Tanti Technology


Sunday, 26 June 2011

HACMP BEST PRACTICES

HACMP
HIGH AVAILABILITY CLUSTER MULTIPROCESSING
BEST PRACTICES


Table of Contents
I. Overview
II. Designing High Availability
   Risk Analysis
III. Cluster Components
   Nodes
   Networks
   Adapters
   Applications
IV. Testing
V. Maintenance
   Upgrading the Cluster Environment
VI. Monitoring
VII. HACMP in a Virtualized World
   Maintenance of the VIOS partition – Applying Updates
VIII. Summary
IX. References
X. About the Authors

WHITE PAPER

Overview
The IBM High Availability Cluster Multiprocessing (HACMP™) product was first shipped in 1991 and is now
in its 14th release, with over 60,000 HACMP clusters in production worldwide. It is generally recognized
as a robust, mature high availability product. HACMP supports a wide variety of configurations and provides
the cluster administrator with a great deal of flexibility. With this flexibility comes the responsibility
to make wise choices: there are many cluster configurations that are workable in the sense that the cluster
will pass verification and come online, but which are not optimum in terms of providing availability. This
document discusses the choices that the cluster designer can make, and suggests the alternatives that make
for the highest level of availability*.


Designing High Availability

“…A fundamental design goal of (successful) cluster design is the elimination of single points of failure (SPOFs)…”
A High Availability Solution helps ensure that the failure of any component of the solution, be it hardware,
software, or system management, does not cause the application and its data to be inaccessible to the user
community. This is achieved through the elimination or masking of both planned and unplanned downtime.
High availability solutions should eliminate single points of failure (SPOF) through appropriate design,
planning, selection of hardware, configuration of software, and carefully controlled change management
discipline.
While the principle of "no single point of failure" is generally accepted, it is sometimes deliberately or inadvertently
violated. It is inadvertently violated when the cluster designer does not appreciate the consequences
of the failure of a specific component. It is deliberately violated when the cluster designer chooses
not to put redundant hardware in the cluster. The most common instance of this is when cluster nodes are
chosen that do not have enough I/O slots to support redundant adapters. This choice is often made to reduce
the price of a cluster, and is generally a false economy: the resulting cluster is still more expensive
than a single node, but has no better availability.
A cluster should be carefully planned so that every cluster element has a backup (some would say two of
everything!). Best practice is that either the paper or on-line planning worksheets be used to do this planning,
and saved as part of the on-going documentation of the system. Fig 1.0 provides a list of typical
SPOFs within a cluster.
“….cluster design decisions should be based on whether they contribute to availability (that is, eliminate a SPOF) or
detract from availability (gratuitously complex) …”
* This document applies to HACMP running under AIX®, although general best practice concepts are also applicable to HACMP
running under Linux®.

Fig 1.0 Eliminating SPOFs



Risk Analysis

In reality, however, it is sometimes just not feasible to eliminate every SPOF within a cluster; examples
include the network¹ and the site². Risk analysis techniques should be used to determine which SPOFs simply
must be dealt with and which can be tolerated. One should:
- Study the current environment. An example would be that the server room is on a properly sized UPS but there is no disk mirroring today.
- Perform requirements analysis. How much availability is required, and what is the acceptable likelihood of a long outage?
- Hypothesize all possible vulnerabilities. What could go wrong?
- Identify and quantify risks. Estimate the cost of a failure versus the probability that it occurs.
- Evaluate countermeasures. What does it take to reduce the risk or consequence to an acceptable level?
- Finally, make decisions, create a budget and design the cluster.
¹ If the network as a SPOF must be eliminated then the cluster requires at least two networks. Unfortunately, this only eliminates
the network directly connected to the cluster as a SPOF. It is not unusual for the users to be located some number of hops away
from the cluster. Each of these hops involves routers, switches and cabling – each of which typically represents yet another SPOF.
Truly eliminating the network as a SPOF can become a massive undertaking.
² Eliminating the site as a SPOF depends on distance and the corporate disaster recovery strategy. Generally, this involves using
HACMP eXtended Distance (XD, previously known as HAGEO). However, if the sites can be covered by a common storage area
network – say, buildings within a 2km radius – then the Cross-site LVM mirroring function as described in the HACMP Administration
Guide is most appropriate, providing the best performance at no additional expense. If the sites are within the range of PPRC
(roughly, 100km) and compatible ESS/DS/SVC storage systems are used, then one of the HACMP/XD: PPRC technologies is
appropriate. Otherwise, consider HACMP/XD: GLVM. These topics are beyond the scope of this white paper.


Cluster Components

Here are the recommended practices for important cluster components.

Nodes
HACMP supports clusters of up to 32 nodes, with any combination of active and standby nodes. While it
is possible to have all nodes in the cluster running applications (a configuration referred to as "mutual
takeover"), the most reliable and available clusters have at least one standby node - one node that is normally
not running any applications, but is available to take them over in the event of a failure on an active
node.
Additionally, it is important to pay attention to environmental considerations. Nodes should not have a
common power supply - which may happen if they are placed in a single rack. Similarly, building a cluster
of nodes that are actually logical partitions (LPARs) with a single footprint is useful as a test cluster, but
should not be considered for availability of production applications.
Nodes should be chosen that have sufficient I/O slots to install redundant network and disk adapters.
That is, twice as many slots as would be required for single node operation. This naturally suggests that
processors with small numbers of slots should be avoided. Use of nodes without redundant adapters
should not be considered best practice. Blades are an outstanding example of this. And, just as every cluster
resource should have a backup, the root volume group in each node should be mirrored, or be on a
RAID device.
Nodes should also be chosen so that when the production applications are run at peak load, there are still
sufficient CPU cycles and I/O bandwidth to allow HACMP to operate. The production application
should be carefully benchmarked (preferable) or modeled (if benchmarking is not feasible) and nodes chosen
so that they will not exceed 85% busy, even under the heaviest expected load.
Note that the takeover node should be sized to accommodate all possible workloads: if there is a single
standby backing up multiple primaries, it must be capable of servicing multiple workloads. On hardware
that supports dynamic LPAR operations, HACMP can be configured to allocate processors and memory to
a takeover node before applications are started. However, these resources must actually be available, or
acquirable through Capacity Upgrade on Demand. The worst case situation – e.g., all the applications on
a single node – must be understood and planned for.

Networks
HACMP is a network centric application. HACMP networks not only provide client access to the applications
but are used to detect and diagnose node, network and adapter failures. To do this, HACMP uses
RSCT which sends heartbeats (UDP packets) over ALL defined networks. By gathering heartbeat information
on multiple nodes, HACMP can determine what type of failure has occurred and initiate the appropriate
recovery action. Being able to distinguish between certain failures, for example the failure of a network
and the failure of a node, requires a second network! Although this additional network can be “IP
based”, it is possible that the entire IP subsystem could fail within a given node. Therefore, in addition,
there should be at least one, ideally two, non-IP networks. Failure to implement a non-IP network can potentially
lead to a partitioned cluster, sometimes referred to as 'split brain' syndrome. This situation can
occur if the IP network(s) between nodes becomes severed or in some cases congested. Since each node is
in fact, still very alive, HACMP would conclude the other nodes are down and initiate a takeover. After
takeover has occurred the application(s) potentially could be running simultaneously on both nodes. If the
shared disks are also online to both nodes, then the result could lead to data divergence (massive data corruption).
This is a situation which must be avoided at all costs.
The most convenient way of configuring non-IP networks is to use Disk Heartbeating as it removes the
problems of distance with rs232 serial networks. Disk heartbeat networks only require a small disk or
LUN. Be careful not to put application data on these disks. Although, it is possible to do so, you don't want
any conflict with the disk heartbeat mechanism!
Important network best practices for high availability:
- Failure detection is only possible if at least two physical adapters per node are in the same physical network/VLAN. Take extreme care when making subsequent changes to the networks with regard to IP addresses, subnet masks, intelligent switch port settings and VLANs.
- Ensure there is at least one non-IP network configured.
- Where possible, use an Etherchannel configuration in conjunction with HACMP to aid availability. This can be achieved by ensuring the configuration contains a backup adapter which plugs into an alternate switch. However, note that HACMP sees Etherchannel configurations as single-adapter networks. To aid problem determination, configure the netmon.cf file to allow ICMP echo requests to be sent to other interfaces outside of the cluster. See the Administration Guide for further details.
- Each physical adapter in each node needs an IP address in a different subnet using the same subnet mask, unless Heartbeating over IP Aliasing is used.
- Currently, there is NO support in HACMP for Virtual IP Addressing (VIPA), IPv6 or IEEE 802.3 standard (et) interfaces.
- Ensure you have in place the correct network configuration rules for the cluster with regard to IPAT via Replacement/Aliasing, Etherchannel, H/W Address Take-over (HWAT), Virtual Adapter support, service and persistent addressing. For more information check the HACMP Planning Guide documentation.
- Name resolution is essential for HACMP. External resolvers are deactivated under certain event processing conditions. Avoid problems by configuring /etc/netsvc.conf and the NSORDER variable in /etc/environment to ensure the host command checks the local /etc/hosts file first.
- Read the release notes stored in /usr/es/sbin/cluster/release_notes. Look out for new and enhanced features, such as collocation rules, persistent addressing and fast failure detection.
- Configure persistent IP labels on each node. These IP addresses are available at AIX® boot time and HACMP will strive to keep them highly available. They are useful for remote administration, monitoring and secure node-to-node communications. Consider implementing a host-to-host IPsec tunnel between the persistent labels of the nodes. This will ensure sensitive data such as passwords are not sent unencrypted across the network; an example is the C-SPOC option "change a user's password".
- If you have several virtual clusters split across frames, ensure boot subnet addresses are unique per cluster. This will avoid problems with netmon reporting the network is up when in fact the physical network outside the cluster may be down.

Adapters
As stated above, each network defined to HACMP should have at least two adapters per node. While it is
possible to build a cluster with fewer, the reaction to adapter failures is more severe: the resource group
must be moved to another node. AIX provides support for Etherchannel, a facility that can be used to aggregate
adapters (increase bandwidth) and provide network resilience. Etherchannel is particularly useful for
fast responses to adapter/switch failures. This must be set up with some care in an HACMP cluster.
When done properly, this provides the highest level of availability against adapter failure. Refer to the IBM
techdocs website: http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/TD101785 for further
details.
Many System p™ servers contain built-in Ethernet adapters. If the nodes are physically close together, it
is possible to use the built-in Ethernet adapters on two nodes and a "cross-over" Ethernet cable (sometimes
referred to as a "data transfer" cable) to build an inexpensive Ethernet network between two nodes for
heartbeating. Note that this is not a substitute for a non-IP network.
Some adapters provide multiple ports. One port on such an adapter should not be used to back up another
port on that adapter, since the adapter card itself is a common point of failure. The same thing is true
of the built-in Ethernet adapters in most System p servers and currently available blades: the ports have a
common adapter. When the built-in Ethernet adapter can be used, best practice is to provide an additional
adapter in the node, with the two backing up each other.
Be aware of the network failure detection settings for the cluster and consider tuning these values. In HACMP terms,
these are referred to as NIM values. There are four settings per network type which can be used: slow,
normal, fast and custom. With the default setting of normal for a standard Ethernet network, the network
failure detection time would be approximately 20 seconds. With today's switched network technology this
is a large amount of time. By switching to the fast setting the detection time would be reduced by 50% (10
seconds), which in most cases would be more acceptable. Be careful, however, when using custom settings,
as setting these values too low can cause false takeovers to occur. These settings can be viewed using a variety
of techniques including: the lssrc -ls topsvcs command (from a node which is active), odmget
HACMPnim | grep -p ether, and smitty hacmp.

Applications
The most important part of making an application run well in an HACMP cluster is understanding the
application's requirements. This is particularly important when designing the Resource Group policy behavior
and dependencies. For high availability to be achieved, the application must have the ability to
stop and start cleanly and not explicitly prompt for interactive input. Some applications tend to bond to a
particular OS characteristic such as a uname, serial number or IP address. In most situations, these problems
can be overcome. The vast majority of commercial software products which run under AIX are well
suited to be clustered with HACMP.

Application Data Location
Where should application binaries and configuration data reside? There are many arguments in this discussion.
Generally, keep all the application binaries and data where possible on the shared disk, as it is easy
to forget to update them on all cluster nodes when they change. This can prevent the application from starting or
working correctly when it is run on a backup node. However, the correct answer is not fixed. Many application
vendors have suggestions on how to set up the applications in a cluster, but these are recommendations.
Just when it seems to be clear cut as to how to implement an application, someone thinks of a new
set of circumstances. Here are some rules of thumb:
If the application is packaged in LPP format, it is usually installed on the local file systems in rootvg. This
behavior can be overcome, by bffcreate’ing the packages to disk and restoring them with the preview option.
This action will show the install paths, then symbolic links can be created prior to install which point
to the shared storage area. If the application is to be used on multiple nodes with different data or configuration,
then the application and configuration data would probably be on local disks and the data sets on
shared disk with application scripts altering the configuration files during fallover. Also, remember the
HACMP File Collections facility can be used to keep the relevant configuration files in sync across the cluster.
This is particularly useful for applications which are installed locally.

Start/Stop Scripts
Application start scripts should not assume the status of the environment. Intelligent programming should
correct any irregular conditions that may occur. The cluster manager spawns these scripts off in a separate
job in the background and carries on processing. Some things a start script should do are:
- First, check that the application is not currently running! This is especially crucial for v5.4 users, as resource groups can be placed into an unmanaged state (the forced down action in previous versions). Using the default startup options, HACMP will rerun the application start script, which may cause problems if the application is actually running. A simple and effective solution is to check the state of the application on startup. If the application is found to be running, simply end the start script with exit 0.
- Verify the environment. Are all the disks, file systems, and IP labels available?
- If different commands are to be run on different nodes, store the executing hostname in a variable.
- Check the state of the data. Does it require recovery? Always assume the data is in an unknown state, since the conditions that caused the takeover cannot be assumed.
- Are there prerequisite services that must be running? Is it feasible to start all prerequisite services from within the start script? Is there an inter-resource group dependency or resource group sequencing that can guarantee the previous resource group has started correctly? HACMP v5.2 and later has facilities to implement checks on resource group dependencies, including collocation rules in HACMP v5.3.
- Finally, when the environment looks right, start the application. If the environment is not correct and error recovery procedures cannot fix the problem, ensure there are adequate alerts (email, SMS, SNMP traps etc.) sent out via the network to the appropriate support administrators.
Stop scripts are different from start scripts in that most applications have a documented start-up routine
and not necessarily a stop routine. The assumption is: once the application is started, why stop it? Relying
on a failure of a node to stop an application will be effective, but to use some of the more advanced features
of HACMP the requirement exists to stop an application cleanly. Some of the issues to avoid are:
- Be sure to terminate any child or spawned processes that may be using the disk resources. Consider implementing child resource groups.
- Verify that the application is stopped to the point that the file system is free to be unmounted. The fuser command may be used to verify that the file system is free.
- In some cases it may be necessary to double check that the application vendor's stop script did actually stop all the processes, and occasionally it may be necessary to forcibly terminate some processes. Clearly the goal is to return the machine to the state it was in before the application start script was run.
- Failing to exit the stop script with a zero return code, as this will stop cluster processing. Note: this is not the case with start scripts!
Remember, most vendor stop/start scripts are not designed to be cluster proof! A useful tip is to have the stop
and start scripts output verbosely, using the same format, to the /tmp/hacmp.out file. This can be achieved
by including the following line in the header of the script:
set -x && PS4="${0##*/}"'[$LINENO] '

Application Monitoring
HACMP provides the ability to monitor the state of an application. Although optional, implementation is
highly recommended. This mechanism provides for self-healing clusters. In order to ensure that event
processing does not hang due to failures in the (user supplied) script and to prevent hold-up during event
processing, HACMP has always started the application in the background. This approach has disadvantages:
- There is no wait or error checking.
- In a multi-tiered environment there is no easy way to ensure that applications of higher tiers have been started.
Application monitoring can either check for process death, or run a user-supplied custom monitor method
during the start-up or continued running of the application. The latter is particularly useful when the application
provides some form of transaction processing: a monitor can run a null transaction to ensure that
the application is functional. Best practice for applications is to have both process death and user-supplied
application monitors in place.
Don't forget to test the monitoring, start, restart and stop methods carefully! Poor start, stop and monitor
scripts can cause cluster problems, not just in maintaining application availability but in avoiding data corruption³.
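The start/stop rules of thumb above and the custom monitor method just described, as one added example script (not from the paper or any vendor product; the application name, shared file system, pid file, vendor commands and the health probe are assumptions):

```shell
#!/bin/sh
# Added example, not from the paper: a cluster-proof start/stop/monitor script
# skeleton for an HACMP application server. Application name, shared file
# system, pid file, vendor commands and the health probe are all assumptions.

set -x                                  # trace into hacmp.out, prefixed with
PS4="${0##*/}"'[$LINENO] '              # script name and line number

APP_NAME="${APP_NAME:-myapp}"                                  # assumed
APP_FS="${APP_FS:-/myapp}"                                     # assumed shared file system
APP_PIDFILE="${APP_PIDFILE:-$APP_FS/run/$APP_NAME.pid}"        # assumed
APP_START="${APP_START:-$APP_FS/bin/${APP_NAME}_server}"       # assumed vendor daemon
APP_STOP="${APP_STOP:-$APP_FS/bin/${APP_NAME}_shutdown}"       # assumed vendor stop routine
APP_RECOVER="${APP_RECOVER:-$APP_FS/bin/${APP_NAME}_recover}"  # assumed data recovery tool
APP_PROBE="${APP_PROBE:-$APP_FS/bin/${APP_NAME}_ping}"         # assumed null-transaction probe
ALERT_CMD="${ALERT_CMD:-logger -p user.crit}"                  # swap for mail/SMS/SNMP trap
STOP_GRACE="${STOP_GRACE:-30}"                                 # seconds before SIGKILL

log() { printf '%s %s: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "${0##*/}" "$*" >&2; }

# 0 when a live process holds the pid recorded in pid file $1, else 1.
app_is_running() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# 0 when $1 is a mounted file system (df -P output is POSIX: AIX and Linux alike).
fs_is_mounted() {
    mp=$(df -P "$1" 2>/dev/null | awk 'NR == 2 { print $NF }')
    [ "$mp" = "$1" ]
}

# 0 when no process holds files open under $1, so it can be unmounted.
fs_is_free() {
    pids=$(fuser -c "$1" 2>/dev/null || true)
    [ -z "$pids" ]
}

start_app() {
    # Never start twice: the resource group may just have left the unmanaged state.
    if app_is_running "$APP_PIDFILE"; then
        log "$APP_NAME already running, leaving it alone"
        return 0
    fi
    # Verify the environment before touching the application.
    if ! fs_is_mounted "$APP_FS"; then
        log "$APP_FS is not mounted on $(uname -n)"
        $ALERT_CMD "HACMP: $APP_NAME start aborted on $(uname -n): $APP_FS not mounted"
        return 1
    fi
    # Assume the data is in an unknown state after a takeover: recover it first.
    if [ -x "$APP_RECOVER" ] && ! "$APP_RECOVER"; then
        log "data recovery failed, refusing to start $APP_NAME"
        $ALERT_CMD "HACMP: $APP_NAME data recovery failed on $(uname -n)"
        return 1
    fi
    # Environment looks right: start the application and record its pid.
    mkdir -p "$(dirname "$APP_PIDFILE")"
    "$APP_START" >/dev/null 2>&1 &
    echo $! > "$APP_PIDFILE"
    log "$APP_NAME started with pid $!"
    return 0
}

stop_app() {
    if app_is_running "$APP_PIDFILE"; then
        pid=$(head -n 1 "$APP_PIDFILE")
        # Vendor stop routine first, then verify it really stopped everything.
        if [ -x "$APP_STOP" ]; then
            "$APP_STOP" || log "vendor stop routine failed, escalating"
        fi
        i=0
        while kill -0 "$pid" 2>/dev/null && [ "$i" -lt "$STOP_GRACE" ]; do
            sleep 1; i=$((i + 1))
        done
        kill -0 "$pid" 2>/dev/null && kill -9 "$pid" 2>/dev/null
    fi
    # Children or spawned processes may still pin the file system and would make
    # the unmount during resource release fail: terminate them.
    fs_is_free "$APP_FS" || fuser -k -c "$APP_FS" >/dev/null 2>&1
    rm -f "$APP_PIDFILE"
    return 0   # a stop script must always exit 0 or event processing stalls
}

# Custom monitor method: 0 while healthy, non-zero only when the application has
# really failed (process gone, or the null transaction fails).
monitor_app() {
    app_is_running "$APP_PIDFILE" || return 1
    [ -x "$APP_PROBE" ] || return 0       # no probe: a live process is all we know
    "$APP_PROBE" >/dev/null 2>&1
}

case "${1:-}" in
    start)   start_app;   exit $? ;;
    stop)    stop_app;    exit 0 ;;
    monitor) monitor_app; exit $? ;;
    "")      : ;;                         # no argument: only define the functions
    *)       log "usage: $0 start|stop|monitor"; exit 2 ;;
esac
```

Register the same file as the start script, stop script and custom monitor method with the matching argument; the monitor exits non-zero only when the process is gone or the probe fails, so a healthy application is never reported as failed.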
In addition, HACMP also supplies a number of tools and utilities to help in customization efforts, such as pre-
and post-event scripts. Care should be taken to use only those for which HACMP also supplies a man
page (lslpp -f cluster.man.en_US.es.data) – those are the only ones for which upwards compatibility
is guaranteed. A good best practice example for this use would be application provisioning.
³ Having monitoring scripts exit with non-zero return codes when the application has not failed, in conjunction with poor start/stop
scripts, can result in undesirable behavior (i.e. data corruption). Not only is the application down but it is in need of emergency repair
which may involve data restore from backup.
⁴ CoD support includes: On/Off CoD inc. Trial, CUoD and CBU for high-end only. See
http://www-03.ibm.com/servers/eserver/about/cod for further details.

Application Provisioning
HACMP has the capability of driving Dynamic LPAR and some Capacity on Demand (CoD) operations⁴
to ensure there is adequate processing and memory available for the application(s) upon start-up. This is
shown in Fig 1.1.
Fig 1.1 Application Provisioning example.
This process can be driven using HACMP smit panels. However, this approach does have several limitations:
- Support for POWER4™ architecture only (whole CPUs and 256 Memory Chunks)
- No provisions or flexibility for shutting down or "stealing from" other LPARs
- The CoD activation key must have been entered manually prior to any HACMP Dynamic Logical Partitioning (DLPAR) event
- Must have LPAR name = AIX OS hostname = HACMP node name
- Large memory moves will be actioned in one operation. This will invariably take some time and hold up event processing
- The LPAR hostname must be resolvable at the HMC
- The HACMP driver script hmc_cmd does not log the DLPAR/CoD commands it sends to the HMC. Debugging is limited and often it is necessary to hack the script, which is far from ideal!
- If the acquisition/release fails, the operation is not repeated on another HMC if one is defined
Given these drawbacks, I would recommend this behavior is implemented using user-supplied custom
scripts. Practical examples can be explored in the AU61G education class; see the Reference section.

Testing
Simplistic as it may seem, the most important thing about testing is to actually do it.
A cluster should be thoroughly tested prior to initial production (and once clverify runs without errors or
warnings). This means that every cluster node and every interface that HACMP uses should be brought
down and up again, to validate that HACMP responds as expected. Best practice would be to perform the
same level of testing after each change to the cluster. HACMP provides a cluster test tool that can be run
on a cluster before it is put into production. This will verify that the applications are brought back on line
after node, network and adapter failures. The test tool should be run as part of any comprehensive cluster
test effort.
Additionally, regular testing should be planned. It’s a common safety recommendation that home smoke
detectors be tested twice a year - the switch to and from daylight savings time being well-known points.
Similarly, if the enterprise can afford to schedule it, node fallover and fallback tests should be scheduled
biannually. These tests will at least indicate whether any problems have crept in, and allow for correction
before the cluster fails in production.
On a more regular basis, clverify should be run. Not only errors but also warning messages should be
taken quite seriously, and fixed at the first opportunity. Starting with HACMP v5.2, clverify is run
automatically daily at 00:00 hrs. Administrators should make a practice of checking the logs daily, and reacting
to any warnings or errors.

Maintenance
Even the most carefully planned and configured cluster will have problems if it is not well maintained. A
large part of best practice for an HACMP cluster is associated with maintaining the initial working state of
the cluster through hardware and software changes.
Prior to any change to a cluster node, take an HACMP snapshot. If the change involves installing an
HACMP, AIX or other software fix, also take a mksysb backup. On successful completion of the change,
use SMIT to display the cluster configuration, print out and save the smit.log file. The Online Planning
Worksheets facility can also be used to generate a HTML report of the cluster configuration.
All mission critical HA Cluster Enterprises should, as best practice, maintain a test cluster identical to the
production ones. All changes to applications, cluster configuration, or software should be first thoroughly
tested on the test cluster prior to being put on the production clusters. The HACMP cluster test tool can be
used to at least partially automate this effort.
Change control is vitally important in an HACMP cluster. In some organizations, databases, networks and
clusters are administered by separate individuals or groups. When any group plans maintenance on a
cluster node, it should be planned and coordinated amongst all the parties. All should be aware of the
changes being made to avoid introducing problems. Organizational policy must preclude “unilateral”
changes to a cluster node. Additionally, change control in an HACMP cluster needs to include a goal of
having all cluster nodes at the same level. It is insufficient (and unwise!) to upgrade just the node running
the application. Develop a process which encompasses the following set of questions:
- Is the change necessary?
- How urgent is the change?
- How important is the change? (Not the same as urgent.)
- What impact does the change have on other aspects of the cluster?
- What is the impact if the change is not allowed to occur?
- Are all of the steps required to implement the change clearly understood and documented?
- How is the change to be tested?
- What is the plan for backing out the change if necessary?
- Will the appropriate expertise be available should problems develop?
- When is the change scheduled?
- Have the users been notified?
- Does the maintenance period include sufficient time for a full set of backups prior to the change and sufficient time for a full restore afterwards should the change fail testing?
This process should include an electronic form which requires appropriate sign-offs before the change can
go ahead. Every change, even the minor ones, must follow the process. The notion that a change, even a
small change might be permitted (or sneaked through) without following the process must not be permitted.
To this end, the best practice is to use the HACMP C-SPOC facility where possible for any change, especially
with regards to shared volume groups. If the installation uses AIX password control on the cluster
nodes (as opposed to NIS or LDAP), C-SPOC should also be used for any changes to users and groups.
HACMP will then ensure that the change is properly reflected to all cluster nodes.

Upgrading the Cluster Environment
OK, so you want to upgrade? Start by reading the upgrade chapter in the HACMP installation documentation
and make a detailed plan. Taking the time to review and plan thoroughly will save many 'I forgot to
do that!' problems during and after the migration/upgrade process. Don't forget to check all the version
compatibilities between the different levels of software/firmware and, most importantly, the application
software certification against the level of AIX and HACMP. If you are not sure, check with IBM support
and/or use the Fix Level Recommendation Tool (FLRT), which is available at:
http://www14.software.ibm.com/webapp/set2/flrt/home.
Don't even think about upgrading AIX or HACMP without first taking a backup and checking that it is
restorable. In all cases, it is extremely useful to complete the process in a test environment before actually
doing it for real. AIX facilities such as alt_disk_copy and multibos for creating an alternative rootvg
which can be activated via a reboot are very useful tools worth exploring and using.
Before attempting the upgrade, ensure you carry out the following steps:
- Check that the cluster and application are stable and that the cluster can synchronize cleanly
- Take a cluster snapshot and save it to a temporary non-cluster directory (export SNAPSHOTPATH=)
- Save event script customization files / user-supplied scripts to a temporary non-cluster directory. If you are unsure whether any custom scripts are included, check with odmget HACMPcustom.
- Check that the same level of cluster software (including PTFs) is on all nodes before beginning a migration
- Ensure that the cluster software is committed (and not just applied)
Where possible the Rolling Migration method should be used, as this ensures maximum availability. Effectively,
cluster services are stopped one node at a time using the takeover option (now 'Move resource
groups' in HACMP v5.4). The node/system is updated accordingly and cluster services restarted. This operation
is completed one node at a time until all nodes are at the same level and operational. Note: while
HACMP will work with mixed levels of AIX or HACMP in the cluster, the goal should be to have all nodes
at exactly the same levels of AIX, HACMP and application software. Additionally, HACMP prevents
changes to the cluster configuration when mixed levels of HACMP are present.
Starting with HACMP v5.4, PTFs can now be applied using a 'Non-disruptive upgrade' method. The process
is actually identical to the rolling migration; however, resource groups are placed into an 'Unmanaged'
state to ensure they remain available. Note: during this state the application(s) are not under the control
of HACMP (i.e. not highly available!). Using the default start-up options, HACMP relies on an application
monitor to determine the application state and hence the appropriate actions to undertake.
Alternatively, the entire cluster and applications can be gracefully shut down to update the cluster using
either the 'snapshot' or 'Offline' conversion methods. Historically, upgrading the cluster this way has resulted
in fewer errors, but it requires a period of downtime!

Monitoring
HACMP provides a rich set of facilities for monitoring a cluster, such as the Tivoli integration filesets and
commands such as cldisp, cldump & clstat. The actual facilities used may well be set by enterprise
policy (e.g., Tivoli is used to monitor all enterprise systems). SNMP is central to obtaining
the status of the cluster. HACMP implements a private Management Information Base (MIB) branch maintained
via a SMUX peer subagent to SNMP contained in the clstrmgrES daemon, as shown in Fig 2.0.
Fig 2.0 SNMP and HACMP
The clinfo daemon status facility does have several restrictions, and many users/administrators of HACMP
clusters implement custom monitoring scripts. This may seem complex but actually it's remarkably
straightforward. The cluster SNMP MIB data can be pulled over an ssh session by typing:
    ssh $NODE snmpinfo -v -m dump -o /usr/es/sbin/cluster/hacmp.defs risc6000clsmuxpd > $OUTFILE
Because snmpinfo runs on the node itself, the SNMP query stays local and only ssh crosses the network;
the community string in the node's snmpd configuration should still be changed from the default and limited
to read-only access, as the cluster MIB exposes node, address and resource group state to anyone who can
query it. The output can be parsed with perl or shell scripts to produce a cluster status report. A
little further scripting can render the output as HTML so the cluster status can be obtained
through a CGI web program, as shown in Fig 2.1. Further details are covered in the AU61 World-
Wide HACMP Education class. Other parties also have HACMP-aware add-ons for SNMP monitors;
these include: HP OpenView, Tivoli Universal Agent and BMC PATROL (HACMP Observe Knowledge
Module by to/max/x).
Furthermore, HACMP can invoke notification methods such as SMS, pager and e-mail messages on cluster
event execution and execute scripts on entry of error log reports. Best practice is to have notification of
some form in place for all cluster events associated with hardware and software failures and significant actions
such as adapter, network & node failures.
Fig 2.1 Custom HACMP Monitor
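As an added example (not from the white paper), the following shell script turns a saved snmpinfo dump of the kind described above into a status report, in plain text or as an HTML table for a CGI page, and exits non-zero when any node is not UP so it can drive an alert. The dump embedded in it is constructed: the variable names (clusterName, nodeState, addrLabel and so on) and the numeric state codes (2 = UP, 4 = DOWN, 32 = STABLE) are assumptions chosen to resemble the real MIB, so check them against your own hacmp.defs and a real dump before relying on the mapping.

```shell
#!/bin/sh
# Parse an HACMP SNMP dump (one "variable.index = value" per line) into a report.
# Collect a real dump on the node with:
#   ssh $NODE snmpinfo -v -m dump -o /usr/es/sbin/cluster/hacmp.defs risc6000clsmuxpd > $OUTFILE
# Variable names and state codes below are ASSUMED; verify against hacmp.defs.

# Constructed sample dump: two nodes, nodeb and its service address are down.
SAMPLE_DUMP='clusterName.0 = "prodcluster"
clusterState.0 = 2
clusterSubState.0 = 32
nodeName.1 = "nodea"
nodeState.1 = 2
nodeName.2 = "nodeb"
nodeState.2 = 4
addrLabel.1.1 = "nodea_svc"
addrState.1.1 = 2
addrLabel.2.1 = "nodeb_svc"
addrState.2.1 = 4'

# cluster_report [html]  reads a dump on stdin, prints the report,
# returns 1 if any node is in a state other than UP.
cluster_report() {
    awk -v fmt="${1:-text}" '
        function name(c) {
            c += 0
            return c == 2 ? "UP" : c == 4 ? "DOWN" : c == 32 ? "STABLE" : "UNKNOWN(" c ")"
        }
        function row(kind, label, state) {
            if (fmt == "html")
                printf "<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n", kind, label, state
            else
                printf "%-10s %-8s %s\n", kind, label, state
        }
        {
            split($1, k, ".")          # k[1] = variable, k[2..] = instance index
            v = $3; gsub(/"/, "", v)   # strip quotes from string values (labels with spaces are not expected)
            if      (k[1] == "clusterName")     cname  = v
            else if (k[1] == "clusterState")    cstate = v
            else if (k[1] == "clusterSubState") csub   = v
            else if (k[1] == "nodeName")        nname[k[2]]  = v
            else if (k[1] == "nodeState")       nstate[k[2]] = v
            else if (k[1] == "addrLabel")       alabel[k[2] "." k[3]] = v
            else if (k[1] == "addrState")       astate[k[2] "." k[3]] = v
        }
        END {
            if (fmt == "html") print "<table>"
            row("cluster", cname, name(cstate) "/" name(csub))
            bad = 0
            for (i = 1; (i in nname); i++) {
                row("node", nname[i], name(nstate[i]))
                if (nstate[i] + 0 != 2) bad = 1
                for (j = 1; ((i "." j) in alabel); j++)
                    row("  addr", alabel[i "." j], name(astate[i "." j]))
            }
            if (fmt == "html") print "</table>"
            exit bad
        }'
}

printf '%s\n' "$SAMPLE_DUMP" | cluster_report || echo "** one or more nodes are not UP **"
```

For a CGI page, replace the sample with the dump file written by the ssh command and call cluster_report html; the exit status is what a cron job or a Tivoli/OpenView probe should key on.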

HACMP in a Virtualized World
HACMP will work with virtual devices; however, some restrictions apply when using virtual Ethernet or
virtual disk access. Creating a cluster in a virtualized environment adds new SPOFs which need to be
taken into account. HACMP nodes inside the same physical footprint (frame) must be avoided if high
availability is to be achieved; that configuration should be considered only for test environments. To eliminate
the additional SPOFs in a virtual cluster, a second VIOS should be implemented in each
frame, with the Virtual I/O Client (VIOC) LPARs located in different frames, ideally some distance apart.
Redundancy for disk access can be achieved through LVM mirroring or Multi-Path I/O (MPIO). LVM mirroring
is most suited to eliminating the VIOC rootvg as a SPOF, as shown in Fig 3.0. The root volume group
can be mirrored using standard AIX practices. In the event of a VIOS failure, the LPAR will see stale partitions
and the volume group will need to be resynchronized using syncvg once the VIOS is back. This configuration can also utilize
logical volumes as backing storage to maximize flexibility. For test environments, where each VIOC
is located in the same frame, LVM mirroring could also be used for the data VGs.
Fig 3.0 Redundancy using LVM Mirroring
For shared data volume groups, the MPIO method should be deployed. See Fig 4.0. A LUN is mapped to
both VIOSs in the SAN. From both VIOSs, the LUN is mapped again to the same VIOC. The VIOC LPAR
will correctly identify the disk as an MPIO-capable device and create one hdisk device with two paths. The
configuration is then duplicated on the backup frame/node. Currently, the virtual storage devices will
work only in failover mode; other modes are not yet supported. All devices accessed through a VIO server
must support a "no_reserve" attribute. If the device driver is not able to "ignore" the reservation, the device
cannot be mapped to a second VIOS. Currently, the reservation held by a VIO server cannot be broken
by HACMP, hence only devices that will not be reserved on open are supported. Therefore, HACMP
requires the use of enhanced concurrent mode volume groups (ECVGs). The use of ECVGs is generally
considered best practice anyway.
Fig 4.0 Redundancy using MPIO
In a virtualized networking environment, a VIOS is needed for access to the outside world via a layer-2
Ethernet bridge which is referred to as a Shared Ethernet Adapter (SEA). Now, the physical network
devices along with the SEA are the new SPOFs. How are these SPOFs eliminated? Again, through the
use of a second VIOS. Etherchannel technology within the VIOS can be used to eliminate both the
network adapters and the switch as a SPOF. To eliminate the VIOS as a SPOF there are two choices:
1. Etherchannel (configured in backup mode ONLY - no aggregation) in the VIOC. See Fig 5.0.
2. SEA failover via the Hypervisor. See Fig 6.0.
There are advantages and disadvantages with both methods. However, SEA failover is generally considered
best practice as it allows the use of Virtual LAN ID (VID) tags and keeps the client configuration
cleaner.
From the client perspective only a single virtual adapter is required, and hence IPAT via Aliasing must be
used. IPAT via Replacement and H/W Address Takeover (HWAT) are not supported. Having a second virtual
adapter will not eliminate a SPOF, as the adapter is not real: the SPOF is the Hypervisor. Generally,
single-interface networks are not best practice as this limits the error detection capabilities of HACMP. In
this case it cannot be avoided, so to aid additional analysis add external IP addresses to the netmon.cf file
(/usr/es/sbin/cluster/netmon.cf); these give HACMP targets outside the frame to ping when it cannot otherwise
tell whether an interface is still up. In addition, at least two physical adapters per SEA should be used in the VIOS in an Etherchannel configuration.
Adapters in this channel can also form an aggregate, but remember that most vendors require
adapters which form an aggregate to share the same backplane (a SPOF! - so don't forget to define a
backup adapter). An exception to this rule is Nortel's Split Multi-Link Trunking. Depending on your environment
this technology may be worth investigating.
Fig 5.0 Etherchannel in Backup Mode
Fig 6.0 SEA Failover
And finally a view of the big picture. Be methodical in your planning. As you can see from Fig 7.0 even a
simple cluster design can soon become rather complex!
Fig 7.0 A HACMP Cluster in a virtualized world

Maintenance of the VIOS partition – Applying Updates
The VIOS must be updated in isolation, i.e. with no client access. A simple way of achieving this is to start
by creating a new profile for the VIO server by copying the existing one. Then delete all virtual devices
from the profile and reactivate the VIOS using the new profile. This ensures that no client partition can
access any devices and the VIOS is ready for maintenance.
Prior to restarting the VIOS, a manual failover from the client must be performed so that all disk access and networking
go through the alternate VIOS. The steps to accomplish this are as follows:
For MPIO storage, first confirm with lspath -l hdiskX on the client that the path through the other VIOS is Enabled, then disable the active path by typing:
    chpath -l hdiskX -p vscsiX -s disable
For LVM mirrored disks, set the virtual SCSI target devices to the 'defined' state in the VIO server partition.
For SEA failover, initiate the failover from the active VIOS by typing (entX being the SEA):
    chdev -dev entX -attr ha_mode=standby
For Etherchannel in the VIOC, initiate a forced failover using smitty etherchannel.
After the update has been applied the VIOS must be rebooted. The client should then be redirected to the
newly updated VIOS and the same procedure followed on the alternate VIOS. It is important that each
VIOS used has the same code level, so do not leave the pair running mixed levels for longer than the maintenance window requires.

Summary
'Some final words of advice ....'
Spend considerable time in the planning stage. This is where the bulk of the documentation will be produced
and will lay the foundation for a successful production environment! Start by building a detailed
requirements document⁵. Focus on ensuring the cluster does what the users want/need it to do and that
the cluster behaves how you intend it to. Next, build a detailed technical design document⁶. Details
should include a thorough description of the Storage / Network / Application / Cluster environment (H/
W & S/W configuration) and the cluster behavior (RG policies, location dependencies etc.). Finally, make
certain the cluster undergoes comprehensive and thorough testing⁷ before going live and again at regular
intervals.
Once the cluster is in production, all changes must be made in accordance with a documented Change
Management procedure, and the specific changes must follow the Operational Procedures using (where
possible) cluster-aware tools⁸.
Following the above steps from the initial start phase will greatly reduce the likelihood of problems and
change once the cluster is put into production. In addition, to conclude this white paper, here is a general
summary list of HACMP do's and don'ts.
Do:
Where feasible, use IPAT via Aliasing style networking and enhanced concurrent VGs.
Ensure the H/W & S/W environment has a reasonable degree of currency. Take regular cluster
snapshots and system backups.
Configure application monitors to enhance availability and aid self-healing.
Implement a test environment to ensure changes are adequately tested.
Implement a reliable heartbeat mechanism and include at least one non-IP network.
Ensure there are mechanisms in place which will send out alerts via SNMP, SMS or email when failures
are encountered within the cluster.
Implement verification and validation scripts that capture common problems (or problems that are
discovered in the environment), e.g. volume group settings, NFS mount/export settings, application
changes. In addition, ensure that these mechanisms are kept up to date.
Make use of available HACMP features, such as: application monitoring, extended cluster verification
methods, 'automated' cluster testing (in TEST only), file collections, fast disk takeover and fast
failure detection.
Do not:
Introduce changes to one side of the cluster whilst not keeping the other nodes in sync. Always ensure
changes are synchronized immediately. If some nodes are up and others down, ensure the
change is made and synchronized from an active node.
Attempt changes outside of HACMP's control using custom mechanisms. Where possible use C-SPOC.
Configure applications to bind in any way to node-specific attributes, such as IP addresses, hostnames,
CPU IDs etc. It is best practice to move the applications from node to node manually before
putting them in resource groups under the control of HACMP.
Make the architecture too complex or implement a configuration which is hard to test.
Deploy basic application start and stop scripts which do not include prerequisite checking and error
recovery routines. Always ensure these scripts log verbosely to stdout and stderr.
Implement nested file systems that create dependencies or waits, and other steps that elongate failovers.
Provide root access to untrained and cluster-unaware administrators.
Change failure detection rates on networks without very careful thought and consideration.
Run commands such as
    kill `ps -ef | grep appname | awk '{print $2}'`
when stopping an application. The grep matches every process whose command line contains the name, so
this may also kill the HACMP application monitor and any unrelated process that happens to match.
Rely on standard AIX volume groups (VGs) if databases use raw logical volumes. Consider instead
implementing Big or Scalable VGs. This way, user, group and permission information can be stored
in the VGDA header, which reduces the likelihood of problems during failover.
Rely on any form of manual effort or intervention which may be involved in keeping the applications
highly available.
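The "do not kill by ps | grep" and "log verbosely, check prerequisites, recover from errors" items above describe what a stop script should do instead; the script below is an added example of that pattern and is not from the white paper. It locates the application through a pidfile, refuses to signal the pid unless its command line still matches the expected command (so a reused pid or the application monitor is never hit), escalates from SIGTERM to SIGKILL only after a timeout, and logs every decision so hacmp.out shows what happened. The pidfile path and command pattern are parameters; the demo at the bottom uses a background sleep as a constructed stand-in for the real application. Liveness is read from /proc on Linux and from ps on AIX (which has no /proc/PID/cmdline); the stale pidfile case is one a real stop script hits after a crash.

```shell
#!/bin/sh
# Application stop pattern for an HACMP stop script: pidfile -> verify command
# line -> SIGTERM -> wait -> SIGKILL, with everything logged to stdout.
# The pidfile path and command pattern are parameters (assumed, not HACMP's own).

log() { printf '%s stop_app: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"; }

# cmdline PID: print the command line of a live process; print nothing if it is
# gone or a zombie. /proc on Linux, ps fallback elsewhere (e.g. AIX).
cmdline() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\000' ' ' < "/proc/$1/cmdline"
    else
        ps -p "$1" -o args= 2>/dev/null | grep -v defunct
    fi
}

alive() { [ -n "$(cmdline "$1")" ]; }

# stop_app PIDFILE PATTERN [TIMEOUT_SECONDS]
# returns 0: stopped or not running; 1: bad pidfile or pid belongs to another
# command (nothing is killed); 2: process survived SIGKILL.
stop_app() {
    pidfile=$1; pattern=$2; timeout=${3:-10}
    if [ ! -r "$pidfile" ]; then
        log "no pidfile $pidfile; assuming application already stopped"
        return 0
    fi
    pid=$(cat "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) log "pidfile $pidfile holds no pid: '$pid'"; return 1 ;;
    esac
    if ! alive "$pid"; then
        log "pid $pid is not running; removing stale pidfile"
        rm -f "$pidfile"; return 0
    fi
    case "$(cmdline "$pid")" in
        *"$pattern"*) ;;
        *) log "pid $pid is not '$pattern' (pid reused?); refusing to kill it"; return 1 ;;
    esac
    log "sending SIGTERM to pid $pid"
    kill -TERM "$pid" 2>/dev/null || true
    i=0
    while [ "$i" -lt "$timeout" ] && alive "$pid"; do
        sleep 1; i=$((i + 1))
    done
    if alive "$pid"; then
        log "pid $pid still running after ${timeout}s; sending SIGKILL"
        kill -KILL "$pid" 2>/dev/null || true
        sleep 1
        alive "$pid" && { log "pid $pid survived SIGKILL"; return 2; }
    fi
    rm -f "$pidfile"
    log "application (pid $pid) stopped"
    return 0
}

# Demo with a constructed stand-in process; returns stop_app's status.
demo() {
    pf=$(mktemp)
    sleep 300 &
    echo $! > "$pf"
    stop_app "$pf" "sleep 300" 5
}

demo
```

The application start script should be the only writer of the pidfile, and the application monitor can use the same alive/cmdline pair to decide whether the application is up, so both scripts agree on what "running" means.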
⁵A written cluster requirements document allows you to carry out a coherent and focused discussion with the users about what they
want done. It also allows you to refer to these requirements while you design the cluster and while you develop the cluster test
plan.
⁶A written cluster design document describes from a technical perspective, exactly how you intend to configure the cluster environment.
The behavior of the environment should meet all requirements specified in ⁵.
⁷A written test plan allows you to test the cluster against the requirements (which describes what you were supposed to build) and
against the cluster design document (which describes what you intended to build). The test plan should be formatted in a way
which allows you to record the pass or failure of each test as this allows you to easily know what’s broken and it allows you to
eventually demonstrate that the cluster actually does what the users wanted it to do and what you intended it to do.
⁸Do not make the mistake of assuming that you have time to write the operational documentation once the cluster is in production.
