Update design document for hroller

The requirement to be able to plan full node evacuation came up after
the initial design. So add a section describing the algorithm, if
full evacuation is requested.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Michele Tartara <mtartara@google.com>

diff --git a/doc/design-hroller.rst b/doc/design-hroller.rst
index fade880..0129de8 100644 (file)
--- a/doc/design-hroller.rst
+++ b/doc/design-hroller.rst
@@ -123,6 +123,17 @@ algorithm might be safe. This perhaps would be a good reason to consider
 managing better RBD pools, if those are implemented on top of nodes
 storage, rather than on dedicated storage machines.
 
+Full-Evacuation
++++++++++++++++
+
+If full evacuation of the nodes to be rebooted is desired, a simple
+migration is not enough for the DRBD instances. To keep the number of
+disk operations small, we restrict moves to ``migrate, replace-secondary``.
+That is, after migrating instances out of the nodes to be rebooted,
+replacement secondaries are searched for, for all instances that have
+their then secondary on one of the rebooted nodes. This is done by a
+greedy algorithm, refining the initial reboot partition, if necessary.
+
 Future work
 ===========