Jump to content

Incidents/2022-05-31 Analytics Hadoop failure

From Wikitech

document status: in-review


Incident metadata (see Incident Scorecard)
Incident ID 2022-05-31 Analytics Hadoop failure Start 2022-05-31 17:09:10
Task T309649 End ~2022-05-31 18:00:00
People paged 3 Responder count 4
Coordinators Andrew Otto Affected metrics/SLOs
Impact A component of our Hadoop HDFS distributed file system called the NameNode failed, on both the primary and standby server. This caused all HDFS writes and reads to fail.

There was no public-facing impact to this incident, so the users involved are those in the various WMF data teams who use tools such as Hive, Spark, Jupyter, Superset etc.

In addition to these interactive users, several scheduled ingestion pipelines that read from or write to HDFS were also broken for the duration of the incident.

After recovery of the namenodes, regular ingestion from Kafka was resumed from the point where it stopped. Therefore there was no lasting impact nor data loss as a result of this incident.

  • At Tue May 31 17:09:10 UTC 2022 analytics-alerts@wikimedia.org received an email alert: "At least one Hadoop HDFS NameNode is active is CRITICAL"
  • Otto, Btullis, Joal, and Mforns jumped in hangout to troubleshoot.
  • /var/lib/hadoop/journal on all 5 journalnodes was full
  • Otto and Btullis stopped namenodes and journalnodes
  • Btullis increases /var/lib/hadoop/journal on journalnodes from 10 GB to 30 GB
  • Btullis starts journalnodes, then master namenode.
  • Otto forces HDFS to stay in safe mode.
  • Wait for master namenode to apply edits from journalnodes.
  • Start standby namenode
  • Wait for standby namenode to apply edits
  • Otto allows HDFS to leave safe mode.


Cause analysis:

On Sunday evening May 22, /srv filled up on an-master1002. an-master1002 takes daily fs image snapshots, and saves them in /srv/backup/hadoop/namenode, keeping the last 20. Over time, as the number of HDFS blocks has increased, so has the size of these backup images.

We received an alert email for a failure of the hadoop-namenode-backup-fetchimage that takes these backups with the subject "an-master1002/Check unit status of hadoop-namenode-backup-fetchimage is CRITICAL".

24 hours later, this backup job succeeded, even if no new image backup was taken, and we got a RECOVERY status email for this job. Otto was on ops week, and only working half days this week. Otto most likely saw the RECOVERY email and ignored the alert.

On Tuesday May 31, /var/lib/hadoop/journal on all journalnodes completely filled, and NameNodes crashed as they were not able to get ACKs from the journalnodes that their writes had been saved.

We believe that after /srv/backup/hadoop/namenode filled up on May 22, the standby NameNode was no longer able to save its image to /srv/hadoop/name/current. Because no new image was saved, the hadoop-namenode-backup-fetchimage did not detect that a new image was present, it did not try to take a new backup. The hadoop-namenode-backup-prune kept purning backup files older than 20 days, freeing up space on the /srv partition.

However, because the standby NameNode was not able to save its FS images snapshots, JournalNodes were not able to clear up historical edits files, which caused them to fill up their journal partitions.

After the NameNodes were recovered and out of safe mode, writes could proceed. All ingestion is handled either via Kafka or periodic jobs, and these can resume from where they left off. No lasting impact.


The following ticket contains all actionable items. https://phabricator.wikimedia.org/T309649

These are:

  • Make old journalnode edits files are cleaned properly now that namenodes are back online and saving fs image snapshots.
  • Reduce profile::hadoop::backup::namenode::fsimage_retention_days, 20 is too many
  • Create an alert for the freshness of the standby namenode's FSImage dump in /srv/hadoop/name/current
  • Make sure journalnodes alert sooner about disk journalnode partition
  • Check that bacula backups of fs image snapshots are available and usable
  • Check that the alerting for disk space is correct on an-master hosts - since we seem not to have been alerted to /srv/ becoming full on an-master1002

All have now been completed.


Incident Engagement™ ScoreCard
Question Answer


People Were the people responding to this incident sufficiently different than the previous five incidents? Yes
Were the people who responded prepared enough to respond effectively Yes
Were fewer than five people paged? Yes
Were pages routed to the correct sub-team(s)? Yes
Were pages routed to online (business hours) engineers? Answer “no” if engineers were paged after business hours. Yes
Process Was the incident status section actively updated during the incident? Yes
Was the public status page updated? n/a This is not a public-facing service, but we notified users of HDFS via email, Slack and IRC.
Is there a phabricator task for the incident? Yes
Are the documented action items assigned? Yes
Is this incident sufficiently different from earlier incidents so as not to be a repeat occurrence? Yes
Tooling To the best of your knowledge was the open task queue free of any tasks that would have prevented this incident? Answer “no” if there are

open tasks that would prevent this incident or make mitigation easier if implemented.

Were the people responding able to communicate effectively during the incident with the existing tooling? Yes
Did existing monitoring notify the initial responders? No Monitoring has been updated to inform the Data Engineering team for all relevant services.
Were all engineering tools required available and in service? Yes
Was there a runbook for all known issues present? Yes
Total score (count of all “yes” answers above) 13