[
https://issues.apache.org/jira/browse/HDFS-3955?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Todd Lipcon updated HDFS-3955:
------------------------------
Attachment: hdfs-3955.txt
Uploading patch that fixes this issue.
The design is as follows:
Where we used to do the following actions:
- Download log to temporary file
- Rename log to edits_inprogress_N
- Persist new Paxos data for segment N
We now do:
1. Download log to temporary file (edits_inprogress_N.epoch=M)
2. Persist new Paxos data for segment N
3. Rename edits_inprogress_N.epoch=M to edits_inprogress_N
We also modify the {{prepareRecovery}} call as follows:
- If we find that we already have Paxos data for segment N, read its
acceptedEpoch, and then look for a file edits_inprogress_N_epoch=acceptedEpoch.
-- If that file exists, that implies we crashed between steps 2 and 3 above.
"Roll forward" by performing the rename.
This makes the creation of the Paxos file the "commit" for the atomic sequence.
I added fault points both before and after the new step 2, and modified the
randomized fault test to exercise them. I also added a more targeted test which
reliably caused the previous algorithm to fail with an AssertionError. I also
modified QuorumCall so that, if any of the underlying loggers throws an
AssertionError, *and* assertions are enabled on the writer, it will re-throw
the AssertionError even if a majority of nodes actually succeeded. With the new
fault points and this modification to QuorumCall, the randomized test would
fail about half the time before the patch. With the patch, I was able to run
5000 instances of the randomized fault test with no failures and no instances
of "AssertionError" in the logs.
> QJM: Make acceptRecovery() atomic
> ---------------------------------
>
> Key: HDFS-3955
> URL: https://issues.apache.org/jira/browse/HDFS-3955
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Components: ha
> Affects Versions: QuorumJournalManager (HDFS-3077)
> Reporter: Todd Lipcon
> Assignee: Todd Lipcon
> Attachments: hdfs-3955.txt
>
>
> Per one of the TODOs in Journal.java, there is currently a lack of atomicity
> in the {{acceptRecovery()}} code path. In particular, we have the following
> actions executed non-atomically:
> - Download a new edits_inprogress_N from some other node
> - Persist the paxos recovery file to disk.
> If the JN crashes between these two steps, then we may be left in the state
> whereby the edits_inprogress file has different data than the Paxos data left
> over on the disk from a previous recovery attempt. This causes the next
> {{prepareRecovery()}} to fail with an AssertionError.
> I discovered this by randomly injecting a fault between the two steps, and
> then running the randomized fault test on a cluster. This resulted in some
> AssertionErrors in the test logs.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
