ctdb-tunables - CTDB tunable configuration variables
CTDB's behaviour can be configured by setting run-time tunable variables. This
lists and describes all tunables. See the ctdb
commands for more details.
Unless otherwise stated, tunables should be set to the same value on all nodes.
Setting tunables to different values across nodes may produce unexpected
results. Future releases may set (some or most) tunables globally across the
cluster but doing so is currently a manual process.
The tunable variables are listed alphabetically.
When set to 0, clients are not allowed to attach to any databases. This can be
used to temporarily block any new processes from attaching to and accessing
the databases. This is mainly used for detaching a volatile database using
CTDB will not allow incompatible versions to co-exist in a cluster. If a version
mismatch is found, then losing CTDB will shutdown. To disable the incompatible
version check, set this tunable to 1.
For version checking, CTDB uses major and minor version. For example, CTDB 4.6.1
and CTDB CTDB 4.6.2 are matching versions; CTDB 4.5.x and CTDB 4.6.y do not
CTDB with version check support will lose to CTDB without version check support.
Between two different CTDB versions with version check support, one running
for less time will lose. If the running time for both CTDB versions with
version check support is equal (to seconds), then the older version will lose.
The losing CTDB daemon will shutdown.
When set to 1, ctdb allows database traverses to read unhealthy databases. By
default, ctdb does not allow reading records from unhealthy databases.
This is the default setting for timeout for when sending a control message to
either the local or a remote ctdb daemon.
Number of the hash chains for the local store of the tdbs that ctdb manages.
Maximum number of dead records per hash chain for the tdb databses managed by
When set to non-zero, ctdb will log a warning during recovery if a database has
more than this many records. This will produce a warning if a database grows
uncontrollably with orphaned records.
When set to non-zero, ctdb will log a warning during recovery if a single record
is bigger than this size. This will produce a warning if a database record
When set to non-zero, ctdb will log a warning during recovery if a database size
is bigger than this. This will produce a warning if a database grows
When databases are frozen we do not allow clients to attach to the databases.
Instead of returning an error immediately to the client, the attach request
from the client is deferred until the database becomes available again at
which stage we respond to the client.
This timeout controls how long we will defer the request from the client before
timing it out and returning an error to the client.
When set to non-zero, ctdb will not perform failover or failback. Even if a node
fails while holding public IPs, ctdb will not recover the IPs or assign them
to another node.
When this tunable is enabled, ctdb will no longer attempt to recover the cluster
by failing IP addresses over to other nodes. This leads to a service outage
until the administrator has manually performed IP failover to replacement
nodes using the 'ctdb moveip' command.
The number of seconds to wait for the election of recovery master to complete.
If the election is not completed during this interval, then that round of
election fails and ctdb starts a new election.
This parameter allows ctdb to ban a node if the node is misbehaving.
When set to 0, this disables banning completely in the cluster and thus nodes
can not get banned, even it they break. Don't set to 0 unless you know what
you are doing.
Maximum time in seconds to allow an event to run before timing out. This is the
total time for all enabled scripts that are run for an event, not just a
single event script.
Note that timeouts are ignored for some events ("takeip",
"releaseip", "startrecovery", "recovered") and
converted to success. The logic here is that the callers of these events
implement their own additional timeout.
This parameter is used to avoid multiple migration requests for the same record
from a single node. All the record requests for the same record are queued up
and processed when the record is migrated to the current node.
When many clients across many nodes try to access the same record at the same
time this can lead to a fetch storm where the record becomes very active and
bounces between nodes very fast. This leads to high CPU utilization of the
ctdbd daemon, trying to bounce that record around very fast, and poor
performance. This can improve performance and reduce CPU utilization for
For database(s) marked STICKY (using 'ctdb setdbsticky'), any record that is
migrating so fast that hopcount exceeds this limit is marked as STICKY record
seconds. This means that after each migration the
sticky record will be kept on the node StickyPindown
prevented from being migrated off the node.
This will improve performance for certain workloads, such as locking.tdb if many
clients are opening/closing the same file concurrently.
