Module controlling redundancy failover

Hello,

I currently have a module that does some processing in addition to standard Ignition.

I need to add redundancy support to the module, but there is one thing I am stuck on. Once the backup gateway takes over from the master in a failover situation, my module on the backup takes over the processing, which works correctly.

Once the master gateway is available again, I want to delay moving back to the master until my backup module has finished the processing it is doing; then the master can restart processing.

This is to prevent effectively 2 modules writing to the database during the short time they are moving from one to the other, and to prevent confusion between the 2 modules.

I can't see a way of doing this, so I am not sure it is possible to control from a module. I am mainly dealing with the RedundancyManager class.

Any help is appreciated.

Thanks

Unlike Ignition's Jython infrastructure, your Java code execution is not cut off on the inactive member of a redundant pair. So you can keep processing on the inactive node, but you will then be responsible for handling all of the error cases. In particular, what should your master do when the reason it becomes active is loss of the previously active backup?

And should the master finish processing on controlled fail-overs to the backup? (Symmetry to simplify code.)

I recommend you treat the gaining of active status like a fresh startup, in either direction, and have your module examine its DB storage to figure out what needs to be done to get started.

One thing that is problematic about trying to do work on the inactive redundant node is that there is no easy way to monitor what is going on. Perspective sessions and Vision clients don't work so you can't use those. You can set up the master gateway to remain inactive after it comes back online and connects to the active backup. Then you have full control over when the master gateway becomes active. But then you have to deal with telling the backup to wrap up its database work to prepare for a manual failover back to the master. The backup is still active at this point, so at least you can send commands via a Perspective session or Vision client. You can also initiate the failover back to the master via the RedundancyManager, like so:

```java
RedundancyManager rm = gatewayContext.getRedundancyManager();

// Request Active from the peer if this node is currently Active, otherwise request Cold.
ActivityLevel toRequest = rm.getCurrentState().getActivityLevel() == ActivityLevel.Active
        ? ActivityLevel.Active
        : ActivityLevel.Cold;

rm.requestPeerActivityLevel(toRequest);
```

Maybe you can combine the wrap-up-database-work and failover actions in your module?

I think this is sort of what I was looking for.

I can set the master to "manual" and ask it to pass back control once the backup gateway is finished. That way I can do what Phil said, and interrogate the database to find out where to start from again.

Thanks!
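
The approach discussed in this thread (finish and record the work on the backup, hand control back, then have the newly active node read the database to decide where to resume), as an added sketch that is not part of any post and not Ignition SDK code. `JobStore`, `Node` and their methods are hypothetical stand-ins, the sample rows are constructed, and the failover request is passed in as a `Runnable`.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

// Added sketch, not Ignition SDK code: JobStore, Node and their methods are hypothetical.
public class HandoffSketch {
    // Stand-in for the shared database table: jobId -> PENDING | IN_PROGRESS | DONE.
    static class JobStore {
        private final Map<Integer, String> rows = new TreeMap<>();
        synchronized void put(int id, String state) { rows.put(id, state); }
        synchronized List<Integer> unfinished() {
            List<Integer> ids = new ArrayList<>();
            rows.forEach((id, state) -> { if (!state.equals("DONE")) ids.add(id); });
            return ids;
        }
    }

    static class Node {
        final String name;
        final JobStore store;
        Node(String name, JobStore store) { this.name = name; this.store = store; }

        // Gaining active status is handled like a fresh startup: the store, not
        // in-memory state, decides what is left. IN_PROGRESS rows are redone, so
        // the work must be idempotent (this covers the peer dying mid-job).
        void onBecameActive() {
            for (int id : store.unfinished()) {
                store.put(id, "IN_PROGRESS");
                System.out.println(name + " processes job " + id);
                store.put(id, "DONE");
            }
        }

        // Controlled hand-back: finish and record the current job first, then
        // ask for the failover. In a real module the Runnable would wrap the
        // requestPeerActivityLevel call quoted in the thread.
        void wrapUpThenHandOver(int currentJob, Runnable requestFailover) {
            store.put(currentJob, "DONE");
            System.out.println(name + " finished job " + currentJob + ", handing over");
            requestFailover.run();
        }
    }

    public static void main(String[] args) {
        JobStore db = new JobStore();                 // constructed sample data
        db.put(1, "DONE"); db.put(2, "IN_PROGRESS"); db.put(3, "PENDING");
        Node backup = new Node("backup", db), master = new Node("master", db);
        backup.wrapUpThenHandOver(2, master::onBecameActive); // master only does job 3
        db.put(4, "IN_PROGRESS");                     // simulate backup lost mid-job
        master.onBecameActive();                      // master redoes job 4
    }
}
```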