1CMAN_TOOL(8) System Manager's Manual CMAN_TOOL(8)
2
6 cman_tool - Cluster Management Tool
7
9 cman_tool join | leave | kill | expected | votes | version | wait |
10 status | nodes | services | debug [options]
11
13 cman_tool is a program that manages the cluster management subsystem
14 CMAN. cman_tool can be used to join the node to a cluster, leave the
15 cluster, kill another cluster node or change the value of expected
16 votes of a cluster.
17 Be careful that you understand the consequences of the commands issued
18 via cman_tool as they can affect all nodes in your cluster. Most of the
19 time the cman_tool will only be invoked from your startup and shutdown
20 scripts.
21
23 join This is the main use of cman_tool. It instructs the cluster man‐
24 ager to attempt to join an existing cluster or (if no existing
25 cluster exists) then to form a new one on its own.
26 If no options are given to this command then it will take the
27 cluster configuration information from cluster.conf. However, it
28 is possible to provide all the information on the command-line
29 or to override cluster.conf values by using the command line.
30 leave Tells CMAN to leave the cluster. You cannot do this if there are
33 subsystems (eg DLM, GFS) active. You should dismount all GFS
34 filesystems, shutdown CLVM, fenced and anything else using the
35 cluster manager before using cman_tool leave. Look at
36 'cman_tool status' and group_tool to see how many (and which)
37 subsystems are active.
38 When a node leaves the cluster, the remaining nodes recalculate
39 quorum and this may block cluster activity if the required num‐
40 ber of votes is not present. If this node is to be down for an
41 extended period of time and you need to keep the cluster run‐
42 ning, add the remove option, and the remaining nodes will recal‐
43 culate quorum such that activity can continue.
44 kill Tells CMAN to kill another node in the cluster. This will cause
47 the local node to send a "KILL" message to that node and it will
48 shut down. Recovery will occur for the killed node as if it had
49 failed. This is a sort of remote version of "leave force" so
50 only use if if you really know what you are doing.
51 expected
54 Tells CMAN a new value of expected votes and instructs it to
55 recalculate quorum based on this value.
56 Use this option if your cluster has lost quorum due to nodes
57 failing and you need to get it running again in a hurry.
58 version
61 Used alone this will report the major, minor, patch and config
62 versions used by CMAN (also displayed in 'cman_tool status'). It
63 can also be used with -r to tell cluster members to update the
64 cluster configuration.
65 If -r is specified, cman will read the configuration file, vali‐
66 date it, distribute it around the cluster (if necessary) an
67 activate it. See the VERSION OPTIONS section below for addi‐
68 tional options to the version command.
69 wait Waits until the node is a member of the cluster and then
72 returns.
73 status Displays the local view of the cluster status.
76 nodes Displays the local view of the cluster nodes.
79 services
82 Displays the local view of subsystems using cman (deprecated,
83 group_tool should be used instead).
84 debug Sets the debug level of the running cman daemon. Debug output
87 will be sent to syslog level LOG_DEBUG. the -d switch specifies
88 the new logging level. This is the same bitmask used for
89 cman_tool join -d
90
92 -w Normally, "cman_tool leave" will fail if the cluster is in tran‐
93 sition (ie another node is joining or leaving the cluster). By
94 adding the -w flag, cman_tool will wait and retry the leave
95 operation repeatedly until it succeeds or a more serious error
96 occurs.
97 -t <seconds>
99 If -w is also specified then -t dictates the maximum amount of
100 time cman_tool is prepared to wait. If the operation times out
101 then a status of 2 is returned.
102 force Shuts down the cluster manager without first telling any of the
104 subsystems to close down. Use this option with extreme care as
105 it could easily cause data loss.
106 remove Tells the rest of the cluster to recalculate quorum such that
108 activity can continue without this node.
109
112 -e <expected-votes>
113 The new value of expected votes to use. This will usually be
114 enough to bring the cluster back to life. Values that would
115 cause incorrect quorum will be rejected.
116
119 -n <nodename>
120 The node name of the node to be killed. This should be the
121 unqualified node name as it appears in 'cman_tool nodes'.
122
125 -r Update config version. You don't need to use this when adding a
126 new node, the new cman node will tell the rest of the cluster to
127 read the latest version of the config file automatically. The
128 version present in the new configuration must be higher than the
129 one currently in use by cman.
130 cman_tool version on its own will always show the current ver‐
132 sion and not the one being looked for. So be aware that the dis‐
133 play will possibly not update immediately after you have run
134 cman_tool version -r.
135 -D<option>
137 see "JOIN" options
138 -S By default cman_tool version will try to distribute the new
140 cluster.conf file using ccs_sync and ricci. If you have distrib‐
141 uted the file yourself and/or do not have ricci installed then
142 the -S option will skip this step. NOTE: it is still important
143 that all nodes in the cluster have the same version of the file.
144 Make sure that this is the case before using this option.
145
147 -q Waits until the cluster is quorate before returning. -t <sec‐
148 onds> Dictates the maximum amount of time cman_tool is prepared
149 to wait. If the operation times out then a status of 2 is
150 returned.
151
154 -c <clustername>
155 Provides a text name for the cluster. You can have several clus‐
156 ters on one LAN and they are distinguished by this name. Note
157 that the name is hashed to provide a unique number which is what
158 actually distinguishes the cluster, so it is possible that two
159 different names can clash. If this happens, the node will not be
160 allowed into the existing cluster and you will have to pick
161 another name or use different port number for cluster communica‐
162 tion.
163 -p <port>
165 UDP port number used for cluster communication. This defaults to
166 5405.
167 -v <votes>
169 Number of votes this node has in the cluster. Defaults to 1.
170 -e <expected votes>
172 Number of expected votes for the whole cluster. If different
173 nodes provide different values then the highest is used. The
174 cluster will only operate when quorum is reached - that is more
175 than half the available votes are available to the cluster. The
176 default for this value is the total number of votes for all
177 nodes in the configuration file.
178 -2 Sets the cluster up for a special "two node only" mode. Because
180 of the quorum requirements mentioned above, a two-node cluster
181 cannot be valid. This option tells the cluster manager that
182 there will only ever be two nodes in the cluster and relies on
183 fencing to ensure cluster integrity. If you specify this you
184 cannot add more nodes without taking down the existing cluster
185 and reconfiguring it. Expected votes should be set to 1 for a
186 two-node cluster.
187 -n <nodename>
189 Overrides the node name. By default the unqualified hostname is
190 used. This option is also used to specify which interface is
191 used for cluster communication.
192 -N <nodeid>
194 Overrides the node ID for this node. Normally, nodes are
195 assigned a node id in cluster.conf. If you specify an incorrect
196 node ID here, the node might not be allowed to join the cluster.
197 Setting node IDs in the configuration is a far better way to do
198 this. Note that the node's application to join the cluster may
199 be rejected if you try to set the nodeid to one that has already
200 been used, or if the node was previously a member of the cluster
201 but with a different nodeid.
202 -o <nodename>
204 Override the name this node will have in the cluster. This will
205 normally be the hostname or the first name specified by -n.
206 Note how this differs from -n: -n tells cman_tool how to find
207 the host address and/or the entry in the configuration file. -o
208 simply changes the name the node will have in the cluster and
209 has no bearing on the actual name of the machine. Use this
210 option will extreme caution.
211 -m <multicast-address>
213 Specifies a multicast address to use for cluster communication.
214 This is required for IPv6 operation. You should also specify an
215 ethernet interface to bind to this multicast address using the
216 -i option.
217 -w Join and wait until the node is a cluster member.
219 -q Join and wait until the cluster is quorate. If the cluster join
221 fails and -w (or -q) is specified, then it will be retried. Note
222 that cman_tool cannot tell whether the cluster join was rejected
223 by another node for a good reason or that it timed out for some
224 benign reason; so it is strongly recommended that a timeout is
225 also given with the wait options to join. If you don't want join
226 to retry on failure but do want to wait, use the cman_tool join
227 command without -w followed by cman_tool wait.
228 -k <keyfile>
230 All traffic sent out by cman/corosync is encrypted. By default
231 the security key used is simply the cluster name. If you need
232 more security you can specify a key file that contains the key
233 used to encrypt cluster communications. Of course, the contents
234 of the key file must be the same on all nodes in the cluster. It
235 is up to you to securely copy the file to the nodes.
236 -t <seconds>
238 If -w or -q is also specified then -t dictates the maximum
239 amount of time cman_tool is prepared to wait. If the operation
240 times out then a status of 2 is returned. Note that just
241 because cman_tool has given up, does not mean that cman itself
242 has stopped trying to join a cluster.
243 -X Tells cman not to use the configuration file to get cluster
245 information. If you use this option then cman will apply several
246 defaults to the cluster to get it going. The cluster name will
247 be "RHCluster", node IDs will default to the IP address of the
248 node and remote node names will show up as Node<nodeid>. All of
249 these, apart from the node names can be overridden on the
250 cman_tool command-line if required.
