Understanding cluster and pool quorum on Azure Stack HCI

Applies to: Azure Stack HCI, version 20H2; Windows Server 2019

Windows Server Failover Clustering provides high availability for workloads. These resources are considered highly available if the nodes that host resources are up; however, the cluster generally requires more than half the nodes to be running, which is known as having quorum.

Quorum is designed to prevent split-brain scenarios, which can happen when there is a partition in the network and subsets of nodes cannot communicate with each other. This can cause both subsets of nodes to try to own the workload and write to the same disk, which can lead to numerous problems. However, this is prevented with Failover Clustering's concept of quorum, which forces only one of these groups of nodes to continue running, so only one of these groups will stay online.

Quorum determines the number of failures that the cluster can sustain while still remaining online. Quorum is designed to handle the scenario when there is a problem with communication between subsets of cluster nodes, so that multiple servers don't try to simultaneously host a resource group and write to the same disk. By having this concept of quorum, the cluster forces the cluster service to stop in one of the subsets of nodes to ensure that there is only one true owner of a particular resource group. Once nodes that have been stopped can once again communicate with the main group of nodes, they will automatically rejoin the cluster and start their cluster service.
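
As a quick illustration of the "more than half" rule, here is a minimal Python sketch; it's purely illustrative and not an API exposed by Failover Clustering:

```python
def has_quorum(surviving_votes: int, total_votes: int) -> bool:
    """A partition keeps quorum only if it holds more than half
    of the total votes (a strict majority)."""
    return surviving_votes > total_votes // 2

# Example: with 5 total votes, 3 surviving votes keep quorum, 2 do not.
assert has_quorum(3, 5) and not has_quorum(2, 5)
```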

In Windows Server 2019, there are two components of the system that have their own quorum mechanisms:

  • Cluster Quorum: This operates at the cluster level (i.e. you can lose nodes and have the cluster stay up).
  • Pool Quorum: This operates on the pool level when Storage Spaces Direct is enabled (i.e. you can lose nodes and drives and have the pool stay up). Storage pools were designed to be used in both clustered and non-clustered scenarios, which is why they have a different quorum mechanism.

Cluster quorum overview

The table below gives an overview of the Cluster Quorum outcomes per scenario:

| Server nodes | Can survive one server node failure | Can survive one server node failure, then another | Can survive two simultaneous server node failures |
|---|---|---|---|
| 2 | 50/50 | No | No |
| 2 + Witness | Yes | No | No |
| 3 | Yes | 50/50 | No |
| 3 + Witness | Yes | Yes | No |
| 4 | Yes | Yes | 50/50 |
| 4 + Witness | Yes | Yes | Yes |
| 5 and above | Yes | Yes | Yes |

Cluster quorum recommendations

  • If you have two nodes, a witness is required.
  • If you have three or four nodes, a witness is strongly recommended.
  • If you have Internet access, use a cloud witness.
  • If you're in an IT environment with other machines and file shares, use a file share witness.

How cluster quorum works

When nodes fail, or when some subset of nodes loses contact with another subset, surviving nodes need to verify that they constitute the majority of the cluster to remain online. If they can't verify that, they'll go offline.

But the concept of majority only works cleanly when the total number of nodes in the cluster is odd (for example, three nodes in a five-node cluster). So, what about clusters with an even number of nodes (say, a four-node cluster)?

There are two ways the cluster can make the total number of votes odd:

  1. First, it can go up one by adding a witness with an extra vote. This requires user set-up.
  2. Or, it can go down one by zeroing one unlucky node's vote (happens automatically as needed).

Whenever surviving nodes successfully verify they are the majority, the definition of majority is updated to be among just the survivors. This allows the cluster to lose one node, then another, then another, and so forth. This concept of the total number of votes adapting after successive failures is known as Dynamic quorum.

Dynamic witness

Dynamic witness toggles the vote of the witness to make sure that the total number of votes is odd. If there are an odd number of votes, the witness doesn't have a vote. If there is an even number of votes, the witness has a vote. Dynamic witness significantly reduces the risk that the cluster will go down because of witness failure. The cluster decides whether to use the witness vote based on the number of voting nodes that are available in the cluster.

Dynamic quorum works with dynamic witness in the way described below.

Dynamic quorum behavior

  • If you have an even number of nodes and no witness, one node gets its vote zeroed. For example, only three of the four nodes get votes, so the total number of votes is three, and two survivors with votes are considered a majority.
  • If you have an odd number of nodes and no witness, they all get votes.
  • If you have an even number of nodes plus a witness, the witness votes, so the total is odd.
  • If you have an odd number of nodes plus a witness, the witness doesn't vote. (These rules are sketched in code after this list.)
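
The following Python sketch encodes the four rules above; it's purely illustrative of how the vote count stays odd and isn't any real cluster API:

```python
def total_votes(node_count: int, has_witness: bool) -> int:
    """Return the total number of votes under the dynamic quorum /
    dynamic witness rules described above (illustrative sketch only)."""
    votes = node_count
    if has_witness:
        # Dynamic witness: the witness votes only when it makes the total odd.
        if votes % 2 == 0:
            votes += 1
    else:
        # No witness: with an even node count, one node's vote is zeroed.
        if votes % 2 == 0:
            votes -= 1
    return votes

# Examples matching the bullets above:
assert total_votes(4, has_witness=False) == 3   # one of four nodes is zeroed
assert total_votes(3, has_witness=False) == 3   # all nodes vote
assert total_votes(4, has_witness=True) == 5    # witness votes
assert total_votes(3, has_witness=True) == 3    # witness doesn't vote
```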

Dynamic quorum enables the ability to assign a vote to a node dynamically to avoid losing the majority of votes, and to allow the cluster to run with one node (known as last-man standing). Let's take a four-node cluster as an example. Assume that quorum requires 3 votes.

In this case, the cluster would have gone down if you lost two nodes.

Diagram showing four cluster nodes, each of which has a vote

However, dynamic quorum prevents this from happening. The total number of votes required for quorum is now determined based on the number of nodes available. So, with dynamic quorum, the cluster will stay up even if you lose three nodes.
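
To make the last-man-standing behavior concrete, here's a rough, illustrative simulation of the four-node scenario, assuming nodes fail one at a time with enough time between failures for the vote count to readjust and that the surviving side keeps the votes:

```python
def simulate_sequential_failures(node_count: int) -> None:
    """Sketch of dynamic quorum surviving successive single-node failures.
    After each failure the total vote count is recalculated among survivors
    (kept odd by zeroing one vote when the survivor count is even)."""
    nodes = node_count
    while nodes > 1:
        votes = nodes if nodes % 2 == 1 else nodes - 1
        majority = votes // 2 + 1
        survivors = nodes - 1  # one more node fails
        outcome = "stays up" if survivors >= majority else "goes down"
        print(f"{nodes} -> {survivors} nodes: need {majority}/{votes} votes, cluster {outcome}")
        nodes = survivors

simulate_sequential_failures(4)
# 4 -> 3 nodes: need 2/3 votes, cluster stays up
# 3 -> 2 nodes: need 2/3 votes, cluster stays up
# 2 -> 1 nodes: need 1/1 votes, cluster stays up
```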

Diagram showing the four cluster nodes failing one at a time, with the number of required votes adjusting after each failure

The above scenario applies to a general cluster that doesn't have Storage Spaces Direct enabled. However, when Storage Spaces Direct is enabled, the cluster can only support two node failures. This is explained more in the pool quorum section.

Examples

Two nodes without a witness.

One node's vote is zeroed, so the majority vote is determined out of a total of 1 vote. If the non-voting node goes down unexpectedly, the survivor has 1/1 and the cluster survives. If the voting node goes down unexpectedly, the survivor has 0/1 and the cluster goes down. If the voting node is gracefully powered down, the vote is transferred to the other node, and the cluster survives. This is why it's critical to configure a witness.

Diagram describing quorum with two nodes and no witness

  • Can survive one server failure: Fifty percent chance.
  • Can survive one server failure, then another: No.
  • Can survive two server failures at once: No.

Two nodes with a witness.

Both nodes vote, plus the witness votes, so the majority is determined out of a total of 3 votes. If either node goes down, the survivor has 2/3 and the cluster survives.

Diagram describing quorum with two nodes and a witness

  • Can survive one server failure: Yes.
  • Can survive one server failure, then another: No.
  • Can survive two server failures at once: No.

Three nodes without a witness.

All nodes vote, so the majority is determined out of a total of 3 votes. If any node goes down, the survivors are 2/3 and the cluster survives. The cluster becomes two nodes without a witness – at that point, you're in Scenario 1.

Diagram describing quorum with three nodes and no witness

  • Can survive one server failure: Yes.
  • Can survive one server failure, then another: Fifty percent chance.
  • Can survive two server failures at once: No.

Three nodes with a witness.

All nodes vote, so the witness doesn't initially vote. The majority is determined out of a total of 3 votes. After one failure, the cluster has two nodes with a witness – which is back to Scenario 2. So, now the two nodes and the witness vote.

Diagram describing quorum with three nodes and a witness

  • Can survive one server failure: Yes.
  • Can survive one server failure, then another: Yes.
  • Can survive two server failures at once: No.

Four nodes without a witness.

One node's vote is zeroed, so the majority is determined out of a total of 3 votes. After one failure, the cluster becomes three nodes, and you're in Scenario 3.

Diagram describing quorum with four nodes and no witness

  • Can survive one server failure: Yes.
  • Can survive one server failure, then another: Yes.
  • Can survive two server failures at once: Fifty percent chance.

Four nodes with a witness.

All nodes vote, plus the witness votes, so the majority is determined out of a total of 5 votes. After one failure, you're in Scenario 4. After two simultaneous failures, you skip down to Scenario 2.

Diagram describing quorum with four nodes and a witness

  • Can survive one server failure: Yes.
  • Can survive one server failure, then another: Yes.
  • Can survive two server failures at once: Yes.

Five nodes and beyond.

All nodes vote, or all but one vote, whatever makes the total odd. Storage Spaces Direct cannot handle more than two nodes down anyway, so at this point, no witness is needed or useful.

Diagram describing quorum with five or more nodes

  • Can survive one server failure: Yes.
  • Can survive one server failure, then another: Yes.
  • Can survive two server failures at once: Yes.

Now that we understand how quorum works, let's look at the types of quorum witnesses.

Quorum witness types

Failover Clustering supports three types of Quorum Witnesses:

  • Cloud Witness - Blob storage in Azure accessible by all nodes of the cluster. It maintains clustering information in a witness.log file, but doesn't store a copy of the cluster database.
  • File Share Witness – An SMB file share that is configured on a file server running Windows Server. It maintains clustering information in a witness.log file, but doesn't store a copy of the cluster database.
  • Disk Witness - A small clustered disk which is in the Cluster Available Storage group. This disk is highly available and can fail over between nodes. It contains a copy of the cluster database. A Disk Witness isn't supported with Storage Spaces Direct.

Pool quorum overview

We just talked about Cluster Quorum, which operates at the cluster level. Now, let's dive into Pool Quorum, which operates on the pool level (i.e. you can lose nodes and drives and have the pool stay up). Storage pools were designed to be used in both clustered and non-clustered scenarios, which is why they have a different quorum mechanism.

The table below gives an overview of the Pool Quorum outcomes per scenario:

| Server nodes | Can survive one server node failure | Can survive one server node failure, then another | Can survive two simultaneous server node failures |
|---|---|---|---|
| 2 | No | No | No |
| 2 + Witness | Yes | No | No |
| 3 | Yes | No | No |
| 3 + Witness | Yes | No | No |
| 4 | Yes | No | No |
| 4 + Witness | Yes | Yes | Yes |
| 5 and above | Yes | Yes | Yes |

How pool quorum works

When drives fail, or when some subset of drives loses contact with another subset, surviving drives need to verify that they constitute the majority of the pool to remain online. If they can't verify that, they'll go offline. The pool is the entity that goes offline or stays online based on whether it has enough disks for quorum (50% + 1). The pool resource owner (active cluster node) can be the +1.

But pool quorum works differently from cluster quorum in the following ways:

  • The pool uses one node in the cluster as a witness, as a tie-breaker, so it can survive half of the drives being gone (this node is the pool resource owner).
  • The pool does NOT have dynamic quorum.
  • The pool does NOT implement its own version of removing a vote. (A sketch of the pool quorum calculation follows this list.)
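
Under the simplified reading above (every drive gets one vote, and the pool resource owner contributes one tie-breaking vote), a minimal illustrative sketch of the pool quorum check might look like this; the actual Storage Spaces implementation is more involved:

```python
def pool_has_quorum(total_drives: int,
                    surviving_drives: int,
                    owner_in_surviving_subset: bool) -> bool:
    """Illustrative sketch only: each drive in the pool has one vote, and
    the pool resource owner node adds one vote as a tie-breaker. The pool
    stays online only if the surviving side holds more than half of the
    drive votes."""
    surviving_votes = surviving_drives + (1 if owner_in_surviving_subset else 0)
    return surviving_votes > total_drives / 2

# Four symmetrical nodes with 16 drives total: losing two nodes leaves
# 8 drives plus the owner -> 9/16, so the pool survives.
assert pool_has_quorum(16, 8, owner_in_surviving_subset=True)
# If one drive had already failed, the same two-node loss leaves 7 drives
# plus the owner -> 8/16, which is not a majority, so the pool goes down.
assert not pool_has_quorum(16, 7, owner_in_surviving_subset=True)
```

These two calls correspond to the first two examples below.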

Examples

Four nodes with a symmetrical layout.

Each of the 16 drives has one vote and node two also has one vote (since it's the pool resource owner). The majority is determined out of a total of 16 votes. If nodes three and four go down, the surviving subset has 8 drives and the pool resource owner, which is 9/16 votes. So, the pool survives.

Pool quorum diagram 1

  • Can survive one server failure: Yes.
  • Can survive one server failure, then another: Yes.
  • Can survive two server failures at once: Yes.

Four nodes with a symmetrical layout and drive failure.

Each of the 16 drives has one vote and node two also has one vote (since it's the pool resource owner). The majority is determined out of a total of 16 votes. First, drive 7 goes down. If nodes three and four go down, the surviving subset has 7 drives and the pool resource owner, which is 8/16 votes. So, the pool doesn't have majority and goes down.

Pool quorum diagram 2

  • Can survive one server failure: Yes.
  • Can survive one server failure, then another: No.
  • Can survive two server failures at once: No.

Four nodes with a non-symmetrical layout.

Each of the 24 drives has one vote and node two also has one vote (since it's the pool resource owner). The majority is determined out of a total of 24 votes. If nodes three and four go down, the surviving subset has 8 drives and the pool resource owner, which is 9/24 votes. So, the pool doesn't have majority and goes down.

Pool quorum diagram 3

  • Can survive one server failure: Yes.
  • Can survive one server failure, then another: Depends (cannot survive if both nodes three and four go down, but can survive all other scenarios).
  • Can survive two server failures at once: Depends (cannot survive if both nodes three and four go down, but can survive all other scenarios).

Pool quorum recommendations

  • Ensure that each node in your cluster is symmetrical (each node has the same number of drives).
  • Enable three-way mirror or dual parity so that you can tolerate node failures and keep the virtual disks online.
  • If more than two nodes are down, or two nodes and a disk on another node are down, volumes may not have access to all three copies of their data, and will therefore be taken offline and unavailable. It's recommended to bring the servers back or replace the disks quickly to ensure the most resiliency for all the data in the volume.

Next steps

For more information, see the following: