Appendix A. DRBD system manual pages

Name

drbd.conf — Configuration file for DRBD's devices

Introduction

The file /etc/drbd.conf is read by drbdadm.

The file format was designed as to allow to have a verbatim copy of the file on both nodes of the cluster. It is highly recommended to do so in order to keep your configuration manageable. The file /etc/drbd.conf should be the same on both nodes of the cluster. Changes to /etc/drbd.conf do not apply immediately.

Example A.1. A small drbd.conf file

global { usage-count yes; }
common { syncer { rate 10M; } }
resource r0 {
	protocol C;
	net {
		cram-hmac-alg sha1;
		shared-secret "FooFunFactory";
	}
	on alice {
		device    minor 1;
		disk      /dev/sda7;
		address   10.1.1.31:7789;
		meta-disk internal;
	}
	on bob {
		device    minor 1;
		disk      /dev/sda7;
		address   10.1.1.32:7789;
		meta-disk internal;
	}
}


In this example, there is a single DRBD resource (called r0) which uses protocol C for the connection between its devices. The device which runs on host alice uses /dev/drbd1 as devices for its application, and /dev/sda7 as low-level storage for the data. The IP addresses are used to specify the networking interfaces to be used. An eventually running resync process should use about 10MByte/second of IO bandwidth.

There may be multiple resource sections in a single drbd.conf file. For more examples, please have a look at the DRBD User's Guide.

File Format

The file consists of sections and parameters. A section begins with a keyword, sometimes an additional name, and an opening brace ({). A section ends with a closing brace (}. The braces enclose the parameters.

section [name] { parameter value; [...] }

A parameter starts with the identifier of the parameter followed by whitespace. Every subsequent character is considered as part of the parameter's value. A special case are Boolean parameters which consist only of the identifier. Parameters are terminated by a semicolon (;).

Some parameter values have default units which might be overruled by K, M or G. These units are defined in the usual way (K = 2^10 = 1024, M = 1024 K, G = 1024 M).

Comments may be placed into the configuration file and must begin with a hash sign (#). Subsequent characters are ignored until the end of the line.

Sections

skip

Comments out chunks of text, even spanning more than one line. Characters between the keyword skip and the opening brace ({) are ignored. Everything enclosed by the braces is skipped. This comes in handy, if you just want to comment out some 'resource [name] {...}' section: just precede it with 'skip'.

global

Configures some global parameters. Currently only minor-count, dialog-refresh, disable-ip-verification and usage-count are allowed here. You may only have one global section, preferably as the first section.

common

All resources inherit the options set in this section. The common section might have a startup, a syncer, a handlers, a net and a disk section.

resource name

Configures a DRBD resource. Each resource section needs to have two (or more) on host sections and may have a startup, a syncer, a handlers, a net and a disk section. Required parameter in this section: protocol.

on host-name

Carries the necessary configuration parameters for a DRBD device of the enclosing resource. host-name is mandatory and must match the Linux host name (uname -n) of one of the nodes. You may list more than one host name here, in case you want to use the same parameters on several hosts (you'd have to move the IP around usually). Or you may list more than two such sections.

	resource r1 {
		protocol C;
		device minor 1;
		meta-disk internal;

		on alice bob {
			address 10.2.2.100:7801;
			disk /dev/mapper/some-san;
		}
		on charlie {
			address 10.2.2.101:7801;
			disk /dev/mapper/other-san;
		}
		on daisy {
			address 10.2.2.103:7801;
			disk /dev/mapper/other-san-as-seen-from-daisy;
		}
	}
	

See also the floating section keyword. Required parameters in this section: device, disk, address, meta-disk, flexible-meta-disk.

stacked-on-top-of resource

For a stacked DRBD setup (3 or 4 nodes), a stacked-on-top-of is used instead of an on section. Required parameters in this section: device and address.

floating AF addr:port

Carries the necessary configuration parameters for a DRBD device of the enclosing resource. This section is very similar to the on section. The difference to the on section is that the matching of the host sections to machines is done by the IP-address instead of the node name. Required parameters in this section: device, disk, meta-disk, flexible-meta-disk, all of which may be inherited from the resource section, in which case you may shorten this section down to just the address identifier.

	resource r2 {
		protocol C;
		device minor 2;
		disk      /dev/sda7;
		meta-disk internal;

		# short form, device, disk and meta-disk inherited
		floating 10.1.1.31:7802;

		# longer form, only device inherited
		floating 10.1.1.32:7802 {
			disk /dev/sdb;
			meta-disk /dev/sdc8;
		}
	}
	
disk

This section is used to fine tune DRBD's properties in respect to the low level storage. Please refer to drbdsetup(8) for detailed description of the parameters. Optional parameters: on-io-error, size, fencing, use-bmbv, no-disk-barrier, no-disk-flushes, no-disk-drain, no-md-flushes, max-bio-bvecs.

net

This section is used to fine tune DRBD's properties. Please refer to drbdsetup(8) for a detailed description of this section's parameters. Optional parameters: sndbuf-size, rcvbuf-size, timeout, connect-int, ping-int, ping-timeout, max-buffers, max-epoch-size, ko-count, allow-two-primaries, cram-hmac-alg, shared-secret, after-sb-0pri, after-sb-1pri, after-sb-2pri, data-integrity-alg, no-tcp-cork, on-congestion, congestion-fill, congestion-extents

startup

This section is used to fine tune DRBD's properties. Please refer to drbdsetup(8) for a detailed description of this section's parameters. Optional parameters: wfc-timeout, degr-wfc-timeout, outdated-wfc-timeout, wait-after-sb, stacked-timeouts and become-primary-on.

syncer

This section is used to fine tune the synchronization daemon for the device. Please refer to drbdsetup(8) for a detailed description of this section's parameters. Optional parameters: rate, after, al-extents, use-rle, cpu-mask, verify-alg, csums-alg, c-plan-ahead, c-fill-target, c-delay-target, c-max-rate, c-min-rate and on-no-data-accessible.

handlers

In this section you can define handlers (executables) that are started by the DRBD system in response to certain events. Optional parameters: pri-on-incon-degr, pri-lost-after-sb, pri-lost, fence-peer (formerly oudate-peer), local-io-error, initial-split-brain, split-brain, before-resync-target, after-resync-target.

The interface is done via environment variables:

DRBD_RESOURCE

is the name of the resource

DRBD_MINOR

is the minor number of the DRBD device, in decimal.

DRBD_CONF

is the path to the primary configuration file; if you split your configuration into multiple files (e.g. in /etc/drbd.conf.d/), this will not be helpful.

DRBD_PEER_AF, DRBD_PEER_ADDRESS, DRBD_PEERS

are the address family (e.g. ipv6), the peer's address and hostnames.

DRBD_PEER (note the singular form) is deprecated, and superseeded by DRBD_PEERS.

Please note that not all of these might be set for all handlers, and that some values might not be useable for a floating definition.

Parameters

minor-count count

count may be a number from 1 to 255.

Use minor-count if you want to define massively more resources later without reloading the DRBD kernel module. Per default the module loads with 11 more resources than you have currently in your config but at least 32.

dialog-refresh time

time may be 0 or a positive number.

The user dialog redraws the second count every time seconds (or does no redraws if time is 0). The default value is 1.

disable-ip-verification

Use disable-ip-verification if, for some obscure reasons, drbdadm can/might not use ip or ifconfig to do a sanity check for the IP address. You can disable the IP verification with this option.

usage-count val

Please participate in DRBD's online usage counter. The most convenient way to do so is to set this option to yes. Valid options are: yes, no and ask.

protocol prot-id

On the TCP/IP link the specified protocol is used. Valid protocol specifiers are A, B, and C.

Protocol A: write IO is reported as completed, if it has reached local disk and local TCP send buffer.

Protocol B: write IO is reported as completed, if it has reached local disk and remote buffer cache.

Protocol C: write IO is reported as completed, if it has reached both local and remote disk.

device name minor nr

The name of the block device node of the resource being described. You must use this device with your application (file system) and you must not use the low level block device which is specified with the disk parameter.

One can ether omit the name or minor and the minor number. If you omit the name a default of /dev/drbdminor will be used.

Udev will create additional symlinks in /dev/drbd/by-res and /dev/drbd/by-disk.

disk name

DRBD uses this block device to actually store and retrieve the data. Never access such a device while DRBD is running on top of it. This also holds true for dumpe2fs(8) and similar commands.

address AF addr:port

A resource needs one IP address per device, which is used to wait for incoming connections from the partner device respectively to reach the partner device. AF must be one of ipv4, ipv6, ssocks or sdp (for compatibility reasons sci is an alias for ssocks). It may be omited for IPv4 addresses. The actual IPv6 address that follows the ipv6 keyword must be placed inside brackets: ipv6 [fd01:2345:6789:abcd::1]:7800.

Each DRBD resource needs a TCP port which is used to connect to the node's partner device. Two different DRBD resources may not use the same addr:port combination on the same node.

meta-disk internal , flexible-meta-disk internal , meta-disk device [index] , flexible-meta-disk device

Internal means that the last part of the backing device is used to store the meta-data. You must not use [index] with internal. Note: Regardless of whether you use the meta-disk or the flexible-meta-disk keyword, it will always be of the size needed for the remaining storage size.

You can use a single block device to store meta-data of multiple DRBD devices. E.g. use meta-disk /dev/sde6[0]; and meta-disk /dev/sde6[1]; for two different resources. In this case the meta-disk would need to be at least 256 MB in size.

With the flexible-meta-disk keyword you specify a block device as meta-data storage. You usually use this with LVM, which allows you to have many variable sized block devices. The required size of the meta-disk block device is 36kB + Backing-Storage-size / 32k. Round this number to the next 4kb boundary up and you have the exact size. Rule of the thumb: 32kByte per 1GByte of storage, round up to the next MB.

on-io-error handler

handler is taken, if the lower level device reports io-errors to the upper layers.

handler may be pass_on, call-local-io-error or detach.

pass_on: The node downgrades the disk status to inconsistent, marks the erroneous block as inconsistent in the bitmap and retries the IO on the remote node.

call-local-io-error: Call the handler script local-io-error.

detach: The node drops its low level device, and continues in diskless mode.

fencing fencing_policy

By fencing we understand preventive measures to avoid situations where both nodes are primary and disconnected (AKA split brain).

Valid fencing policies are:

dont-care

This is the default policy. No fencing actions are taken.

resource-only

If a node becomes a disconnected primary, it tries to fence the peer's disk. This is done by calling the fence-peer handler. The handler is supposed to reach the other node over alternative communication paths and call 'drbdadm outdate res' there.

resource-and-stonith

If a node becomes a disconnected primary, it freezes all its IO operations and calls its fence-peer handler. The fence-peer handler is supposed to reach the peer over alternative communication paths and call 'drbdadm outdate res' there. In case it cannot reach the peer it should stonith the peer. IO is resumed as soon as the situation is resolved. In case your handler fails, you can resume IO with the resume-io command.

use-bmbv

In case the backing storage's driver has a merge_bvec_fn() function, DRBD has to pretend that it can only process IO requests in units not larger than 4KiB. (At the time of writing the only known drivers which have such a function are: md (software raid driver), dm (device mapper - LVM) and DRBD itself).

To get the best performance out of DRBD on top of software RAID (or any other driver with a merge_bvec_fn() function) you might enable this function, if you know for sure that the merge_bvec_fn() function will deliver the same results on all nodes of your cluster. I.e. the physical disks of the software RAID are of exactly the same type. Use this option only if you know what you are doing.

no-disk-barrier , no-disk-flushes , no-disk-drain

DRBD has four implementations to express write-after-write dependencies to its backing storage device. DRBD will use the first method that is supported by the backing storage device and that is not disabled by the user.

When selecting the method you should not only base your decision on the measurable performance. In case your backing storage device has a volatile write cache (plain disks, RAID of plain disks) you should use one of the first two. In case your backing storage device has battery-backed write cache you may go with option 3 or 4. Option 4 will deliver the best performance on such devices.

Unfortunately device mapper (LVM) might not support barriers.

The letter after "wo:" in /proc/drbd indicates with method is currently in use for a device: b, f, d, n. The implementations are:

barrier

The first requires that the driver of the backing storage device support barriers (called 'tagged command queuing' in SCSI and 'native command queuing' in SATA speak). The use of this method can be disabled by the no-disk-barrier option.

flush

The second requires that the backing device support disk flushes (called 'force unit access' in the drive vendors speak). The use of this method can be disabled using the no-disk-flushes option.

drain

The third method is simply to let write requests drain before write requests of a new reordering domain are issued. This was the only implementation before 8.0.9. You can disable this method by using the no-disk-drain option.

none

The fourth method is to not express write-after-write dependencies to the backing store at all.

no-md-flushes

Disables the use of disk flushes and barrier BIOs when accessing the meta data device. See the notes on no-disk-flushes.

max-bio-bvecs

In some special circumstances the device mapper stack manages to pass BIOs to DRBD that violate the constraints that are set forth by DRBD's merge_bvec() function and which have more than one bvec. A known example is: phys-disk -> DRBD -> LVM -> Xen -> misaligned partition (63) -> DomU FS. Then you might see "bio would need to, but cannot, be split:" in the Dom0's kernel log.

The best workaround is to proper align the partition within the VM (E.g. start it at sector 1024). This costs 480 KiB of storage. Unfortunately the default of most Linux partitioning tools is to start the first partition at an odd number (63). Therefore most distribution's install helpers for virtual linux machines will end up with misaligned partitions. The second best workaround is to limit DRBD's max bvecs per BIO (= max-bio-bvecs) to 1, but that might cost performance.

The default value of max-bio-bvecs is 0, which means that there is no user imposed limitation.

sndbuf-size size

size is the size of the TCP socket send buffer. The default value is 0, i.e. autotune. You can specify smaller or larger values. Larger values are appropriate for reasonable write throughput with protocol A over high latency networks. Values below 32K do not make sense. Since 8.0.13 resp. 8.2.7, setting the size value to 0 means that the kernel should autotune this.

rcvbuf-size size

size is the size of the TCP socket receive buffer. The default value is 0, i.e. autotune. You can specify smaller or larger values. Usually this should be left at its default. Setting the size value to 0 means that the kernel should autotune this.

timeout time

If the partner node fails to send an expected response packet within time tenths of a second, the partner node is considered dead and therefore the TCP/IP connection is abandoned. This must be lower than connect-int and ping-int. The default value is 60 = 6 seconds, the unit 0.1 seconds.

connect-int time

In case it is not possible to connect to the remote DRBD device immediately, DRBD keeps on trying to connect. With this option you can set the time between two retries. The default value is 10 seconds, the unit is 1 second.

ping-int time

If the TCP/IP connection linking a DRBD device pair is idle for more than time seconds, DRBD will generate a keep-alive packet to check if its partner is still alive. The default is 10 seconds, the unit is 1 second.

ping-timeout time

The time the peer has time to answer to a keep-alive packet. In case the peer's reply is not received within this time period, it is considered as dead. The default value is 500ms, the default unit are tenths of a second.

max-buffers number

Maximum number of requests to be allocated by DRBD. Unit is PAGE_SIZE, which is 4 KiB on most systems. The minimum is hard coded to 32 (=128 KiB). For high-performance installations it might help if you increase that number. These buffers are used to hold data blocks while they are written to disk.

ko-count number

In case the secondary node fails to complete a single write request for count times the timeout, it is expelled from the cluster. (I.e. the primary node goes into StandAlone mode.) The default value is 0, which disables this feature.

max-epoch-size number

The highest number of data blocks between two write barriers. If you set this smaller than 10, you might decrease your performance.

allow-two-primaries

With this option set you may assign the primary role to both nodes. You only should use this option if you use a shared storage file system on top of DRBD. At the time of writing the only ones are: OCFS2 and GFS. If you use this option with any other file system, you are going to crash your nodes and to corrupt your data!

unplug-watermark number

When the number of pending write requests on the standby (secondary) node exceeds the unplug-watermark, we trigger the request processing of our backing storage device. Some storage controllers deliver better performance with small values, others deliver best performance when the value is set to the same value as max-buffers. Minimum 16, default 128, maximum 131072.

cram-hmac-alg

You need to specify the HMAC algorithm to enable peer authentication at all. You are strongly encouraged to use peer authentication. The HMAC algorithm will be used for the challenge response authentication of the peer. You may specify any digest algorithm that is named in /proc/crypto.

shared-secret

The shared secret used in peer authentication. May be up to 64 characters. Note that peer authentication is disabled as long as no cram-hmac-alg (see above) is specified.

after-sb-0pri policy

possible policies are:

disconnect

No automatic resynchronization, simply disconnect.

discard-younger-primary

Auto sync from the node that was primary before the split-brain situation happened.

discard-older-primary

Auto sync from the node that became primary as second during the split-brain situation.

discard-zero-changes

In case one node did not write anything since the split brain became evident, sync from the node that wrote something to the node that did not write anything. In case none wrote anything this policy uses a random decision to perform a "resync" of 0 blocks. In case both have written something this policy disconnects the nodes.

discard-least-changes

Auto sync from the node that touched more blocks during the split brain situation.

discard-node-NODENAME

Auto sync to the named node.