251 If you have to set up fence devices, services or anything else
252 in cluster.conf then this option is probably not worthwhile to
253 you - the extra readability of sensible node names and numbers
254 will make it worth using cluster.conf for the cluster too. But
255 for a simple failover cluster this might save you some effort.
256 On each node using this configuration you will need to have the
257 same authorization key installed. To create this key run
258 corosync-keygen
259 mv /etc/ais/authkey /etc/cluster/cman_authkey
260 then copy that file to all nodes you want to join the cluster.
261 -C Overrides the default configuration module. Usually cman uses
263 xmlconfig (cluster.conf) to load its configuration. If you have
264 your configuration database held elsewhere (eg LDAP) and have a
265 configuration plugin for it, then you should specify the name of
266 the module (see the documentation for the module for the name of
267 it - it's not necessarily the same as the filename) here.
268 It is possible to chain configuration modules by separating them
269 with colons. So to add two modules (eg) 'configloader' and 'con‐
270 figpreproc' to the chain start cman with -C configloader:config‐
271 preproc
272 The default value for this is 'xmlconfig'. Note that if the -X
273 is on the command-line then -C will be ignored.
274 -A Don't load openais services. Normally cman_tool join will load
276 the configuration module 'openaisserviceenablestable' which will
277 load the services installed by openais. If you don't want to
278 use these services or have not installed openais then this
279 switch will disable them.
280 -D Tells cman_tool whether to validate the configuration before
282 loading or reloading it. By default the configuration is vali‐
283 dated, which is equivalent to -Dfail.
284 -Dwarn will validate the configuration and print any messages
285 arising, but will attempt to use it regardless of its validity.
286 -Dnone (or just -D) will skip the validation completely.
287 The -D switch does not take a space between -D and the parame‐
288 ter. so '-D fail' will cause an error. Use -Dfail.
289
291 -a Shows the IP address(es) the nodes are communicating on.
292 -n <nodename>
294 Shows node information for a specific node. This should be the
295 unqualified node name as it appears in 'cman_tool nodes'.
296 -F <format>
298 Specify the format of the output. The format string may contain
299 one or more format options, each separated by a comma. Valid
300 format options include: id, name, type, and addr.
301
303 -d<value>
304 The value is a bitmask of
305 2 Barriers
306 4 Membership messages
307 8 Daemon operation, including command-line interaction
308 16 Interaction with Corosync
309 32 Startup debugging (cman_tool join operations only)
310
312 the nodes subcommand shows a list of nodes known to cman. the state is
313 one of the following:
314 M The node is a member of the cluster
315 X The node is not a member of the cluster
316 d The node is known to the cluster but disallowed access to it.
317
319 cman_tool removes most environment variables before forking and running
320 Corosync, as well as adding some of its own for setting up configura‐
321 tion parameters that were overridden on the command-line, the exception
322 to this is that variable with names starting COROSYNC_ will be passed
323 down intact as they are assumed to be used for configuring the daemon.
324
327 Occasionally (but very infrequently I hope) you may see nodes marked as
328 "Disallowed" in cman_tool status or "d" in cman_tool nodes. This is a
329 bit of a nasty hack to get around mismatch between what the upper lay‐
330 ers expect of the cluster manager and corosync.
331 If a node experiences a momentary lack of connectivity, but one that is
333 long enough to trigger the token timeouts, then it will be removed from
334 the cluster. When connectivity is restored corosync will happily let it
335 rejoin the cluster with no fuss. Sadly the upper layers don't like this
336 very much. They may (indeed probably will have) have changed their
337 internal state while the other node was away and there is no straight‐
338 forward way to bring the rejoined node up-to-date with that state. When
339 this happens the node is marked "Disallowed" and is not permitted to
340 take part in cman operations.
341 If the remainder of the cluster is quorate the the node will be sent a
343 kill message and it will be forced to leave the cluster that way. Note
344 that fencing should kick in to remove the node permanently anyway, but
345 it may take longer than the network outage for this to complete.
346 If the remainder of the cluster is inquorate then we have a problem.
348 The likelihood is that we will have two (or more) partitioned clusters
349 and we cannot decide which is the "right" one. In this case we need to
350 defer to the system administrator to kill an appropriate selection of
351 nodes to restore the cluster to sensible operation.
352 The latter scenario should be very rare and may indicate a bug some‐
354 where in the code. If the local network is very flaky or busy it may be
355 necessary to increase some of the protocol timeouts for corosync. We
356 are trying to think of better solutions to this problem.
