You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org
Incidents/2022-05-31 Analytics Data Lake - Hadoop Namenode failure
document status: draft
|Incident ID||2022-05-31 Analytics Data Lake - Hadoop Namenode failure||Start||2022-05-31T17:09:10|
|People paged||3||Responder count||4|
|Coordinators||Andrew Otto||Affected metrics/SLOs|
|Impact||Hadoop NameNodes failed, causing all writes and reads to HDFS to fail|
- At Tue May 31 17:09:10 UTC 2022 firstname.lastname@example.org received an email alert: "At least one Hadoop HDFS NameNode is active is CRITICAL"
- Otto, Btullis, Joal, and Mforns jumped in hangout to troubleshoot.
- /var/lib/hadoop/journal on all 5 journalnodes was full
- Otto and Btullis stopped namenodes and journalnodes
- Btullis increases csize
- Btullis starts journalnodes, then master namenode.
- Otto forces HDFS to stay in safe mode.
- Wait for master namenode to apply edits from journalnodes.
- Start standby namenode
- Wait for standby namenode to apply edits
- Otto allows HDFS to leave safe mode.
On Sunday evening May 22, /srv filled up on an-master1002. an-master1002 takes daily fs image snapshots, and saves them in /srv/backup/hadoop/namenode, keeping the last 20. Over time, as the number of HDFS blocks has increased, so has the size of these backup images.
We received an alert email for a failure of the hadoop-namenode-backup-fetchimage that takes these backups with the subject 'an-master1002/Check unit status of hadoop-namenode-backup-fetchimage is CRITICAL'. 24 hours later, this backup job succeeded, even no new image backup was taken, and we got a RECOVERY email for this job. Otto was on ops week, and only working half days these days. Otto most likely saw the RECOVERY email and ignored the alert.
On Tuesday May 31, /var/lib/hadoop/journal on all journalnodes completely filled, and NameNodes crashed as they were not able to get ACKs from the journalnodes that their writes had been saved.
We believe that after /srv/backup/hadoop/namenode filled up on May 22, the standby NameNode was no longer able to save its image to /srv/hadoop/name/current. Because no new image was saved, the hadoop-namenode-backup-fetchimage did not detect that a new image was present, it did not try to take a new backup. The hadoop-namenode-backup-prune kept purning backup files older than 20 days, freeing up space on the /srv partition.
However, because the standby NameNode was not able to save its FS images snapshots, JournalNodes were not able to clear up historical edits files, which caused THEM to fill up their journal partitions.
Create a list of action items that will help prevent this from happening again as much as possible. Link to or create a Phabricator task for every step.
|People||Were the people responding to this incident sufficiently different than the previous five incidents?|
|Were the people who responded prepared enough to respond effectively|
|Were fewer than five people paged?|
|Were pages routed to the correct sub-team(s)?|
|Were pages routed to online (business hours) engineers? Answer “no” if engineers were paged after business hours.|
|Process||Was the incident status section actively updated during the incident?|
|Was the public status page updated?|
|Is there a phabricator task for the incident?|
|Are the documented action items assigned?|
|Is this incident sufficiently different from earlier incidents so as not to be a repeat occurrence?|
|Tooling||To the best of your knowledge was the open task queue free of any tasks that would have prevented this incident? Answer “no” if there are
open tasks that would prevent this incident or make mitigation easier if implemented.
|Were the people responding able to communicate effectively during the incident with the existing tooling?|
|Did existing monitoring notify the initial responders?|
|Were all engineering tools required available and in service?|
|Was there a runbook for all known issues present?|
|Total score (count of all “yes” answers above)|