban culprit for %d credits\n", node_pnn, rec->nodemap->num));
475 }
477 static void transaction_start_fail_callback(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
478 {
481 DEBUG(DEBUG_ERR,("Failed to start recovery transaction on node %u. Set it as ban culprit for %d credits\n", node_pnn, rec->nodemap->num));
483 }
485 /*
486 change recovery mode on all nodes
487 */
492 {
493 TDB_DATA data;
514 }
516 /* freeze all nodes */
525 NULL,
526 set_recmode_fail_callback,
531 }
532 }
533 }
537 }
539 /* update all remote nodes to use the same db priority that we have
540 this can fail if the remove node has not yet been upgraded to
541 support this function, so we always return success and never fail
542 a recovery if this call fails.
543 */
547 {
550 /* step through all local databases */
556 ret = ctdb_ctrl_get_db_priority(ctdb, CONTROL_TIMEOUT(), CTDB_CURRENT_NODE, dbmap->dbs[db].db_id, &db_prio.priority);
558 DEBUG(DEBUG_ERR,(__location__ " Failed to read database priority from local node for db 0x%08x\n", dbmap->dbs[db].db_id));
560 }
562 DEBUG(DEBUG_INFO,("Update DB priority for db 0x%08x to %u\n", dbmap->dbs[db].db_id, db_prio.priority));
569 }
570 }
573 }
575 /*
576 ensure all other nodes have attached to any databases that we have
577 */
578 static int create_missing_remote_databases(struct ctdb_context *ctdb, struct ctdb_node_map_old *nodemap,
580 {
584 /* verify that all other nodes have all our databases */
586 /* we don't need to ourself ourselves */
589 }
590 /* don't check nodes that are unavailable */
593 }
600 }
602 /* step through all local databases */
610 }
611 }
612 /* the remote node already have this database */
615 }
616 /* ok so we need to create this database */
623 }
631 }
632 }
633 }
636 }
639 /*
640 ensure we are attached to any databases that anyone else is attached to
641 */
642 static int create_missing_local_databases(struct ctdb_context *ctdb, struct ctdb_node_map_old *nodemap,
644 {
648 /* verify that we have all database any other node has */
650 /* we don't need to ourself ourselves */
653 }
654 /* don't check nodes that are unavailable */
657 }
664 }
666 /* step through all databases on the remote node */
673 }
674 }
675 /* we already have this db locally */
678 }
679 /* ok so we need to create this database and
680 rebuild dbmap
681 */
688 }
694 }
699 }
700 }
701 }
704 }
707 /*
708 pull the remote database contents from one node into the recdb
709 */
712 {
714 TDB_DATA outdata;
726 }
734 }
743 TDB_DATA existing;
756 }
758 /* fetch the existing record, if any */
769 }
776 }
777 }
783 }
784 }
789 }
796 };
798 static void pull_seqnum_cb(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
799 {
804 DEBUG(DEBUG_ERR, ("Got seqnum from node %d but we have already failed the entire operation\n", node_pnn));
806 }
812 }
815 DEBUG(DEBUG_ERR, ("Error when reading pull seqnum from node %d, got %d bytes but expected %d\n", node_pnn, (int)outdata.dsize, (int)sizeof(uint64_t)));
818 }
826 }
827 }
829 static void pull_seqnum_fail_cb(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
830 {
835 }
841 {
844 TDB_DATA data;
861 }
871 pull_seqnum_cb,
872 pull_seqnum_fail_cb,
878 }
884 }
887 DEBUG(DEBUG_NOTICE, ("Failed to find a node with highest sequence numbers for DB 0x%08x\n", dbid));
890 }
892 DEBUG(DEBUG_NOTICE, ("Pull persistent db:0x%08x from node %d with highest seqnum:%lld\n", dbid, cb_data->pnn, (long long)cb_data->seqnum));
895 DEBUG(DEBUG_ERR, ("Failed to pull higest seqnum database 0x%08x from node %d\n", dbid, cb_data->pnn));
898 }
902 }
905 /*
906 pull all the remote database contents into the recdb
907 */
913 {
921 }
922 }
924 /* pull all records from all other nodes across onto this node
925 (this merges based on rsn)
926 */
928 /* don't merge from nodes that are unavailable */
931 }
937 }
938 }
941 }
944 /*
945 update flags on all active nodes
946 */
947 static int update_flags_on_all_nodes(struct ctdb_context *ctdb, struct ctdb_node_map_old *nodemap, uint32_t pnn, uint32_t flags)
948 {
955 }
958 }
960 /*
961 ensure all nodes have the same vnnmap we do
962 */
963 static int update_vnnmap_on_all_nodes(struct ctdb_context *ctdb, struct ctdb_node_map_old *nodemap,
965 {
968 /* push the new vnn map out to all the nodes */
970 /* don't push to nodes that are unavailable */
973 }
979 }
980 }
983 }
986 /*
987 called when a vacuum fetch has completed - just free it and do the next one
988 */
990 {
992 }
995 /**
996 * Process one elements of the vacuum fetch list:
997 * Migrate it over to us with the special flag
998 * CTDB_CALL_FLAG_VACUUM_MIGRATION.
