1. The original JIRA description indicated that this problem was caused only by the disk filling up, yet the original patches also monitor for a near-full JVM heap. I left the memory checking in this reworked patch, but I think this feature should probably be removed. Unclear how this would interact with Java GC, and unclear if entering safemode would actually help the situation.
I agree, should be pulled out to a separate jira.
3. Todd mentioned that he's seen edit log corruptions from the log volume filling up. Perhaps we should add an additional configuration option to let the user specify arbitrary volumes to check, besides just the volumes containing the edits/name dirs?
Good idea, there's nothing edits specific here. Would need to add a test that if the admin does pass in the volume that hosts the edits log it doesn't conflict with the default behavior (eg double monitoring).
3. I switched the configuration of disk space amount from a percentage to a number of bytes remaining, since volume sizes may differ, and thus a fixed amount of space reserved seems more appropriate. Perhaps there should be a way to specify the threshold per-volume?
What's the intended behavior if there are n disks and one fills up before the others? Seems like this volume should be taken off-line and the NN does not enter SM. If there's just a global threshold would this cause the overall threshold to drop (because the removed volume's free space not longer counts towards the total), causing a cascade where the other volumes go off-line? This would suggest a threshold per volume. Though if we can make a single, simple threshold work that seems better from a usability perspective.
4. I'm a little concerned that we might see a problem where the NN will reach the threshold and then thrash in and out of safemode as it sits on the cusp of the configured free space. Perhaps we should not automatically leave safemode in the event the resources later return to normal? Or make this behavior configurable? It seems to me that an NN volume running out of space should be a cause for concern, so it might be reasonable for an admin to have to manually force the NN out of safe mode.
Seems there are two scenarios here:
a. The admin can easily free up some space
b. The admin can not easily free up space (eg needs to compact the log because the 2NN wasn't running for a while, need to resize the volume, replace the disk etc).
In both cases I think the admin would want to have to manually tell the NN to leave SM while they are working (eg w/o them explicitly telling it to do so). If they want automatic behavior they can continuosly monitor/roll on these volumes so they don't get into this scenario, and they don't want the monitoring/rolling to race with the free space detection (eg they'd want to have to take action if this process ever crosses the threshold they set). Ie seems like once you've gone into SM due to lack of free space you should stay there until the admin has had a chance to rectify.