Description
Currently, our HA design ensures "write fencing" by having the failover controller call a fencing script before transitioning a new node to active. However, if the fencing script is based on storage fencing (and not STONITH), there is no read fencing. That is to say, the old active may continue to believe itself active for an unbounded amount of time, as long as it does not try to write to its edit log.
This isn't super problematic, but it would be beneficial for monitoring, etc., to have the old NN periodically check the writability of any "required" journals, and abort if they become unwritable, even if there are no writes coming into the system.
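As an added illustration that is not Hadoop's own code, the following Python sketch models the proposed check: each journal is a directory, and the probe performs a real write, fsync and delete rather than a permission lookup, so a storage fence on the old active is noticed even when no edits arrive. The probe file name, the `required` flag layout and the constructed sample directories are assumptions.

```python
import os
import tempfile
import time

# Added example, not Hadoop's own code: a stand-in for a periodic
# "required journal writability" check on the old active NameNode.
# A journal is modelled as a directory; a storage fence that revokes
# write access shows up as a failed probe, with no edit log traffic needed.

PROBE_NAME = ".writability_probe"  # assumed marker file name


def probe_journal(journal_dir: str) -> bool:
    """Return True only if journal_dir accepts a real, durable write."""
    path = os.path.join(journal_dir, PROBE_NAME)
    try:
        with open(path, "wb") as f:
            f.write(b"probe\n")
            f.flush()
            os.fsync(f.fileno())  # a cached write would hide a fence
        os.remove(path)
        return True
    except OSError:
        return False


def check_required_journals(journals: dict) -> list:
    """journals maps directory -> required (bool).
    Returns the required journals that are unwritable; empty means stay active."""
    return [d for d, required in journals.items()
            if required and not probe_journal(d)]


def run_monitor(journals: dict, interval_s: float, rounds: int) -> tuple:
    """Run the check `rounds` times (a real daemon loops until it aborts).
    Returns (should_abort, rounds_completed, failed_journals)."""
    for done in range(rounds):
        failed = check_required_journals(journals)
        if failed:
            return True, done, failed  # caller would abort the NameNode here
        time.sleep(interval_s)
    return False, rounds, []


def make_sample_journals() -> tuple:
    """Constructed sample input: a writable journal directory and a path that
    does not exist, standing in for a journal whose storage has been fenced."""
    good = tempfile.mkdtemp(prefix="journal-good-")
    fenced = os.path.join(good, "fenced-journal-does-not-exist")
    return good, fenced
```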