Unexpected "too many FDs" error on local ES cluster

vangap · May 16, 2019, 6:07am

I have elasticsearch 6.4.2 running on Mac, inside a container (Docker Desktop). I have about 240 indices and 1100 shards with 0 replicas set. I probably have 100k docs at max (can't say exact count because the cluster is in Red because of FDs error)

I see errors in ES logs that says too many open files, when I check lsof | grep elasticsearch | wc -l it's giving about 800k+ FDs.

This seems to be strange, considering that number of indices isn't large and data is also small.
I have seen bigger clusters(in terms of indices/dac count) with far few FDs, I am not sure wha's the issue with my local ES cluster.

ES Data directory stats
5200 directories, 33015 files.
Majority of these files are translog files, I am not sure if this is normal or not.

Node stats endpoints gives this about FDs
{
"nodes": {
"pSuUtbN-T4e0Ovf03sUS6g": {
"process": {
"max_file_descriptors": 655366
}
}
}
}

ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 47843
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) unlimited
open files (-n) 655366
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) unlimited
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

Christian_Dahlqvist · May 16, 2019, 6:58am

Why do you have so many indices and shards for so little data? It does indeed look strange though. How did you index the data?

vangap · May 16, 2019, 8:28am

Hi, this is my local cluster and hence some testing which led to those many indices. Yes, I am aware of the issues/overhead with high number of shards.
Data is indexed using the bulk APIs, using elasticsearch-js

I am also seeing a similar issue on a VM with 100 indices with 200-300k FDs

What's strange is that, half of this 200k belong to files related to translog.
For ex EDfVKTP2Tni0mrm6K0RrTA doesn't have any docs, but has 1700 open FDs
test_20190422122112_6l7qj_7f6bpg7p2v_data_ocr5v0_launchpad_data_customer_viz_ns_default EDfVKTP2Tni0mrm6K0RrTA 5 1 0 0 1.2kb 1.2kb

gist.github.com

https://gist.github.com/vanga/1f5e8b904f3405f29036f803ce5156a9

gistfile1.txt

java      25420                    test  320r      REG              253,0        55    2766128 /usr/share/elasticsearch/data/nodes/0/indices/EDfVKTP2Tni0mrm6K0RrTA/2/translog/translog-2.tlog
java      25420                    test  325u      REG              253,0        55    2766475 /usr/share/elasticsearch/data/nodes/0/indices/EDfVKTP2Tni0mrm6K0RrTA/2/translog/translog-3.tlog
java      25420                    test  330r      REG              253,0        55    2766130 /usr/share/elasticsearch/data/nodes/0/indices/EDfVKTP2Tni0mrm6K0RrTA/4/translog/translog-2.tlog
java      25420                    test  331u      REG              253,0        55    2766480 /usr/share/elasticsearch/data/nodes/0/indices/EDfVKTP2Tni0mrm6K0RrTA/4/translog/translog-3.tlog
java      25420                    test  333u      REG              253,0        55    2766096 /usr/share/elasticsearch/data/nodes/0/indices/EDfVKTP2Tni0mrm6K0RrTA/1/translog/translog-3.tlog
java      25420                    test  334r      REG              253,0        55    2766118 /usr/share/elasticsearch/data/nodes/0/indices/EDfVKTP2Tni0mrm6K0RrTA/1/translog/translog-2.tlog
java      25420                    test  336r      REG              253,0        55    2766102 /usr/share/elasticsearch/data/nodes/0/indices/EDfVKTP2Tni0mrm6K0RrTA/3/translog/translog-2.tlog
java      25420                    test  338r      REG              253,0        55    2766116 /usr/share/elasticsearch/data/nodes/0/indices/EDfVKTP2Tni0mrm6K0RrTA/0/translog/translog-2.tlog
java      25420                    test  341u      REG              253,0        55    2766486 /usr/share/elasticsearch/data/nodes/0/indices/EDfVKTP2Tni0mrm6K0RrTA/0/translog/translog-3.tlog
java      25420                    test  342u      REG              253,0        55    2766493 /usr/share/elasticsearch/data/nodes/0/indices/EDfVKTP2Tni0mrm6K0RrTA/3/translog/translog-3.tlog

