ctdb-tunables — CTDB tunable configuration variables
CTDB's behaviour can be configured by setting run-time tunable variables. This lists and describes all tunables. See the ctdb(1) listvars, setvar and getvar commands for more details.
Unless otherwise stated, tunables should be set to the same value on all nodes. Setting tunables to different values across nodes may produce unexpected results. Future releases may set (some or most) tunables globally across the cluster but doing so is currently a manual process.
The tunable variables are listed alphabetically.
When set to 0, clients are not allowed to attach to any databases. This can be used to temporarily block any new processes from attaching to and accessing the databases. This is mainly used for detaching a volatile database using 'ctdb detach'.
CTDB will not allow incompatible versions to co-exist in a cluster. If a version mismatch is found, then losing CTDB will shutdown. To disable the incompatible version check, set this tunable to 1.
For version checking, CTDB uses major and minor version. For example, CTDB 4.6.1 and CTDB CTDB 4.6.2 are matching versions; CTDB 4.5.x and CTDB 4.6.y do not match.
CTDB with version check support will lose to CTDB without version check support. Between two different CTDB versions with version check support, one running for less time will lose. If the running time for both CTDB versions with version check support is equal (to seconds), then the older version will lose. The losing CTDB daemon will shutdown.
When set to 1, ctdb allows database traverses to read unhealthy databases. By default, ctdb does not allow reading records from unhealthy databases.
This is the default setting for timeout for when sending a control message to either the local or a remote ctdb daemon.
Number of the hash chains for the local store of the tdbs that ctdb manages.
Maximum number of dead records per hash chain for the tdb databses managed by ctdb.
When set to non-zero, ctdb will log a warning during recovery if a database has more than this many records. This will produce a warning if a database grows uncontrollably with orphaned records.
When set to non-zero, ctdb will log a warning during recovery if a single record is bigger than this size. This will produce a warning if a database record grows uncontrollably.
When set to non-zero, ctdb will log a warning during recovery if a database size is bigger than this. This will produce a warning if a database grows uncontrollably.
When databases are frozen we do not allow clients to attach to the databases. Instead of returning an error immediately to the client, the attach request from the client is deferred until the database becomes available again at which stage we respond to the client.
This timeout controls how long we will defer the request from the client before timing it out and returning an error to the client.
When set to non-zero, ctdb will not perform failover or failback. Even if a node fails while holding public IPs, ctdb will not recover the IPs or assign them to another node.
When this tunable is enabled, ctdb will no longer attempt to recover the cluster by failing IP addresses over to other nodes. This leads to a service outage until the administrator has manually performed IP failover to replacement nodes using the 'ctdb moveip' command.
The number of seconds to wait for the election of recovery master to complete. If the election is not completed during this interval, then that round of election fails and ctdb starts a new election.
This parameter allows ctdb to ban a node if the node is misbehaving.
When set to 0, this disables banning completely in the cluster and thus nodes can not get banned, even it they break. Don't set to 0 unless you know what you are doing.
Maximum time in seconds to allow an event to run before timing out. This is the total time for all enabled scripts that are run for an event, not just a single event script.
Note that timeouts are ignored for some events ("takeip", "releaseip", "startrecovery", "recovered") and converted to success. The logic here is that the callers of these events implement their own additional timeout.
This parameter is used to avoid multiple migration requests for the same record from a single node. All the record requests for the same record are queued up and processed when the record is migrated to the current node.
When many clients across many nodes try to access the same record at the same time this can lead to a fetch storm where the record becomes very active and bounces between nodes very fast. This leads to high CPU utilization of the ctdbd daemon, trying to bounce that record around very fast, and poor performance. This can improve performance and reduce CPU utilization for certain workloads.
For database(s) marked STICKY (using 'ctdb setdbsticky'),
any record that is migrating so fast that hopcount
exceeds this limit is marked as STICKY record for
StickyDuration seconds. This means that
after each migration the sticky record will be kept on the node
StickyPindownmilliseconds and prevented from
being migrated off the node.