999 */
1003 {
1005 TDB_DATA data;
1017 /* ensure we don't block this daemon - just skip a record if we can't get
1018 the chainlock */
1021 }
1027 }
1033 }
1037 /* its already local */
1041 }
1050 }
1055 }
1058 /*
1059 handler for vacuum fetch
1060 */
1063 {
1080 }
1082 /* work out if the database is persistent */
1087 }
1093 }
1094 }
1098 }
1100 /* find the name of this database */
1101 if (ctdb_ctrl_getdbname(ctdb, CONTROL_TIMEOUT(), CTDB_CURRENT_NODE, recs->db_id, tmp_ctx, &name) != 0) {
1104 }
1106 /* attach to it */
1111 }
1120 }
1124 }
1126 done:
1128 }
1131 /*
1132 * handler for database detach
1133 */
1136 {
1145 }
1150 /* database is not attached */
1152 }
1159 }
1161 /*
1162 called when ctdb_wait_timeout should finish
1163 */
1167 {
1170 }
1172 /*
1173 wait for a given number of seconds
1174 */
1176 {
1183 }
1184 }
1186 /*
1187 called when an election times out (ends)
1188 */
1192 {
1198 }
1201 /*
1202 wait for an election to finish. It finished election_timeout seconds after
1203 the last election packet is received
1204 */
1206 {
1210 }
1211 }
1213 /*
1214 Update our local flags from all remote connected nodes.
1215 This is only run when we are or we belive we are the recovery master
1216 */
1218 {
1223 /* get the nodemap for all active remote nodes and verify
1224 they are the same as for this node
1225 */
1232 }
1235 }
1245 }
1247 /* We should tell our daemon about this so it
1248 updates its flags or else we will log the same
1249 message again in the next iteration of recovery.
1250 Since we are the recovery master we can just as
1251 well update the flags on all nodes.
1252 */
1253 ret = ctdb_ctrl_modflags(ctdb, CONTROL_TIMEOUT(), nodemap->nodes[j].pnn, remote_nodemap->nodes[j].flags, ~remote_nodemap->nodes[j].flags);
1257 }
1259 /* Update our local copy of the flags in the recovery
1260 daemon.
1261 */
1266 }
1268 }
1271 }
1274 /* Create a new random generation id.
1275 The generation id can not be the INVALID_GENERATION id
1276 */
1278 {
1286 }
1287 }
1290 }
1293 /*
1294 create a temporary working database
1295 */
1297 {
1302 /* open up the temporary recovery database */
1308 }
1314 }
1321 }
1326 }
1329 /*
1330 a traverse function for pulling all relevant records from recdb
1331 */
1339 };
1342 {
1347 /*
1348 * skip empty records - but NOT for persistent databases:
1349 *
1350 * The record-by-record mode of recovery deletes empty records.
1351 * For persistent databases, this can lead to data corruption
1352 * by deleting records that should be there:
1353 *
1354 * - Assume the cluster has been running for a while.
1355 *
1356 * - A record R in a persistent database has been created and
1357 * deleted a couple of times, the last operation being deletion,
1358 * leaving an empty record with a high RSN, say 10.
1359 *
1360 * - Now a node N is turned off.
1361 *
1362 * - This leaves the local database copy of D on N with the empty
1363 * copy of R and RSN 10. On all other nodes, the recovery has deleted
1364 * the copy of record R.
