[
https://issues.apache.org/jira/browse/HDFS-15588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17198532#comment-17198532
]
Hadoop QA commented on HDFS-15588:
----------------------------------
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 2m
7s{color} | {color:blue} Docker mode activated. {color} |
|| || || || {color:brown} Prechecks {color} ||
| {color:green}+1{color} | {color:green} dupname {color} | {color:green} 0m
0s{color} | {color:green} No case conflicting files found. {color} |
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m
0s{color} | {color:green} The patch does not contain any @author tags. {color} |
| {color:red}-1{color} | {color:red} test4tests {color} | {color:red} 0m
0s{color} | {color:red} The patch doesn't appear to include any new or modified
tests. Please justify why no new tests are needed for this patch. Also please
list what manual steps were performed to verify this patch. {color} |
|| || || || {color:brown} trunk Compile Tests {color} ||
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 26m
39s{color} | {color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 1m
6s{color} | {color:green} trunk passed with JDK
Ubuntu-11.0.8+10-post-Ubuntu-0ubuntu118.04.1 {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 1m
1s{color} | {color:green} trunk passed with JDK Private
Build-1.8.0_265-8u265-b01-0ubuntu2~18.04-b01 {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m
30s{color} | {color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m
0s{color} | {color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} shadedclient {color} | {color:green}
18m 49s{color} | {color:green} branch has no errors when building and testing
our client artifacts. {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m
43s{color} | {color:green} trunk passed with JDK
Ubuntu-11.0.8+10-post-Ubuntu-0ubuntu118.04.1 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m
40s{color} | {color:green} trunk passed with JDK Private
Build-1.8.0_265-8u265-b01-0ubuntu2~18.04-b01 {color} |
| {color:blue}0{color} | {color:blue} spotbugs {color} | {color:blue} 2m
45s{color} | {color:blue} Used deprecated FindBugs config; considering
switching to SpotBugs. {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m
43s{color} | {color:green} trunk passed {color} |
|| || || || {color:brown} Patch Compile Tests {color} ||
| {color:red}-1{color} | {color:red} mvninstall {color} | {color:red} 0m
47s{color} | {color:red} hadoop-hdfs-client in the patch failed. {color} |
| {color:red}-1{color} | {color:red} compile {color} | {color:red} 0m
54s{color} | {color:red} hadoop-hdfs-client in the patch failed with JDK
Ubuntu-11.0.8+10-post-Ubuntu-0ubuntu118.04.1. {color} |
| {color:red}-1{color} | {color:red} javac {color} | {color:red} 0m 54s{color}
| {color:red} hadoop-hdfs-client in the patch failed with JDK
Ubuntu-11.0.8+10-post-Ubuntu-0ubuntu118.04.1. {color} |
| {color:red}-1{color} | {color:red} compile {color} | {color:red} 0m
47s{color} | {color:red} hadoop-hdfs-client in the patch failed with JDK
Private Build-1.8.0_265-8u265-b01-0ubuntu2~18.04-b01. {color} |
| {color:red}-1{color} | {color:red} javac {color} | {color:red} 0m 47s{color}
| {color:red} hadoop-hdfs-client in the patch failed with JDK Private
Build-1.8.0_265-8u265-b01-0ubuntu2~18.04-b01. {color} |
| {color:orange}-0{color} | {color:orange} checkstyle {color} | {color:orange}
0m 22s{color} | {color:orange} hadoop-hdfs-project/hadoop-hdfs-client: The
patch generated 2 new + 74 unchanged - 0 fixed = 76 total (was 74) {color} |
| {color:red}-1{color} | {color:red} mvnsite {color} | {color:red} 0m
48s{color} | {color:red} hadoop-hdfs-client in the patch failed. {color} |
| {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m
0s{color} | {color:green} The patch has no whitespace issues. {color} |
| {color:red}-1{color} | {color:red} shadedclient {color} | {color:red} 3m
37s{color} | {color:red} patch has errors when building and testing our client
artifacts. {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m
39s{color} | {color:green} the patch passed with JDK
Ubuntu-11.0.8+10-post-Ubuntu-0ubuntu118.04.1 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m
33s{color} | {color:green} the patch passed with JDK Private
Build-1.8.0_265-8u265-b01-0ubuntu2~18.04-b01 {color} |
| {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 0m
47s{color} | {color:red} hadoop-hdfs-client in the patch failed. {color} |
|| || || || {color:brown} Other Tests {color} ||
| {color:red}-1{color} | {color:red} unit {color} | {color:red} 0m 48s{color}
| {color:red} hadoop-hdfs-client in the patch failed. {color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m
33s{color} | {color:green} The patch does not generate ASF License warnings.
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 67m 23s{color} |
{color:black} {color} |
\\
\\
|| Subsystem || Report/Notes ||
| Docker | ClientAPI=1.40 ServerAPI=1.40 base:
https://ci-hadoop.apache.org/job/PreCommit-HDFS-Build/186/artifact/out/Dockerfile
|
| JIRA Issue | HDFS-15588 |
| JIRA Patch URL |
https://issues.apache.org/jira/secure/attachment/13011763/HDFS-15588-001.patch |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite
unit shadedclient findbugs checkstyle |
| uname | Linux f71756d6da2d 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9
23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | personality/hadoop.sh |
| git revision | trunk / fc2435cb5cf |
| Default Java | Private Build-1.8.0_265-8u265-b01-0ubuntu2~18.04-b01 |
| Multi-JDK versions |
/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.8+10-post-Ubuntu-0ubuntu118.04.1
/usr/lib/jvm/java-8-openjdk-amd64:Private
Build-1.8.0_265-8u265-b01-0ubuntu2~18.04-b01 |
| mvninstall |
https://ci-hadoop.apache.org/job/PreCommit-HDFS-Build/186/artifact/out/patch-mvninstall-hadoop-hdfs-project_hadoop-hdfs-client.txt
|
| compile |
https://ci-hadoop.apache.org/job/PreCommit-HDFS-Build/186/artifact/out/patch-compile-hadoop-hdfs-project_hadoop-hdfs-client-jdkUbuntu-11.0.8+10-post-Ubuntu-0ubuntu118.04.1.txt
|
| javac |
https://ci-hadoop.apache.org/job/PreCommit-HDFS-Build/186/artifact/out/patch-compile-hadoop-hdfs-project_hadoop-hdfs-client-jdkUbuntu-11.0.8+10-post-Ubuntu-0ubuntu118.04.1.txt
|
| compile |
https://ci-hadoop.apache.org/job/PreCommit-HDFS-Build/186/artifact/out/patch-compile-hadoop-hdfs-project_hadoop-hdfs-client-jdkPrivateBuild-1.8.0_265-8u265-b01-0ubuntu2~18.04-b01.txt
|
| javac |
https://ci-hadoop.apache.org/job/PreCommit-HDFS-Build/186/artifact/out/patch-compile-hadoop-hdfs-project_hadoop-hdfs-client-jdkPrivateBuild-1.8.0_265-8u265-b01-0ubuntu2~18.04-b01.txt
|
| checkstyle |
https://ci-hadoop.apache.org/job/PreCommit-HDFS-Build/186/artifact/out/diff-checkstyle-hadoop-hdfs-project_hadoop-hdfs-client.txt
|
| mvnsite |
https://ci-hadoop.apache.org/job/PreCommit-HDFS-Build/186/artifact/out/patch-mvnsite-hadoop-hdfs-project_hadoop-hdfs-client.txt
|
| findbugs |
https://ci-hadoop.apache.org/job/PreCommit-HDFS-Build/186/artifact/out/patch-findbugs-hadoop-hdfs-project_hadoop-hdfs-client.txt
|
| unit |
https://ci-hadoop.apache.org/job/PreCommit-HDFS-Build/186/artifact/out/patch-unit-hadoop-hdfs-project_hadoop-hdfs-client.txt
|
| Test Results |
https://ci-hadoop.apache.org/job/PreCommit-HDFS-Build/186/testReport/ |
| Max. process+thread count | 308 (vs. ulimit of 5500) |
| modules | C: hadoop-hdfs-project/hadoop-hdfs-client U:
hadoop-hdfs-project/hadoop-hdfs-client |
| Console output |
https://ci-hadoop.apache.org/job/PreCommit-HDFS-Build/186/console |
| versions | git=2.17.1 maven=3.6.0 findbugs=4.0.6 |
| Powered by | Apache Yetus 0.13.0-SNAPSHOT https://yetus.apache.org |
This message was automatically generated.
> Arbitrarily low values for `dfs.block.access.token.lifetime` aren't safe and
> can cause a healthy datanode to be excluded
> ------------------------------------------------------------------------------------------------------------------------
>
> Key: HDFS-15588
> URL: https://issues.apache.org/jira/browse/HDFS-15588
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: hdfs, hdfs-client, security
> Reporter: sr2020
> Priority: Major
> Attachments: HDFS-15588-001.patch
>
>
> *Problem*:
> Setting `dfs.block.access.token.lifetime` to arbitrarily low values (like 1)
> means the lifetime of a block token is very short, as a result some healthy
> datanodes could be wrongly excluded by the client due to the
> `InvalidBlockTokenException`.
> More specifically, in `nextBlockOutputStream`, the client tries to get the
> `accessToken` from the namenode and use it to talk to datanode. And the
> lifetime of `accessToken` could set to very small (like 1 min) by setting
> `dfs.block.access.token.lifetime`. In some extreme conditions (like a VM
> migration, temporary network issue, or a stop-the-world GC), the
> `accessToken` could become expired when the client tries to use it to talk to
> the datanode. If expired, `createBlockOutputStream` will return false (and
> mask the `InvalidBlockTokenException`), so the client will think the datanode
> is unhealthy, mark the it as "excluded" and will never read/write on it.
> Related code in `nextBlockOutputStream`:
> {code:java}
> // Connect to first DataNode in the list.
> success = createBlockOutputStream(nodes, nextStorageTypes, nextStorageIDs,
> 0L, false);
> if (!success) {
> LOG.warn("Abandoning " + block);
> dfsClient.namenode.abandonBlock(block.getCurrentBlock(),
> stat.getFileId(), src, dfsClient.clientName);
> block.setCurrentBlock(null);
> final DatanodeInfo badNode = nodes[errorState.getBadNodeIndex()];
> LOG.warn("Excluding datanode " + badNode);
> excludedNodes.put(badNode, badNode);
> }
> {code}
>
> *Proposed solution*:
> A simple retry on the same datanode after catching
> `InvalidBlockTokenException` can solve this problem (assuming the extreme
> conditions won't happen often). Since currently the
> `dfs.block.access.token.lifetime` can even accept values like 0, we can also
> choose to prevent the users from setting `dfs.block.access.token.lifetime` to
> a small value (e.g., we can enforce a minimum value of 5mins for this
> parameter).
> We submit a patch for retrying after catching `InvalidBlockTokenException` in
> `nextBlockOutputStream`. We can also provide a patch for enforcing a larger
> minimum value for `dfs.block.access.token.lifetime` if it is a better way to
> handle this.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
