Understanding Continental Cluster Concepts

The Continentalclusters product provides the ability to monitor a high availability cluster and fail over mission critical applications to another cluster if the monitored cluster should become unavailable. In the following example, the Los Angeles cluster runs the mission critical application and replicates data to the New York cluster, which has another copy of the mission critical application ready to run in case of failover. In addition, Continentalclusters supports mutual recovery, which allows for different critical applications to be run on each cluster, with each cluster configured to recover the mission critical applications of the other.

Because clusters may be separated over wide geographical distances, and because they have independent function, the operation of clusters in a Continentalclusters configuration is somewhat different from that of typical Serviceguard clusters. A typical Continentalclusters recovery pair environment is shown in Figure 2-1 “Sample Continentalclusters Configuration”.

Figure 2-1 Sample Continentalclusters Configuration

Two packages are running on the cluster in Los Angeles, and their data is replicated to the cluster in New York. Physical data replication is carried out using ESCON (Enterprise Storage Connect) links between the disk array hardware in New York and Los Angeles via an ESCON/WAN converter at each end. The New York cluster is running a monitor that checks the status of the Los Angeles cluster. In this example, the Los Angeles cluster runs just like any Serviceguard cluster, with applications configured in packages that may fail from node to node as necessary. The New York cluster is configured with a recovery version of the packages that are running on the Los Angeles cluster. These packages do not run under normal circumstances, but are set to start up when they are needed. In addition, either cluster may run other packages that are not involved in Continentalclusters operation.

Mutual Recovery Configuration

Bi-directional failover is supported in what is called a “mutual recovery configuration.” This allows recovery groups to be defined for primary packages running in both component clusters of a recovery pair in the Continentalclusters configuration. Figure 2-2 “Sample Mutual Recovery Configuration” shows a mutual recovery configuration.

Figure 2-2 Sample Mutual Recovery Configuration

In the above figure, the salespkg is running on the New York cluster and can be recovered by the Los Angeles cluster. Similarly, the custpkg running on the Los Angeles cluster can be recovered by the New York cluster. As stated previously, physical data replication is carried out using ESCON (Enterprise Storage Connect) links between the disk array hardware in New York and Los Angeles via an ESCON/WAN converter at each end. Each cluster is running a monitor that checks the status of the alternate cluster.

As depicted in the above example, each cluster runs just like any Serviceguard cluster, with applications configured in packages that may fail from node to node as necessary. Each cluster is configured with a recovery version of the packages that are running on the alternate cluster. These packages do not run under normal circumstances, but are set to start up when they are needed. In addition, either cluster may run other packages that are not involved in Continentalclusters operation.

Application Recovery in a Continental Cluster

If a given cluster in a recovery pair of a continental cluster should become unavailable, Continentalclusters allows an administrator to issue a single command, cmrecovercl (described later) to transfer mission critical applications from that cluster to another cluster, making sure that the packages do not run on both clusters at the same time. Transfer is not automatic, although it is automated through a recovery command, which a root user must issue. The result after issuing the recovery command is shown in Figure 2-3 “Continental Cluster After Recovery”.

Figure 2-3 Continental Cluster After Recovery

The movement of an application from one cluster to another cluster does not replace local failover activity; packages are normally configured to fail over from node to node as they would on any high availability cluster. Cluster recovery, failover of packages to a different cluster, occurs only after the following events:

Continentalclusters detects the problem
Continentalclusters sends a notification of the problem
Verify that the monitored cluster has failed
Issue the cluster recovery command

Monitoring over a Network

A monitor package running on one cluster tracks the health of another cluster in the recovery pair and sends notification to configured destinations if the state of the monitored cluster changes. (If a cluster contains any packages to be recovered it must be monitored.) The monitor software polls the monitored cluster at a specific MONITOR_INTERVAL defined in an ASCII configuration file, which also indicates when and where to send messages if there is a state change.

The physical separation between clusters will require communication by way of a Local or Wide Area Network (LAN or WAN). Since the polling takes place across the network, interruptions of network service cannot always be differentiated from cluster failure states. This means that if the network is unreliable, the monitoring facility will often detect and report an unreachable state for the monitored cluster that is actually an interruption of the network service.

Because the monitoring is indeterminate in some instances, information from independent sources must be gathered to determine the need for proceeding with the recovery process. For these reasons, cluster recovery is not automatic, but must be initiated by a root user. Once initiated, however, the cluster recovery is automated to reduce the chance of human error that might occur if manual steps were needed. In Continentalclusters, a system of cluster events and notifications is provided so that events can be easily tracked, and users will know when to seek additional information before initiating recovery.

