You are browsing a read-only backup copy of Wikitech. The primary site can be found at

Incidents/2022-05-31 Analytics Data Lake - Hadoop Namenode failure

From Wikitech-static
< Incidents
Revision as of 19:10, 31 May 2022 by imported>Ottomata (Created page with "{{irdoc|status=draft}} ==Summary== {{Incident scorecard | task =T309649 | paged-num =3 | responders-num =4 | coordinators =Andrew Otto | start =2022-05-31T17:09:10 | end = |impact=Hadoop NameNodes failed, causing all writes and reads to HDFS to fail}} <!-- Reminder: No private information on this page! --> * At Tue May 31 17:09:10 UTC 2022 received an email alert: "At least one Hadoop HDFS NameNode is active is CRITICAL" * Otto, Btul...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

document status: draft


Incident metadata (see Incident Scorecard)
Incident ID 2022-05-31 Analytics Data Lake - Hadoop Namenode failure Start 2022-05-31T17:09:10
Task T309649 End YYYY-MM-DD hh:mm:ss
People paged 3 Responder count 4
Coordinators Andrew Otto Affected metrics/SLOs
Impact Hadoop NameNodes failed, causing all writes and reads to HDFS to fail
  • At Tue May 31 17:09:10 UTC 2022 received an email alert: "At least one Hadoop HDFS NameNode is active is CRITICAL"
  • Otto, Btullis, Joal, and Mforns jumped in hangout to troubleshoot.
  • /var/lib/hadoop/journal on all 5 journalnodes was full
  • Otto and Btullis stopped namenodes and journalnodes
  • Btullis increases csize
  • Btullis starts journalnodes, then master namenode.
  • Otto forces HDFS to stay in safe mode.
  • Wait for master namenode to apply edits from journalnodes.
  • Start standby namenode
  • Wait for standby namenode to apply edits
  • Otto allows HDFS to leave safe mode.


Cause analysis:

On Sunday evening May 22, /srv filled up on an-master1002. an-master1002 takes daily fs image snapshots, and saves them in /srv/backup/hadoop/namenode, keeping the last 20. Over time, as the number of HDFS blocks has increased, so has the size of these backup images.

We received an alert email for a failure of the hadoop-namenode-backup-fetchimage that takes these backups with the subject 'an-master1002/Check unit status of hadoop-namenode-backup-fetchimage is CRITICAL'. 24 hours later, this backup job succeeded, even no new image backup was taken, and we got a RECOVERY email for this job. Otto was on ops week, and only working half days these days. Otto most likely saw the RECOVERY email and ignored the alert.

On Tuesday May 31, /var/lib/hadoop/journal on all journalnodes completely filled, and NameNodes crashed as they were not able to get ACKs from the journalnodes that their writes had been saved.

We believe that after /srv/backup/hadoop/namenode filled up on May 22, the standby NameNode was no longer able to save its image to /srv/hadoop/name/current. Because no new image was saved, the hadoop-namenode-backup-fetchimage did not detect that a new image was present, it did not try to take a new backup. The hadoop-namenode-backup-prune kept purning backup files older than 20 days, freeing up space on the /srv partition.

However, because the standby NameNode was not able to save its FS images snapshots, JournalNodes were not able to clear up historical edits files, which caused THEM to fill up their journal partitions.


Create a list of action items that will help prevent this from happening again as much as possible. Link to or create a Phabricator task for every step.


Incident Engagement™ ScoreCard
Question Answer


People Were the people responding to this incident sufficiently different than the previous five incidents?
Were the people who responded prepared enough to respond effectively
Were fewer than five people paged?
Were pages routed to the correct sub-team(s)?
Were pages routed to online (business hours) engineers? Answer “no” if engineers were paged after business hours.
Process Was the incident status section actively updated during the incident?
Was the public status page updated?
Is there a phabricator task for the incident?
Are the documented action items assigned?
Is this incident sufficiently different from earlier incidents so as not to be a repeat occurrence?
Tooling To the best of your knowledge was the open task queue free of any tasks that would have prevented this incident? Answer “no” if there are

open tasks that would prevent this incident or make mitigation easier if implemented.

Were the people responding able to communicate effectively during the incident with the existing tooling?
Did existing monitoring notify the initial responders?
Were all engineering tools required available and in service?
Was there a runbook for all known issues present?
Total score (count of all “yes” answers above)