Terminology and concepts

A group of computers is called a cluster. A computer inside the cluster is called a node.

When the number of nodes inside the cluster is N (2, 3, etc.) then we talk about an N-node cluster.

The high-availability software, both the transport layer and the cluster manager layer, runs on each of the nodes.

The cluster provides services, or resources. Since each node is running one instance of the cluster manager layer, any service can be started on any node. The rules given to the cluster manager layer control the placement of the services.

Services can be standalone, cloned, or master-slave resources. Only one instance of a standalone resource can be running at any time across the cluster. Cloned resources work a lot like standalone ones but more than one instance can be running across the cluster and they work independently. Master-slave resources are usually related or connected to each other, and they depend on each other. In the particular implementation of Pacemaker, master-slave resources all start up as slaves and promotion or demotion can happen to any of them. The resource scripts can provide hints to the high-availability management layer about their states, like which one is ready to be promoted and which one cannot be.

Resources are provided in the form of resource agents. These are usually scripts that conform to a set of rules: how to accept parameters, which mode they can be running in and what status codes can be returned in case of specific errors.

In a high-availability cluster, one computer (or one subset of computers) from the cluster can take over services from a previous one at any time. This can be controlled by the administrator or it can be automatic.

A special case of this service takeover is called fail-over, which happens when a service or a computer shows faulty behavior. Monitoring is an essential part of a high-availability cluster, and this is what makes automatic fail-over possible.

The nodes inside the cluster all represent a vote. When the network connections inside the cluster are broken and some nodes see each other but not all nodes in the cluster (so "islands" of nodes are formed), this is called a split-brain situation. This is an error condition. The votes are maintained for nodes that can communicate with each other. In this regard, we can talk about smaller and larger parts of the cluster, with and without the majority of the votes. The majority is also called the quorum.

Erroneous computers or services must be excluded automatically from the cluster to ensure proper operation. This operation is called fencing. Fencing is also used to prevent the split-brain situation. Fencing can be voluntary or forced externally. Linux-HA developers jokingly introduced the terminology for forced fencing as an acronym for Shoot The Other Node In The Head (STONITH) and the name stuck. The applicable mode of fencing depends on the number of nodes in the cluster.

Voluntary fencing or self-fencing happens when the services are given up by the node that provided them. It can be used in clusters with an odd number (3, 5, 7...) of nodes. The split-brain situation can only happen in a way that one part of the cluster is smaller than the other. In this case, the nodes in the smaller part voluntarily give up their services and the larger part relies on this fact automatically and starts providing those services.

It's not unusual that the nodes providing the services are symmetric. This implies an even number of nodes, so there can be a tie in the votes when the cluster is split. This can be solved by adding another node that doesn't provide services, only a vote, which makes it a tie-breaker. This node is called a quorum-server.

Forced fencing (STONITH) can be used as an addition to or as a replacement for the quorum-server. Forced fencing can only be used with dedicated hardware that has remote administration facilities. It can be built into the computer chassis or the motherboard, but it can be an add-on card as well. Examples of such hardware are the Intelligent Platform Management Interface (IPMI), HP's Integrated Lights-Out (iLO), and Dell's Dell Remote Access Card (DRAC). These provide direct management of a particular node. Sometimes a dedicated management computer is used for administering the other computers (for example, with Intel Blade servers), and it provides a proxy to the nodes; this is called indirect management. The remote management facility can control the power state of the nodes; you can physically turn off nodes remotely. The high-availability software uses this feature, since a node that is turned off obviously cannot participate in the cluster. For clusters with an even number of nodes, there may be no "smaller part" of the cluster, so only forced fencing is applicable.
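The vote arithmetic from the preceding paragraphs, as an added Python example (not from the book and not Pacemaker code). `resolve_split` and `Verdict` are hypothetical names, the node names are constructed, and a split in which no island holds a strict majority is treated as the case that only forced fencing can settle.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    quorate: frozenset      # service nodes that keep or take over services
    self_fenced: frozenset  # service nodes that voluntarily give services up
    needs_stonith: bool     # True when voting alone cannot pick a winner


def resolve_split(voters, islands, vote_only=()):
    """Decide the outcome of a network split.

    voters    -- every node holding a vote (service and vote-only nodes)
    islands   -- groups of nodes that can still communicate with each other
    vote_only -- tie-breaker nodes (quorum-server) that never run services
    """
    voters, vote_only = frozenset(voters), frozenset(vote_only)
    islands = [frozenset(i) for i in islands]
    seen = frozenset().union(*islands)
    if not seen <= voters or sum(len(i) for i in islands) != len(seen):
        raise ValueError("islands must be disjoint subsets of voters")
    # Quorum is a strict majority of ALL votes, reachable or not.
    majority = len(voters) // 2 + 1
    winner = next((i for i in islands if len(i) >= majority), frozenset())
    if not winner:
        # Assumption of this sketch: with no majority there is no "smaller
        # part" that could step aside, so only forced fencing applies.
        return Verdict(frozenset(), frozenset(), True)
    losers = (seen - winner) - vote_only
    return Verdict(winner - vote_only, losers, False)


if __name__ == "__main__":
    # Constructed scenarios: odd cluster, even cluster, even + quorum-server.
    print(resolve_split({"n1", "n2", "n3"}, [{"n1", "n2"}, {"n3"}]))
    print(resolve_split({"n1", "n2"}, [{"n1"}, {"n2"}]))
    print(resolve_split({"n1", "n2", "qs"}, [{"n1", "qs"}, {"n2"}], {"qs"}))
```
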

A single point of failure (SPOF) is a design deficiency that can lead to the failure of the whole cluster in the form of an unexpected downtime.