Selects the algorithm that CTDB should use when doing public IP address
allocation. Meaningful values are:
Deterministic IP address allocation.
This is a simple and fast option. However, it can cause unnecessary address
movement during fail-over because each address has a "home" node.
Works badly when some nodes do not have any addresses defined. Should be used
with care when addresses are defined across multiple networks.
Non-deterministic IP address allocation.
This is a relatively fast option that attempts to do a minimise unnecessary
address movements. Addresses do not have a "home" node. Rebalancing
is limited but it usually adequate. Works badly when addresses are defined
across multiple networks.
LCP2 IP address allocation.
Uses a heuristic to assign addresses defined across multiple networks, usually
balancing addresses on each network evenly across nodes. Addresses do not have
a "home" node. Minimises unnecessary address movements. The
algorithm is complex, so is slower than other choices for a large number of
addresses. However, it can calculate an optimal assignment of 900 addresses in
under 10 seconds on modern hardware.
If the specified value is not one of these then the default will be used.
How often in seconds should the nodes send keep-alive packets to each other.
After how many keepalive intervals without any traffic should a node wait until
marking the peer as DISCONNECTED.
If a node has hung, it can take KeepaliveInterval
+ 1) seconds before ctdb determines that the node is
DISCONNECTED and performs a recovery. This limit should not be set too high to
enable early detection and avoid any application timeouts (e.g. SMB1) to kick
in before the fail over is completed.
This is the maximum number of lock helper processes ctdb will create for
obtaining record locks. When ctdb cannot get a record lock without blocking,
it creates a helper process that waits for the lock to be obtained.
When set to non-zero, ctdb will log if certains operations take longer than this
value, in milliseconds, to complete. These operations include "process a
record request from client", "take a record or database lock",
"update a persistent database record" and "vaccum a
This is the maximum number of messages to be queued up for a client before ctdb
will treat the client as hung and will terminate the client connection.
How often should ctdb run the 'monitor' event in seconds to check for a node's
How many 'monitor' events in a row need to timeout before a node is flagged as
UNHEALTHY. This setting is useful if scripts can not be written so that they
do not hang for benign reasons.
When set to 1, ctdb will not perform failback of IP addresses when a node
becomes healthy. When a node becomes UNHEALTHY, ctdb WILL perform failover of
public IP addresses, but when the node becomes HEALTHY again, ctdb will not
fail the addresses back.
Use with caution! Normally when a node becomes available to the cluster ctdb
will try to reassign public IP addresses onto the new node as a way to
distribute the workload evenly across the clusternode. Ctdb tries to make sure
that all running nodes have approximately the same number of public addresses
When you enable this tunable, ctdb will no longer attempt to rebalance the
cluster by failing IP addresses back to the new nodes. An unbalanced cluster
will therefore remain unbalanced until there is manual intervention from the
administrator. When this parameter is set, you can manually fail public IP
addresses over to the new node(s) using the 'ctdb moveip' command.
If no nodes are HEALTHY then by default ctdb will happily host public IPs on
disabled (unhealthy or administratively disabled) nodes. This can cause
problems, for example if the underlying cluster filesystem is not mounted.
When set to 1 and a node is disabled, any IPs hosted by this node will be
released and the node will not takeover any IPs until it is no longer
When set to 1, ctdb will not allow IP addresses to be failed over to other
nodes. Any IP addresses already hosted on healthy nodes will remain. Usually
IP addresses hosted on unhealthy nodes will also remain, if
NoIPHostOnAllDisabled is 0. However, if NoIPHostOnAllDisabled is 1 then IP
addresses will be released by unhealthy nodes and will become un-hosted.
This is the size of a record buffer to pre-allocate for sending reply to PULLDB
control. Usually record buffer starts with size of the first record and gets
reallocated every time a new record is added to the record buffer. For a large
number of records, this can be very inefficient to grow the record buffer one
record at a time.
This is the maximum amount of data (in bytes) ctdb will read from a socket at a
For a busy setup, if ctdb is not able to process the TCP sockets fast enough
(large amount of data in Recv-Q for tcp sockets), then this tunable value
should be increased. However, large values can keep ctdb busy processing
packets and prevent ctdb from handling other events.
