Thanks for all the responses.
Benjamin Reed wrote:
Would this feature be something you'd consider implementing in the short
to medium term?
in the scenario you give you have two simultaneous failures with 3 nodes, so it
will not recover correctly. A is failed because it is not up. B has failed
because it lost all its data.
it would be good for ZooKeeper to not come up in that scenario. perhaps what we
need is something similar to your safe state proposal. basically a server that
has forgotten everything should not be allowed to vote in the leader election.
that would avoid your scenario. we just need to put a flag file in the data
directory to say that the data is valid and thus can vote.
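
The scenario discussed above as a small simulation (an added example, not ZooKeeper code and not code from this thread): with three servers, A down and B wiped, a plain majority election still forms a quorum and loses the committed transaction, while gating votes on a validity flag in the data directory keeps the ensemble from coming up. The marker name `data.valid`, the `Server` class, the simplified election rule and the assumption that C had not yet received the transaction are all constructed for illustration.

```python
import os
import tempfile

FLAG = "data.valid"  # hypothetical marker name, not an actual ZooKeeper file


class Server:
    def __init__(self, name, data_dir):
        self.name, self.data_dir, self.up = name, data_dir, True
        os.makedirs(data_dir)
        # First, operator-approved start: mark the data directory as valid.
        open(os.path.join(data_dir, FLAG), "w").close()

    def append(self, zxid):
        with open(os.path.join(self.data_dir, "log"), "a") as fh:
            fh.write(f"{zxid}\n")

    def wipe(self):
        # Losing the disk takes the log and the flag with it.
        for f in os.listdir(self.data_dir):
            os.remove(os.path.join(self.data_dir, f))

    def last_zxid(self):
        path = os.path.join(self.data_dir, "log")
        if not os.path.exists(path):
            return 0
        with open(path) as fh:
            return int(fh.read().split()[-1])

    def may_vote(self, require_flag):
        flag_ok = os.path.exists(os.path.join(self.data_dir, FLAG))
        return self.up and (flag_ok or not require_flag)


def elect(servers, require_flag):
    """Return (leader, last zxid), or None without a quorum of eligible voters."""
    voters = [s for s in servers if s.may_vote(require_flag)]
    if len(voters) <= len(servers) // 2:
        return None
    best = max(voters, key=lambda s: (s.last_zxid(), s.name))
    return best.name, best.last_zxid()


def scenario(require_flag):
    root = tempfile.mkdtemp()
    a, b, c = (Server(n, os.path.join(root, n)) for n in "ABC")
    a.append(1); b.append(1)  # txn 1 acknowledged by quorum {A, B}; C lags (assumed)
    a.up = False              # failure 1: A is down
    b.wipe()                  # failure 2: B lost all its data
    return elect([a, b, c], require_flag)
```

`scenario(False)` elects a leader whose last zxid is 0, so the acknowledged transaction is gone; `scenario(True)` returns `None` because only C is eligible to vote.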