after-sb-1pri policy

possible policies are:

disconnect

No automatic resynchronization, simply disconnect.

consensus

Discard the version of the secondary if the outcome of the after-sb-0pri algorithm would also destroy the current secondary's data. Otherwise disconnect.

violently-as0p

Always take the decision of the after-sb-0pri algorithm, even if that causes an erratic change of the primary's view of the data. This is only useful if you use a one-node FS (i.e. not OCFS2 or GFS) with the allow-two-primaries flag, AND if you really know what you are doing. This is DANGEROUS and MAY CRASH YOUR MACHINE if you have an FS mounted on the primary node.

discard-secondary

Discard the secondary's version.

call-pri-lost-after-sb

Always honor the outcome of the after-sb-0pri algorithm. In case it decides the current secondary has the right data, it calls the "pri-lost-after-sb" handler on the current primary.

after-sb-2pri policy

possible policies are:

disconnect

No automatic resynchronization, simply disconnect.

violently-as0p

Always take the decision of the after-sb-0pri algorithm, even if that causes an erratic change of the primary's view of the data. This is only useful if you use a one-node FS (i.e. not OCFS2 or GFS) with the allow-two-primaries flag, AND if you really know what you are doing. This is DANGEROUS and MAY CRASH YOUR MACHINE if you have an FS mounted on the primary node.

call-pri-lost-after-sb

Call the "pri-lost-after-sb" helper program on one of the machines. This program is expected to reboot the machine, i.e. make it secondary.

always-asbp

Normally the automatic after-split-brain policies are only used if current states of the UUIDs do not indicate the presence of a third node.

With this option you request that the automatic after-split-brain policies are used as long as the data sets of the nodes are somehow related. This might cause a full sync, if the UUIDs indicate the presence of a third node. (Or double faults led to strange UUID sets.)

rr-conflict policy

This option helps to solve the cases when the outcome of the resync decision is incompatible with the current role assignment in the cluster.

disconnect

No automatic resynchronization, simply disconnect.

violently

Sync to the primary node is allowed, violating the assumption that data on a block device are stable for one of the nodes. Dangerous, do not use.

call-pri-lost

Call the "pri-lost" helper program on one of the machines. This program is expected to reboot the machine, i.e. make it secondary.

data-integrity-alg alg

DRBD can ensure the data integrity of the user's data on the network by comparing hash values. Normally this is ensured by the 16 bit checksums in the headers of TCP/IP packets.

This option can be set to any of the kernel's data digest algorithms. In a typical kernel configuration you should have at least one of md5, sha1, and crc32c available. By default this is not enabled.

See also the notes on data integrity.

no-tcp-cork

DRBD usually uses the TCP socket option TCP_CORK to hint to the network stack when it can expect more data, and when it should flush out what it has in its send queue. It turned out that there is at least one network stack that performs worse when one uses this hinting method. Therefore we introducted this option, which disables the setting and clearing of the TCP_CORK socket option by DRBD.

on-congestion congestion_policy , congestion-fill fill_threshold , congestion-extents active_extents_threshold

By default DRBD blocks when the available TCP send queue becomes full. That means it will slow down the application that generates the write requests that cause DRBD to send more data down that TCP connection.

When DRBD is deployed with DRBD-proxy it might be more desirable that DRBD goes into AHEAD/BEHIND mode shortly before the send queue becomes full. In AHEAD/BEHIND mode DRBD does no longer replicate data, but still keeps the connection open.

The advantage of the AHEAD/BEHIND mode is that the application is not slowed down, even if DRBD-proxy's buffer is not sufficient to buffer all write requests. The downside is that the peer node falls behind, and that a resync will be necessary to bring it back into sync. During that resync the peer node will have an inconsistent disk.

Available congestion_policys are block and pull-ahead. The default is block. Fill_threshold might be in the range of 0 to 10GiBytes. The default is 0 which disables the check. Active_extents_threshold has the same limits as al-extents.

The AHEAD/BEHIND mode and its settings are available since DRBD 8.3.10.

wfc-timeout time

Wait for connection timeout. The init script drbd(8) blocks the boot process until the DRBD resources are connected. When the cluster manager starts later, it does not see a resource with internal split-brain. In case you want to limit the wait time, do it here. Default is 0, which means unlimited. The unit is seconds.

degr-wfc-timeout time

Wait for connection timeout, if this node was a degraded cluster. In case a degraded cluster (= cluster with only one node left) is rebooted, this timeout value is used instead of wfc-timeout, because the peer is less likely to show up in time, if it had been dead before. Value 0 means unlimited.

outdated-wfc-timeout time

Wait for connection timeout, if the peer was outdated. In case a degraded cluster (= cluster with only one node left) with an outdated peer disk is rebooted, this timeout value is used instead of wfc-timeout, because the peer is not allowed to become primary in the meantime. Value 0 means unlimited.

wait-after-sb

By setting this option you can make the init script to continue to wait even if the device pair had a split brain situation and therefore refuses to connect.

become-primary-on node-name

Sets on which node the device should be promoted to primary role by the init script. The node-name might either be a host name or the keyword both. When this option is not set the devices stay in secondary role on both nodes. Usually one delegates the role assignment to a cluster manager (e.g. heartbeat).

stacked-timeouts

Usually wfc-timeout and degr-wfc-timeout are ignored for stacked devices, instead twice the amount of connect-int is used for the connection timeouts. With the stacked-timeouts keyword you disable this, and force DRBD to mind the wfc-timeout and degr-wfc-timeout statements. Only do that if the peer of the stacked resource is usually not available or will usually not become primary. By using this option incorrectly, you run the risk of causing unexpected split brain.

rate rate

To ensure a smooth operation of the application on top of DRBD, it is possible to limit the bandwidth which may be used by background synchronizations. The default is 250 KB/sec, the default unit is KB/sec. Optional suffixes K, M, G are allowed.

use-rle

During resync-handshake, the dirty-bitmaps of the nodes are exchanged and merged (using bit-or), so the nodes will have the same understanding of which blocks are dirty. On large devices, the fine grained dirty-bitmap can become large as well, and the bitmap exchange can take quite some time on low-bandwidth links.

Because the bitmap typically contains compact areas where all bits are unset (clean) or set (dirty), a simple run-length encoding scheme can considerably reduce the network traffic necessary for the bitmap exchange.

For backward compatibilty reasons, and because on fast links this possibly does not improve transfer time but consumes cpu cycles, this defaults to off.

after res-name

By default, resynchronization of all devices would run in parallel. By defining a sync-after dependency, the resynchronization of this resource will start only if the resource res-name is already in connected state (i.e., has finished its resynchronization).

al-extents extents

DRBD automatically performs hot area detection. With this parameter you control how big the hot area (= active set) can get. Each extent marks 4M of the backing storage (= low-level device). In case a primary node leaves the cluster unexpectedly, the areas covered by the active set must be resynced upon rejoining of the failed node. The data structure is stored in the meta-data area, therefore each change of the active set is a write operation to the meta-data device. A higher number of extents gives longer resync times but less updates to the meta-data. The default number of extents is 127. (Minimum: 7, Maximum: 3843)

verify-alg hash-alg

During online verification (as initiated by the verify sub-command), rather than doing a bit-wise comparison, DRBD applies a hash function to the contents of every block being verified, and compares that hash with the peer. This option defines the hash algorithm being used for that purpose. It can be set to any of the kernel's data digest algorithms. In a typical kernel configuration you should have at least one of md5, sha1, and crc32c available. By default this is not enabled; you must set this option explicitly in order to be able to use on-line device verification.

See also the notes on data integrity.

csums-alg hash-alg

A resync process sends all marked data blocks from the source to the destination node, as long as no csums-alg is given. When one is specified the resync process exchanges hash values of all marked blocks first, and sends only those data blocks that have different hash values.

This setting is useful for DRBD setups with low bandwidth links. During the restart of a crashed primary node, all blocks covered by the activity log are marked for resync. But a large part of those will actually be still in sync, therefore using csums-alg will lower the required bandwidth in exchange for CPU cycles.

c-plan-ahead plan_time , c-fill-target fill_target , c-delay-target delay_target , c-max-rate max_rate

The dynamic resync speed controller gets enabled with setting plan_time to a positive value. It aims to fill the buffers along the data path with either a constant amount of data fill_target, or aims to have a constant delay time of delay_target along the path. The controller has an upper bound of max_rate.

By plan_time the agility of the controller is configured. Higher values yield for slower/lower responses of the controller to deviation from the target value. It should be at least 5 times RTT. For regular data paths a fill_target in the area of 4k to 100k is appropriate. For a setup that contains drbd-proxy it is advisable to use delay_target instead. Only when fill_target is set to 0 the controller will use delay_target. 5 times RTT is a reasonable starting value. Max_rate should be set to the bandwidth available between the DRBD-hosts and the machines hosting DRBD-proxy, or to the available disk-bandwidth.

