Recovering or Preventing Out of Disk Space #4441
Comments
deepthidevaki
added
kind/toil
|
I did a spike to prevent/recover from OOD due to slow exporter. Assumptions: OOD means free space <= threshold. There is always enough space for a snapshot. Leader rejects external commands when freespace < X
If the leader is OOD, at some point in time it can take snapshot i.e when the exporter is back. Questions: Problematic CaseBoth followers are OOD (free space < Y) and reject event replication . Only way for them to recover is to get a snapshot and compact. What are the cases that both followers are OOD?
The chances of such a case might be probably low. But if it happens we are in a non-recoverable state. Verified - If leader is not OOD and followers are OOD, followers cannot recover because leader cannot take snapshot with out committing. Verified - It can recover if we re-size atleast one follower's disk when it goes OOD, restart the node and wait until leader takes snapshot. To resize a pvc -> Main issue: /cc @Zelldon |
4782: chore(broker): handle out of disk space in broker r=deepthidevaki a=deepthidevaki ## Description * expose configuration parameters for minimum free disk space * When broker free disk space available is less than configured min free disk, - reject client requests - reject commands from other partitions - pause stream processor ## Related issues closes #4441 # 4832: feat(clients/java): add user-agent to java client requests r=MiguelPires a=MiguelPires ## Description Add user-agent header with client and version information to gRPC and OAuth requests. ## Related issues closes #4265 # Co-authored-by: Deepthi Devaki Akkoorath <deepthidevaki@gmail.com> Co-authored-by: Miguel Pires <miguel.pires@camunda.com>
4782: chore(broker): handle out of disk space in broker r=deepthidevaki a=deepthidevaki ## Description * expose configuration parameters for minimum free disk space * When broker free disk space available is less than configured min free disk, - reject client requests - reject commands from other partitions - pause stream processor ## Related issues closes #4441 # Co-authored-by: Deepthi Devaki Akkoorath <deepthidevaki@gmail.com>
4782: chore(broker): handle out of disk space in broker r=deepthidevaki a=deepthidevaki ## Description * expose configuration parameters for minimum free disk space * When broker free disk space available is less than configured min free disk, - reject client requests - reject commands from other partitions - pause stream processor ## Related issues closes #4441 # Co-authored-by: Deepthi Devaki Akkoorath <deepthidevaki@gmail.com>
4782: chore(broker): handle out of disk space in broker r=deepthidevaki a=deepthidevaki ## Description * expose configuration parameters for minimum free disk space * When broker free disk space available is less than configured min free disk, - reject client requests - reject commands from other partitions - pause stream processor ## Related issues closes #4441 # Co-authored-by: Deepthi Devaki Akkoorath <deepthidevaki@gmail.com>
4782: chore(broker): handle out of disk space in broker r=deepthidevaki a=deepthidevaki ## Description * expose configuration parameters for minimum free disk space * When broker free disk space available is less than configured min free disk, - reject client requests - reject commands from other partitions - pause stream processor ## Related issues closes #4441 # Co-authored-by: Deepthi Devaki Akkoorath <deepthidevaki@gmail.com>
4782: chore(broker): handle out of disk space in broker r=deepthidevaki a=deepthidevaki ## Description * expose configuration parameters for minimum free disk space * When broker free disk space available is less than configured min free disk, - reject client requests - reject commands from other partitions - pause stream processor ## Related issues closes #4441 # Co-authored-by: Deepthi Devaki Akkoorath <deepthidevaki@gmail.com>
Description
There are several reasons when a broker goes Out of Disk space.
In all of the above cases there are no automatic recovery possible. But it is possible that the faults that leads to OOD is resolved eventually. Exporter comes back and starts exporting again. Temporary I/O errors are gone. Buggy compaction module is fixed and broker is upgraded. However, if the broker is already OOD we cannot take a new snapshot because there is no space for snapshot. So they cannot compact and brokers can never recover from OOD. Since we cannot prevent the faults that causes OOD (such as exporter is slow), we focus on preventing the broker from reaching a non-recoverable state. Towards that, we have the following proposals:
The above two features would prevent broker from going to fully OOD. Once the fault is fixed, partitions can take snapshot and compact.
In addition to the above two:
3. Add health checks for compaction and snapshoting
4. Modify snapshot taking frequency. Instead of periodic snapshots, use other heuristics such as size of the log, number of newly processed events/newly exported from last snapshot etc. This would ensure that once the fault is fixed, we can immediately take snapshot/compact and no need to wait until the next snapshot period.
5. Gateway redirects all requests to other partitions if only one of the partition is affected by the OOD.
6. In some cases stepdown will be helpful as other brokers are not OOD and can take over the leadership to ensure progress. However, in most cases it is not useful since brokers have similar configuration, and are compacting at the same time. Step down immediately when disk space usage > threshold is not a good idea, if other brokers are also OOD. It would lead to a back-to-back failover. Since no broker stays as leader for long enough to export or to take snapshot, they can never compact and recover from OOD. Investigate what is a good strategy to step down.
The text was updated successfully, but these errors were encountered: