[jira] [Commented] (HADOOP-8247) Auto-HA: add a config to enable auto-HA, which disables manual FC

Mon, 09 Apr 2012 16:45:39 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-8247?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13250307#comment-13250307
 ] 

Todd Lipcon commented on HADOOP-8247:
-------------------------------------

bq. There are always admins who disregard these warnings

I think they deserve what they get... admins can also decide to run "rm -Rf 
/my/metadata/dir" and get into a bad state.

bq. Instead, wouldn't it be better to come up with a set of procedures to 
unwedge the cluster, starting with setting auto-failover key to false, 
resetting NNs and using manual failover

Assumedly you want to be able to do this without incurring downtime. Certainly 
if downtime is acceptable, that would be the right response.. But still I think 
having a manual override here is useful for advanced operators who need to use 
it in an extenuating circumstance.

As I said above, I'm OK giving it a scarier name and/or making it prompt for 
confirmation upon use, with a scary warning message. I'm even OK removing it 
from the documentation, so people aren't lured into using it when they don't 
really know what they're doing.
                
> Auto-HA: add a config to enable auto-HA, which disables manual FC
> -----------------------------------------------------------------
>
>                 Key: HADOOP-8247
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8247
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: auto-failover, ha
>    Affects Versions: Auto Failover (HDFS-3042)
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>         Attachments: hadoop-8247.txt, hadoop-8247.txt, hadoop-8247.txt, 
> hadoop-8247.txt
>
>
> Currently, if automatic failover is set up and running, and the user uses the 
> "haadmin -failover" command, he or she can end up putting the system in an 
> inconsistent state, where the state in ZK disagrees with the actual state of 
> the world. To fix this, we should add a config flag which is used to enable 
> auto-HA. When this flag is set, we should disallow use of the haadmin command 
> to initiate failovers. We should refuse to run ZKFCs when the flag is not 
> set. Of course, this flag should be scoped by nameservice.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to