The default value of plan_time is 0, the default unit is 0.1 seconds. Fill_target has 0 and sectors as default unit. Delay_target has 1 (100ms) and 0.1 as default unit. Max_rate has 10240 (100MiB/s) and KiB/s as default unit.

The dynamic resync speed controller and its settings are available since DRBD 8.3.9.

c-min-rate min_rate

A node that is primary and sync-source has to schedule application IO requests and resync IO requests. The min_rate tells DRBD use only up to min_rate for resync IO and to dedicate all other available IO bandwidth to application requests.

Note: The value 0 has a special meaning. It disables the limitation of resync IO completely, which might slow down application IO considerably. Set it to a value of 1, if you prefer that resync IO never slows down application IO.

Note: Although the name might suggest that it is a lower bound for the dynamic resync speed controller, it is not. If the DRBD-proxy buffer is full, the dynamic resync speed controller is free to lower the resync speed down to 0, completely independent of the c-min-rate setting.

Min_rate has 4096 (4MiB/s) and KiB/s as default unit.

on-no-data-accessible ond-policy

This setting controls what happens to IO requests on a degraded, disk less node (I.e. no data store is reachable). The available policies are io-error and suspend-io.

If ond-policy is set to suspend-io you can either resume IO by attaching/connecting the last lost data storage, or by the drbdadm resume-io res command. The latter will result in IO errors of course.

The default is io-error. This setting is available since DRBD 8.3.9.

cpu-mask cpu-mask

Sets the cpu-affinity-mask for DRBD's kernel threads of this device. The default value of cpu-mask is 0, which means that DRBD's kernel threads should be spread over all CPUs of the machine. This value must be given in hexadecimal notation. If it is too big it will be truncated.

pri-on-incon-degr cmd

This handler is called if the node is primary, degraded and if the local copy of the data is inconsistent.

pri-lost-after-sb cmd

The node is currently primary, but lost the after-split-brain auto recovery procedure. As as consequence, it should be abandoned.

pri-lost cmd

The node is currently primary, but DRBD's algorithm thinks that it should become sync target. As a consequence it should give up its primary role.

fence-peer cmd

The handler is part of the fencing mechanism. This handler is called in case the node needs to fence the peer's disk. It should use other communication paths than DRBD's network link.

local-io-error cmd

DRBD got an IO error from the local IO subsystem.

initial-split-brain cmd

DRBD has connected and detected a split brain situation. This handler can alert someone in all cases of split brain, not just those that go unresolved.

split-brain cmd

DRBD detected a split brain situation but remains unresolved. Manual recovery is necessary. This handler should alert someone on duty.

before-resync-target cmd

DRBD calls this handler just before a resync begins on the node that becomes resync target. It might be used to take a snapshot of the backing block device.

after-resync-target cmd

DRBD calls this handler just after a resync operation finished on the node whose disk just became consistent after being inconsistent for the duration of the resync. It might be used to remove a snapshot of the backing device that was created by the before-resync-target handler.

Other Keywords

include file-pattern

Include all files matching the wildcard pattern file-pattern. The include statement is only allowed on the top level, i.e. it is not allowed inside any section.

Notes on data integrity

There are two independent methods in DRBD to ensure the integrity of the mirrored data. The online-verify mechanism and the data-integrity-alg of the network section.

Both mechanisms might deliver false positives if the user of DRBD modifies the data which gets written to disk while the transfer goes on. This may happen for swap, or for certain append while global sync, or truncate/rewrite workloads, and not necessarily poses a problem for the integrity of the data. Usually when the initiator of the data transfer does this, it already knows that that data block will not be part of an on disk data structure, or will be resubmitted with correct data soon enough.

The data-integrity-alg causes the receiving side to log an error about "Digest integrity check FAILED: Ns +x\n", where N is the sector offset, and x is the size of the requst in bytes. It will then disconnect, and reconnect, thus causing a quick resync. If the sending side at the same time detected a modification, it warns about "Digest mismatch, buffer modified by upper layers during write: Ns +x\n", which shows that this was a false positive. The sending side may detect these buffer modifications immediately after the unmodified data has been copied to the tcp buffers, in which case the receiving side won't notice it.

The most recent (2007) example of systematic corruption was an issue with the TCP offloading engine and the driver of a certain type of GBit NIC. The actual corruption happened on the DMA transfer from core memory to the card. Since the TCP checksum gets calculated on the card, this type of corruption stays undetected as long as you do not use either the online verify or the data-integrity-alg.

We suggest to use the data-integrity-alg only during a pre-production phase due to its CPU costs. Further we suggest to do online verify runs regularly e.g. once a month during a low load period.

Version

This document was revised for version 8.3.2 of the DRBD distribution.

Author

Written by Philipp Reisner and Lars Ellenberg .

Reporting Bugs

Report bugs to .

Copyright

Copyright 2001-2008 LINBIT Information Technologies, Philipp Reisner, Lars Ellenberg. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

See Also

drbd(8), drbddisk(8), drbdsetup(8), drbdadm(8), DRBD User's Guide, DRBD web site

Name

drbdadm — Administration tool for DRBD

Synopsis

drbdadm [-d] [-c{file}] [-t{file}] [-s{cmd}] [-m{cmd}] [-S] [-h{host}] [--{backend-options}] { command } [ all | resource ... ]

Description

Drbdadm is the high level tool of the DRBD program suite. Drbdadm is to drbdsetup and drbdmeta what ifup/ifdown is to ifconfig. Drbdadm reads its configuration file and performs the specified commands by calling the drbdsetup and/or the drbdmeta program.

Options

-d, --dry-run

Just prints the calls of drbdsetup to stdout, but does not run the commands.

-c, --config-file file

Specifies the configuration file drbdadm will use. If this parameter is not specified, drbdadm will look for /etc/drbd-83.conf, /etc/drbd-08.conf and /etc/drbd.conf.

-t, --config-to-test file

Specifies an additional configuration file drbdadm to check. This option is only allowed with the dump and the sh-nop commands.

-s, --drbdsetup file

Specifies the full path to the drbdsetup program. If this option is omitted, drbdadm will look for /sbin/drbdsetup and ./drbdsetup.

-m, --drbdmeta file

Specifies the full path to the drbdmeta program. If this option is omitted, drbdadm will look for /sbin/drbdmeta and ./drbdmeta.

-S, --stacked

Specifies that this command should be performed on a stacked resource.

-P, --peer

Specifies to which peer node to connect. Only necessary if there are more than two host sections in the resource you are working on.

-- backend-options

All options following the doubly hyphen are considered backend-options. These are passed through to the backend command. I.e. to drbdsetup, drbdmeta or drbd-proxy-ctl.

Commands

attach

Attaches a local backing block device to the DRBD resource's device.

detach

Removes the backing storage device from a DRBD resource's device.

connect

Sets up the network configuration of the resource's device. If the peer device is already configured, the two DRBD devices will connect. If there are more than two host sections in the resource you need to use the --peer option to select the peer you want to connect to.

disconnect

Removes the network configuration from the resource. The device will then go into StandAlone state.

syncer

Loads the resynchronization parameters into the device.

up

Is a shortcut for attach and connect.

down

Is a shortcut for disconnect and detach.

primary

Promote the resource's device into primary role. You need to do this before any access to the device, such as creating or mounting a file system.

secondary

Brings the device back into secondary role. This is needed since in a connected DRBD device pair, only one of the two peers may have primary role (except if allow-two-primaries is explicitly set in the configuration file).

invalidate

Forces DRBD to consider the data on the local backing storage device as out-of-sync. Therefore DRBD will copy each and every block from its peer, to bring the local storage device back in sync.

invalidate-remote

This command is similar to the invalidate command, however, the peer's backing storage is invalidated and hence rewritten with the data of the local node.

resize

Causes DRBD to re-examine all sizing constraints, and resize the resource's device accordingly. For example, if you increased the size of your backing storage devices (on both nodes, of course), then DRBD will adopt the new size after you called this command on one of your nodes. Since new storage space must be synchronised this command only works if there is at least one primary node present.

