Restrict master failover to non-slave servers

If all but one server in a cluster fail and `failover` is enabled for mysqlmon, the last server would be used as if it were a master. With this change, the restrictions on failover also require that the last server is not configured as a slave. This change will prevent unintended failovers from happening when network connectivity is bad. It also allows external actors to clear the slave configuration from the last remaining server to signal MaxScale that the server can be used as a master.
2017-03-01 09:42:35 +02:00
parent 1d48a24d6a
commit 7daafd33fc
2 changed files with 8 additions and 7 deletions
--- a/Documentation/Monitors/MySQL-Monitor.md
+++ b/Documentation/Monitors/MySQL-Monitor.md
@ -138,6 +138,7 @@ initiated, the following conditions must have been met:
 - The monitor has repeatedly failed to connect to the failed servers
 - There is only one running server among the monitored servers
 - @@read_only is not enabled on the last running server
+- The last running server is not configured as a slave

 When these conditions are met, the monitor assigns the last remaining server the
 master status and puts all other servers into maintenance mode. This is done to
@ -167,12 +168,12 @@ milliseconds, the value of _failcount_ must be 10.
 ### `failover_recovery`

 Allow recovery after failover. This feature takes a boolean parameter is
-disabled by default.
+enabled by default.

-Normally if a failover has been triggered and the last remaining server is
-chosen as the master, the monitor will set all of the failed servers into
-maintenance mode. When this option is enabled, the failed servers are allowed to
-rejoin the cluster.
+When this parameter is disabled, if a failover has been triggered and the last
+remaining server is chosen as the master, the monitor will set all of the failed
+servers into maintenance mode. When this option is enabled, the failed servers
+are allowed to rejoin the cluster.

 This option should be enabled when failover in MaxScale is used in conjunction
 with an external agent that resets the slave status for new master servers. One
--- a/server/modules/monitor/mysqlmon/mysql_mon.c
+++ b/server/modules/monitor/mysqlmon/mysql_mon.c
@ -127,7 +127,7 @@ MXS_MODULE* MXS_CREATE_MODULE()
            {"multimaster", MXS_MODULE_PARAM_BOOL, "false"},
            {"failover", MXS_MODULE_PARAM_BOOL, "false"},
            {"failcount", MXS_MODULE_PARAM_COUNT, "5"},
-            {"failover_recovery", MXS_MODULE_PARAM_BOOL, "false"},
+            {"failover_recovery", MXS_MODULE_PARAM_BOOL, "true"},
            {
                "script",
                MXS_MODULE_PARAM_PATH,
@ -973,7 +973,7 @@ bool failover_required(MYSQL_MONITOR *handle, MXS_MONITOR_SERVERS *db)
            candidates++;
            MYSQL_SERVER_INFO *server_info = hashtable_fetch(handle->server_info, db->server->unique_name);

-            if (server_info->read_only || candidates > 1)
+            if (server_info->read_only || server_info->slave_configured || candidates > 1)
            {
                return false;
            }