SUSE Linux Enterprise High Availability 16.0

Configuring Node Fencing in a High Availability Cluster

Publication Date: 31 Oct 2025

WHAT?

How to configure a SUSE Linux Enterprise High Availability cluster to use a physical node fencing device.

WHY?

To be supported, all SUSE Linux Enterprise High Availability clusters must have node fencing configured.

EFFORT

Adding physical fencing devices takes approximately 5-10 minutes, depending on the complexity of the cluster.

GOAL

Protect the cluster from data corruption by fencing failed nodes.

REQUIREMENTS

An existing SUSE Linux Enterprise High Availability cluster
A physical fencing device, such as a power switch or network switch

To use SBD as the node fencing mechanism instead of a physical device, see Configuring Disk-Based SBD in an Existing High Availability Cluster.

Revision History: Configuring Node Fencing in a High Availability Cluster

1 What is node fencing? #

In a split-brain scenario, cluster nodes are divided into two or more groups (or partitions) that do not know about each other. This might be because of a hardware or software failure, or a failed network connection, for example. A split-brain scenario can be resolved by fencing (resetting or powering off) one or more of the nodes. Node fencing prevents a failed node from accessing shared resources and prevents cluster resources from running on a node with an uncertain status. This helps protect the cluster from data corruption.

To be supported, all SUSE Linux Enterprise High Availability clusters must have at least one node fencing device configured. For critical workloads, we recommend using two or three fencing devices. A fencing device can be either a physical device (a power switch) or a software mechanism (SBD in combination with a watchdog).

1.1 Components #

pacemaker-fenced: The pacemaker-fenced daemon runs on every node in the High Availability cluster. It accepts fencing requests from pacemaker-controld. It can also check the status of the fencing device.
Fence agent: Each type of fencing device can be controlled by a specific fence agent, a stonith-class resource agent that acts as an interface between the cluster and the fencing device. Starting or stopping a fencing resource means registering or deregistering the fencing device with the pacemaker-fenced daemon and does not perform any operation on the device itself. Monitoring a fencing resource means logging in to the device to verify that it works.
Fencing device: The fencing device is the actual physical device that resets or powers off a node when requested by the cluster via the fence agent. The device you use depends on your budget and hardware.

1.2 Fencing devices #

Physical devices

Power Distribution Units (PDU) are devices with multiple power outlets that can provide remote load monitoring and power recycling.
Uninterruptible Power Supplies (UPS) provide emergency power to connected equipment in the event of a power failure.
Blade power control devices can be used for fencing if the cluster nodes are running on a set of blades. This device must be capable of managing single-blade computers.
Lights-out devices are network-connected devices that allow remote management and monitoring of servers.

Software mechanisms

Disk-based SBD fences nodes by exchanging messages via shared block storage. It works together with a watchdog on each node to ensure that misbehaving nodes are really stopped.
Diskless SBD fences nodes by using only the watchdog, without a shared storage device. Unlike other node fencing mechanisms, diskless SBD does not need a fence agent.
The fence_kdump agent checks if a node is performing a kernel dump (kdump). If a kdump is in progress, the cluster acts as if the node was fenced, because the node will reboot after the kdump is complete. If a kdump is not in progress, the next fencing device fences the node. This fence agent must be used together with a physical fencing device. It cannot be used with SBD.

1.3 For more information #

For more information, see https://clusterlabs.org/projects/pacemaker/doc/3.0/Pacemaker_Explained/html/fencing.html.

For a full list of available fence agents, run the crm ra list stonith command.

For details about a specific fence agent, run the crm ra info stonith:fence_AGENT command.

2 Creating fencing resources for a physical device #

Each type of fencing device can be controlled by a specific fence agent, a stonith-class resource agent that acts as an interface between the cluster and the fencing device. Starting or stopping a fencing resource means registering or deregistering the fencing device with the pacemaker-fenced daemon and does not perform any operation on the device itself. Monitoring a fencing resource means logging in to the device to verify that it works.

When a node needs to be fenced, the fencing action is usually performed by a different node in the cluster. Therefore, in this procedure you will create multiple fencing resources, each targeting a specific node. Each fencing resource can run on any node in the cluster except for the node it targets.

Requirements #

An existing High Availability cluster is already running.
All cluster nodes can access a physical fencing device.

Perform this procedure on only one node in the cluster:

Log in either as the root user or as a user with sudo privileges.
Show the list of available fence agents:
```
> sudo crm ra list stonith
```
Show the list of required and optional parameters for your device, and make a note of the parameters you need for your specific setup:
```
> sudo crm ra info stonith:fence_AGENT
```
Start the crm interactive shell:
```
> sudo crm configure
```
This mode lets you make multiple configuration changes before committing all the changes at once.