The --assume-peer-has-space allows you to resize a device which is currently not connected to the peer. Use with care, since if you do not resize the peer's disk as well, further connect attempts of the two will fail.

check-resize

Calls drbdmeta to eventually move internal meta data. If the backing device was resized, while DRBD was not running, meta data has to be moved to the end of the device, so that the next attach command can succeed.

create-md

Initializes the meta data storage. This needs to be done before a DRBD resource can be taken online for the first time. In case of issues with that command have a look at drbdmeta(8)

get-gi

Shows a short textual representation of the data generation identifiers.

show-gi

Prints a textual representation of the data generation identifiers including explanatory information.

dump-md

Dumps the whole contents of the meta data storage, including the stored bit-map and activity-log, in a textual representation.

outdate

Sets the outdated flag in the meta data.

adjust

Synchronizes the configuration of the device with your configuration file. You should always examine the output of the dry-run mode before actually executing this command.

wait-connect

Waits until the device is connected to its peer device.

role

Shows the current roles of the devices (local/peer). E.g. Primary/Secondary

state

Deprecated alias for "role", see above.

cstate

Shows the current connection state of the devices.

status

Shows the current status of all devices defined in the current config file, in XML-like format. Example output:

<drbd-status version="8.3.2" api="88">
<resources config_file="/etc/drbd.conf">
<resource minor="0" name="s0" cs="SyncTarget" st1="Secondary" st2="Secondary"
          ds1="Inconsistent" ds2="UpToDate" resynced_precent="5.9" />
<resource minor="1" name="s1" cs="WFConnection" st1="Secondary"
          st2="Unknown" ds1="Inconsistent" ds2="Outdated" />
<resource minor="3" name="dummy" cs="Unconfigured" />
<!-- resource minor="4" name="scratch" not available or not yet created -->
</resources>
</drbd-status>
dump

Just parse the configuration file and dump it to stdout. May be used to check the configuration file for syntactic correctness.

outdate

Used to mark the node's data as outdated. Usually used by the peer's fence-peer handler.

verify

Starts online verify. During online verify, data on both nodes is compared for equality. See /proc/drbd for online verify progress. If out-of-sync blocks are found, they are not resynchronized automatically. To do that, disconnect and connect the resource when verification has completed.

See also the notes on data integrity on the drbd.conf manpage.

pause-sync

Temporarily suspend an ongoing resynchronization by setting the local pause flag. Resync only progresses if neither the local nor the remote pause flag is set. It might be desirable to postpone DRBD's resynchronization until after any resynchronization of the backing storage's RAID setup.

resume-sync

Unset the local sync pause flag.

new-current-uuid

Generates a new currend UUID and rotates all other UUID values.

This can be used to shorten the initial resync of a cluster. See the drbdsetup manpage for a more details.

dstate

Show the current state of the backing storage devices. (local/peer)

hidden-commands

Shows all commands undocumented on purpose.

Version

This document was revised for version 8.3.2 of the DRBD distribution.

Author

Written by Philipp Reisner and Lars Ellenberg

Reporting Bugs

Report bugs to .

Copyright

Copyright 2001-2008 LINBIT Information Technologies, Philipp Reisner, Lars Ellenberg. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

See Also

drbd.conf(5), drbd(8), drbddisk(8), drbdsetup(8), drbdmeta(8) and the DRBD project web site

Name

drbdsetup — Setup tool for DRBD

Synopsis

drbdsetup { device } disk { lower_dev } { meta_data_dev } { meta_data_index } [-d{size}] [-e{err_handler}] [-f{fencing_policy}] [-b]

drbdsetup { device } net [ af: ] { local_addr } [ :port ] [ af: ] { remote_addr } [ :port ] { protocol } [-c{time}] [-i{time}] [-t{val}] [-S{size}] [-r{size}] [-k{count}] [-e{max_epoch_size}] [-b{max_buffers}] [-m] [-a{hash_alg}] [-x{shared_secret}] [-A{asb-0p-policy}] [-B{asb-1p-policy}] [-C{asb-2p-policy}] [-D] [-R{role-resync-conflict-policy}] [-p{ping_timeout}] [-u{val}] [-d{hash_alg}] [-o] [-n] [-g{congestion_policy}] [-f{val}] [-h{val}]

drbdsetup { device } syncer [-a{dev_minor}] [-r{rate}] [-e{extents}] [-v{verify-hash-alg}] [-c{cpu-mask}] [-C{csums-hash-alg}] [-R] [-p{plan_time}] [-s{fill_target}] [-d{delay_target}] [-m{max_rate}] [-n{ond-policy}]

drbdsetup { device } disconnect

drbdsetup { device } detach

drbdsetup { device } down

drbdsetup { device } primary [-f] [-o]

drbdsetup { device } secondary

drbdsetup { device } verify [-s{start-position}]

drbdsetup { device } invalidate

drbdsetup { device } invalidate-remote

drbdsetup { device } wait-connect [-t{wfc_timeout}] [-d{degr_wfc_timeout}] [-o{outdated_wfc_timeout}] [-w]

drbdsetup { device } wait-sync [-t{wfc_timeout}] [-d{degr_wfc_timeout}] [-o{outdated_wfc_timeout}] [-w]

drbdsetup { device } role

drbdsetup { device } cstate

drbdsetup { device } dstate

drbdsetup { device } status

drbdsetup { device } resize [-d{size}] [-f{assume-peer-has-space}] [-c{assume-clean}]

drbdsetup { device } check-resize

drbdsetup { device } pause-sync

drbdsetup { device } resume-sync

drbdsetup { device } outdate

drbdsetup { device } show-gi

drbdsetup { device } get-gi

drbdsetup { device } show

drbdsetup { device } suspend-io

drbdsetup { device } resume-io

drbdsetup { device } events [-u] [-a]

drbdsetup { device } new-current-uuid [-c]

Description

drbdsetup is used to associate DRBD devices with their backing block devices, to set up DRBD device pairs to mirror their backing block devices, and to inspect the configuration of running DRBD devices.

Note

drbdsetup is a low level tool of the DRBD program suite. It is used by the data disk and drbd scripts to communicate with the device driver.

Commands

Each drbdsetup sub-command might require arguments and bring its own set of options. All values have default units which might be overruled by K, M or G. These units are defined in the usual way (e.g. K = 2^10 = 1024).

Common options

All drbdsetup sub-commands accept these two options

--create-device

In case the specified DRBD device (minor number) does not exist yet, create it implicitly.

--set-defaults

When --set-defaults is given on the command line, all options of the invoked sub-command that are not explicitly set are reset to their default values.

disk

Associates device with lower_device to store its data blocks on. The -d (or --disk-size) should only be used if you wish not to use as much as possible from the backing block devices. If you do not use -d, the device is only ready for use as soon as it was connected to its peer once. (See the net command.)

-d, --disk-size size

You can override DRBD's size determination method with this option. If you need to use the device before it was ever connected to its peer, use this option to pass the size of the DRBD device to the driver. Default unit is sectors (1s = 512 bytes).

If you use the size parameter in drbd.conf, we strongly recommend to add an explicit unit postfix. drbdadm and drbdsetup used to have mismatching default units.

-e, --on-io-error err_handler

If the driver of the lower_device reports an error to DRBD, DRBD will mark the disk as inconsistent, call a helper program, or detach the device from its backing storage and perform all further IO by requesting it from the peer. The valid err_handlers are: pass_on, call-local-io-error and detach.

-f, --fencing fencing_policy

Under fencing we understand preventive measures to avoid situations where both nodes are primary and disconnected (AKA split brain).

Valid fencing policies are:

dont-care

This is the default policy. No fencing actions are done.

resource-only

If a node becomes a disconnected primary, it tries to outdate the peer's disk. This is done by calling the fence-peer handler. The handler is supposed to reach the other node over alternative communication paths and call 'drbdadm outdate res' there.

resource-and-stonith

If a node becomes a disconnected primary, it freezes all its IO operations and calls its fence-peer handler. The fence-peer handler is supposed to reach the peer over alternative communication paths and call 'drbdadm outdate res' there. In case it cannot reach the peer, it should stonith the peer. IO is resumed as soon as the situation is resolved. In case your handler fails, you can resume IO with the resume-io command.

-b, --use-bmbv

In case the backing storage's driver has a merge_bvec_fn() function, DRBD has to pretend that it can only process IO requests in units not larger than 4 KiB. (At time of writing the only known drivers which have such a function are: md (software raid driver), dm (device mapper - LVM) and DRBD itself)

To get best performance out of DRBD on top of software raid (or any other driver with a merge_bvec_fn() function) you might enable this option, if you know for sure that the merge_bvec_fn() function will deliver the same results on all nodes of your cluster. I.e. the physical disks of the software raid are exactly of the same type. USE THIS OPTION ONLY IF YOU KNOW WHAT YOU ARE DOING.

-a, --no-disk-barrier, -i, --no-disk-flushes, -D, --no-disk-drain

DRBD has four implementations to express write-after-write dependencies to its backing storage device. DRBD will use the first method that is supported by the backing storage device and that is not disabled by the user.

