[
https://issues.apache.org/jira/browse/HDFS-7121?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14145576#comment-14145576
]
Colin Patrick McCabe edited comment on HDFS-7121 at 9/23/14 10:58 PM:
----------------------------------------------------------------------
Good point. I wasn't thinking of that failure case.
I think a "pre-check" should include checking that we have the ability to write
to the target directory. POSIX has access() for this... maybe Java never
bothered to implement this, but we could get something similar by creating a
directory there with a random UUID and then immediately deleting it. If we can
do that, then it's almost certain that we can do the rename later, barring
something exotic like ACLs or selinux.
Of course, even if we did two-phase commit, we'd still have to do something
meaningful in the "promise" phase. That would mean doing exactly this check
that the filesystem permissions were sane. Otherwise the node would be making
a promise it couldn't keep.
I don't like the "have everyone do the rename and undo everyone if someone
fails" solution that you mentioned earlier. I think it's rather complex and
has a lot of weird corner cases (like if undo fails). Also, it seems
confusingly similar to rollback (or maybe that's just me?)
was (Author: cmccabe):
Good point. I wasn't thinking of that failure case.
I think a "pre-check" should include checking that we have the ability to write
to the target directory. POSIX has access() for this... maybe Java never
bothered to implement this, but we could get something similar by creating a
directory there with a random UUID and then immediately deleting it. If we can
do that, then it's almost certain that we can do the rename later, barring
something exotic like ACLs or selinux.
Of course, even if we did two-phase commit, we'd still have to do something
meaningful in the "promise" phase. That would mean doing exactly this check
that the filesystem permissions were sane. Otherwise the node would be making
a promise it couldn't keep.
I don't like the "have everyone do the rename and rollback everyone if someone
fails" solution that you mentioned earlier. I think it's rather complex and
has a lot of weird corner cases (like if rollback fails). Plus, we already
have something called "rollback" and this would create more terminology
confusion.
> For JournalNode operations that must succeed on all nodes, attempt to undo
> the operation on all nodes if it fails on one node.
> ------------------------------------------------------------------------------------------------------------------------------
>
> Key: HDFS-7121
> URL: https://issues.apache.org/jira/browse/HDFS-7121
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Components: journal-node
> Reporter: Chris Nauroth
>
> Several JournalNode operations are not satisfied by a quorum. They must
> succeed on every JournalNode in the cluster. If the operation succeeds on
> some nodes, but fails on others, then this may leave the nodes in an
> inconsistent state and require operations to do manual recovery steps. For
> example, if {{doPreUpgrade}} succeeds on 2 nodes and fails on 1 node, then
> the operator will need to correct the problem on the failed node and also
> manually restore the previous.tmp directory to current on the 2 successful
> nodes before reattempting the upgrade.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
