
Overview

The recovery method defines how the Instance HA engine selects evacuation targets when a host fails. The method is configured at the segment level and applies to all hosts and instances within that segment. Choosing the right method for each workload tier is critical to meeting recovery time and availability objectives.

Prerequisites

  • Administrator privileges
  • At least one failover segment created
  • Compute hosts registered in the segment

Method Comparison

| Method | Target Selection | Capacity Guarantee | Cost | Best For |
| --- | --- | --- | --- | --- |
| auto | Any healthy host in segment | None — first-come, first-served | Lowest | General-purpose workloads |
| reserved_host | Pre-designated standby hosts only | Guaranteed | Highest (idle nodes) | SLA-critical, regulated workloads |
| rh_priority | Reserved hosts first, then auto | Best-effort | Moderate | Mixed critical and standard |

auto — Evacuate to Any Host

The auto method instructs the recovery engine to select any available host in the segment with sufficient vCPU and memory to accept the evacuating instances.

How target selection works

The engine queries all registered, non-maintenance hosts in the segment and selects those with the most available capacity. Instances are distributed across multiple target hosts if no single host can accept all evacuees.

Selection order: hosts with the most free vCPU are preferred, then memory, then any remaining host with capacity above the minimum threshold.

Maintain a minimum 20–30% unused vCPU and memory headroom across all hosts in the segment. Calculate the headroom needed to absorb the largest host’s workload:

Headroom needed = max(host vCPU) / total segment vCPU

Example: segment with 4 hosts × 40 vCPU = 160 vCPU total. Largest host uses 32 vCPU → required headroom = 32/160 = 20%.

Create an auto Segment

Create auto-recovery segment
openstack segment create \
  --recovery_method auto \
  --enabled True \
  prod-general

reserved_host — Dedicated Standby

The reserved_host method restricts evacuation to hosts explicitly designated as reserved standby nodes. Reserved hosts do not accept regular instance scheduling — they remain idle until a failover event.

Reserved host sizing

A reserved host must have sufficient vCPU and memory to absorb all instances from the largest non-reserved host in the segment. Size the reserved host generously to handle burst workloads:

Reserved vCPU >= max(non-reserved host vCPU used)
Reserved RAM >= max(non-reserved host RAM used)

For a host running 20 × m1.large (4 vCPU, 8 GB each): the reserved host needs 80 vCPU and 160 GB RAM minimum.

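
The auto headroom rule and the reserved host sizing rule can be checked together before a host fails. The script below is an added example, not part of the product's tooling: the `Host` fields and inventory figures are constructed, and it compares aggregate free vCPU and RAM, an assumption that ignores per-instance placement.

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    vcpu_total: int
    vcpu_used: int
    ram_total_gb: int
    ram_used_gb: int
    reserved: bool = False

def headroom_needed(hosts):
    """Page formula: largest host's used vCPU / total segment vCPU."""
    active = [h for h in hosts if not h.reserved]
    return max(h.vcpu_used for h in active) / sum(h.vcpu_total for h in active)

def unabsorbable(hosts, method):
    """Names of non-reserved hosts whose failure the segment cannot absorb."""
    failures = []
    for failed in (h for h in hosts if not h.reserved):
        others = [h for h in hosts if h is not failed]
        if method == "reserved_host":
            # Only standby nodes are valid evacuation targets.
            pool = [h for h in others if h.reserved]
        else:
            # auto, and rh_priority after fallback: any other host in the segment.
            pool = others
        free_vcpu = sum(h.vcpu_total - h.vcpu_used for h in pool)
        free_ram = sum(h.ram_total_gb - h.ram_used_gb for h in pool)
        if free_vcpu < failed.vcpu_used or free_ram < failed.ram_used_gb:
            failures.append(failed.name)
    return failures

# Constructed inventory matching the page's auto example: 4 hosts x 40 vCPU.
AUTO_SEGMENT = [
    Host("compute-01", 40, 32, 256, 128),
    Host("compute-02", 40, 28, 256, 112),
    Host("compute-03", 40, 28, 256, 112),
    Host("compute-04", 40, 28, 256, 112),
]
# Constructed: 20 x m1.large in use (80 vCPU, 160 GB) with an undersized standby.
CRITICAL_SEGMENT = [
    Host("compute-01", 96, 80, 384, 160),
    Host("compute-standby", 64, 0, 256, 0, reserved=True),
]

if __name__ == "__main__":
    print(f"auto headroom needed: {headroom_needed(AUTO_SEGMENT):.0%}")
    print("auto gaps:", unabsorbable(AUTO_SEGMENT, "auto"))
    print("reserved_host gaps:", unabsorbable(CRITICAL_SEGMENT, "reserved_host"))
```

A segment using reserved_host with no reserved host registered reports every host as a gap, because the target pool is empty.
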
Create segment with reserved_host method
openstack segment create \
  --recovery_method reserved_host \
  --enabled True \
  prod-critical

Register compute hosts in segment
openstack segment host create \
  --type COMPUTE \
  --control_attributes '{"host": "compute-01"}' \
  --reserved False \
  <segment-uuid>

openstack segment host create \
  --type COMPUTE \
  --control_attributes '{"host": "compute-standby"}' \
  --reserved True \
  <segment-uuid>

The reserved host must not be a target for regular workload scheduling. Apply a compute service aggregate or availability zone restriction to prevent the scheduler from placing non-HA instances on it.

rh_priority — Reserved First, Fall Back

The rh_priority method attempts reserved hosts first. If all reserved hosts are at capacity, it falls back to the auto behaviour and selects any available host.
Create rh_priority segment
openstack segment create \
  --recovery_method rh_priority \
  --enabled True \
  prod-mixed

This method is suitable for segments with heterogeneous workloads where some instances need guaranteed failover capacity and others can tolerate best-effort recovery.

Use rh_priority as the default method when you have at least one reserved host but want recovery to succeed even if the reserved host is exhausted.

Change Recovery Method on an Existing Segment

Navigate to Admin → Compute → Instance HA → Segments, click the segment, and select Edit Segment. Change the Recovery Method field and save.
Changing the recovery method on an active segment takes effect immediately. Ongoing recovery workflows complete with the previous method. New fault events use the updated method.

Validation

Navigate to Admin → Compute → Instance HA → Segments and verify:
  • Each segment shows the intended Recovery Method
  • Reserved hosts are flagged with RESERVED: True in the host list
Segments are configured with correct methods and reserved hosts are designated.

Next Steps

Failover Segments

Create segments and register compute hosts within them.

Engine Configuration

Tune recovery timing, retry intervals, and instance failure behaviour.

Host Monitors

Configure the IPMI and SSH monitors that trigger recovery workflows.

Security

Secure segment access and enforce role-based recovery policies.