This file has been truncated. show original

DavidTurner · May 16, 2019, 9:29am

I think there is some confusion about what lsof is showing. The output here is 1700 lines long but only shows 10 distinct file descriptors in use:

$ cat fds.txt | awk '{ print $5 }' | sort -u
320r
325u
330r
331u
333u
334r
336r
338r
341u
342u
REG

Each file descriptor is listed multiple times, once for each of the 170 threads.

vangap · May 16, 2019, 10:01am

@DavidTurner Thanks.

I didn't know about the per thread entry there.

But, I haven't noticed such a huge number even if you account for duplicates in other clusters.
Also, this cluster is completely idle when I took these stats about FD, I wonder why there are so many threads running.

Also, I have deleted few indices and updated by dev cluster to 6.7.2 and the cluster has started without any issues.
Perhaps, even though the FD limit in the container is high, limits on MacOS and hyperkit vm are low. I will update if I run into FD error again.

DavidTurner · May 16, 2019, 10:47am

Elasticsearch uses thread pools to avoid the overhead of creating a new thread each time it's needed. It's possible that the JVM does something similar too. Keeping idle threads alive is normally pretty cheap so 170 threads isn't too surprising. You might get more useful information from these APIs:

GET _nodes/hot_threads?ignore_idle_threads=false

GET _nodes/stats/thread_pool

vangap · May 30, 2019, 11:30am

Hi,

I have removed the hyperkit, docker variables now. I have ES running on mac installed via brew.
I still see the error

Error:

gist.github.com

https://gist.github.com/vanga/726af932abc12cc4318a48a922b7093f

gistfile1.txt

[2019-05-29T11:28:34,176][WARN ][o.e.c.r.a.AllocationService] [pSuUtbN] failing shard [failed shard, shard [test_20190224060157_43mk275ixpqyd2gc_data_backlog_viz_ns_default][0], node[pSuUtbN-T4e0Ovf03sUS6g], [P], recovery_source[existing store recovery; bootstrap_history_uuid=false], s[INITIALIZING], a[id=4P43LM4zQPaUQIKVuD8Zrw], unassigned_info[[reason=ALLOCATION_FAILED], at[2019-05-29T11:28:33.994Z], failed_attempts[4], delayed=false, details[failed shard on node [pSuUtbN-T4e0Ovf03sUS6g]: failed recovery, failure RecoveryFailedException[[test_20190224060157_43mk275ixpqyd2gc_data_backlog_viz_ns_default][0]: Recovery failed on {pSuUtbN}{pSuUtbN-T4e0Ovf03sUS6g}{IzhzW8NSRjadBCJlrKzIJQ}{172.18.0.2}{172.18.0.2:9300}{ml.machine_memory=2147483648, xpack.installed=true, ml.max_open_jobs=20, ml.enabled=true}]; nested: IndexShardRecoveryException[failed to recover from gateway]; nested: EngineCreationFailureException[failed to create engine]; nested: FileSystemException[/usr/share/elasticsearch/data/nodes/0/indices/-qUAXIl3S5SM0PZN9wGKQw/0/translog/translog-49.ckp: Too many open files]; ], allocation_status[no_valid_shard_copy]], message [failed recovery], failure [RecoveryFailedException[[test_20190224060157_43mk275ixpqyd2gc_data_backlog_viz_ns_default][0]: Recovery failed on {pSuUtbN}{pSuUtbN-T4e0Ovf03sUS6g}{IzhzW8NSRjadBCJlrKzIJQ}{172.18.0.2}{172.18.0.2:9300}{ml.machine_memory=2147483648, xpack.installed=true, ml.max_open_jobs=20, ml.enabled=true}]; nested: IndexShardRecoveryException[failed to recover from gateway]; nested: FileSystemException[/usr/share/elasticsearch/data/nodes/0/indices/-qUAXIl3S5SM0PZN9wGKQw/0/index/_6e.si: Too many open files]; ], markAsStale [true]]
org.elasticsearch.indices.recovery.RecoveryFailedException: [test_20190224060157_43mk275ixpqyd2gc_data_backlog_viz_ns_default][0]: Recovery failed on {pSuUtbN}{pSuUtbN-T4e0Ovf03sUS6g}{IzhzW8NSRjadBCJlrKzIJQ}{172.18.0.2}{172.18.0.2:9300}{ml.machine_memory=2147483648, xpack.installed=true, ml.max_open_jobs=20, ml.enabled=true}
	at org.elasticsearch.index.shard.IndexShard.lambda$startRecovery$9(IndexShard.java:2394) ~[elasticsearch-6.7.2.jar:6.7.2]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:681) ~[elasticsearch-6.7.2.jar:6.7.2]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
	at java.lang.Thread.run(Thread.java:835) [?:?]
Caused by: org.elasticsearch.index.shard.IndexShardRecoveryException: failed to recover from gateway
	at org.elasticsearch.index.shard.StoreRecovery.internalRecoverFromStore(StoreRecovery.java:445) ~[elasticsearch-6.7.2.jar:6.7.2]
	at org.elasticsearch.index.shard.StoreRecovery.lambda$recoverFromStore$0(StoreRecovery.java:95) ~[elasticsearch-6.7.2.jar:6.7.2]