Create a fencing resource for every node in the cluster. Specify your device type, the parameters for that device type, and a monitor operation:

crm(live)configure# primitive RESOURCE-NAME stonith:fence_AGENT \
  params KEY=VALUE KEY=VALUE KEY=VALUE [...] \
  op monitor interval=INTEGER timeout=INTEGER

Example 1: Fencing resources for two nodes with an IBM RSA device #

This example shows a basic resource configuration for an IBM RSA lights-out device on two nodes, alice and bob:

crm(live)configure# primitive fence-rsa-alice stonith:fence_rsa \
  params pcmk_host_list=alice \1
  ip=192.168.1.101 username=root password=secret \2
  op monitor interval=30m timeout=120s3
crm(live)configure# primitive fence-rsa-bob stonith:external/fence_rsa \
  params pcmk_host_list=bob \
  ip=192.168.1.102 username=root password=secret \
  op monitor interval=30m timeout=120s

Use pcmk_host_list to specify the node for this resource to target. In this example, the resource fence-rsa-alice fences the node alice.

Provide login details for the fencing device. The required parameters depend on the specific device.

If you use the password parameter, the password is obscured in the output of crm configure show, but is stored as plain text in the CIB and the command history. Alternatively, you can use a different parameter, such as identity_file.

Include a monitor operation to check the status of the device. Ideally, fencing devices are not needed very often and are unlikely to fail during a fencing operation. Therefore, a monitoring interval of 30 minutes or more should be sufficient for most devices.

Add location constraints so that each fencing resource cannot run on the node it targets:
```
crm(live)configure# location CONSTRAINT-NAME RESOURCE-NAME -inf: NODE-NAME
```
Example 2: Location constraints for IBM RSA resources on two nodes #
This example shows location constraints for two nodes, alice and bob:
crm(live)configure# location loc-rsa-alice fence-rsa-alice -inf: alice crm(live)configure# location loc-rsa-bob fence-rsa-bob -inf: bob
The resource fence-rsa-alice must not run on alice, and the resource fence-rsa-bob must not run on bob. In a two-node cluster, this means fence-rsa-alice always runs on bob. In a cluster with more nodes, this means fence-rsa-alice can run on any node except alice.

Enable node fencing for the whole cluster:

crm(live)configure# property stonith-enabled=true

Add a fencing timeout to define how long to wait for the fencing action to finish:
```
crm(live)configure# property stonith-timeout=60
```
The default is 60 seconds, but you might need to change it for your specific setup and infrastructure.
Review the updated cluster configuration:
```
crm(live)configure# show
```
Commit the changes:
```
crm(live)configure# commit
```
Exit the crm interactive shell:
```
crm(live)configure# quit
```
Check the status of the cluster to make sure the fencing resources can start:
```
> sudo crm status
```

If the fencing resources have the status Stopped, the nodes might have failed to connect to the fencing device. You can check the connection with the command line tool for your specific fence agent. For more information, run the man fence_AGENT command.

Example 3: Testing a node's connection to an IBM RSA device #

This command uses the example details from the previous procedure to check the status of node bob. Adjust this command for your specific configuration and device.

alice> sudo fence_rsa -a 192.168.1.102 -l root -p secret -n bob -o status

If the connection is successful, the output shows Status: ON. If the connection is not successful, the output shows an error message that explains the issue.

3 Preventing node fencing during a kernel dump #

Use this procedure if the nodes have kdump configured. If not, you can skip this procedure.

The fence_kdump agent checks if a node is performing a kernel dump (kdump). If a kdump is in progress, the cluster acts as if the node was fenced, because the node will reboot after the kdump is complete. If a kdump is not in progress, the next fencing device fences the node. This fence agent must be used together with a physical fencing device. It cannot be used with SBD.

Requirements #

The cluster uses a physical node fencing device.
Cluster resources for the fencing device are already configured.
kdump is installed and configured on all nodes.

Perform this procedure on only one node in the cluster:

Create a fence_kdump resource that can check all the nodes in the cluster. For example:

> sudo crm configure primitive RESOURCE-NAME stonith:fence_kdump \
  params pcmk_host_list="NODE-LIST" timeout=INTEGER

The resource is registered with the pacemaker-fenced daemon on all the specified nodes. You do not need to clone this resource.

For more information, run the crm ra info stonith:fence_kdump command.

