Return-Path: 
 <issues-return-94392-apmail-hbase-issues-archive=hbase.apache.org@hbase.apache.org>
X-Original-To: apmail-hbase-issues-archive@www.apache.org
Delivered-To: apmail-hbase-issues-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 500E310106
	for <apmail-hbase-issues-archive@www.apache.org>;
 Mon, 22 Apr 2013 22:45:20 +0000 (UTC)
Received: (qmail 94563 invoked by uid 500); 22 Apr 2013 22:45:20 -0000
Delivered-To: apmail-hbase-issues-archive@hbase.apache.org
Received: (qmail 94520 invoked by uid 500); 22 Apr 2013 22:45:20 -0000
Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@hbase.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@hbase.apache.org>
List-Post: <mailto:issues@hbase.apache.org>
List-Id: <issues.hbase.apache.org>
Delivered-To: mailing list issues@hbase.apache.org
Received: (qmail 94511 invoked by uid 99); 22 Apr 2013 22:45:20 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 22 Apr 2013 22:45:20 +0000
Date: Mon, 22 Apr 2013 22:45:19 +0000 (UTC)
From: "Nicolas Liochon (JIRA)" <jira@apache.org>
To: issues@hbase.apache.org
Message-ID: <JIRA.12643831.1366565704069.204542.1366670719959@arcas>
In-Reply-To: <JIRA.12643831.1366565704069@arcas>
References: <JIRA.12643831.1366565704069@arcas>
Subject: [jira] [Commented] (HBASE-8389) HBASE-8354 DDoSes Namenode with
 lease recovery requests
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/HBASE-8389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13638531#comment-13638531 ] 

Nicolas Liochon commented on HBASE-8389:
----------------------------------------

I think that for 0.94.8, we should stick to the version that acts like before except the increased sleep from 1s to 4s. That's Ted"s version v5 if I'm not wrong. This version lowers the probability to have a dataloss on false positive regionserver timeout, at a very low cost on mttr.

For 0.95, we need to test the fixes. By test, I mean unplugging a computer to see what is the mttr. In the tests done here, it's over 10 minutes (more tests to come tomorrow, but it's repeatable)

This will take a little bit longer, but given the complexity and the criticality, it's our best bet imho...
                
> HBASE-8354 DDoSes Namenode with lease recovery requests
> -------------------------------------------------------
>
>                 Key: HBASE-8389
>                 URL: https://issues.apache.org/jira/browse/HBASE-8389
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Varun Sharma
>            Assignee: Varun Sharma
>            Priority: Critical
>             Fix For: 0.94.8
>
>         Attachments: 8389-0.94.txt, 8389-0.94-v2.txt, 8389-0.94-v3.txt, 8389-0.94-v4.txt, 8389-0.94-v5.txt, 8389-0.94-v6.txt, 8389-trunk-v1.txt, 8389-trunk-v2.patch, 8389-trunk-v2.txt, 8389-trunk-v3.txt, nn1.log, nn.log, sample.patch
>
>
> We ran hbase 0.94.3 patched with 8354 and observed too many outstanding lease recoveries because of the short retry interval of 1 second between lease recoveries.
> The namenode gets into the following loop:
> 1) Receives lease recovery request and initiates recovery choosing a primary datanode every second
> 2) A lease recovery is successful and the namenode tries to commit the block under recovery as finalized - this takes < 10 seconds in our environment since we run with tight HDFS socket timeouts.
> 3) At step 2), there is a more recent recovery enqueued because of the aggressive retries. This causes the committed block to get preempted and we enter a vicious cycle
> So we do,  <initiate_recovery> --> <commit_block> --> <commit_preempted_by_another_recovery>
> This loop is paused after 300 seconds which is the "hbase.lease.recovery.timeout". Hence the MTTR we are observing is 5 minutes which is terrible. Our ZK session timeout is 30 seconds and HDFS stale node detection timeout is 20 seconds.
> Note that before the patch, we do not call recoverLease so aggressively - also it seems that the HDFS namenode is pretty dumb in that it keeps initiating new recoveries for every call. Before the patch, we call recoverLease, assume that the block was recovered, try to get the file, it has zero length since its under recovery, we fail the task and retry until we get a non zero length. So things just work.
> Fixes:
> 1) Expecting recovery to occur within 1 second is too aggressive. We need to have a more generous timeout. The timeout needs to be configurable since typically, the recovery takes as much time as the DFS timeouts. The primary datanode doing the recovery tries to reconcile the blocks and hits the timeouts when it tries to contact the dead node. So the recovery is as fast as the HDFS timeouts.
> 2) We have another issue I report in HDFS 4721. The Namenode chooses the stale datanode to perform the recovery (since its still alive). Hence the first recovery request is bound to fail. So if we want a tight MTTR, we either need something like HDFS 4721 or we need something like this
>   recoverLease(...)
>   sleep(1000)
>   recoverLease(...)
>   sleep(configuredTimeout)
>   recoverLease(...)
>   sleep(configuredTimeout)
> Where configuredTimeout should be large enough to let the recovery happen but the first timeout is short so that we get past the moot recovery in step #1.
>  

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira