[jira] [Commented] (HADOOP-8247) Auto-HA: add a config to enable auto-HA, which disables manual FC

Mon, 09 Apr 2012 15:55:40 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-8247?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13250271#comment-13250271
 ] 

Todd Lipcon commented on HADOOP-8247:
-------------------------------------

Hi Hari. That's specifically the point of the FORCEMANUAL flag. It is not safe 
to use it with automatic failover. So, the user has to accept the warning and 
acknowledge they're about to do something dumb, that _will_ break auto failover 
if the ZKFCs are running.

The purpose of allowing it at all is to give a recourse for an expert admin if 
their ZK cluster has crashed and they need to manually do a failover in an 
emergency situation. Its use is highly discouraged. The warning printed is:
{code}
        "  --forceManual allows the manual failover commands to be used\n" +
        "                even when automatic failover is enabled. This\n" +
        "                flag is DANGEROUS and should only be used with\n" +
        "                expert guidance.");
{code}
                
> Auto-HA: add a config to enable auto-HA, which disables manual FC
> -----------------------------------------------------------------
>
>                 Key: HADOOP-8247
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8247
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: auto-failover, ha
>    Affects Versions: Auto Failover (HDFS-3042)
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>         Attachments: hadoop-8247.txt, hadoop-8247.txt
>
>
> Currently, if automatic failover is set up and running, and the user uses the 
> "haadmin -failover" command, he or she can end up putting the system in an 
> inconsistent state, where the state in ZK disagrees with the actual state of 
> the world. To fix this, we should add a config flag which is used to enable 
> auto-HA. When this flag is set, we should disallow use of the haadmin command 
> to initiate failovers. We should refuse to run ZKFCs when the flag is not 
> set. Of course, this flag should be scoped by nameservice.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to