Cluster Events

A cluster event is a change of state in a monitored cluster. The four cluster states reported by the monitor are Unreachable, Down, Up, and Error. Table 2-1 “Monitored States and Possible Causes” summarizes possible causes for the cluster events with regard to both the monitored cluster and the network. However, in many cases the causes of cluster events are indeterminate without additional information that is not available to the software.

Table 2-1 Monitored States and Possible Causes

Cluster Event (Old state -> New state)	Cluster-related Causes	Network-related Causes
Up -> Unreachable	Cluster went down; no nodes are responding to network inquiries	Network failure
Down -> Unreachable	Cluster was down and nodes are no longer responding	Network failure
Error -> Unreachable	Error resolved but cluster down and nodes not responding	Network failure
Up -> Down	Cluster has been halted, but at least one node is still responding to network inquiries	No network problems
Error -> Down	Error resolved, cluster is down	Network problem was fixed, cluster is down
Unreachable -> Down	Cluster nodes were rebooted but the cluster was not started	Network came up but the cluster was not running
Up -> Error	Serviceguard version or security file mismatch, software error	Network is misconfigured, or DNS server crashed or set up incorrectly
Down -> Error	Serviceguard version or security file mismatch, software error	Network is misconfigured, or DNS server crashed or set up incorrectly
Unreachable -> Error	Serviceguard version or security file mismatch, software error	Network problem was fixed, but the error condition still exists
Down -> Up	Cluster started	No network problems
Unreachable -> Up	Cluster nodes were rebooted and the cluster started	Network came up and the cluster was already running
Error -> Up	Error resolved, cluster is up	Network problem was fixed, cluster is up




	NOTE: There is only one condition under which cmclsentryd will determine that the cluster has Error status: all nodes are unreachable except those which have Serviceguard Error status. (If any nodes are Down or Up, then the cluster status will take one of those values, rather than Error.)

Interpreting the Significance of Cluster Events

Because some cluster events (for example, Up -> Unreachable) can be caused by changes in either a cluster state or a network state, additional independent information is required to achieve the primary objective of determining whether you need to recover a cluster’s applications. Sources of independent information include:

Contact with the network provider
Contact with the administrator of the monitored cluster
Contact with local cluster administrator
Contact with company executives

When problematic cluster events persist, obtain as much information as possible, including authorization to recover, if your business practices require this, and then issue the Continentalclusters recovery command, cmrecovercl.

How Notifications Work

A central part of the operation of Continentalclusters is the transmission of notifications following the detection of a cluster event. Notifications occur at specifically coded times, and at two different levels:

Alert—when a cluster event should be considered noteworthy.
Alarm—when an event shows evidence of a cluster failure.

Notifications are typically sent as:

Email messages
SNMP traps
Text log files
OPC messages to OpenView IT/Operations

In addition, notifications are sent to the eventlog file located in the /var/opt/resmon/log/cc directory on the system where monitoring is taking place.




	NOTE: An email message can be sent to an address supplied by a pager service that will forward the message to a specified pager system. (Contact your pager service provider for more information.)

Alerts

Alerts are intended as informational. Some typical uses of alerts include:

Notification that a cluster has been halted for a significant amount of time.
Notification that a cluster has come up after being down or unreachable.
Notification that a cluster came down for any reason.
Notification that a cluster has been in an unreachable state for a short period of time. An alert is sent in this case as a warning that an alarm might be issued later if the cluster’s state remains unreachable for a longer time.

The expected process in dealing with alerts is to continue watching for additional notifications and to contact individuals at the site of the monitored cluster to see whether problems exist.

Alarms

Alarms are intended to indicate that a cluster failure might have taken place. The most common example of an alarm is the following:

Notification that a specified cluster has been in an unreachable state for a significant amount of time.

The expected process in dealing with cluster events that persist at the alarm level is to obtain as much information as possible, including authorization to recover, if your business practices require this. At which point, issue the Continentalclusters recovery command, cmrecovercl.

Creating Notifications for Failure Events

For events that indicate potential cluster failure, display the escalation of concern of the cluster health by defining alerts followed by one or more alarms. The following is a typical sequence:

cluster alert at 5 minutes
cluster alert at 10 minutes
cluster alarm at 15 minutes

This could be accomplished by entering two CLUSTER_ALERT lines in the configuration file, and one CLUSTER_ALARM line. A detailed example is provided in the comments in the ASCII configuration file template, shown in “Editing Section 3—Monitoring Definitions”.

Creating Notifications for Events that Indicate a Return of Service

For those events that indicate that the cluster is back online or that communication with the monitor has been restored, use cluster alerts to show the de-escalation of concern. In this case, use a CLUSTER_ALERT line in the configuration file with a time of zero (0), so that notifications are sent as soon as the return to service is detected.

Maintenance Mode for Recovery Groups

A recovery group in a maintenance mode allows the recovery group to be exempted from a recovery. This implies that the recovery package cannot be started in a recovery cluster. By default, all recovery groups in the Continentalclusters configuration are not in the maintenance mode. To move a recovery group in continentalclusters into the maintenance mode, you must disable it. To move a recovery group out of the maintenance mode, you must enable it. You can complete rehearsal operations on a recovery group only when the recovery group is in the maintenance mode. For more information on rehearsal operations, see “Performing a Rehearsal Operation in your Environment”.

Use the cmrecovercl -d -g command to move a recovery group into the maintenance mode. To move the recovery group out of the maintenance mode, use the cmrecovercl -e -g command.

Maintenance mode for recovery groups is an optional feature. You must explicitly configure Continentalclusters to use this feature. Consider the following guidelines when you move a recovery group into the maintenance mode:

Configure a shared disk with a file system in all primary clusters and in the recovery cluster. This shared disk is local to the cluster and need not be replicated.
Configure the CONTINENTAL_CLUSTER_STATE_DIR parameter in the Continentalcluster configuration file with an absolute path to a file system. Create this path in all nodes and reserve it for Continentalclusters. This filesystem is used to hold the current maintenance mode setting for recovery groups.
Configure the monitor package control script to mount the file system in the shared disk for the path specified with the CONTINENTAL_CLUSTER_STATE_DIR parameter.

When a recovery group is in the maintenance mode, start up of a recovery package with cmrecovercl, cmrunpkg or cmmodpkg commands is prevented by Continentalclusters for that recovery group.

When a recovery group is in the maintenance mode there is no impact on the availability of the primary packages. The primary package continues to be up and is highly available within the primary cluster (i.e., local failover allowed). Clients can continue to connect to the primary package and access its production data on the primary cluster.

There is no dependency on data replication to move a recovery group into maintenance mode. Array based replication can be suspended or can be in progress. Similarly, logical replication can either be suspended (receiver package is down) or can be resumed (receiver package is up).

Table 2-2 “Impact of Maintenance Mode” describes the impact on recovery when a recovery group is in the maintenance mode.

Table 2-2 Impact of Maintenance Mode

Default Mode

Maintenance Mode

Recovery package startup using cmrecovercl, cmrunpkg, cmmodpkg or cmforceconcl commands is allowed.

Recovery package startup using cmrecovercl, cmrunpkg, cmmodpkg or cmforceconcl commands is not allowed.

Cross-checking is done between primary and recovery packages to ensure both packages are not up at the same time.

The primary package is allowed to start only if the recovery package is down. Similarly, a recovery package is allowed to start only if the primary package is down.

No impact to primary packages. The primary package continues to run irrespective of the mode.

Moving a Recovery Group into Maintenance Mode

Run the following command to disable a recovery group and move it into the maintenance mode:

cmrecovercl -d [-f] -g <recovery group>

Where:

<recovery group> is the name of the recovery group to be disabled.

Run this command only on recovery cluster nodes. This command succeeds only when Continentalclusters is configured for maintenance mode. The command checks for the following conditions to successfully disable a recovery group:

The recovery package is down and package switching is disabled.
The primary cluster and the primary package are up. If the cluster is down or unreachable, use the force -f option to forcefully disable the recovery group.
WARNING! When you use the force option, ensure that the primary package and the cluster are not down due to a primary site failure.
The monitor package is up and running in the recovery cluster.

Moving a Recovery Group out of the Maintenance Mode

Run the following command to enable a recovery group and move it out of the maintenance mode:

cmrecovercl -e -g <recovery group>

Where:

<recovery group> is the name of the recovery group to be enabled and moved out of the maintenance mode.

You can run this command only on recovery cluster nodes. The command succeeds only when Continentalclusters is configured for maintenance mode. Following are the conditions that need to be met for the recovery group to be enabled and moved out of the maintenance mode:

For recovery groups configured with a rehearsal package, the rehearsal package is halted and package switching is disabled.
The monitor package is up and running in the recovery cluster.

Performing Cluster Recovery

When a CLUSTER_ALARM is issued, there may be a need for a cluster recovery using the recovery command, cmrecovercl, which is enabled for use by the root user. Cluster recovery is carried out at the site of the recovery cluster by using the cmrecovercl command. The cmrecovercl command will only recover recovery groups that are enabled for recovery and are not in the maintenance mode.

