[#HADOOP-5643] Ability to blacklist tasktracker

Hadoop Common

Ability to blacklist tasktracker

Created: 08/Apr/09 06:43 PM Updated: 25/Sep/09 10:37 PM

Component/s:

None

Affects Version/s:

0.20.0

Fix Version/s:

0.21.0

Time Tracking:

Not Specified

File Attachments:

File Name	Date Attached	Attached By	Size
Fixed 5643-0.20	2009-06-04 12:54 AM	Robert Chansler	55 kB
Fixed+5643-0.20-final	2009-06-15 04:51 AM	Amar Kamat	57 kB
Fixed+5643-0.20-part2	2009-06-05 05:46 AM	Amar Kamat	2 kB
HADOOP-5643-v3.4.patch	2009-04-28 08:11 PM	Amar Kamat	60 kB
HADOOP-5643-v4.0.patch	2009-04-29 01:08 PM	Amar Kamat	81 kB
HADOOP-5643-v4.6.patch	2009-05-04 01:21 PM	Amar Kamat	82 kB
HADOOP-5643-v5.1.patch	2009-05-05 02:43 PM	Amar Kamat	54 kB
HADOOP-5643-v5.12-testcase.patch	2009-05-11 12:46 PM	Amar Kamat	13 kB
HADOOP-5643-v5.12.patch	2009-05-08 01:31 PM	Amar Kamat	50 kB
HADOOP-5643-v5.5.patch	2009-05-07 08:13 AM	Amar Kamat	59 kB
HADOOP-5643-v5.9.patch	2009-05-08 08:29 AM	Amar Kamat	60 kB

Issue Links:

Reference

This issue relates to:

~~HADOOP-5818~~ Revert the renaming from checkSuperuserPrivilege to checkAccess by HADOOP-5643

This issue is related to:

~~HADOOP-4733~~ Decommissioning TaskTrackers

Hadoop Flags:	Reviewed
Release Note:	« Hide New mradmin command -refreshNodes updates the job tracker's node lists. Show » New mradmin command -refreshNodes updates the job tracker's node lists.
Resolution Date:	11/May/09 12:49 PM

Description

« Hide

Its not always possible to shutdown the tasktracker to stop scheduling tasks on the node. (eg you can't login to the node but the TT is up).

This can be via

mapred.exclude and should be refreshed with out restarting the tasktracker
hadoop job -fail-tracker <tracker id>

All

Comments

Work Log

Change History

Subversion Commits

Sort Order:

[ Permlink | « Hide ]

Koji Noguchi added a comment - 15/Apr/09 05:54 PM

Just like we use dfs.exclude for blocking AND decommissioning datanodes,
can we use this feature for blocking(blacklisting) and decommisioning TaskTrackers?

[ Permlink | « Hide ]

Owen O'Malley added a comment - 22/Apr/09 05:12 AM

I think we should also be able to do this via the web ui, which is very convenient.

There should be a way to make it not black listed any more.

It should be persistent across job tracker restarts.

It probably should be decommissioning instead of black listing.

It should probably start rerunning all of the running and stored tasks. (including the map outputs that are stored there)

[ Permlink | « Hide ]

Amar Kamat added a comment - 22/Apr/09 08:42 AM

I think calling this as blacklisting will lead to more confusion. As Owen suggested we can call it as decommissioning/recommissioning of trackers which would essentially mean that irrespective of what state the tracker is, the jobtracker is asked to decommission(rerun+ignore)/recommission(add back) it. So the command would be

bin/hadoop jobtracker -decommission tracker1,tracker2.... and bin/hadoop jobtracker -recommission tracker1,tracker2.....

All the running tasks (also completed maps) that were launched on that machine will be killed and rerun. We can reuse the lost-tracker code for doing this. Maybe a thread should be started on demand (similar to cleanup queue thread) for a decommissioning request. Also these tracker will be added to the ignore list (i.e issue a 'shutdown' upon contact). So a decommission request is equivalent to lost-tracker + add-to-ignore-list.

Upon a recommission, the trackers will be removed from the ignore list. This can be done inline.

From the webui, a simple checkbox against all the trackers can be provided and an action named 'Decommission' can be provided (similar to actions for jobs on jobtracker.jsp). On the trackers page, we can provide another section for decommissioned trackers and there we can provide a checkbox for recommissioning it.

Note :
1) Acls check should be done before decommissioning and recommissioning.
2) This info needs to be persisted. Upon every decommission/recommission, persist this info to system.dir/jobtracker.info
3) Upon restart, the ignore list will also be recovered and loaded (i.e invoke jobtracker.decommission(recovered-list) from recovery-manager)
4) These new apis can be added to the TaskTrackerManager interface as there really are tasktracker level actions.

Thoughts?