This is the limit on the size of the record buffer to be sent in various
controls. This limit is used by new controls used for recovery and controls
used in vacuuming.
If the recovery daemon has failed to ping the main dameon for this many
consecutive intervals, the main daemon will consider the recovery daemon as
hung and will try to restart it to recover.
If the main dameon has not heard a "ping" from the recovery dameon for
this many seconds, the main dameon will log a message that the recovery daemon
is potentially hung. This also increments a counter which is checked against
for detection of hung recovery daemon.
When using a reclock file for split brain prevention, if set to non-zero this
tunable will make the recovery dameon log a message if the fcntl() call to
lock/testlock the recovery file takes longer than this number of milliseconds.
How frequently in seconds should the recovery daemon perform the consistency
checks to determine if it should perform a recovery.
This is the default setting for timeouts for controls when sent from the
recovery daemon. We allow longer control timeouts from the recovery daemon
than from normal use since the recovery dameon often use controls that can
take a lot longer than normal controls.
The duration in seconds for which a node is banned if the node fails during
recovery. After this time has elapsed the node will automatically get unbanned
and will attempt to rejoin the cluster.
A node usually gets banned due to real problems with the node. Don't set this
value too small. Otherwise, a problematic node will try to re-join cluster too
soon causing unnecessary recoveries.
If a node is stuck in recovery, or stopped, or banned, for this many seconds,
then ctdb will release all public addresses on that node.
During recoveries, if a node has not caused recovery failures during the last
grace period in seconds, any records of transgressions that the node has
caused recovery failures will be forgiven. This resets the ban-counter back to
zero for that node.
During vacuuming, if the number of freelist records are more than
, then the database is repacked to get rid of the freelist
records to avoid fragmentation.
Databases are repacked only if both RepackLimit
Once a recovery has completed, no additional recoveries are permitted until this
timeout in seconds has expired.
Some databases have seqnum tracking enabled, so that samba will be able to
detect asynchronously when there has been updates to the database. Everytime a
database is updated its sequence number is increased.
This tunable is used to specify in milliseconds how frequently ctdb will send
out updates to remote nodes to inform them that the sequence number is
Granularity of the statistics collected in the statistics history. This is
reported by 'ctdb stats' command.
Once a record has been marked STICKY, this is the duration in seconds, the
record will be flagged as a STICKY record.
Once a STICKY record has been migrated onto a node, it will be pinned down on
that node for this number of milliseconds. Any request from other nodes to
migrate the record off the node will be deferred.
This is the duration in seconds in which ctdb tries to complete IP failover.
This parameter enables TDB_MUTEX_LOCKING feature on volatile databases if the
robust mutexes are supported. This optimizes the record locking using robust
mutexes and is much more efficient that using posix locks.
seconds, ctdb synchronizes the client
connection information across nodes.
This is the duration in seconds for which a database traverse is allowed to run.
If the traverse does not complete during this interval, ctdb will abort the
During a vacuuming run, ctdb usually processes only the records marked for
deletion also called the fast path vacuuming. After finishing
number of fast path vacuuming runs, ctdb will
trigger a scan of complete database for any empty records that need to be
Periodic interval in seconds when vacuuming is triggered for volatile databases.
During vacuuming, if the number of deleted records are more than
, then databases are repacked to avoid fragmentation.
Databases are repacked only if both RepackLimit
The maximum time in seconds for which the vacuuming process is allowed to run.
If vacuuming process takes longer than this value, then the vacuuming process
When set to non-zero, ctdb assigns verbose names for some of the talloc
allocated memory objects. These names are visible in the talloc memory report
generated by 'ctdb dumpmemory'.
This documentation was written by Ronnie Sahlberg, Amitay Isaacs, Martin
Copyright © 2007 Andrew Tridgell, Ronnie Sahlberg
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 3 of the License, or (at your option) any later
This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
this program; if not, see http://www.gnu.org/licenses