This file has been truncated. show original

No Of Indices: 98 (I had 2x of these indices which I deleted, restarted)
No Of Shards: 473

Host Mac OS ulimit

core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
file size               (blocks, -f) unlimited
max locked memory       (kbytes, -l) unlimited
max memory size         (kbytes, -m) unlimited
open files                      (-n) 440000
pipe size            (512 bytes, -p) 1
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 2048
virtual memory          (kbytes, -v) unlimited

launchctl limit shows

	cpu         unlimited      unlimited
	filesize    unlimited      unlimited
	data        unlimited      unlimited
	stack       8388608        67104768
	core        0              unlimited
	rss         unlimited      unlimited
	memlock     unlimited      unlimited
	maxproc     2048           2048
	maxfiles    440000         524288

Is it possible that the error is misleading and the actual issue might with some other limit?

vangap · May 30, 2019, 12:54pm

I did some more testing..
I have sysctl kern.num_files around 3k+ when I don't have ES running.
It goes up to 13k+ with ES running, ES throws the errors shared above. I am not sure if there is a transient state where this number goes high, I did observe few times and it's always 13k+ afaics.

I have decreased the limit to 10k by doing sudo launchctl limit maxfiles 10000, I got the error in ES logs that it needs to be atleast 10240.

So the limits that I am setting seem to work definitely. This makes me wonder if there is a transient state where it goes to pretty high and then comes back? or the error message is misleading and I might be running into some other related limit

DavidTurner · May 30, 2019, 3:08pm

I don't think so. From what I can see, Too many open files maps to the error code EMFILE ...

github.com

lattera/glibc/blob/895ef79e04a953cac1493863bcae29ad85657ee1/sysdeps/gnu/errlist.c#L265


      
          #endif
          #ifdef EMFILE
          /*
          TRANS The current process has too many files open and can't open any more.
          TRANS Duplicate descriptors do count toward this limit.
          TRANS
          TRANS In BSD and GNU, the number of open files is controlled by a resource
          TRANS limit that can usually be increased.  If you get this error, you might
          TRANS want to increase the @code{RLIMIT_NOFILE} limit or make it unlimited;
          TRANS @pxref{Limits on Resources}. */
              [ERR_REMAP (EMFILE)] = N_("Too many open files"),
          # if EMFILE > ERR_MAX
          # undef ERR_MAX
          # define ERR_MAX EMFILE
          # endif
          #endif
          #ifdef ENFILE
          /*
          TRANS There are too many distinct file openings in the entire system.  Note
          TRANS that any number of linked channels count as just one file opening; see
          TRANS @ref{Linked Channels}.  This error never occurs on @gnuhurdsystems{}. */

... and the docs for this error code don't give any alternative explanations:

EMFILE The per-process limit on the number of open file descriptors has been reached (see the description of RLIMIT_NOFILE in getrlimit(2)).

Can you share your cluster's settings (GET _cluster/settings) and also your elasticsearch.yml file(s)?

vangap · May 30, 2019, 4:13pm

This is a fresh installation that I just did and copied the data from the docker setup where I ran into this first. So, nothing fancy in my setup.
But, I have attached these to the gist

gist.github.com

https://gist.github.com/vanga/726af932abc12cc4318a48a922b7093f

cluster settings

{
   "persistent": {},
   "transient": {}
}

elasticsearch.yml

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:

This file has been truncated. show original

gistfile1.txt

[2019-05-30T16:47:30,236][WARN ][o.e.i.c.IndicesClusterStateService] [pSuUtbN] [[test_20190224060157_43mk275ixpqyd2gc_data_backlog_viz_ns_default][0]] marking and sending shard failed due to [failed recovery]
org.elasticsearch.indices.recovery.RecoveryFailedException: [test_20190224060157_43mk275ixpqyd2gc_data_backlog_viz_ns_default][0]: Recovery failed on {pSuUtbN}{pSuUtbN-T4e0Ovf03sUS6g}{Zd6-BsorS7ukxeouzioKjQ}{127.0.0.1}{127.0.0.1:9300}
	at org.elasticsearch.index.shard.IndexShard.lambda$startRecovery$9(IndexShard.java:2394) ~[elasticsearch-6.8.0.jar:6.8.0]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:681) [elasticsearch-6.8.0.jar:6.8.0]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_192]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_192]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_192]
Caused by: org.elasticsearch.index.shard.IndexShardRecoveryException: failed to recover from gateway
	at org.elasticsearch.index.shard.StoreRecovery.internalRecoverFromStore(StoreRecovery.java:445) ~[elasticsearch-6.8.0.jar:6.8.0]
	at org.elasticsearch.index.shard.StoreRecovery.lambda$recoverFromStore$0(StoreRecovery.java:95) ~[elasticsearch-6.8.0.jar:6.8.0]

This file has been truncated. show original

vangap · May 31, 2019, 10:52am

Btw, same issue is happening on other members of my team who are using macs and have the number of indices that I have more or less.

DavidTurner · May 31, 2019, 11:24am

Sorry, debugging this kind of issue on a Mac is outside what I can really help with. I know there are OS-level tools like dtrace that might help work out whether Elasticsearch really is opening far too many files or whether there's some other limit that we don't know about, but I have no experience with using them.

Can you reproduce this on a supported OS?

vangap · May 31, 2019, 12:35pm

@DavidTurner thanks, that's understandable.
As mentioned in by original post, this is definitely something to do with Mac/+ES. I will see if any tracing tools might be helpful to narrow it down.

I was also trying to find a way to simulate this scenario to see if my system's kern.num_files goes beyond 13/14k. If it is, it means that OS can handle more FDs, which might suggest that there could be a transient state where ES might be having more FDs is a likely problem.
If you know of any way to simulate this, pls let me know.

system · June 28, 2019, 12:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic search error - translog: Too many open files Elasticsearch	4	1685	July 5, 2017
Too many open files even after increasing limit Elasticsearch	8	469	July 6, 2017
Too Many Open Files Elasticsearch	4	1582	July 6, 2017
Elasticsearch opening way too many (200K) Pipes, FDs Elasticsearch	9	3519	November 29, 2017
"Too many open files" on small cluster Elasticsearch	5	1844	April 19, 2019

Unexpected "too many FDs" error on local ES cluster

Related topics