[ Permlink | « Hide ]

Amar Kamat added a comment - 24/Apr/09 11:10 AM

One more thing i forgot to add is that the jobtracker already reads the hosts file and the exclude file but just once. There is no refresh facility to it. I think we can add that to MR too. So here is the sequence of things :

files to include can be specified via mapred.hosts and will be read by the jobtracker upon init
files to exclude can be specified via mapred.hosts.exclude and will also be read by the jobtracker upon init
Admins can change these files and invoke a refresh from the command line (maybe from the webui too). These files will be loaded back.
If the hosts are added via command line or webui, it will be appended to the include/exclude files. So that upon next restart, the previously included/excluded host info is re-used.

[ Permlink | « Hide ]

eric baldeschwieler added a comment - 28/Apr/09 03:26 AM

Do we have a good security story for actions taken through the web UI? Absent that, I'd suggest we don't enable this there.

Being able to modify the excludes file and hup the server is probably good enough for an operator.

[ Permlink | « Hide ]

Amar Kamat added a comment - 28/Apr/09 06:19 AM

Had an offline discussion with Devaraj and we think it makes sense to provide a default location for mapred.hosts.exclude. The purpose of doing this is to provide persistence. The default file would be something like ${hadoop.log.dir}/history/hosts.exclude. By default the jobtracker persists the decommission/recommission host info in this file.

@Eric
I think we should do what we do for job killing i.e private actions thingy. There is always the option to do it either via refresh or -decommission/-recommission command line option. All the admin operations at the jobtracker will be checked for owner access. For now I think only the user who runs the jobtracker should be allowed to fire these commands. Thoughts?

[ Permlink | « Hide ]

Amar Kamat added a comment - 28/Apr/09 08:11 PM

Attaching a patch implementing the above discussed approach. Result of test patch

[exec] -1 overall.  
     [exec] 
     [exec]     +1 @author.  The patch does not contain any @author tags.
     [exec] 
     [exec]     +1 tests included.  The patch appears to include 9 new or modified tests.
     [exec] 
     [exec]     +1 javadoc.  The javadoc tool did not generate any warning messages.
     [exec] 
     [exec]     +1 javac.  The applied patch does not increase the total number of javac compiler warnings.
     [exec] 
     [exec]     +1 findbugs.  The patch does not introduce any new Findbugs warnings.
     [exec] 
     [exec]     +1 Eclipse classpath. The patch retains Eclipse classpath integrity.
     [exec] 
     [exec]     -1 release audit.  The applied patch generated 472 release audit warnings (more than the trunk's current 469 warnings).

Not clear why release audit warnings are there. This patch is tested on local box and testing is in progress. Will upload a new patch with fixed warnings and testcases.

[ Permlink | « Hide ]

Amar Kamat added a comment - 28/Apr/09 08:46 PM

Also added a new parameter mapred.permissions.supergroup to allow admins specify supergroups. Either the user running the jobtracker or user in the supergroup can issue admin commands.

[ Permlink | « Hide ]

Amar Kamat added a comment - 29/Apr/09 01:08 PM

Attaching a patch with the test case. Result of test-patch

[exec] +1 overall.  
     [exec] 
     [exec]     +1 @author.  The patch does not contain any @author tags.
     [exec] 
     [exec]     +1 tests included.  The patch appears to include 15 new or modified tests.
     [exec] 
     [exec]     +1 javadoc.  The javadoc tool did not generate any warning messages.
     [exec] 
     [exec]     +1 javac.  The applied patch does not increase the total number of javac compiler warnings.
     [exec] 
     [exec]     +1 findbugs.  The patch does not introduce any new Findbugs warnings.
     [exec] 
     [exec]     +1 Eclipse classpath. The patch retains Eclipse classpath integrity.
     [exec] 
     [exec]     +1 release audit.  The applied patch does not increase the total number of release audit warnings.

Testing in progress.

[ Permlink | « Hide ]

Amar Kamat added a comment - 30/Apr/09 10:59 AM

While testing the patch, we found that manually changing the excludes file (maintained by the jobtracker) results in checksum error. So, for now we think keeping it as it is (i.e using java to write/read) makes more sense. Also here are some of the test bugs :

documentation for command line is not sufficient
passing a wrong file to hosts reader causes the earlier data to be lost. So the correct way would be to first load the new file and on success replace the internal structures.
web ui doesnt work as expected.

Will upload a new patch soon.

[ Permlink | « Hide ]

Rajiv Chittajallu added a comment - 30/Apr/09 04:34 PM

>While testing the patch, we found that manually changing the excludes file (maintained by the jobtracker) results in checksum error.

For the name NameNode, this is allowed. JT should do the same.

[ Permlink | « Hide ]

eric baldeschwieler added a comment - 01/May/09 04:51 AM

I think we are going through an expensive process of reinventing the wheel here. We should think about solving this sort of issue once by maintain such lists in a plugable source of configuration and supporting the ability to "hup" the service.

We should then implement config in LDAP / SQL / or some other service via plugins and then we can modify these configurations in an environment with lots of tools to support this stuff. Adding ad hock commands and odd side files that will be lost if we need to swap hardware is awkward.

[ Permlink | « Hide ]

Amar Kamat added a comment - 04/May/09 01:21 PM

Attaching a patch fixing some bugs. Result of test-patch

[exec] +1 overall.  
     [exec] 
     [exec]     +1 @author.  The patch does not contain any @author tags.
     [exec] 
     [exec]     +1 tests included.  The patch appears to include 15 new or modified tests.
     [exec] 
     [exec]     +1 javadoc.  The javadoc tool did not generate any warning messages.
     [exec] 
     [exec]     +1 javac.  The applied patch does not increase the total number of javac compiler warnings.
     [exec] 
     [exec]     +1 findbugs.  The patch does not introduce any new Findbugs warnings.
     [exec] 
     [exec]     +1 Eclipse classpath. The patch retains Eclipse classpath integrity.
     [exec] 
     [exec]     +1 release audit.  The applied patch does not increase the total number of release audit warnings

Running ant test now. Will post the results of ant test and cluster run.

[ Permlink | « Hide ]

Amar Kamat added a comment - 05/May/09 02:43 PM

Attaching a patch that does what HDFS does. Testing the patch.

[ Permlink | « Hide ]

Amar Kamat added a comment - 05/May/09 05:19 PM

Result of test patch.

[exec] +1 overall.  
     [exec] 
     [exec]     +1 @author.  The patch does not contain any @author tags.
     [exec] 
     [exec]     +1 tests included.  The patch appears to include 15 new or modified tests.
     [exec] 
     [exec]     +1 javadoc.  The javadoc tool did not generate any warning messages.
     [exec] 
     [exec]     +1 javac.  The applied patch does not increase the total number of javac compiler warnings.
     [exec] 
     [exec]     +1 findbugs.  The patch does not introduce any new Findbugs warnings.
     [exec] 
     [exec]     +1 Eclipse classpath. The patch retains Eclipse classpath integrity.
     [exec] 
     [exec]     +1 release audit.  The applied patch does not increase the total number of release audit warnings.

Running ant test

[ Permlink | « Hide ]

Arun C Murthy added a comment - 05/May/09 06:21 PM

I think we are going through an expensive process of reinventing the wheel here. We should think about solving this sort of issue once by maintain such lists in a plugable source of configuration and supporting the ability to "hup" the service.

+1. I've opened HADOOP-5772 for the same.

[ Permlink | « Hide ]

Amar Kamat added a comment - 05/May/09 08:51 PM

Ant tests passed on my box.

[ Permlink | « Hide ]

Amar Kamat added a comment - 07/May/09 08:13 AM

Attaching a patch the tried to provide the refresh facility similar to HDFS. Result of test-patch

[exec] +1 overall.  
     [exec] 
     [exec]     +1 @author.  The patch does not contain any @author tags.
     [exec] 
     [exec]     +1 tests included.  The patch appears to include 21 new or modified tests.
     [exec] 
     [exec]     +1 javadoc.  The javadoc tool did not generate any warning messages.
     [exec] 
     [exec]     +1 javac.  The applied patch does not increase the total number of javac compiler warnings.
     [exec] 
     [exec]     +1 findbugs.  The patch does not introduce any new Findbugs warnings.
     [exec] 
     [exec]     +1 Eclipse classpath. The patch retains Eclipse classpath integrity.
     [exec] 
     [exec]     +1 release audit.  The applied patch does not increase the total number of release audit warnings.

Ant test passed on my box.

[ Permlink | « Hide ]

Amar Kamat added a comment - 08/May/09 08:29 AM

Attaching a patch incorporating Devaraj's offline comment. Result of test-patch

[exec] +1 overall.  
     [exec] 
     [exec]     +1 @author.  The patch does not contain any @author tags.
     [exec] 
     [exec]     +1 tests included.  The patch appears to include 15 new or modified tests.
     [exec] 
     [exec]     +1 javadoc.  The javadoc tool did not generate any warning messages.
     [exec] 
     [exec]     +1 javac.  The applied patch does not increase the total number of javac compiler warnings.
     [exec] 
     [exec]     +1 findbugs.  The patch does not introduce any new Findbugs warnings.
     [exec] 
     [exec]     +1 Eclipse classpath. The patch retains Eclipse classpath integrity.
     [exec] 
     [exec]     +1 release audit.  The applied patch does not increase the total number of release audit warnings.

Ant tests passed on my box.

[ Permlink | « Hide ]

Amar Kamat added a comment - 08/May/09 01:31 PM

Attaching a patch incorporating Devaraj's offline comments.

Permission checks are now factored out into a common class
Replaced decommissioned in some cases with excluded.

Result of test-patch

[exec] +1 overall.  
     [exec] 
     [exec]     +1 @author.  The patch does not contain any @author tags.
     [exec] 
     [exec]     +1 tests included.  The patch appears to include 9 new or modified tests.
     [exec] 
     [exec]     +1 javadoc.  The javadoc tool did not generate any warning messages.
     [exec] 
     [exec]     +1 javac.  The applied patch does not increase the total number of javac compiler warnings.
     [exec] 
     [exec]     +1 findbugs.  The patch does not introduce any new Findbugs warnings.
     [exec] 
     [exec]     +1 Eclipse classpath. The patch retains Eclipse classpath integrity.
     [exec] 
     [exec]     +1 release audit.  The applied patch does not increase the total number of release audit warnings.

Running ant test now.

[ Permlink | « Hide ]

Amar Kamat added a comment - 09/May/09 07:44 AM

Ant tests passed on my box.

[ Permlink | « Hide ]

Amar Kamat added a comment - 11/May/09 12:46 PM

Missed the testcase.

[ Permlink | « Hide ]

Devaraj Das added a comment - 11/May/09 12:49 PM

I just committed this. Thanks, Amar! (Please add a release note describing the way to run the command for decommissioning TTs)

[ Permlink | « Hide ]

Hudson added a comment - 11/May/09 08:14 PM

Integrated in Hadoop-trunk #833 (See http://hudson.zones.apache.org/hudson/job/Hadoop-trunk/833/)
. Adding the file src/test/mapred/org/apache/hadoop/mapred/TestNodeRefresh.java that got missed earlier.
. Adds a way to decommission TaskTrackers while the JobTracker is running. Contributed by Amar Kamat.

[ Permlink | « Hide ]

Tsz Wo (Nicholas), SZE added a comment - 11/May/09 09:27 PM

src/hdfs/org/apache/hadoop/hdfs/server/namenode/PermissionChecker.java becomes an empty file in trunk.

Why renaming the FSNamesystem.checkSuperuserPrivilege() method to checkAccess() even though it is still for checking superuser privilege?

[ Permlink | « Hide ]

Amar Kamat added a comment - 12/May/09 04:48 AM

src/hdfs/org/apache/hadoop/hdfs/server/namenode/PermissionChecker.java becomes an empty file in trunk.

We should do a svn delete of this file.

Why renaming the FSNamesystem.checkSuperuserPrivilege() method to checkAccess() even though it is still for checking superuser privilege?

I feel checkSuperuserPrivilege() should be used for simply checking superuser privilege (without permission switch which is just in HDFS for now) and checkAccess() for making a guarded call to checkSuperuserPrivilege(). The reason for doing this was to keep both the MR and HDFS consistent wrt superuser checks.

[ Permlink | « Hide ]

Tsz Wo (Nicholas), SZE added a comment - 12/May/09 06:28 PM

I feel checkSuperuserPrivilege() should be used for simply checking superuser privilege (without permission switch which is just in HDFS for now) and checkAccess() for making a guarded call to checkSuperuserPrivilege(). The reason for doing this was to keep both the MR and HDFS consistent wrt superuser checks.

Then, why not using the name "checkSuperuserPrivilege" for superuser checks in both HDFS and MR? "checkAccess" does not seem to mean "check superuser".

Also, "checkAccess" seems to be confusing in HDFS. In FSNamesystem, there are other methods checkPathAccess(..), checkParentAccess(..) and checkAncestorAccess(..) which are nothing to do with superuser.

[ Permlink | « Hide ]

Hudson added a comment - 12/May/09 09:32 PM

Integrated in Hadoop-trunk #834 (See http://hudson.zones.apache.org/hudson/job/Hadoop-trunk/834/)
. Removing the empty file src/hdfs/org/apache/hadoop/hdfs/server/namenode/PermissionChecker.java.

[ Permlink | « Hide ]

Amar Kamat added a comment - 13/May/09 04:11 AM

Nicholas,
If checkAccess() adds to confusion then we better revert the renaming.

[ Permlink | « Hide ]

Tsz Wo (Nicholas), SZE added a comment - 13/May/09 05:39 PM

I filed ~~HADOOP-5818~~: Revert the renaming from checkSuperuserPrivilege to checkAccess by ~~HADOOP-5643~~.

[ Permlink | « Hide ]

Robert Chansler added a comment - 04/Jun/09 12:54 AM

Example patch for 0.20 not to be committed.

[ Permlink | « Hide ]

Amar Kamat added a comment - 05/Jun/09 05:46 AM

Example patch not to be committed.

[ Permlink | « Hide ]

Amar Kamat added a comment - 15/Jun/09 04:51 AM

Attaching a new patch for branch 0.20 merging the 2 patches. Note that this is an example patch for 20 and not to be committed.