1365 *
1366 * - Now the record is created again while node N is turned off.
1367 * This creates R with RSN = 1 on all nodes except for N.
1368 *
1369 * - Now node N is turned on again. The following recovery will chose
1370 * the older empty copy of R due to RSN 10 > RSN 1.
1371 *
1372 * ==> Hence the record is gone after the recovery.
1373 *
1374 * On databases like Samba's registry, this can damage the higher-level
1375 * data structures built from the various tdb-level records.
1376 */
1379 }
1381 /* update the dmaster field to point to us */
1386 }
1388 /* add the record to the blob ready to send to the nodes */
1393 }
1395 params->allocated_len = recdata->length + params->len + params->ctdb->tunable.pulldb_preallocation_size;
1397 }
1403 }
1410 }
1412 /*
1413 push the recdb database out to all nodes
1414 */
1418 {
1421 TDB_DATA outdata;
1445 }
1452 }
1469 }
1478 }
1481 /*
1482 go through a full recovery on one database
1483 */
1491 {
1495 TDB_DATA data;
1502 }
1504 /* pull all remote databases onto the recdb */
1509 }
1513 /* wipe all the remote databases. This is safe as we are in a transaction */
1529 }
1531 /* push out the correct database. This sets the dmaster and skips
1532 the empty records */
1537 }
1539 /* all done with this database */
1543 }
1546 {
1548 }
1554 };
1559 {
1575 }
1579 }
1584 {
1594 }
1595 }
1598 {
1605 };
1612 }
1616 }
1621 }
1628 }
1631 {
1635 }
1636 }
1639 {
1648 }
1652 }
1660 /* Banning ourself? */
1663 }
1664 }
1665 }
1669 {
1672 TDB_DATA data;
1685 }
1690 }
1692 /* Disable IP checks (takeover runs, really) on other nodes
1693 * while doing this takeover run. This will stop those other
1694 * nodes from triggering takeover runs when think they should
1695 * be hosting an IP but it isn't yet on an interface. Don't
1696 * wait for replies since a failure here might cause some
1697 * noise in the logs but will not actually cause a problem.
1698 */
1708 /* Disable for 60 seconds. This can be a tunable later if
1709 * necessary.
1710 */
1714 CTDB_SRVID_DISABLE_TAKEOVER_RUNS,
1717 }
1718 }
1723 /* Reenable takeover runs and IP checks on other nodes */
1727 CTDB_SRVID_DISABLE_TAKEOVER_RUNS,
1730 }
1731 }
1737 }
1740 /* Takeover run was successful so clear force rebalance targets */
1746 }
1747 done:
1754 }
1758 pid_t pid;
1761 };
1766 {
1774 }
1777 }
1781 {
1792 }
1798 }
1807 }
1816 }
1826 }
1835 }
1846 }
1851 }
1858 }
1864 fail:
1867 }
1870 }
1873 }
1876 }
1882 {
1885 TDB_DATA data;
1889 /* set recovery mode to active on all nodes */
1894 }
1896 /* execute the "startrecovery" event script on all nodes */
1901 }
1903 /* pick a new generation number */
1906 /* change the vnnmap on this node to use the new generation
1907 number but not on any other nodes.
1908 this guarantees that if we abort the recovery prematurely
1909 for some reason (a node stops responding?)
1910 that we can just return immediately and we will reenter
1911 recovery shortly again.
1912 I.e. we deliberately leave the cluster with an inconsistent
1913 generation id to allow us to abort recovery at any stage and
1914 just restart it from scratch.
1915 */
1921 }
1923 /* Database generations are updated when the transaction is commited to
1924 * the databases. So make sure to use the final generation as the
1925 * transaction id
1926 */
1936 NULL,
1937 transaction_start_fail_callback,
1943 NULL,
1944 NULL,
1947 }
1949 }
1961 }
1962 }
1966 /* commit all the changes */
1974 }
1978 /* build a new vnn map with all the currently active and
1979 unbanned nodes */
1989 }
1992 CTDB_CAP_LMASTER)) {
1993 /* this node can not be an lmaster */
1996 }
2003 }
2010 }
2012 /* update to the new vnnmap on all nodes */
2017 }
2021 /* disable recovery mode */
2026 }
2030 /* execute the "recovered" event script on all nodes */
2033 DEBUG(DEBUG_ERR, (__location__ " Unable to run the 'recovered' event on cluster. Recovery process failed.\n"));
2035 }
2040 }
2042 /*
2043 we are the recmaster, and recovery is needed - start a recovery run
2044 */
2048 {
2057 /* Check if the current node is still the recmaster. It's possible that
2058 * re-election has changed the recmaster.
