[
https://issues.apache.org/jira/browse/KUDU-2048?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Todd Lipcon updated KUDU-2048:
------------------------------
Status: In Review (was: Open)
> consensus: Only evict a replica is a majority is up to date
> -----------------------------------------------------------
>
> Key: KUDU-2048
> URL: https://issues.apache.org/jira/browse/KUDU-2048
> Project: Kudu
> Issue Type: Bug
> Components: consensus, recovery
> Affects Versions: 1.4.0
> Reporter: Mike Percy
> Assignee: Todd Lipcon
>
> In the context of replica eviction and 3-2-3 recovery, we currently have a
> "hacky" rule that states that evicting down to less than 2 replicas in a
> config is prohibited. However we don't currently check to see, when evicting,
> whether that would leave the config with less than a majority of caught-up
> voters.
> That means, for example, that if we have a config of 3 replicas { A, B, C }
> and B falls behind, so is currently undergoing a tablet copy, and C goes
> offline then the algorithm will evict C. However, since A is the only
> up-to-date replica, this leaves the config in a state where nothing can
> commit until B is done copying. Even worse, if B is killed or has an error,
> then we are left in a state that requires manual recovery.
> Consider adding an additional rule that states that to evict a node, we must
> have a majority of up-to-date replicas that are recently active. This will
> help prevent certain problem scenarios like the above from occurring.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