357 Recovering from this state can, unfortunately, be complicated. Fortu‐
359 nately, in the majority of cases, fencing will do the job for you, and
360 the disallowed state will only be temporary. If it persists, the recom‐
361 mended approach it is to do a cman tool nodes on all systems in the
362 cluster and determine the largest common subset of nodes that are valid
363 members to each other. Then reboot the others and let them rejoin cor‐
364 rectly. In the case of a single-node disconnection this should be
365 straightforward, with a large cluster that has experienced a network
366 partition it could get very complicated!
367 Example:
369 In this example we have a five node cluster that has experienced a net‐
371 work partition. Here is the output of cman_tool nodes from all systems:
372 Node Sts Inc Joined Name
373 1 M 2372 2007-11-05 02:58:55 node-01.example.com
374 2 d 2376 2007-11-05 02:58:56 node-02.example.com
375 3 d 2376 2007-11-05 02:58:56 node-03.example.com
376 4 M 2376 2007-11-05 02:58:56 node-04.example.com
377 5 M 2376 2007-11-05 02:58:56 node-05.example.com
378 Node Sts Inc Joined Name
380 1 d 2372 2007-11-05 02:58:55 node-01.example.com
381 2 M 2376 2007-11-05 02:58:56 node-02.example.com
382 3 M 2376 2007-11-05 02:58:56 node-03.example.com
383 4 d 2376 2007-11-05 02:58:56 node-04.example.com
384 5 d 2376 2007-11-05 02:58:56 node-05.example.com
385 Node Sts Inc Joined Name
387 1 d 2372 2007-11-05 02:58:55 node-01.example.com
388 2 M 2376 2007-11-05 02:58:56 node-02.example.com
389 3 M 2376 2007-11-05 02:58:56 node-03.example.com
390 4 d 2376 2007-11-05 02:58:56 node-04.example.com
391 5 d 2376 2007-11-05 02:58:56 node-05.example.com
392 Node Sts Inc Joined Name
394 1 M 2372 2007-11-05 02:58:55 node-01.example.com
395 2 d 2376 2007-11-05 02:58:56 node-02.example.com
396 3 d 2376 2007-11-05 02:58:56 node-03.example.com
397 4 M 2376 2007-11-05 02:58:56 node-04.example.com
398 5 M 2376 2007-11-05 02:58:56 node-05.example.com
399 Node Sts Inc Joined Name
401 1 M 2372 2007-11-05 02:58:55 node-01.example.com
402 2 d 2376 2007-11-05 02:58:56 node-02.example.com
403 3 d 2376 2007-11-05 02:58:56 node-03.example.com
404 4 M 2376 2007-11-05 02:58:56 node-04.example.com
405 5 M 2376 2007-11-05 02:58:56 node-05.example.com
406 In this scenario we should kill the node node-02 and node-03. Of
407 course, the 3 node cluster of node-01, node-04 & node-05 should remain
408 quorate and be able to fenced the two rejoined nodes anyway, but it is
409 possible that the cluster has a qdisk setup that precludes this.
410
413 This section details how the configuration systems work in cman. You
414 might need to know this if you are using the -C option to cman_tool, or
415 writing your own configuration subsystem.
416 By default cman uses two configuration plugins to corosync. The first,
417 'xmlconfig', reads the configuration information stored in cluster.conf
418 and stores it in an internal database, in the same schema as it finds
419 in cluster.conf. The second plugin, 'cmanpreconfig', takes the infor‐
420 mation in that the database, adds several cman defaults, determines the
421 corosync node name and nodeID and formats the information in a similar
422 manner to corosync.conf(5). Corosync then reads those keys to start the
423 cluster protocol. cmanpreconfig also reads several environment vari‐
424 ables that might be set by cman_tool which can override information in
425 the configuration.
426 In the absence of xmlconfig, ie when 'cman_tool join' is run with -X
427 switch (this removes xmlconfig from the module list), cmanpreconfig
428 also generates several defaults so that the cluster can be got running
429 without any configuration information - see above for the details.
430 Note that cmanpreconfig will not overwrite corosync keys that are
431 explicitly set in the configuration file, allowing you to provide cus‐
432 tom values for token timeouts etc, even though cman has its own
433 defaults for some of those values. The exception to this is the node
434 name/address and multicast values, which are always taken from the cman
435 configuration keys.
436 Most of the extra keys that cmanpreconfig adds are outside of the
437 /cluster/ tree and will only be seen if you dump the whole of
438 corosync's object database. However it does add some keys into /clus‐
439 ter/cman that you would not normally see in a normal cluster.conf file.
440 These are harmless, though could be confusing. The most obvious of
441 these is the "nodename" option which is passed from cmanpreconfig to
442 the name cman module, to save it recalculating the node name again.
443Cluster utilities Nov 8 2007 CMAN_TOOL(8)