This will improve performance for certain workloads, such as locking.tdb if many clients are opening/closing the same file concurrently.
Selects the algorithm that CTDB should use when doing public IP address allocation. Meaningful values are:
Deterministic IP address allocation.
This is a simple and fast option. However, it can cause unnecessary address movement during fail-over because each address has a "home" node. Works badly when some nodes do not have any addresses defined. Should be used with care when addresses are defined across multiple networks.
Non-deterministic IP address allocation.
This is a relatively fast option that attempts to do a minimise unnecessary address movements. Addresses do not have a "home" node. Rebalancing is limited but it usually adequate. Works badly when addresses are defined across multiple networks.
LCP2 IP address allocation.
Uses a heuristic to assign addresses defined across multiple networks, usually balancing addresses on each network evenly across nodes. Addresses do not have a "home" node. Minimises unnecessary address movements. The algorithm is complex, so is slower than other choices for a large number of addresses. However, it can calculate an optimal assignment of 900 addresses in under 10 seconds on modern hardware.
If the specified value is not one of these then the default will be used.
How often in seconds should the nodes send keep-alive packets to each other.
After how many keepalive intervals without any traffic should a node wait until marking the peer as DISCONNECTED.
If a node has hung, it can take
KeepaliveLimit + 1) seconds before
ctdb determines that the node is DISCONNECTED and performs
a recovery. This limit should not be set too high to enable
early detection and avoid any application timeouts (e.g. SMB1)
to kick in before the fail over is completed.
This is the maximum number of lock helper processes ctdb will create for obtaining record locks. When ctdb cannot get a record lock without blocking, it creates a helper process that waits for the lock to be obtained.
When set to non-zero, ctdb will log if certains operations take longer than this value, in milliseconds, to complete. These operations include "process a record request from client", "take a record or database lock", "update a persistent database record" and "vaccum a database".
This is the maximum number of messages to be queued up for a client before ctdb will treat the client as hung and will terminate the client connection.
How often should ctdb run the 'monitor' event in seconds to check for a node's health.
How many 'monitor' events in a row need to timeout before a node is flagged as UNHEALTHY. This setting is useful if scripts can not be written so that they do not hang for benign reasons.
When set to 1, ctdb will not perform failback of IP addresses when a node becomes healthy. When a node becomes UNHEALTHY, ctdb WILL perform failover of public IP addresses, but when the node becomes HEALTHY again, ctdb will not fail the addresses back.
Use with caution! Normally when a node becomes available to the cluster ctdb will try to reassign public IP addresses onto the new node as a way to distribute the workload evenly across the clusternode. Ctdb tries to make sure that all running nodes have approximately the same number of public addresses it hosts.
When you enable this tunable, ctdb will no longer attempt to rebalance the cluster by failing IP addresses back to the new nodes. An unbalanced cluster will therefore remain unbalanced until there is manual intervention from the administrator. When this parameter is set, you can manually fail public IP addresses over to the new node(s) using the 'ctdb moveip' command.
If no nodes are HEALTHY then by default ctdb will happily host public IPs on disabled (unhealthy or administratively disabled) nodes. This can cause problems, for example if the underlying cluster filesystem is not mounted. When set to 1 and a node is disabled, any IPs hosted by this node will be released and the node will not takeover any IPs until it is no longer disabled.
When set to 1, ctdb will not allow IP addresses to be failed over to other nodes. Any IP addresses already hosted on healthy nodes will remain. Usually IP addresses hosted on unhealthy nodes will also remain, if NoIPHostOnAllDisabled is 0. However, if NoIPHostOnAllDisabled is 1 then IP addresses will be released by unhealthy nodes and will become un-hosted.
This is the size of a record buffer to pre-allocate for sending reply to PULLDB control. Usually record buffer starts with size of the first record and gets reallocated every time a new record is added to the record buffer. For a large number of records, this can be very inefficient to grow the record buffer one record at a time.
This is the maximum amount of data (in bytes) ctdb will read from a socket at a time.
For a busy setup, if ctdb is not able to process the TCP sockets fast enough (large amount of data in Recv-Q for tcp sockets), then this tunable value should be increased. However, large values can keep ctdb busy processing packets and prevent ctdb from handling other events.
This is the limit on the size of the record buffer to be sent in various controls. This limit is used by new controls used for recovery and controls used in vacuuming.
If the recovery daemon has failed to ping the main dameon for this many consecutive intervals, the main daemon will consider the recovery daemon as hung and will try to restart it to recover.
If the main dameon has not heard a "ping" from the recovery dameon
for this many seconds, the main dameon will log a message that
the recovery daemon is potentially hung. This also increments a
counter which is checked against
for detection of hung recovery daemon.
When using a reclock file for split brain prevention, if set to non-zero this tunable will make the recovery dameon log a message if the fcntl() call to lock/testlock the recovery file takes longer than this number of milliseconds.
How frequently in seconds should the recovery daemon perform the consistency checks to determine if it should perform a recovery.
This is the default setting for timeouts for controls when sent from the recovery daemon. We allow longer control timeouts from the recovery daemon than from normal use since the recovery dameon often use controls that can take a lot longer than normal controls.
The duration in seconds for which a node is banned if the node fails during recovery. After this time has elapsed the node will automatically get unbanned and will attempt to rejoin the cluster.
A node usually gets banned due to real problems with the node. Don't set this value too small. Otherwise, a problematic node will try to re-join cluster too soon causing unnecessary recoveries.
If a node is stuck in recovery, or stopped, or banned, for this many seconds, then ctdb will release all public addresses on that node.
During recoveries, if a node has not caused recovery failures during the last grace period in seconds, any records of transgressions that the node has caused recovery failures will be forgiven. This resets the ban-counter back to zero for that node.
During vacuuming, if the number of freelist records are more than
RepackLimit, then the database is repacked
to get rid of the freelist records to avoid fragmentation.
Databases are repacked only if both
VacuumLimit are exceeded.
Once a recovery has completed, no additional recoveries are permitted until this timeout in seconds has expired.
Some databases have seqnum tracking enabled, so that samba will be able to detect asynchronously when there has been updates to the database. Everytime a database is updated its sequence number is increased.
This tunable is used to specify in milliseconds how frequently ctdb will send out updates to remote nodes to inform them that the sequence number is increased.
Granularity of the statistics collected in the statistics history. This is reported by 'ctdb stats' command.
Once a record has been marked STICKY, this is the duration in seconds, the record will be flagged as a STICKY record.
Once a STICKY record has been migrated onto a node, it will be pinned down on that node for this number of milliseconds. Any request from other nodes to migrate the record off the node will be deferred.
This is the duration in seconds in which ctdb tries to complete IP failover.
This parameter enables TDB_MUTEX_LOCKING feature on volatile databases if the robust mutexes are supported. This optimizes the record locking using robust mutexes and is much more efficient that using posix locks.
TickleUpdateInterval seconds, ctdb
synchronizes the client connection information across nodes.
This is the duration in seconds for which a database traverse is allowed to run. If the traverse does not complete during this interval, ctdb will abort the traverse.
During a vacuuming run, ctdb usually processes only the records
marked for deletion also called the fast path vacuuming. After
VacuumFastPathCount number of fast
path vacuuming runs, ctdb will trigger a scan of complete database
for any empty records that need to be deleted.
Periodic interval in seconds when vacuuming is triggered for volatile databases.
During vacuuming, if the number of deleted records are more than
VacuumLimit, then databases are repacked to
Databases are repacked only if both
VacuumLimit are exceeded.
The maximum time in seconds for which the vacuuming process is allowed to run. If vacuuming process takes longer than this value, then the vacuuming process is terminated.
ctdb(1), ctdbd(1), ctdbd.conf(5), ctdb(7), http://ctdb.samba.org/