CorosyncEdit

Corosync is a free, open-source cluster engine that coordinates multiple servers in high-availability environments. It provides the core group communication, membership management, and quorum services that enable resource managers to keep critical services running even as individual nodes fail. In practice, Corosync sits beneath popular cluster stacks such as Pacemaker and is widely deployed in data centers, virtualization hosts, and service-provider environments where uptime and predictable recovery matter. Its design emphasizes deterministic messaging, dynamic membership, and explicit fencing to minimize downtime and data loss during failures.

Originally developed to serve as a portable, vendor-neutral base for clustering, Corosync’s lineage reflects the evolution of the Linux HA ecosystem toward standards-based reliability and practical, cost-conscious operations. The project grew out of the OpenAIS effort, which aimed to deliver a robust, interoperable core for high-availability clustering based on a dependable group communication protocol. When OpenAIS faded, the Corosync project continued to refine the core components—the Totem protocol for reliable multicast and a cohesive membership service—while adapting to real-world deployments across diverse hardware and networks. Today, Corosync remains a common foundation for enterprise-grade HA deployments, frequently bundled with other tools in mainstream Linux distributions and used to support mission-critical workloads from databases to virtualized infrastructure.

In deployment, Corosync is valued for enabling fast failover, controlled recovery, and consistent state across a cluster. Its emphasis on a deterministic ordering of messages, rapid propagation of membership changes, and explicit fencing through STONITH helps reduce risk in industries such as finance, telecommunications, and large-scale virtualization. While alternative approaches exist—ranging from simple passive clustering to newer distributed systems—the Corosync-Pacemaker combination remains a mature, cost-effective option for operators who prize uptime, interoperability, and predictable governance over software stacks.

History

Corosync’s history is closely tied to the open-source cluster movement. The lineage begins with OpenAIS, which sought to provide a standard, portable cluster engine built on the Totem protocol. When the OpenAIS project evolved or dissolved in various ways, the Corosync project inherited and extended its core ideas, continuing to develop the messaging, membership, and quorum primitives that HA stacks rely on. A key feature across versions has been the Totem protocol and its associated membership model, which together deliver a unified view of the cluster and a deterministic mechanism for ordering events. Over time, Corosync integrated with popular resource managers like Pacemaker, enabling operators to manage services and resources with high availability guarantees. The project has progressed through multiple releases, balancing stability, performance, and security updates in response to real-world needs.

Architecture and core components

• Totem protocol: The backbone of Corosync’s communications, providing reliable multicast and a deterministic ordering of messages. This protocol underpins the cluster’s ability to coordinate actions across nodes and ensures a consistent state view for all participants. Totem protocol

• Membership service: Tracks which nodes are part of the cluster, detects joins and leaves, and maintains a current view of the system topology. The membership view is essential for making decisions about quorum and failover.

• Quorum and consensus: Quorum rules determine whether the cluster can make decisions and proceed with failover. This mechanism prevents split-brain conditions and helps ensure that only a majority (or preconfigured quorum policy) can commit changes.

• Fencing (STONITH): A critical safety mechanism that isolates faulty nodes to protect shared resources and prevent data corruption. Corosync coordinates with fencing devices and strategies to enforce isolation when a node misbehaves or fails. STONITH

• Resource manager integration: Corosync provides the coordination layer that resource managers rely on to manage services and resources across the cluster. The most common pairing is with Pacemaker to implement a complete HA solution.

• Configuration and management: Clusters are configured through files and tools that interact with Corosync’s core services. While the details vary by deployment, the design aims to be self-describing and interoperable across environments.

• Networking and multi-site support: Corosync supports deploying clusters across networks and, in some configurations, across multiple sites to enable disaster recovery and data-center-wide resilience. This capability is often paired with other DR strategies to minimize downtime.

Features and capabilities

• High availability engine: Coordinates failover and service restart across nodes to minimize downtime.

• Reliable messaging and ordering: Guarantees that critical state changes are consistently observed by all participants in the cluster. Totem protocol

• Dynamic membership: Handles nodes joining and leaving with minimal disruption to running services.

• Quorum-based decision making: Uses quorum rules to avoid split-brain and to maintain data integrity during network partitions. Quorum (distributed systems)

• Fencing and recovery safety: Integrates with fencing devices to isolate failed nodes and protect shared resources. STONITH

• Integration with resource managers: Primarily used with Pacemaker to automate the管理 and placement of services such as databases, virtual machines, and web services.

• Cross-platform and distribution support: Widely shipped with major Linux distributions, enabling broad deployment without vendor-specific lock-in.

• Open-source governance: The project is developed in a community-driven model with corporate and individual contributors, promoting interoperability and transparency.

Deployment considerations

• Planning for quorum and fencing: Operators configure quorum policies and fencing strategies to balance availability and safety. Correct fencing is essential to prevent data corruption in the event of node failure.

• Network design: Reliable, low-latency networks improve failover times and reduce the risk of inconclusive member state changes. Separate management networks can help isolate cluster traffic.

• Resource manager readiness: A stable HA stack depends on a compatible resource manager (notably Pacemaker) and properly defined resource constraints and failover behaviors.

• Security and updates: Regular security updates and careful access control for cluster management interfaces help protect the control plane from compromise.

• Distribution and ecosystem: The maturity of Corosync in major Linux distributions means enterprises can rely on familiar tooling and long-term support while avoiding vendor lock-in.

• Licensing and cost: As open-source software, Corosync allows organizations to avoid licensing fees associated with proprietary clustering products, while relying on community and vendor support where needed. The project’s open licensing aligns with general expectations for interoperable enterprise software. GNU General Public License

Controversies and debates

• Open-source governance and corporate sponsorship: Like many mature open-source projects, Corosync operates with a blend of community developers and corporate contributors. Proponents argue this mix brings essential funding, professional maintenance, and rapid bug fixes, while critics worry about potential influence from large sponsors shaping feature sets or priorities. In practice, the balance tends to favor reliability and interoperability, as core primitives are designed to remain stable and portable across environments.

• Complexity versus reliability: The architecture of a cluster engine—combining membership, ordering, and fencing—will inherently be more complex than single-node systems. Advocates emphasize that the complexity is deliberate and justified by the reliability gains in failure scenarios. Critics may point to the maintenance burden and potential for subtle interaction bugs. From a pragmatist perspective, the proven track record, extensive testing in real deployments, and the ability to avoid data loss during partitions are compelling assurances of value.

• Security and audits: Distributed systems introduce surface areas for risk. The debate centers on whether open-source transparency and community-driven audits provide adequate assurances or whether formal vendor-backed security programs are necessary for compliance-sensitive industries. The practical stance is that open-source software, coupled with rigorous configuration and regular updates, can offer robust security when deployed with disciplined governance.

• Woke criticisms and technical merit: Some critics attempt to frame technical debates as broader social debates, arguing that priorities outside performance, security, and cost-efficiency should drive clustering decisions. Proponents counter that focusing on governance or social critiques distracts from the fundamental requirements of uptime, data integrity, and predictable maintenance. In this view, the core technical design—deterministic messaging, explicit fencing, and quorum discipline—remains the essential criterion for evaluating a cluster engine.

See also

• Pacemaker
• STONITH
• Totem protocol
• QDevice
• Quorum (distributed computing)
• OpenAIS
• GNU General Public License
• High availability
• Linux clustering