13.3. Special Treatment of STONITH Resources

STONITH resources are somewhat special in Pacemaker.

STONITH may be initiated by pacemaker or by other parts of the cluster (such as resources like DRBD or DLM). To accommodate this, pacemaker does not require the STONITH resource to be in the started state in order to be used, thus allowing reliable use of STONITH devices in such a case.

Note

In pacemaker versions 1.1.9 and earlier, this feature either did not exist or did not work well. Only "running" STONITH resources could be used by Pacemaker for fencing, and if another component tried to fence a node while Pacemaker was moving STONITH resources, the fencing could fail.

All nodes have access to STONITH devices' definitions and instantiate them on-the-fly when needed, but preference is given to verified instances, which are the ones that are started according to the cluster’s knowledge.

In the case of a cluster split, the partition with a verified instance will have a slight advantage, because the STONITH daemon in the other partition will have to hear from all its current peers before choosing a node to perform the fencing.

Fencing resources do work the same as regular resources in some respects:

target-role can be used to enable or disable the resource
Location constraints can be used to prevent a specific node from using the resource

Important

Currently there is a limitation that fencing resources may only have one set of meta-attributes and one set of instance attributes. This can be revisited if it becomes a significant limitation for people.

See the table below or run man stonithd to see special instance attributes that may be set for any fencing resource, regardless of fence agent.

Table 13.1. Additional Properties of Fencing Resources

Field	Type	Default	Description
`stonith-timeout`	NA	NA	Older versions used this to override the default period to wait for a STONITH (reboot, on, off) action to complete for this device. It has been replaced by the `pcmk_reboot_timeout` and `pcmk_off_timeout` properties.
`provides`	string		Any special capability provided by the fence device. Currently, only one such capability is meaningful: `unfencing` (see Section 13.4, “Unfencing”).
`pcmk_host_map`	string		A mapping of host names to ports numbers for devices that do not support host names. Example: `node1:1;node2:2,3` tells the cluster to use port 1 for node1 and ports 2 and 3 for node2.
`pcmk_host_list`	string		A list of machines controlled by this device (optional unless `pcmk_host_check` is `static-list`).
`pcmk_host_check`	string	dynamic-list	How to determine which machines are controlled by the device. Allowed values: `dynamic-list:` query the device `static-list:` check the `pcmk_host_list` attribute `none:` assume every device can fence every machine
`pcmk_delay_max`	time	0s	Enable a random delay of up to the time specified before executing stonith actions. This is sometimes used in two-node clusters to ensure that the nodes don’t fence each other at the same time. The overall delay introduced by pacemaker is derived from this random delay value adding a static delay so that the sum is kept below the maximum delay.
`pcmk_delay_base`	time	0s	Enable a static delay before executing stonith actions. This can be used e.g. in two-node clusters to ensure that the nodes don’t fence each other, by having separate fencing resources with different values. The node that is fenced with the shorter delay will lose a fencing race. The overall delay introduced by pacemaker is derived from this value plus a random delay such that the sum is kept below the maximum delay.
`pcmk_action_limit`	integer	1	The maximum number of actions that can be performed in parallel on this device, if the cluster option `concurrent-fencing` is `true`. -1 is unlimited. (since 1.1.15)
`pcmk_host_argument`	string	port	Advanced use only. Which parameter should be supplied to the resource agent to identify the node to be fenced. Some devices do not support the standard `port` parameter or may provide additional ones. Use this to specify an alternate, device-specific parameter. A value of `none` tells the cluster not to supply any additional parameters.
`pcmk_reboot_action`	string	reboot	Advanced use only. The command to send to the resource agent in order to reboot a node. Some devices do not support the standard commands or may provide additional ones. Use this to specify an alternate, device-specific command.
`pcmk_reboot_timeout`	time	60s	Advanced use only. Specify an alternate timeout to use for `reboot` actions instead of the value of `stonith-timeout`. Some devices need much more or less time to complete than normal. Use this to specify an alternate, device-specific timeout.
`pcmk_reboot_retries`	integer	2	Advanced use only. The maximum number of times to retry the `reboot` command within the timeout period. Some devices do not support multiple connections, and operations may fail if the device is busy with another task, so Pacemaker will automatically retry the operation, if there is time remaining. Use this option to alter the number of times Pacemaker retries before giving up.
`pcmk_off_action`	string	off	Advanced use only. The command to send to the resource agent in order to shut down a node. Some devices do not support the standard commands or may provide additional ones. Use this to specify an alternate, device-specific command.
`pcmk_off_timeout`	time	60s	Advanced use only. Specify an alternate timeout to use for `off` actions instead of the value of `stonith-timeout`. Some devices need much more or less time to complete than normal. Use this to specify an alternate, device-specific timeout.
`pcmk_off_retries`	integer	2	Advanced use only. The maximum number of times to retry the `off` command within the timeout period. Some devices do not support multiple connections, and operations may fail if the device is busy with another task, so Pacemaker will automatically retry the operation, if there is time remaining. Use this option to alter the number of times Pacemaker retries before giving up.
`pcmk_list_action`	string	list	Advanced use only. The command to send to the resource agent in order to list nodes. Some devices do not support the standard commands or may provide additional ones. Use this to specify an alternate, device-specific command.
`pcmk_list_timeout`	time	60s	Advanced use only. Specify an alternate timeout to use for `list` actions instead of the value of `stonith-timeout`. Some devices need much more or less time to complete than normal. Use this to specify an alternate, device-specific timeout.
`pcmk_list_retries`	integer	2	Advanced use only. The maximum number of times to retry the `list` command within the timeout period. Some devices do not support multiple connections, and operations may fail if the device is busy with another task, so Pacemaker will automatically retry the operation, if there is time remaining. Use this option to alter the number of times Pacemaker retries before giving up.
`pcmk_monitor_action`	string	monitor	Advanced use only. The command to send to the resource agent in order to report extended status. Some devices do not support the standard commands or may provide additional ones. Use this to specify an alternate, device-specific command.
`pcmk_monitor_timeout`	time	60s	Advanced use only. Specify an alternate timeout to use for `monitor` actions instead of the value of `stonith-timeout`. Some devices need much more or less time to complete than normal. Use this to specify an alternate, device-specific timeout.
`pcmk_monitor_retries`	integer	2	Advanced use only. The maximum number of times to retry the `monitor` command within the timeout period. Some devices do not support multiple connections, and operations may fail if the device is busy with another task, so Pacemaker will automatically retry the operation, if there is time remaining. Use this option to alter the number of times Pacemaker retries before giving up.
`pcmk_status_action`	string	status	Advanced use only. The command to send to the resource agent in order to report status. Some devices do not support the standard commands or may provide additional ones. Use this to specify an alternate, device-specific command.
`pcmk_status_timeout`	time	60s	Advanced use only. Specify an alternate timeout to use for `status` actions instead of the value of `stonith-timeout`. Some devices need much more or less time to complete than normal. Use this to specify an alternate, device-specific timeout.
`pcmk_status_retries`	integer	2	Advanced use only. The maximum number of times to retry the `status` command within the timeout period. Some devices do not support multiple connections, and operations may fail if the device is busy with another task, so Pacemaker will automatically retry the operation, if there is time remaining. Use this option to alter the number of times Pacemaker retries before giving up.