Example 4: fence_kdump resource for two nodes #

This example shows a basic resource configuration for two nodes, alice and bob:

> sudo crm configure primitive check-kdump stonith:fence_kdump \
  params pcmk_host_list="alice,bob"1 timeout=602

1	A comma-separated list of the cluster nodes. When a node needs to be fenced, this resource listens for a message from `fence_kdump_send` on that node. If a message is received, the node is considered fenced. If no message is received, the physical fencing device must fence the node.
2	How long to wait for a message from a node. The default is `60` seconds.

Check that the fence_kdump resource appears on all nodes:

> sudo crm cluster run "sudo stonith_admin -L"

You should see output similar to this:

INFO: [alice]
check-kdump
fence-rsa-bob
2 fence devices found

INFO: [bob]
check-kdump
fence-rsa-alice
2 fence devices found

Specify the order of the fencing devices. This tells the cluster to check if a kdump is in progress before deciding whether to call the physical fencing device. Include all the nodes in one command:
```
> sudo crm configure fencing_topology \
  NODE-NAME: KDUMP-RESOURCE FENCING-RESOURCE \
  NODE-NAME: KDUMP-RESOURCE FENCING-RESOURCE \
  [...]
```
For more information, run the crm configure help fencing_topology command.
Example 5: Fencing topology for two nodes #
This example shows the order of the fencing devices for two nodes, alice and bob:
> sudo crm configure fencing_topology \ alice: check-kdump fence-rsa-alice \ bob: check-kdump fence-rsa-bob
Both nodes have kdump and a physical IBM RSA device configured. If alice needs to be fenced, the cluster first calls the resource check-kdump to check whether alice is performing a kdump. If not, the cluster calls the resource fence-rsa-alice to fence alice.
You might need to increase the fencing timeout so the fencing action has time to finish:
```
> sudo crm configure property stonith-timeout=INTEGER
```
The appropriate value depends on your specific setup and infrastructure.

Open the firewall port for kdump messages on all nodes:

> sudo crm cluster run "sudo firewall-cmd --add-port=7410/udp --permanent"
> sudo crm cluster run "sudo firewall-cmd --reload"

Configure fence_kdump_send to send a message to all nodes when the kdump process is finished. In the file /etc/sysconfig/kdump, edit the KDUMP_POSTSCRIPT line:

KDUMP_POSTSCRIPT="/usr/lib/fence_kdump_send -c 51 -i 102 -p 74103 NODE-LIST"4

1	Use `--count` (or `-c`) to specify how many messages to send. We recommend sending multiple messages in case the first message fails.
2	Use `--interval` (or `-i`) to specify the interval between messages. The default is `10` seconds.
3	Use `--port` (or `-p`) to specify the firewall port for `kdump` messages.
4	Replace NODE-LIST with a space-separated list of all the cluster nodes.

Copy the kdump/etc/sysconfig/kdump file to the rest of the nodes:
```
> sudo crm cluster copy /etc/sysconfig/kdump
```
Regenerate the kdump initrd on all nodes:
```
> sudo crm cluster run "sudo mkdumprd"
```

4 Testing node fencing #

The crm cluster crash_test command simulates cluster failures and reports the results. To test node fencing, you can run one or both of the tests --fence-node and --split-brain-iptables.

The command supports the following checks:

--fence-node NODE: Fences a specific node passed from the command line.
--kill-sbd/--kill-corosync/ --kill-pacemakerd: Kills the daemons for SBD, Corosync, or Pacemaker. After running one of these tests, you can find a report in the directory /var/lib/crmsh/crash_test/. The report includes a test case description, action logging, and an explanation of possible results.
--split-brain-iptables: Simulates a split-brain scenario by blocking the Corosync port, and checks whether one node can be fenced as expected. You must install iptables before you can run this test.

For more information, run the crm cluster crash_test --help command.

This example uses nodes called alice and bob, and tests fencing bob. To watch bob change status during the test, you can log in to Hawk and navigate to Status › Nodes, or run crm status from another node.

Example 6: Manually triggering node fencing #

admin@alice> sudo crm cluster crash_test --fence-node bob

==============================================
Testcase:          Fence node bob
Fence action:      reboot
Fence timeout:     95

!!! WARNING WARNING WARNING !!!
THIS CASE MAY LEAD TO NODE BE FENCED.
TYPE Yes TO CONTINUE, OTHER INPUTS WILL CANCEL THIS CASE [Yes/No](No): Yes
INFO: Trying to fence node "bob"
INFO: Waiting 95s for node "bob" reboot...
INFO: Node "bob" will be fenced by "alice"!
INFO: Node "bob" was fenced by "alice" at DATE TIME

5 Legal Notice #

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.