2059 */
2065 }
2067 /* if recovery fails, force it again */
2072 }
2075 /* an election is in progress */
2078 }
2084 }
2094 /* If ctdb is trying first recovery, it's
2095 * possible that current node does not know
2096 * yet who the recmaster is.
2097 */
2101 }
2108 }
2111 }
2112 }
2114 DEBUG(DEBUG_NOTICE, (__location__ " Recovery initiated due to problem with node %u\n", rec->last_culprit_node));
2116 /* get a list of all databases */
2121 }
2123 /* we do the db creation before we set the recovery mode, so the freeze happens
2124 on all databases we will be dealing with. */
2126 /* verify that we have all the databases any other node has */
2131 }
2133 /* verify that all other nodes have all our databases */
2138 }
2141 /* update the database priority for all remote databases */
2145 }
2149 /* Retrieve capabilities from all connected nodes */
2154 }
2156 /*
2157 update all nodes to have the same flags that we have
2158 */
2162 }
2171 }
2172 }
2173 }
2177 /* Check if all participating nodes have parallel recovery capability */
2182 }
2185 CTDB_CAP_PARALLEL_RECOVERY)) {
2188 }
2189 }
2195 dbmap);
2196 }
2200 }
2204 /* send a message to all clients telling them that the cluster
2205 has been reconfigured */
2211 }
2218 /* we managed to complete a full recovery, make sure to forgive
2219 any past sins by the nodes that could now participate in the
2220 recovery.
2221 */
2228 }
2233 }
2236 }
2238 /* We just finished a recovery successfully.
2239 We now wait for rerecovery_timeout before we allow
2240 another recovery to take place.
2241 */
2242 DEBUG(DEBUG_NOTICE, ("Just finished a recovery. New recoveries will now be supressed for the rerecovery timeout (%d seconds)\n", ctdb->tunable.rerecovery_timeout));
2247 fail:
2250 }
2253 /*
2254 elections are won by first checking the number of connected nodes, then
2255 the priority time, then the pnn
2256 */
2262 };
2264 /*
2265 form this nodes election data
2266 */
2268 {
2282 }
2290 }
2291 }
2293 /* we shouldnt try to win this election if we cant be a recmaster */
2297 }
2300 }
2302 /*
2303 see if the given election data wins
2304 */
2306 {
2312 /* we cant win if we don't have the recmaster capability */
2315 }
2317 /* we cant win if we are banned */
2320 }
2322 /* we cant win if we are stopped */
2325 }
2327 /* we will automatically win if the other node is banned */
2330 }
2332 /* we will automatically win if the other node is banned */
2335 }
2337 /* then the longest running node */
2340 }
2344 }
2347 }
2349 /*
2350 send out an election request
2351 */
2353 {
2355 TDB_DATA election_data;
2368 /* first we assume we will win the election and set
2369 recoverymaster to be ourself on the current node
2370 */
2376 }
2379 /* send an election message to all active nodes */
2382 }
2384 /*
2385 we think we are winning the election - send a broadcast election request
2386 */
2390 {
2397 }
2400 }
2402 /*
2403 handler for memory dumps
2404 */
2406 {
2419 }
2427 }
2433 }
2442 }
2445 }
2447 /*
2448 handler for reload_nodes
2449 */
2452 {
2459 }
2464 {
2474 }
2477 DEBUG(DEBUG_ERR,(__location__ " Incorrect size of node rebalance message. Was %zd but expected %zd bytes\n", data.dsize, sizeof(uint32_t)));
2479 }
2485 /* Copy any existing list of nodes. There's probably some
2486 * sort of realloc variant that will do this but we need to
2487 * make sure that freeing the old array also cancels the timer
2488 * event for the timeout... not sure if realloc will do that.
2489 */
2494 /* This allows duplicates to be added but they don't cause
2495 * harm. A call to add a duplicate PNN arguably means that
2496 * the timeout should be reset, so this is the simplest
2497 * solution.