When selecting the method you should not only base your decision on the measurable performance. In case your backing storage device has a volatile write cache (plain disks, RAID of plain disks) you should use one of the first two. In case your backing storage device has battery-backed write cache you may go with option 3 or 4. Option 4 will deliver the best performance such devices.

Unfortunately device mapper (LVM) might not support barriers.

The letter after "wo:" in /proc/drbd indicates with method is currently in use for a device: b, f, d, n. The implementations:

barrier

The first requires that the driver of the backing storage device support barriers (called 'tagged command queuing' in SCSI and 'native command queuing' in SATA speak). The use of this method can be disabled by the --no-disk-barrier option.

flush

The second requires that the backing device support disk flushes (called 'force unit access' in the drive vendors speak). The use of this method can be disabled using the --no-disk-flushes option.

drain

The third method is simply to let write requests drain before write requests of a new reordering domain are issued. That was the only implementation before 8.0.9. You can prevent to use of this method by using the --no-disk-drain option.

none

The fourth method is to not express write-after-write dependencies to the backing store at all.

-m, --no-md-flushes

Disables the use of disk flushes and barrier BIOs when accessing the meta data device. See the notes on --no-disk-flushes.

-s, --max-bio-bvecs

In some special circumstances the device mapper stack manages to pass BIOs to DRBD that violate the constraints that are set forth by DRBD's merge_bvec() function and which have more than one bvec. A known example is: phys-disk -> DRBD -> LVM -> Xen -> missaligned partition (63) -> DomU FS. Then you might see "bio would need to, but cannot, be split:" in the Dom0's kernel log.

The best workaround is to proper align the partition within the VM (E.g. start it at sector 1024). That costs 480 KiB of storage. Unfortunately the default of most Linux partitioning tools is to start the first partition at an odd number (63). Therefore most distributions install helpers for virtual linux machines will end up with missaligned partitions. The second best workaround is to limit DRBD's max bvecs per BIO (i.e., the max-bio-bvecs option) to 1, but that might cost performance.

The default value of max-bio-bvecs is 0, which means that there is no user imposed limitation.

net

Sets up the device to listen on af:local_addr:port for incoming connections and to try to connect to af:remote_addr:port. If port is omitted, 7788 is used as default. If af is omitted ipv4 gets used. Other supported address families are ipv6, ssocks for Dolphin Interconnect Solutions' "super sockets" and sdp for Sockets Direct Protocol (Infiniband).

On the TCP/IP link the specified protocol is used. Valid protocol specifiers are A, B, and C.

Protocol A: write IO is reported as completed, if it has reached local disk and local TCP send buffer.

Protocol B: write IO is reported as completed, if it has reached local disk and remote buffer cache.

Protocol C: write IO is reported as completed, if it has reached both local and remote disk.

-c, --connect-int time

In case it is not possible to connect to the remote DRBD device immediately, DRBD keeps on trying to connect. With this option you can set the time between two retries. The default value is 10 seconds, the unit is 1 second.

-i, --ping-int time

If the TCP/IP connection linking a DRBD device pair is idle for more than time seconds, DRBD will generate a keep-alive packet to check if its partner is still alive. The default value is 10 seconds, the unit is 1 second.

-t, --timeout val

If the partner node fails to send an expected response packet within val tenths of a second, the partner node is considered dead and therefore the TCP/IP connection is abandoned. The default value is 60 (= 6 seconds).

-S, --sndbuf-size size

The socket send buffer is used to store packets sent to the secondary node, which are not yet acknowledged (from a network point of view) by the secondary node. When using protocol A, it might be necessary to increase the size of this data structure in order to increase asynchronicity between primary and secondary nodes. But keep in mind that more asynchronicity is synonymous with more data loss in the case of a primary node failure. Since 8.0.13 resp. 8.2.7 setting the size value to 0 means that the kernel should autotune this. The default size is 0, i.e. autotune.

-r, --rcvbuf-size size

Packets received from the network are stored in the socket receive buffer first. From there they are consumed by DRBD. Before 8.3.2 the receive buffer's size was always set to the size of the socket send buffer. Since 8.3.2 they can be tuned independently. A value of 0 means that the kernel should autotune this. The default size is 0, i.e. autotune.

-k, --ko-count count

In case the secondary node fails to complete a single write request for count times the timeout, it is expelled from the cluster, i.e. the primary node goes into StandAlone mode. The default is 0, which disables this feature.

-e, --max-epoch-size val

With this option the maximal number of write requests between two barriers is limited. Should be set to the same as --max-buffers. Values smaller than 10 can lead to degraded performance. The default value is 2048.

-b, --max-buffers val

With this option the maximal number of buffer pages allocated by DRBD's receiver thread is limited. Should be set to the same as --max-epoch-size. Small values could lead to degraded performance. The default value is 2048, the minimum 32.

-u, --unplug-watermark val

When the number of pending write requests on the standby (secondary) node exceeds the unplug-watermark, we trigger the request processing of our backing storage device. Some storage controllers deliver better performance with small values, others deliver best performance when the value is set to the same value as max-buffers. Minimum 16, default 128, maximum 131072.

-m, --allow-two-primaries

With this option set you may assign primary role to both nodes. You only should use this option if you use a shared storage file system on top of DRBD. At the time of writing the only ones are: OCFS2 and GFS. If you use this option with any other file system, you are going to crash your nodes and to corrupt your data!

-a, --cram-hmac-alg alg

You need to specify the HMAC algorithm to enable peer authentication at all. You are strongly encouraged to use peer authentication. The HMAC algorithm will be used for the challenge response authentication of the peer. You may specify any digest algorithm that is named in /proc/crypto.

-x, --shared-secret secret

The shared secret used in peer authentication. May be up to 64 characters.

-A, --after-sb-0pri asb-0p-policy

possible policies are:

disconnect

No automatic resynchronization, simply disconnect.

discard-younger-primary

Auto sync from the node that was primary before the split-brain situation occurred.

discard-older-primary

Auto sync from the node that became primary as second during the split-brain situation.

discard-zero-changes

In case one node did not write anything since the split brain became evident, sync from the node that wrote something to the node that did not write anything. In case none wrote anything this policy uses a random decision to perform a "resync" of 0 blocks. In case both have written something this policy disconnects the nodes.

discard-least-changes

Auto sync from the node that touched more blocks during the split brain situation.

discard-node-NODENAME

Auto sync to the named node.

-B, --after-sb-1pri asb-1p-policy

possible policies are:

disconnect

No automatic resynchronization, simply disconnect.

consensus

Discard the version of the secondary if the outcome of the after-sb-0pri algorithm would also destroy the current secondary's data. Otherwise disconnect.

discard-secondary

Discard the secondary's version.

call-pri-lost-after-sb

Always honor the outcome of the after-sb-0pri algorithm. In case it decides the current secondary has the correct data, call the pri-lost-after-sb on the current primary.

violently-as0p

Always honor the outcome of the after-sb-0pri algorithm. In case it decides the current secondary has the correct data, accept a possible instantaneous change of the primary's data.

-C, --after-sb-2pri asb-2p-policy

possible policies are:

disconnect

No automatic resynchronization, simply disconnect.

call-pri-lost-after-sb

Always honor the outcome of the after-sb-0pri algorithm. In case it decides the current secondary has the right data, call the pri-lost-after-sb on the current primary.

violently-as0p

Always honor the outcome of the after-sb-0pri algorithm. In case it decides the current secondary has the right data, accept a possible instantaneous change of the primary's data.

-P, --always-asbp

Normally the automatic after-split-brain policies are only used if current states of the UUIDs do not indicate the presence of a third node.

With this option you request that the automatic after-split-brain policies are used as long as the data sets of the nodes are somehow related. This might cause a full sync, if the UUIDs indicate the presence of a third node. (Or double faults have led to strange UUID sets.)

-R, --rr-conflict role-resync-conflict-policy

This option sets DRBD's behavior when DRBD deduces from its meta data that a resynchronization is needed, and the SyncTarget node is already primary. The possible settings are: disconnect, call-pri-lost and violently. While disconnect speaks for itself, with the call-pri-lost setting the pri-lost handler is called which is expected to either change the role of the node to secondary, or remove the node from the cluster. The default is disconnect.

With the violently setting you allow DRBD to force a primary node into SyncTarget state. This means that the data exposed by DRBD changes to the SyncSource's version of the data instantaneously. USE THIS OPTION ONLY IF YOU KNOW WHAT YOU ARE DOING.

-d, --data-integrity-alg hash_alg

DRBD can ensure the data integrity of the user's data on the network by comparing hash values. Normally this is ensured by the 16 bit checksums in the headers of TCP/IP packets. This option can be set to any of the kernel's data digest algorithms. In a typical kernel configuration you should have at least one of md5, sha1, and crc32c available. By default this is not enabled.

