High Availability command line interface - future plans.
Ian Booth
ian.booth at canonical.com
Thu Nov 7 02:20:35 UTC 2013
On 07/11/13 12:00, Andrew Wilkins wrote:
> On Thu, Nov 7, 2013 at 9:23 AM, Ian Booth <ian.booth at canonical.com> wrote:
>
>> So, I haven't been involved directly in a lot of the discussion, but my 2c
>> is:
>>
>> +1 to juju ensure-ha
>>
>> Users don't give a f*ck about how Juju achieves HA, they just want to know
>> their data will survive a node outage. What Juju does under the covers to
>> make that happen, what jobs are run on what nodes etc - that's for Juju to
>> care about.
>>
>
> I'm not so sure about that. I expect there'll be users who want to know
> *exactly* how it works, because otherwise they won't feel they can trust it
> with their services. That's not to say that ensure-ha can't be trusted -
> just that some users will want to know what it's doing under the covers.
> Speculative, but based on past experience with banks, insurance companies,
> etc.
>
> Another thing to consider is that one person's HA is not the next person's.
> I may want to disperse my state servers across multiple regions (were that
> supported); you might find this costs too much in inter-region traffic.
> What happens if I have a temporary outage in one region - where does
> ensure-ha automatically spin up a new one? What happens when the original
> comes back? Each of these things are things people may want to do
> differently, because they each have different trade-offs.
>
> I'm not really keen on ensure-ha due to the magical nature, but if it's
> just a stop gap... I guess.
>
ensure-ha does not automatically bring up new services if a node goes down.
That will be a user-initiated action initially. So there's user control.
Whether users want to know the gory detail of how HA works under the covers - I
agree users from different industry segments will have different expectations.
My past experience was such that users didn't care, so long as it worked. I
really don't see ensure-ha as a stop gap. It's a legitimate solution for many
users.
My view is that the users who don't care will use ensure-ha; other users will be
able to deploy redundant services as described in my original email if they want
more control. But the abstraction needs to be done right, and in my view, it's
best done at the service level.