2498 */
2503 }
2509 }
2514 TDB_DATA data,
2516 {
2519 TDB_DATA result;
2522 /* Validate input data */
2528 }
2532 }
2540 }
2542 /* Returning our PNN tells the caller that we succeeded */
2544 done:
2548 }
2552 {
2557 }
2559 /* Backward compatibility for this SRVID */
2562 {
2572 }
2576 }
2581 }
2585 {
2590 }
2592 /*
2593 handler for ip reallocate, just add it to the list of requests and
2594 handle this later in the monitor_cluster loop so we do not recurse
2595 with other requests to takeover_run()
2596 */
2599 {
2607 }
2612 }
2616 {
2617 TDB_DATA result;
2621 /* Only process requests that are currently pending. More
2622 * might come in while the takeover run is in progress and
2623 * they will need to be processed later since they might
2624 * be in response flag changes.
2625 */
2633 }
2639 }
2641 /*
2642 * handler for assigning banning credits
2643 */
2645 {
2650 /* Ignore if we are not recmaster */
2653 }
2659 }
2664 }
2666 /*
2667 handler for recovery master elections
2668 */
2670 {
2677 /* Ignore election packets from ourself */
2680 }
2682 /* we got an election packet - update the timeout for the election */
2686 fast_start ?
2691 /* someone called an election. check their election data
2692 and if we disagree and we would rather be the elected node,
2693 send a new election message to all other nodes
2694 */
2701 }
2703 }
2705 /* we didn't win */
2708 /* Release the recovery lock file */
2711 }
2713 /* ok, let that guy become recmaster then */
2719 }
2723 }
2726 /*
2727 force the start of the election process
2728 */
2731 {
2737 /* set all nodes to recovery mode to stop all internode traffic */
2742 }
2747 fast_start ?
2756 }
2758 /* wait for a few seconds to collect all responses */
2760 }
2764 /*
2765 handler for when a node changes its flags
2766 */
2768 {
2781 }
2791 }
2796 }
2802 }
2805 DEBUG(DEBUG_NOTICE,("Node %u has changed flags - now 0x%x was 0x%x\n", c->pnn, c->new_flags, c->old_flags));
2806 }
2811 }
2813 /*
2814 handler for when we need to push out flag changes ot all other nodes
2815 */
2818 {
2828 /* read the node flags from the recmaster */
2835 }
2840 }
2842 /* send the flags update to all connected nodes */
2854 }
2857 }
2863 };
2866 {
2867 struct verify_recmode_normal_data *rmdata = talloc_get_type(state->async.private_data, struct verify_recmode_normal_data);
2870 /* one more node has responded with recmode data*/
2873 /* if we failed to get the recmode, then return an error and let
2874 the main loop try again.
2875 */
2879 }
2881 }
2883 /* if we got a response, then the recmode will be stored in the
2884 status field
2885 */
2887 DEBUG(DEBUG_NOTICE, ("Node:%u was in recovery mode. Start recovery process\n", state->c->hdr.destnode));
2889 }
2892 }
2895 /* verify that all nodes are in normal recovery mode */
2896 static enum monitor_result verify_recmode(struct ctdb_context *ctdb, struct ctdb_node_map_old *nodemap)
2897 {
2909 /* loop over all active nodes and send an async getrecmode call to
2910 them*/
2914 }
2919 /* we failed to send the control, treat this as
2920 an error and try again next iteration
2921 */
2925 }
2927 /* set up the callback functions */
2931 /* one more control to wait for to complete */
2933 }
2936 /* now wait for up to the maximum number of seconds allowed
2937 or until all nodes we expect a response from has replied
2938 */
2941 }
2946 }
2954 };
2957 {
2958 struct verify_recmaster_data *rmdata = talloc_get_type(state->async.private_data, struct verify_recmaster_data);
2961 /* one more node has responded with recmaster data*/
2964 /* if we failed to get the recmaster, then return an error and let
2965 the main loop try again.
