Option 50 in failover mode

Bob Proulx bob at proulx.com
Mon Nov 28 19:14:23 UTC 2011


Simon Hobson wrote:
> Bob Proulx wrote:
> >It would need very careful handling.  Let me show one example.
> >...
>
> Even more insidious are cases where you can have two servers in a
> failover pair, they cannot communicate with each other, but can both
> communicate with all the clients. There are several ways this can
> happen, 2 which come to mind are :

Yes.  I have seen such asymmetrical routing problems.  They do happen!

> >I have personally been using "hands off" failover mode since 3.1.1
> >from 2008.  It has been three years and it has been working very well
> >...
> 
> Yes, but unless you scripted handling of partner down state, then
> this wasn't what most people consider "hands off". I think this
> could well be just a difference of opinion about what the words
> mean.

Yes.  Apparently I mistakenly used bad words and confused things
terribly.  Sorry about that.  I mean "automatic and unattended".  Are
those words used yet?  Can I say automatic and unattended?  :-) :-)

> As Glenn explained, until recently there was no option to
> automatically go into partner-down state because the ISC (correctly
> IMO) determined that they couldn't know anything about the networks
> on which people would be running the software. They figured that the
> only safe option was to leave it to the administrators of the
> servers and networks to work out what worked/was safe for them.

I am in total agreement.  Network connectivity is a problem that is
very difficult to determine automatically.  Much better is to have a
configuration that will work and continue to work in spite of
failures.  I consider the current failover design used with a large
enough pool one possibility.  It works.  It would be better if it
handled more than exactly two machines but that just increases the
complexity.  Complexity tends to add bugs and tends to break more
often than simple.  So I am okay with simple.

> If you have a reasonable quantity of spare addresses then things
> will carry on reasonably well with one server down but its partner
> not in partner-down state.

Agreed.

> But to get full functionality back requires either setting the new
> option, or manually putting (or scripting) the remaining server into
> partner-down mode.

The words "full functionality" trigger me to disagree.  Going to
partner-down doesn't give you full functionality.  Fully functional
would require redundancy and a failover server.  It is acceptably
functional without partner-down if the pool is large enough.  If it is
in partner-down then it doesn't have any failover redundancy and so it
isn't fully functional.  It just has a larger address pool.  Which it
wouldn't need if it had had a large enough pool to begin with.  To be
blunt it is really just a workaround for a misconfiguration.

I am sure that if we were sitting across the table from each other
over lunch discussing this we would nod and it would all be understood
and we would just keep talking.  I think in general we are in
agreement.

Bob