See also the notes on data integrity on the drbd.conf manpage.

-o, --no-tcp-cork

DRBD usually uses the TCP socket option TCP_CORK to hint to the network stack when it can expect more data, and when it should flush out what it has in its send queue. There is at least one network stack that performs worse when one uses this hinting method. Therefore we introduced this option, which disable the setting and clearing of the TCP_CORK socket option by DRBD.

-p, --ping-timeout ping_timeout

The time the peer has to answer to a keep-alive packet. In case the peer's reply is not received within this time period, it is considered dead. The default unit is tenths of a second, the default value is 5 (for half a second).

-D, --discard-my-data

Use this option to manually recover from a split-brain situation. In case you do not have any automatic after-split-brain policies selected, the nodes refuse to connect. By passing this option you make this node a sync target immediately after successful connect.

-n, --dry-run

Causes DRBD to abort the connection process after the resync handshake, i.e. no resync gets performed. You can find out which resync DRBD would perform by looking at the kernel's log file.

-g, --on-congestion congestion_policy, -f, --congestion-fill fill_threshold, -h, --congestion-extents active_extents_threshold

By default DRBD blocks when the available TCP send queue becomes full. That means it will slow down the application that generates the write requests that cause DRBD to send more data down that TCP connection.

When DRBD is deployed with DRBD-proxy it might be more desirable that DRBD goes into AHEAD/BEHIND mode shortly before the send queue becomes full. In AHEAD/BEHIND mode DRBD does no longer replicate data, but still keeps the connection open.

The advantage of the AHEAD/BEHIND mode is that the application is not slowed down, even if DRBD-proxy's buffer is not sufficient to buffer all write requests. The downside is that the peer node falls behind, and that a resync will be necessary to bring it back into sync. During that resync the peer node will have an inconsistent disk.

Available congestion_policys are block and pull-ahead. The default is block. Fill_threshold might be in the range of 0 to 10GiBytes. The default is 0 which disables the check. Active_extents_threshold has the same limits as al-extents.

The AHEAD/BEHIND mode and its settings are available since DRBD 8.3.10.

syncer

Changes the synchronization daemon parameters of device at runtime.

-r, --rate rate

To ensure smooth operation of the application on top of DRBD, it is possible to limit the bandwidth that may be used by background synchronization. The default is 250 KiB/sec, the default unit is KiB/sec.

-a, --after minor

Start resync on this device only if the device with minor is already in connected state. Otherwise this device waits in SyncPause state.

-e, --al-extents extents

DRBD automatically performs hot area detection. With this parameter you control how big the hot area (=active set) can get. Each extent marks 4M of the backing storage. In case a primary node leaves the cluster unexpectedly, the areas covered by the active set must be resynced upon rejoining of the failed node. The data structure is stored in the meta-data area, therefore each change of the active set is a write operation to the meta-data device. A higher number of extents gives longer resync times but less updates to the meta-data. The default number of extents is 127. (Minimum: 7, Maximum: 3843)

-v, --verify-alg hash-alg

During online verification (as initiated by the verify sub-command), rather than doing a bit-wise comparison, DRBD applies a hash function to the contents of every block being verified, and compares that hash with the peer. This option defines the hash algorithm being used for that purpose. It can be set to any of the kernel's data digest algorithms. In a typical kernel configuration you should have at least one of md5, sha1, and crc32c available. By default this is not enabled; you must set this option explicitly in order to be able to use on-line device verification.

See also the notes on data integrity on the drbd.conf manpage.

-c, --cpu-mask cpu-mask

Sets the cpu-affinity-mask for DRBD's kernel threads of this device. The default value of cpu-mask is 0, which means that DRBD's kernel threads should be spread over all CPUs of the machine. This value must be given in hexadecimal notation. If it is too big it will be truncated.

-C, --csums-alg hash-alg

A resync process sends all marked data blocks form the source to the destination node, as long as no csums-alg is given. When one is specified the resync process exchanges hash values of all marked blocks first, and sends only those data blocks over, that have different hash values.

This setting is useful for DRBD setups with low bandwidth links. During the restart of a crashed primary node, all blocks covered by the activity log are marked for resync. But a large part of those will actually be still in sync, therefore using csums-alg will lower the required bandwidth in exchange for CPU cycles.

-R, --use-rle

During resync-handshake, the dirty-bitmaps of the nodes are exchanged and merged (using bit-or), so the nodes will have the same understanding of which blocks are dirty. On large devices, the fine grained dirty-bitmap can become large as well, and the bitmap exchange can take quite some time on low-bandwidth links.

Because the bitmap typically contains compact areas where all bits are unset (clean) or set (dirty), a simple run-length encoding scheme can considerably reduce the network traffic necessary for the bitmap exchange.

For backward compatibilty reasons, and because on fast links this possibly does not improve transfer time but consumes cpu cycles, this defaults to off.

Introduced in 8.3.2.

-p, --c-plan-ahead plan_time, -s, --c-fill-target fill_target, -d, --c-delay-target delay_target, -M, --c-max-rate max_rate

The dynamic resync speed controller gets enabled with setting plan_time to a positive value. It aims to fill the buffers along the data path with either a constant amount of data fill_target, or aims to have a constant delay time of delay_target along the path. The controller has an upper bound of max_rate.

By plan_time the agility of the controller is configured. Higher values yield for slower/lower responses of the controller to deviation from the target value. It should be at least 5 times RTT. For regular data paths a fill_target in the area of 4k to 100k is appropriate. For a setup that contains drbd-proxy it is advisable to use delay_target instead. Only when fill_target is set to 0 the controller will use delay_target. 5 times RTT is a reasonable starting value. Max_rate should be set to the bandwidth available between the DRBD-hosts and the machines hosting DRBD-proxy, or to the available disk-bandwidth.

The default value of plan_time is 0, the default unit is 0.1 seconds. Fill_target has 0 and sectors as default unit. Delay_target has 1 (100ms) and 0.1 as default unit. Max_rate has 10240 (100MiB/s) and KiB/s as default unit.

-m, --c-min-rate min_rate

We track the disk IO rate caused by the resync, so we can detect non-resync IO on the lower level device. If the lower level device seems to be busy, and the current resync rate is above min_rate, we throttle the resync.

The default value of min_rate is 4M, the default unit is k. If you want to not throttle at all, set it to zero, if you want to throttle always, set it to one.

-n, --on-no-data-accessible ond-policy

This setting controls what happens to IO requests on a degraded, disk less node (I.e. no data store is reachable). The available policies are io-error and suspend-io.

If ond-policy is set to suspend-io you can either resume IO by attaching/connecting the last lost data storage, or by the drbdadm resume-io res command. The latter will result in IO errors of course.

The default is io-error. This setting is available since DRBD 8.3.9.

primary

Sets the device into primary role. This means that applications (e.g. a file system) may open the device for read and write access. Data written to the device in primary role are mirrored to the device in secondary role.

Normally it is not possible to set both devices of a connected DRBD device pair to primary role. By using the --allow-two-primaries option, you override this behavior and instruct DRBD to allow two primaries.

-o, --overwrite-data-of-peer

Alias for --force.

-f, --force

Becoming primary fails if the local replica is not up-to-date. I.e. when it is inconsistent, outdated of consistent. By using this option you can force it into primary role anyway. USE THIS OPTION ONLY IF YOU KNOW WHAT YOU ARE DOING.

secondary

Brings the device into secondary role. This operation fails as long as at least one application (or file system) has opened the device.

It is possible that both devices of a connected DRBD device pair are secondary.

verify

This initiates on-line device verification. During on-line verification, the contents of every block on the local node are compared to those on the peer node. Device verification progress can be monitored via /proc/drbd. Any blocks whose content differs from that of the corresponding block on the peer node will be marked out-of-sync in DRBD's on-disk bitmap; they are not brought back in sync automatically. To do that, simply disconnect and reconnect the resource.

If on-line verification is already in progress, this command silently does nothing.

This command will fail if the device is not part of a connected device pair.

See also the notes on data integrity on the drbd.conf manpage.

-s, --start start-sector

Since version 8.3.2, on-line verification should resume from the last position after connection loss. It may also be started from an arbitrary position by setting this option.

Default unit is sectors. You may also specify a unit explicitly. The start-sector will be rounded down to a multiple of 8 sectors (4kB).

invalidate

This forces the local device of a pair of connected DRBD devices into SyncTarget state, which means that all data blocks of the device are copied over from the peer.

This command will fail if the device is not part of a connected device pair.

invalidate-remote

This forces the local device of a pair of connected DRBD devices into SyncSource state, which means that all data blocks of the device are copied to the peer.

On a disconnected device, this will set all bits in the out of sync bitmap. As a side affect this suspend updates to the on disk activity log. Updates to the on disk activity log will get resumes automatically when necessary.

wait-connect

Returns as soon as the device can communicate with its partner device.

-t, --wfc-timeout wfc_timeout, -d, --degr-wfc-timeout degr_wfc_timeout, -o, --outdated-wfc-timeout outdated_wfc_timeout, -w, --wait-after-sb

This command will fail if the device cannot communicate with its partner for timeout seconds. If the peer was working before this node was rebooted, the wfc_timeout is used. If the peer was already down before this node was rebooted, the degr_wfc_timeout is used. If the peer was sucessfully outdated before this node was rebooted the outdated_wfc_timeout is used. The default value for all those timeout values is 0 which means to wait forever. In case the connection status goes down to StandAlone because the peer appeared but the devices had a split brain situation, the default for the command is to terminate. You can change this behavior with the --wait-after-sb option.

wait-sync

Returns as soon as the device leaves any synchronization into connected state. The options are the same as with the wait-connect command.

disconnect

Removes the information set by the net command from the device. This means that the device goes into unconnected state and will no longer listen for incoming connections.

detach

Removes the information set by the disk command from the device. This means that the device is detached from its backing storage device.

down

Removes all configuration information from the device and forces it back to unconfigured state.

role

Shows the current roles of the device and its peer, as local/peer.

state

Deprecated alias for "role"

cstate

Shows the current connection state of the device.

dstate

Shows the current states of the backing storage devices, as local/peer.

status

Shows the current status of the device in XML-like format. Example output:

<resource minor="0" name="s0" cs="SyncTarget" st1="Secondary" st2="Secondary"
         ds1="Inconsistent" ds2="UpToDate" resynced_precent="5.9" />

resize

This causes DRBD to reexamine the size of the device's backing storage device. To actually do online growing you need to extend the backing storages on both devices and call the resize command on one of your nodes.

The --assume-peer-has-space allows you to resize a device which is currently not connected to the peer. Use with care, since if you do not resize the peer's disk as well, further connect attempts of the two will fail.

When the --assume-clean option is given DRBD will skip the resync of the new storage. Only do this if you know that the new storage was initialized to the same content by other means.

check-resize

To enable DRBD to detect offline resizing of backing devices this command may be used to record the current size of backing devices. The size is stored in files in /var/lib/drbd/ named drbd-minor-??.lkbd

This command is called by drbdadm resize res after drbdsetup device resize returned.

pause-sync

Temporarily suspend an ongoing resynchronization by setting the local pause flag. Resync only progresses if neither the local nor the remote pause flag is set. It might be desirable to postpone DRBD's resynchronization after eventual resynchronization of the backing storage's RAID setup.

resume-sync

Unset the local sync pause flag.

outdate

Mark the data on the local backing storage as outdated. An outdated device refuses to become primary. This is used in conjunction with fencing and by the peer's fence-peer handler.

show-gi

Displays the device's data generation identifiers verbosely.

get-gi

Displays the device's data generation identifiers.

show

Shows all available configuration information of the device.

suspend-io

This command is of no apparent use and just provided for the sake of completeness.

resume-io

If the fence-peer handler fails to stonith the peer node, and your fencing policy is set to resource-and-stonith, you can unfreeze IO operations with this command.

events

Displays every state change of DRBD and all calls to helper programs. This might be used to get notified of DRBD's state changes by piping the output to another program.

-a, --all-devices

Display the events of all DRBD minors.

-u, --unfiltered

This is a debugging aid that displays the content of all received netlink messages.

new-current-uuid

Generates a new current UUID and rotates all other UUID values. This has at least two use cases, namely to skip the initial sync, and to reduce network bandwidth when starting in a single node configuration and then later (re-)integrating a remote site.

Available option:

-c, --clear-bitmap

Clears the sync bitmap in addition to generating a new current UUID.

This can be used to skip the initial sync, if you want to start from scratch. This use-case does only work on "Just Created" meta data. Necessary steps:

  1. On both nodes, initialize meta data and configure the device.

    drbdadm -- --force create-md res

  2. They need to do the initial handshake, so they know their sizes.

    drbdadm up res

  3. They are now Connected Secondary/Secondary Inconsistent/Inconsistent. Generate a new current-uuid and clear the dirty bitmap.

    drbdadm -- --clear-bitmap new-current-uuid res

  4. They are now Connected Secondary/Secondary UpToDate/UpToDate. Make one side primary and create a file system.

    drbdadm primary res

    mkfs -t fs-type $(drbdadm sh-dev res)

One obvious side-effect is that the replica is full of old garbage (unless you made them identical using other means), so any online-verify is expected to find any number of out-of-sync blocks.

You must not use this on pre-existing data! Even though it may appear to work at first glance, once you switch to the other node, your data is toast, as it never got replicated. So do not leave out the mkfs (or equivalent).

This can also be used to shorten the initial resync of a cluster where the second node is added after the first node is gone into production, by means of disk shipping. This use-case works on disconnected devices only, the device may be in primary or secondary role.

The necessary steps on the current active server are:

  1. drbdsetup device new-current-uuid --clear-bitmap
  2. Take the copy of the current active server. E.g. by pulling a disk out of the RAID1 controller, or by copying with dd. You need to copy the actual data, and the meta data.
  3. drbdsetup device new-current-uuid

Now add the disk to the new secondary node, and join it to the cluster. You will get a resync of that parts that were changed since the first call to drbdsetup in step 1.

Examples

For examples, please have a look at the DRBD User's Guide.

Version

This document was revised for version 8.3.2 of the DRBD distribution.

Author

Written by Philipp Reisner and Lars Ellenberg

Reporting Bugs

Report bugs to .

Copyright

Copyright 2001-2008 LINBIT Information Technologies, Philipp Reisner, Lars Ellenberg. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

See Also

drbd.conf(5), drbd(8), drbddisk(8), drbdadm(8), DRBD User's Guide, DRBD web site

Name

drbdmeta — DRBD's meta data management tool

Synopsis

drbdmeta [--force] [--ignore-sanity-checks] { device } { v06 minor | v07 meta_dev index | v08 meta_dev index } { command } [ cmd args ...]

Description

Drbdmeta is used to create, display and modify the contents of DRBD's meta data storage. Usually you do not want to use this command directly, but start it via the frontend drbdadm(8).

This command only works if the DRBD resource is currently down, or at least detached from its backing storage. The first parameter is the device node associated to the resource. With the second parameter you can select the version of the meta data. Currently all major DRBD releases (0.6, 0.7 and 8) are supported.

Options

--force

All questions that get asked by drbdmeta are treated as if the user answered 'yes'.

--ignore-sanity-checks

Some sanity checks cause drbdmeta to terminate. E.g. if a file system image would get destroyed by creating the meta data. By using that option you can force drbdmeta to ignore these checks.

Commands

create-md

Create-md initializes the meta data storage. This needs to be done before a DRBD resource can be taken online for the first time. In case there is already a meta data signature of an older format in place, drbdmeta will ask you if it should convert the older format to the selected format.

get-gi

Get-gi shows a short textual representation of the data generation identifier. In version 0.6 and 0.7 these are generation counters, while in version 8 it is a set of UUIDs.

show-gi

Show-gi prints a textual representation of the data generation identifiers including explanatory information.

dump-md

Dumps the whole contents of the meta data storage including the stored bit-map and activity-log in a textual representation.

outdate

Sets the outdated flag in the meta data. This is used by the peer node when it wants to become primary, but cannot communicate with the DRBD stack on this host.

dstate

Prints the state of the data on the backing storage. The output is always followed by '/DUnknown' since drbdmeta only looks at the local meta data.

check-resize

Examines the device size of a backing device, and it's last known device size, recorded in a file /var/lib/drbd/drbd-minor-??.lkbd. In case the size of the backing device changed, and the meta data can be found at the old position, it moves the meta data to the right position at the end of the block device.

Expert's commands

Drbdmeta allows you to modify the meta data as well. This is intentionally omitted for the command's usage output, since you should only use it if you really know what you are doing. By setting the generation identifiers to wrong values, you risk to overwrite your up-to-data data with an older version of your data.

set-gi gi

Set-gi allows you to set the generation identifier. Gi needs to be a generation counter for the 0.6 and 0.7 format, and a UUID set for 8.x. Specify it in the same way as get-gi shows it.

restore-md dump_file

Reads the dump_file and writes it to the meta data.

Version

This document was revised for version 8.3.2 of the DRBD distribution.

Author

Written by Philipp Reisner and Lars Ellenberg .

Reporting Bugs

Report bugs to .

Copyright

Copyright 2001-2008 LINBIT Information Technologies, Philipp Reisner, Lars Ellenberg. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

See Also

drbdadm(8)