2966 */
2970 }
2972 }
2974 /* if we got a response, then the recmaster will be stored in the
2975 status field
2976 */
2978 DEBUG(DEBUG_ERR,("Node %d thinks node %d is recmaster. Need a new recmaster election\n", state->c->hdr.destnode, state->status));
2981 }
2984 }
2987 /* verify that all nodes agree that we are the recmaster */
2988 static enum monitor_result verify_recmaster(struct ctdb_recoverd *rec, struct ctdb_node_map_old *nodemap, uint32_t pnn)
2989 {
3004 /* loop over all active nodes and send an async getrecmaster call to
3005 them*/
3009 }
3012 }
3017 /* we failed to send the control, treat this as
3018 an error and try again next iteration
3019 */
3023 }
3025 /* set up the callback functions */
3029 /* one more control to wait for to complete */
3031 }
3034 /* now wait for up to the maximum number of seconds allowed
3035 or until all nodes we expect a response from has replied
3036 */
3039 }
3044 }
3048 {
3055 /* Read the interfaces from the local node */
3059 /* We could return an error. However, this will be
3060 * rare so we'll decide that the interfaces have
3061 * actually changed, just in case.
3062 */
3065 }
3068 /* We haven't been here before so things have changed */
3072 /* Number of interfaces has changed */
3077 /* See if interface names or link states have changed */
3087 }
3095 }
3096 }
3097 }
3104 }
3106 /* Check that the local allocation of public IP addresses is correct
3107 * and do some house-keeping */
3112 {
3118 /* If we are not the recmaster then do some housekeeping */
3120 /* Ignore any IP reallocate requests - only recmaster
3121 * processes them
3122 */
3124 /* Clear any nodes that should be force rebalanced in
3125 * the next takeover run. If the recovery master role
3126 * has moved then we don't want to process these some
3127 * time in the future.
3128 */
3130 }
3132 /* Return early if disabled... */
3136 }
3140 }
3142 /* If there are unhosted IPs but this node can host them then
3143 * trigger an IP reallocation */
3145 /* Read *available* IPs from local node */
3153 }
3162 }
3163 }
3169 }
3171 /* Validate the IP addresses that this node has on network
3172 * interfaces. If there is an inconsistency between reality
3173 * and the state expected by CTDB then try to fix it by
3174 * triggering an IP reallocation or releasing extraneous IP
3175 * addresses. */
3177 /* Read *known* IPs from local node */
3184 }
3193 }
3201 CTDB_CURRENT_NODE,
3206 }
3207 }
3208 }
3209 }
3211 done:
3214 TDB_DATA data;
3228 }
3229 }
3232 }
3235 static void async_getnodemap_callback(struct ctdb_context *ctdb, uint32_t node_pnn, int32_t res, TDB_DATA outdata, void *callback_data)
3236 {
3242 }
3244 remote_nodemaps[node_pnn] = (struct ctdb_node_map_old *)talloc_steal(remote_nodemaps, outdata.dptr);
3246 }
3251 {
3258 async_getnodemap_callback,
3259 NULL,
3264 }
3267 }
3271 {
3278 /* When recovery daemon is started, recmaster is set to
3279 * "unknown" so it knows to start an election.
3280 */
3286 }
3288 /*
3289 * If the current recmaster does not have CTDB_CAP_RECMASTER,
3290 * but we have, then force an election and try to become the new
3291 * recmaster.
3292 */
3295 CTDB_CAP_RECMASTER) &&
3304 }
3306 /* Verify that the master node has not been deleted. This
3307 * should not happen because a node should always be shutdown
3308 * before being deleted, causing a new master to be elected
3309 * before now. However, if something strange has happened
3310 * then checking here will ensure we don't index beyond the
3311 * end of the nodemap array. */
3318 }
3320 /* if recovery master is disconnected/deleted we must elect a new recmaster */
3328 }
3330 /* get nodemap from the recovery master to check if it is inactive */
3335 (__location__
3338 /* No election, just error */
3340 }
3348 /*
3349 * update our nodemap to carry the recmaster's notion of
3350 * its own flags, so that we don't keep freezing the
3351 * inactive recmaster node...
3352 */
3357 }
3360 }
3364 {
3376 /* verify that the main daemon is still running */
3380 }
3382 /* ping the local daemon to tell it we are alive */
3386 /* an election is in progress */
3388 }
3390 /* read the debug level from the parent and update locally */
3395 }
3398 /* get relevant tunables */
3403 }
3405 /* get runstate */
3411 }
3415 /* get nodemap */
3421 }
3424 /* remember our own node flags */
3431 }
3433 /* if the local daemon is STOPPED or BANNED, we verify that the databases are
3434 also frozen and that the recmode is set to active.
3435 */
3437 /* If this node has become inactive then we want to
3438 * reduce the chances of it taking over the recovery
3439 * master role when it becomes active again. This
3440 * helps to stabilise the recovery master role so that
3441 * it stays on the most stable node.
3442 */
3445 ret = ctdb_ctrl_getrecmode(ctdb, mem_ctx, CONTROL_TIMEOUT(), CTDB_CURRENT_NODE, &ctdb->recovery_mode);
3448 }
3450 DEBUG(DEBUG_ERR,("Node is stopped or banned but recovery mode is not active. Activate recovery mode and lock databases\n"));
3454 DEBUG(DEBUG_ERR,(__location__ " Failed to activate recovery mode in STOPPED or BANNED state\n"));
3457 }
3458 }
3461 CTDB_CURRENT_NODE);
3467 }
3470 }
3472 /* If this node is stopped or banned then it is not the recovery
3473 * master, so don't do anything. This prevents stopped or banned
3474 * node from starting election and sending unnecessary controls.
3475 */
3477 }
3481 /* Retrieve capabilities from all connected nodes */
3486 }
3490 }
3492 /* Check if an IP takeover run is needed and trigger one if
3493 * necessary */
3496 /* if we are not the recmaster then we do not need to check
3497 if recovery is needed
3498 */
3501 }
3504 /* ensure our local copies of flags are right */
3509 }
3512 DEBUG(DEBUG_ERR, (__location__ " ctdb->num_nodes (%d) != nodemap->num (%d) reloading nodes file\n", ctdb->num_nodes, nodemap->num));
3515 }
3517 /* verify that all active nodes agree that we are the recmaster */
3520 /* can not happen */
3529 }
3532 /* get the vnnmap */
3537 }
3540 /* a previous recovery didn't finish */
3543 }
3545 /* verify that all active nodes are in normal mode
3546 and not in recovery mode
3547 */
3555 /* can not happen */
3558 }
3562 /* We must already hold the recovery lock */
3568 }
3569 }
3572 /* If recoveries are disabled then there is no use doing any
3573 * nodemap or flags checks. Recoveries might be disabled due
3574 * to "reloadnodes", so doing these checks might cause an
3575 * unnecessary recovery. */
3578 }
3580 /* get the nodemap for all active remote nodes
3581 */
3586 }
3589 }
3593 }
3595 /* verify that all other nodes have the same nodemap as we have
3596 */
3600 }
3603 DEBUG(DEBUG_ERR,(__location__ " Did not get a remote nodemap for node %d, restarting monitoring\n", j));
3607 }
3609 /* if the nodes disagree on how many nodes there are
3610 then this is a good reason to try recovery
3611 */
3613 DEBUG(DEBUG_ERR, (__location__ " Remote node:%u has different node count. %u vs %u of the local node\n",
3618 }
3620 /* if the nodes disagree on which nodes exist and are
3621 active, then that is also a good reason to do recovery
3622 */
3625 DEBUG(DEBUG_ERR, (__location__ " Remote node:%u has different nodemap pnn for %d (%u vs %u).\n",
3630 vnnmap);
3632 }
3633 }
3634 }
3636 /*
3637 * Update node flags obtained from each active node. This ensure we have
3638 * up-to-date information for all the nodes.
3639 */
3643 }
3645 }
3650 }
3652 /* verify the flags are consistent
3653 */
3657 }
3660 DEBUG(DEBUG_ERR, (__location__ " Remote node:%u has different flags for node %u. It has 0x%02x vs our 0x%02x\n",
3666 DEBUG(DEBUG_ERR,("Use flags 0x%02x from remote node %d for cluster update of its own flags\n", remote_nodemaps[j]->nodes[i].flags, j));
3667 update_flags_on_all_nodes(ctdb, nodemap, nodemap->nodes[i].pnn, remote_nodemaps[j]->nodes[i].flags);
3670 vnnmap);
3673 DEBUG(DEBUG_ERR,("Use flags 0x%02x from local recmaster node for cluster update of node %d flags\n", nodemap->nodes[i].flags, i));
3677 vnnmap);
3679 }
3680 }
3681 }
3682 }
3685 /* count how many active nodes there are */
3691 CTDB_CAP_LMASTER)) {
3692 num_lmasters++;
3693 }
3694 }
3695 }
3698 /* There must be the same number of lmasters in the vnn map as
3699 * there are active nodes with the lmaster capability... or
3700 * do a recovery.
