Product Documentation

Enabling HA on a XenServer Pool

Jun 13, 2017
Enabling HA on a XenServer Pool
Prev Chapter 3. XenServer Hosts and Resource Pools Next

HA can be enabled on a pool using either XenCenter or the command-line interface. In either case, you will specify a set of priorities that determine which VMs should be given highest restart priority when a pool is overcommitted.


When HA is enabled, some operations that would compromise the plan for restarting VMs may be disabled, such as removing a server from a pool. To perform these operations, HA can be temporarily disabled, or alternately, VMs protected by HA made unprotected.

  1. Verify that you have a compatible Storage Repository (SR) attached to your pool. iSCSI, NFS or Fibre Channel are compatible SR types. Please refer to the section called “Storage Configuration” for details on how to configure such a storage repository using the CLI.

  2. For each VM you wish to protect, set a restart priority. You can do this as follows:

    xe vm-param-set uuid=vm_uuid ha-restart-priority=1 ha-always-run=true
  3. Enable HA on the pool, and optionally, specify a timeout:

    xe pool-ha-enable heartbeat-sr-uuids=sr_uuid ha-config:timeout=timeout in seconds 

    Timeout is the period during which networking or storage is not accessible by the hosts in your pool. If you do not specify a timeout when you enable HA, XenServer will use the default 30 seconds timeout. If any XenServer host is unable to access networking or storage within the timeout period, it will self-fence and restart.

  4. Run the pool-ha-compute-max-host-failures-to-tolerate command. This command returns the maximum number of hosts that can fail before there are insufficient resources to run all the protected VMs in the pool.

    xe pool-ha-compute-max-host-failures-to-tolerate

    The number of failures to tolerate determines when an alert is sent: the system will recompute a failover plan as the state of the pool changes and with this computation the system identifies the capacity of the pool and how many more failures are possible without loss of the liveness guarantee for protected VMs. A system alert is generated when this computed value falls below the specified value for ha-host-failures-to-tolerate.

  5. Specify the number of failures to tolerate parameter. This should be less than or equal to the computed value:

    xe pool-param-set ha-host-failures-to-tolerate=2 uuid=pool-uuid

To disable HA features for a VM, use the xe vm-param-set command to set the ha-always-run parameter to false. This does not clear the VM restart priority settings. You can enable HA for a VM again by setting the ha-always-run parameter to true.

If for some reason a host cannot access the HA statefile, it is possible that a host may become unreachable. To recover your XenServer installation it may be necessary to disable HA using the host-emergency-ha-disable command:

xe host-emergency-ha-disable --force

If the host was the pool master, then it should start up as normal with HA disabled. Slaves should reconnect and automatically disable HA. If the host was a Pool slave and cannot contact the master, then it may be necessary to force the host to reboot as a pool master (xe pool-emergency-transition-to-master) or to tell it where the new master is (xe pool-emergency-reset-master):

xe pool-emergency-transition-to-master uuid=host_uuid		 
xe pool-emergency-reset-master master-address=new_master_hostname

When all hosts have successfully restarted, re-enable HA:

xe pool-ha-enable heartbeat-sr-uuid=sr_uuid

When HA is enabled special care needs to be taken when shutting down or rebooting a host to prevent the HA mechanism from assuming that the host has failed. To shutdown a host cleanly in an HA-enabled environment, first disable the host, then evacuate the host and finally shutdown the host using either XenCenter or the CLI. To shutdown a host in an HA-enabled environment on the command line:

xe host-disable host=host_name 
xe host-evacuate uuid=host_uuid 
xe host-shutdown host=host_name

When a VM is protected under a HA plan and set to restart automatically, it cannot be shut down while this protection is active. To shut down a VM, first disable its HA protection and then execute the CLI command. XenCenter offers you a dialog box to automate disabling the protection if you click on the Shutdown button of a protected VM.


If you shut down a VM from within the guest, and the VM is protected, it is automatically restarted under the HA failure conditions. This helps ensure that operator error (or an errant program that mistakenly shuts down the VM) does not result in a protected VM being left shut down accidentally. If you want to shut this VM down, disable its HA protection first.

Prev Up Next
High Availability Home Host Power On