Version: 2.9.0

AZ Failover Configuration Procedures

Introduction

This article outlines the steps required for configuring your Eyeglass VM and PowerScale OneFS Clusters for an Access Zone Failover.

Access Zone Failover Configuration Steps

Active Directory

Delegation of Cluster Machine Accounts with Active Directory

The steps in the article linked above are required to prepare your system for the Eyeglass Assisted Access Zone Failover.

With delegation in place, Eyeglass does not need direct access to Active Directory to synchronize the Service Principal Names (SPNs) for the computer accounts of the production or DR clusters.

SmartConnect Zones

For access zone failover, SmartConnect Zones must be mapped between the source and target clusters.

This allows Eyeglass to automatically create SmartConnect Zone names and aliases on the DR cluster during a failover. Each new SmartConnect Zone Alias also creates a matching service principal name (SPN) for Kerberos authentication.

Service Account Privileges

If the Eyeglass Service Account needs to run CLI commands that require root privileges, the PowerScale OneFS sudoers file must be updated. This is especially important for clusters running in STIG or compliance mode, where direct root access is disabled.

Access zone failover requires certain CLI commands to run with elevated permissions. For example, the "SPN machine account maintenance" command, which is needed before and after a cluster failover, requires elevated permissions across all cluster nodes.

Refer to “Eyeglass Service Account Guide for Minimum Permissions” for instructions on how to grant sudo privileges to the Eyeglass Service Account.

SPN Delegation

SPN delegation is a one-time setup required for Eyeglass Access Zone failover. It ensures that SPNs for the source cluster zone and SmartConnect Zone Active Directory (AD) providers are managed automatically, avoiding conflicts and authentication failures during a failover.

Each AD provider added to a cluster requires SPN delegation for its corresponding machine account. For example, if four AD providers are used across different domains, four delegations must be set up.

Subnet IP Pool Mapping

This section explains why IP pools are configured and how to map them for failover. IP pools provide data access through SmartConnect names, and the IP pool used during failover is predefined using IP pool mapping hints.

Zone Aliases for Failover

Access Zone failover relies on dual DNS delegation, ensuring no DNS changes are needed during failover. On the target cluster, the Subnet IP Pools must have a SmartConnect Zone name set directly in the PowerScale OneFS UI (not as an alias).

Even though this SmartConnect name is not actively used or mounted on the disaster recovery (DR) cluster, it is necessary for configuring the second DNS name server record.

The following approach simplifies the failover process:

  • Enter the source IP pool’s SmartConnect Zone name in the PowerScale OneFS UI on the target IP pool, using the format: igls-original-<source cluster SmartConnect zone name>

Important

The target IP pool must have a SmartConnect name assigned. Without this, dual delegation will not function correctly.

Blank or missing SmartConnect names are not supported, and there is no automatic validation in the DR Dashboard to check for correct SmartConnect name configuration on the target cluster.

This method simplifies failover management within the PowerScale OneFS UI by automatically renaming the SmartConnect Zone name during failover, without needing to create an extra alias. The name is swapped between the source and target during failover.

When and How to Exclude an IP Pool SmartConnect Name Using the "igls-ignore" hint

The "igls-ignore" hint tells Eyeglass not to process the SmartConnect names or aliases associated with a specific IP pool. Syntax of "igls-ignore":

The "igls-ignore" hint can be customized by adding a unique identifier (e.g., igls-ignore-xxxx) to document the reason for excluding the IP pool. Here are some examples:

  • igls-ignore-repl: For IP pools used with SyncIQ replication.
  • igls-ignore-dfsprod: For IP pools used by DFS clients.
  • igls-ignore-mgmtclst1: For IP pools used to manage the cluster.

When to Apply "igls-ignore" Hints:

  • SyncIQ IP pools: To avoid processing IP pools used for replication targets.
  • DFS IP pools: To prevent DNS updates for DFS target folders and avoid SPN updates.
  • Cluster management IP pools: If a cluster is added to Eyeglass using an FQDN, an "igls-ignore" hint is required to prevent Eyeglass from losing access to the cluster during failover or failback.

Eyeglass will validate this configuration in the Zone Readiness screen, ensuring the FQDN used to add the cluster has the correct "igls-ignore" hint. Missing this hint will block failover operations.

Creating Mapping Hints for IP Pools Between Source and Target Clusters

To ensure proper access to data from the correct SmartConnect Zone IP and node pool on the target cluster during failover, mapping hints must be created for IP pools between the source and target clusters. This mapping is completed after installation and is audited by Eyeglass as part of the Failover Readiness validation process. The mapping uses SmartConnect Zone aliases.

Best Practice for Naming Conventions

Mapping hints for IP pools should follow a clear and consistent format using the syntax: igls-xxx, where “xxx” can be any string, though we recommend keeping it simple by using numbers.

Example:

  • Source IP pool hint: igls-01-pool-name-prod
  • Target IP pool hint: igls-01-pool-name-dr

This naming convention ensures clarity and easy identification of mapped pools.

Important

Using this naming convention also helps avoid SPN collisions. While Eyeglass does not inject these hints, an administrator could manually add them via ISI commands without causing issues.

For example, hints like igls-01-prod and igls-01-dr are considered matching because only the "igls-xx" part needs to match. You can make the strings unique while still maintaining a functional match by using the format: igls-xx-some-unique-string.

Eyeglass requires the user to specify which network pools on the source cluster are partnered with network pools on the target cluster for failover. To enable this, you must create identical alias hints on both the source and target network pools.

Ignore Hint for SyncIQ Replication

An ignore hint is used to designate the SmartConnect Zone(s) dedicated to SyncIQ replication.

PowerScale OneFS best practices recommend using a dedicated SmartConnect Zone for SyncIQ replication and not using it for client data access.

During failover, the SyncIQ SmartConnect Zone doesn’t need to be failed over. Eyeglass needs this ignore hint to exclude these zones from failover and to assess Access Zones and SmartConnect Zones during readiness checks.

How to Add the Mapping Alias

To add a mapping alias to the PowerScale OneFS cluster:

  1. SSH into the cluster and log in as root.

  2. Use the following commands (note that subnet and pool names are case sensitive):

    • Get a list of pools:

      isi network pools list -v

    • Add a zone alias hint to a pool:

      isi network pools modify --name=<subnet:poolname> --add-sc-dns-zone-aliases=<hint>
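
Because the DR Dashboard does not validate the target SmartConnect name, a pre-failover audit of the hints can be scripted. The following is an added example, not Eyeglass or OneFS code: it checks hint pairing, "igls-ignore" exclusion, blank target zone names and the igls-original- name against a hand-built inventory. The inventory shape, the function names and the reading of "only the igls-xx part needs to match" as "igls- plus the first token" are assumptions.

```python
import re

# Assumed key: "igls-" plus the first token (igls-01-pool-name-prod -> igls-01).
HINT_KEY = re.compile(r"^(igls-[^-]+)")

def mapping_keys(pools, side, findings):
    """Return {hint key: pool name} for pools that carry no igls-ignore hint."""
    keys = {}
    for name, pool in pools.items():
        if any(a.startswith("igls-ignore") for a in pool["aliases"]):
            continue  # replication, DFS or management pool: excluded
        hints = [m.group(1) for m in map(HINT_KEY.match, pool["aliases"])
                 if m and m.group(1) != "igls-original"]
        if len(hints) != 1:
            findings.append(f"{side} {name}: expected 1 mapping hint, found {len(hints)}")
        for key in hints:
            if key in keys:
                findings.append(f"{side} {name}: {key} already used by {keys[key]}")
            keys.setdefault(key, name)
    return keys

def audit(source, target):
    """Pools: {"subnet:pool": {"zone": str, "aliases": [str]}} (hypothetical shape)."""
    findings = []
    src = mapping_keys(source, "source", findings)
    dst = mapping_keys(target, "target", findings)
    for key in sorted(set(src) ^ set(dst)):
        side, name = ("source", src[key]) if key in src else ("target", dst[key])
        findings.append(f"{side} {name}: {key} has no partner on the other cluster")
    for key, name in sorted(dst.items()):
        zone = target[name]["zone"].strip()
        want = "igls-original-" + source[src[key]]["zone"] if key in src else None
        if not zone:
            findings.append(f"target {name}: SmartConnect zone name is blank")
        elif want and zone.startswith("igls-original-") and zone != want:
            findings.append(f"target {name}: zone {zone} should be {want}")
    return findings

# Constructed inventory, typed by hand for this example (not isi output).
SOURCE = {
    "subnet0:prod-data": {"zone": "data.example.com", "aliases": ["igls-01-data-prod"]},
    "subnet0:prod-home": {"zone": "home.example.com", "aliases": ["igls-02-home-prod"]},
    "subnet0:prod-repl": {"zone": "repl.example.com", "aliases": ["igls-ignore-repl"]},
}
TARGET = {
    "subnet0:dr-data": {"zone": "igls-original-data.example.com", "aliases": ["igls-01-data-dr"]},
    "subnet0:dr-home": {"zone": "", "aliases": ["igls-03-home-dr"]},
    "subnet0:dr-repl": {"zone": "repl-dr.example.com", "aliases": ["igls-ignore-repl"]},
}
```

Calling audit(SOURCE, TARGET) on this constructed inventory reports the igls-02 and igls-03 hints as unpaired and the blank SmartConnect zone name on subnet0:dr-home.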

See Also

After configuring the Eyeglass VM and PowerScale OneFS Clusters for an Access Zone failover, you can test your failover solution with the Runbook Robot or Execute a Failover with DR Assistant.