3701 */
3703 DEBUG(DEBUG_ERR, (__location__ " The vnnmap count is different from the number of active lmaster nodes: %u vs %u\n",
3708 }
3710 /* verify that all active nodes in the nodemap also exist in
3711 the vnnmap.
3712 */
3716 }
3719 }
3724 }
3725 }
3727 DEBUG(DEBUG_ERR, (__location__ " Node %u is active in the nodemap but did not exist in the vnnmap\n",
3732 }
3733 }
3736 /* verify that all other nodes have the same vnnmap
3737 and are from the same generation
3738 */
3742 }
3745 }
3753 }
3755 /* verify the vnnmap generation is the same */
3757 DEBUG(DEBUG_ERR, (__location__ " Remote node %u has different generation of vnnmap. %u vs %u (ours)\n",
3762 }
3764 /* verify the vnnmap size is the same */
3766 DEBUG(DEBUG_ERR, (__location__ " Remote node %u has different size of vnnmap. %u vs %u (ours)\n",
3771 }
3773 /* verify the vnnmap is the same */
3780 vnnmap);
3782 }
3783 }
3784 }
3786 /* FIXME: Add remote public IP checking to ensure that nodes
3787 * have the IP addresses that are allocated to them. */
3789 takeover_run_checks:
3791 /* If there are IP takeover runs requested or the previous one
3792 * failed then perform one and notify the waiters */
3796 }
3797 }
3803 {
3809 }
3812 /*
3813 the main monitoring loop
3814 */
3816 {
3843 }
3845 /* register a message port for sending memory dumps */
3848 /* when a node is assigned banning credits */
3852 /* register a message port for recovery elections */
3855 /* when nodes are disabled/enabled */
3858 /* when we are asked to puch out a flag change */
3861 /* register a message port for vacuum fetch */
3864 /* register a message port for reloadnodes */
3867 /* register a message port for performing a takeover run */
3870 /* register a message port for disabling the ip check for a short while */
3871 ctdb_client_set_message_handler(ctdb, CTDB_SRVID_DISABLE_IP_CHECK, disable_ip_check_handler, rec);
3873 /* register a message port for forcing a rebalance of a node next
3874 reallocation */
3875 ctdb_client_set_message_handler(ctdb, CTDB_SRVID_REBALANCE_NODE, recd_node_rebalance_handler, rec);
3877 /* Register a message port for disabling takeover runs */
3879 CTDB_SRVID_DISABLE_TAKEOVER_RUNS,
3882 /* Register a message port for disabling recoveries */
3884 CTDB_SRVID_DISABLE_RECOVERIES,
3887 /* register a message port for detaching database */
3889 CTDB_SRVID_DETACH_DATABASE,
3901 }
3907 /* we only check for recovery once every second */
3912 }
3913 }
3914 }
3916 /*
3917 event handler for when the main ctdbd dies
3918 */
3922 {
3925 }
3927 /*
3928 called regularly to verify that the recovery daemon is still running
3929 */
3933 {
3937 DEBUG(DEBUG_ERR,("Recovery daemon (pid:%d) is no longer running. Trying to restart recovery daemon.\n", (int)ctdb->recoverd_pid));
3943 }
3948 }
3954 {
3955 // struct ctdb_context *ctdb = talloc_get_type(private_data, struct ctdb_context);
3963 DEBUG(DEBUG_ERR, (__location__ " waitpid() returned error. errno:%s(%d)\n", strerror(errno),errno));
3964 }
3966 }
3969 }
3970 }
3971 }
3973 /*
3974 startup the recovery daemon as a child of the main ctdb daemon
3975 */
3977 {
3984 }
3989 }
4001 }
4009 DEBUG(DEBUG_CRIT, (__location__ "ERROR: failed to switch recovery daemon into client mode. shutting down.\n"));
4011 }
4019 /* set up a handler to pick up sigchld */
4025 }
4031 }
4033 /*
4034 shutdown the recovery daemon
4035 */
4037 {
4040 }
4047 }
4052 {
4058 }