# cmrecovercl

Issuing this command will halt any configured data replication activity from the failed cluster to the recovery cluster, and will start all configured recovery packages on the recovery cluster that are pre-configured in recovery groups. A recovery group is the basic unit of recovery used in a continental cluster configuration. This command will fail if a cluster alarm has not been issued.

If option “-g RecoveryGroup” is specified with the recovery command, then the recovery process of halting data replication activity and starting of the recovery package will only be done for the specified recovery group.

After the cmrecovercl command is issued, there is a delay of at least 90 seconds (per recovery group) while the command ensures that the package is not active on another cluster.

Cluster recovery is done as a last resort, after all other approaches to restore the unavailable cluster have been exhausted. It is important to remember that cluster recovery sets in motion a process that cannot be easily reversed. Unlike the failover of a package from one node to another, failing a package from one cluster to another normally involves a significant quantity of data that is being accessed from a new set of disks. Returning control to the original cluster will involve resynchronizing this data and resetting the roles of the clusters in a process that is easier for some data replication techniques than others.




	NOTE: After a recovery, it is not possible to reverse directions and return a package to its original cluster without first reconfiguring the data replication hardware and/or software and synchronizing data. Therefore, be very cautious when deciding to use the cmrecovercl command. It is for this reason, HP recommends that stringent procedures and processes are in place to aid in making the decision to complete a recovery process.

Performing Recovery Group Rehearsal in Continentalclusters

During a recovery in Continentalclusters, a configuration inconsistency at the recovery cluster can result in an unsuccessful recovery attempt. Rehearsing the recovery procedure provides you a method to proactively identify and fix these configuration inconsistencies so that there are no issues during an actual recovery. Continentalclusters provides the environment and a set of required tools to complete a Disaster Recovery (DR) Rehearsal.

Continentalclusters allows recovery groups to be configured with a special rehearsal package for DR rehearsal. You must configure the rehearsal package in the recovery cluster and specify it as part of the recovery group definition. The rehearsal package is identical to the recovery package and can be effectively used in place of the recovery package to verify the environment. This rehearsal package bundles the same application and uses the same storage devices as the recovery package.

During a DR rehearsal process, Continentalclusters will start the rehearsal package and validate the recovery cluster environment. However, to stop clients from using the recovery package application instance, it is necessary that the client access network IP address be different for the rehearsal package. For more information on configuring a rehearsal package, see “Configuring Recovery Groups with Rehearsal Packages”.

Also, you must configure Continentalclusters to enable the maintenance mode feature for recovery groups. For more information on the maintenance mode, see “Maintenance Mode for Recovery Groups”.

Disaster Recovery Rehearsal for a recovery group is done in the following phases:

Rehearsal Preparation Phase
In this phase, you must prepare your environment for rehearsal. To prepare a recovery group for rehearsal, complete the following steps:
1. Enter the cmrecovercl -d command to move the recovery group into the maintenance mode by disabling it.
2. Suspend replication from the primary cluster.
3. Prepare a business copy (BC/BCV) of the storage on the recovery cluster.
4. Make the storage system read-write on the recovery cluster.
5. Import the volume manager entities such as LVM or SLVM volume groups or the VxVM or CVM disk groups in the recovery cluster.
Rehearsal Run Phase
Start the DR rehearsal for the recovery group using the Continentalclusters command cmrecovercl -r. This command starts the rehearsal package for the recovery group and validates the Continentalclusters configuration and environment for the recovery group. Once rehearsal is started, use the regular Serviceguard commands to manage the rehearsal package. You can run any test load on the rehearsal package to validate the recovery of the application.

Rehearsal Restoration Phase

Once rehearsal process is complete, you must restore recovery for the recovery group. You must halt and disable the rehearsal package in the cluster and synchronize the recovery cluster storage with the primary site storage with the latest application data. Also, you must resume replication from the primary cluster. Finally, you need to move the recovery group out of the maintenance mode by enabling it using the cmrecovercl -e command.




	WARNING! Ensure that the storage system of the recovery group is synchronized with the latest data and the replication environment is restored before the recovery group is moved out of the maintenance mode. Failure to do so can result in the recovery package using production data that was invalidated by the rehearsal run during a subsequent recovery.

For information on running a rehearsal process in your environment, see Appendix G “Data Replication Rehearsal in a Sample Environment”.

Notes on Packages in a Continental Cluster

Packages have somewhat different behavior in a continental cluster than in a normal Serviceguard environment. There are specific differences in

Startup and Switching Characteristics
Network Attributes

From Serviceguard A.11.17 and above, you can configure the following package types in a recovery group:

Failover
Oracle RAC Multi-node packages

In the case of a multi-node package, a recovery process recovers all instances of the package in a recovery cluster.




	NOTE: System multi-node packages cannot be configured in Continentalclusters recovery groups. Multi-node packages are supported only for Oracle with CFS or CVM environments.

Startup and Switching Characteristics

Normally, an application (package) can run on only one node at a time in a cluster. However, in a continental cluster, there are two clusters in which an application—the primary package or the recovery package—could operate on the same data. Both the primary and the recovery package must not be allowed to run at the same time. To prevent this, it is important to ensure that packages are not allowed to start automatically and are not started at inappropriate times.

To keep packages from starting up automatically, when a cluster starts, set the AUTO_RUN (PKG_SWITCHING_ENABLED used prior to Serviceguard A.11.12) parameter for all primary and recovery packages to NO. Then use the cmmodpkg command with the -e <packagename> option to start up only the primary packages and enable switching. The cmrecovercl command, when run, will start up the recovery packages and enable switching during the cluster recovery operation.




	CAUTION: After initial testing is complete, the cmrunpkg and cmmodpkg commands or the equivalent options in SAM should never be used to start a recovery package unless cluster recovery has already taken place.

To prevent packages from being started at the wrong time and in the wrong place, use the following strategies:

Set the AUTO_RUN (PKG_SWITCHING_ENABLED used prior to Serviceguard A.11.12) parameter for all primary and recovery packages to NO.
Ensure that recovery package names are well known, and that personnel understand they should never be started with a cmrunpkg or cmmodpkg command unless the cmrecovercl command has been invoked first.
If a cluster has no packages to run before recovery, then do not allow packages to be run on that cluster with Serviceguard Manager.

Network Attributes

Another important difference between the packages configured in a continental cluster and the packages configured in a standard Serviceguard cluster is that the same or different subnets can be used for primary cluster and recovery cluster configurations. In addition, the same or different relocatable IP addresses can be used for the primary package and its corresponding recovery package. The client application must be designed properly to connect to the appropriate IP address following a recovery operation. For recovery groups with a rehearsal package configured, ensure that the rehearsal package IP address is different from the recovery package IP address.

How Serviceguard commands work in a Continentalclusters

Continentalclusters packages are manipulated manually by the user via Serviceguard commands and by cmcld automatically in the same way as any other packages.

In a continental cluster the recovery package are not allowed to run at the same time as the primary, data sender, or data receiver packages. To enforce this, several Serviceguard commands behave in a slightly different manner when used in a continental cluster.

Table 2-3 “Serviceguard and Continentalclusters Commands” describes the Serviceguard commands whose behavior is different in a continental cluster environment. Specifically, when one of the commands listed in Table 2-3 “Serviceguard and Continentalclusters Commands” attempts to start or enable switching of a package, it first checks the status of the other packages in the recovery group. Based on the status, the operation is either allowed or disallowed.

The checking is done based on the stable clusters' environment and the proper functioning of the network communication. In the case when the network communication between clusters can not be established or the cluster or package status can not be determined, it is must be checked manually to ensure that the operation to be performed on the target package will not have a conflict with other packages configured in the same recovery group.

Table 2-3 Serviceguard and Continentalclusters Commands

Commands	How the commands work in Serviceguard	How the commands work in Continentalclusters
cmrunpkg	runs a package	Will not start a recovery package if any of the primary, data receiver, or data sender package in the same recovery group is running or enabled. Will not start recovery package if the recovery group is in maintenance mode. Will not start a primary, data receiver, or data sender package if the recovery package in the same recovery group is running or enabled. Will not start a rehearsal package when the recovery group is not in maintenance mode.
cmmodpkg -e	enable switching attribute for a highly available package	Will not enable switching on a recovery package if any of the primary, data receiver, or data sender package in the same recovery group is running or enabled. Will not enable switching for a recovery package if the recovery group is in maintenance mode. Will not enable a primary, data receiver, or data sender package if the recovery package in the same recovery group is running or enabled. Will not enable switching for a rehearsal package when the recovery group is not in maintenance mode.
cmhaltnode -f	halts a node in a highly available cluster	Will not re-enable switching on a recovery package if any of the primary, data receiver, or data sender package in the same recovery group is running or enabled. Will not re-enable a primary, data receiver, or data sender package if the recovery package in the same recovery group is running or enabled.
cmhaltcl -f	This command will halt daemons on all currently running systems	Will not re-enable switching on a recovery package if any of the primary, data receiver, or data sender package in the same recovery group is running or enabled. Will not re-enable a primary, data receiver, or data sender package if the recovery package in the same recovery group is running or enabled.