OpenNebula

In order to prevent vm's from running more than once in case of a split-brain / host failure / transient network failure a "mailbox" machanism might be useful, at least in shared filesystem environments. Before a virtual machine is allowed to start this mailbox file should be checked for a "heartbeat". If this mailbox file isn't updated for $timeout by the host the vm was running on (or still is but cannot be reached because of netwerk problems) the vm can safely be started with the host id of the hypervisor it is running on. If however this file is still actively updated (every $heartbeat_interval) the vm should not be re-created on another hypervisor. A host should check this mailbox file regularly and if it finds a host id other than it's own and is still "running" the vm it should kill the instance immediatly. This will prevent vm's from running twice. It's just another safe guard that might help Virtual Machines High Availability (http://archives.opennebula.org/documentation:rel4.4:ftguide).