Cloudstore is a diagnostics library for troubleshooting problems interacting with cloud storage through Apache Hadoop

License: Apache ASF 2.0

All the implementation classes are under the org.apache.hadoop.fs package tree but it is not part of the apache hadoop artifacts.

  1. Faster release cycle, so the diagnostics can evolve to track features going into Hadoop-trunk.
  2. Fewer test requirements. This is naughty, but as much of this code is written in a hurry to diagnose problems on remote sites, problems which are hard to test, it is undertested.
  3. Ability to compile against older versions. We've currently switched to Hadoop 3.3+ due to the need to make API calls and operations not in older versions.


Primarily: diagnostics


  1. Sometimes things fail, and the first problem is classpath;
  2. The second, invariably some client-side config.
  3. Then there's networking and permissions...
  4. The Hadoop FS connectors all assume a well configured system, and don't do much in terms of meaningful diagnostics.
  5. This is compounded by the fact that we dare not log secret credentials.
  6. And in support calls, it's all to easy to get those secrets, even though its a major security breach to get them.

Secondary: higher performance cloud IO

The main hadoop hadoop fs commands are written assuming a filesystem, where:

See also

Command Index

Command storediag

The storediag entry point is designed to pick up the FS settings, dump them with sanitized secrets, and display their provenance. It then bootstraps connectivity with an attempt to initiate (unauthed) HTTP connections to the store's endpoints. This should be sufficient to detect proxy and endpoint configuration problems.

Then it tries to perform some reads and writes against the store. If these fail, then there's clearly a problem. Hopefully though, there's now enough information to begin determining what it is.

Finally, if things do fail, the printed configuration excludes the login secrets, for safer reporting of issues in bug reports.

hadoop jar cloudstore-1.0.jar storediag -j -5 s3a://landsat-pds/
hadoop jar cloudstore-1.0.jar storediag --tokenfile mytokens.bin s3a://my-readwrite-bucket/
hadoop jar cloudstore-1.0.jar storediag wasb://container@user/subdir
hadoop jar cloudstore-1.0.jar storediag abfs://container@user/

The remote store is required to grant full R/W access to the caller, otherwise the creation tests will fail.

The --tokenfile option loads tokens saved with hdfs fetchdt. It does not need Kerberos, though most filesystems expect Kerberos enabled for them to pick up tokens (not S3A, potentially other stores).


Usage: storediag [options] <filesystem>
        -D <key=value>  Define a property
        -e      List the environmment variables. *danger: does not redact secrets*
        -h      redact all chars in sensitive options
        -j      List the JARs on the classpath
        -l      Dump the Log4J settings
        -o      Downgrade all 'required' classes to optional
        -principal <principal>  kerberos principal to request a token for
        -required <file>        text file of extra classes+resources to require
        -s      List the JVM System Properties
        -t      Require delegation tokens to be issued
        -tokenfile <file>       Hadoop token file to load
        -verbose                Verbose output
        -w      attempt write operations on the filesystem
        -xmlfile <file>         XML config file to load
        -5      Print MD5 checksums of the jars listed (requires -j)

The -require option takes a text file where every line is one of a #-prefixed comment, a blank line, a classname, a resource (with "/" in). These are all loaded

hadoop jar cloudstore-1.0.jar storediag -j -5 -required required.txt s3a://something/

and with a required.txt listing things you require

# S3A
# Misc

This is useful to dynamically add some extra mandatory classes to the list of classes you need to work with a store...most useful when either you are developing new features and want to verify they are on the classpath, or you are working with an unknown object store and just want to check its depencies up front.

Missing file or resource will result in an error and the command failing.

The comments are printed too! This means you can use them in the reports.

Command bandwidth

Measure upload/download bandwidth, optionally saving data to a CSV file.

See bandwidth for details.

Command bucketmetadata

Retrieves metadata from an S3 Bucket (v2 SDK only) by probing the store.

See bucketmetadata for details.

Command cloudup -upload and download files; optimised for cloud storage

See cloudup

Command committerinfo

Tries to instantiate a committer using the Hadoop 3.1+ committer factory mechanism, printing out what committer a specific path will create.

See committerinfo.

Command constval

Loads a class, resolves a constant/static final field and prints its value.

See constval

Command dux "Du, extended"

A variant on the hadoop du command which does a recursive listFiles() call on every directory immediately under the source path -in separate threads.

For any store which supports higher performance deep tree listing (S3A in particular) This can be significantly faster than du's normal treewalk.

Even without that, because lists are done in separate threads, a speedup is almost guaranteed.

There is no scheduling of work into separate threads within a directory; those stores which do prefetching in separate threads (recent ABFS and S3A builds) do add some paralellism here.

Usage: dux
        -D <key=value>  Define a property
        -tokenfile <file>       Hadoop token file to load
        -xmlfile <file> XML config file to load
        -threads <threads>      number of threads
        -limit <limit>  limit of files to list
        -verbose        print verbose output
        -bfs            do a breadth first search of the path

The -verbose option prints out more filesystem statistics, and of the list iterators (useful if they publish statistics)

-limit puts a limit on the total number of files to scan; this is useful when doing deep scans of buckets so as to put an upper bound on the scan. Note, when used against S3 an ERROR may be printed in the AWS SDK. This is harmless; it comes from the SDK thread pool being closed while a list page prefetch is in progress.

Command fetchdt

This is an extension of hdfs fetchdt which collects delegation tokens from a list of filesystems, saving them to a file.

See fetchdt

Command filestatus

Calls getFileStatus on the listed paths, prints the values. For stores which have more detail on the toString value of any subclass of FileStatus, this can be more meaningful.

Also prints the time to execute each operation (including instantiating the store), and with the -verbose option, the store statistics.

hadoop jar  cloudstore-1.0.jar \
            filestatus  \

2019-07-31 21:48:34,963 [main] INFO  commands.PrintStatus (<init>(53)) - Starting: get path status
s3a://guarded-table/example S3AFileStatus{path=s3a://guarded-table/example; isDirectory=false; length=0; replication=1; 
  blocksize=33554432; modification_time=1564602680000;
  access_time=0; owner=stevel; group=stevel;
  permission=rw-rw-rw-; isSymlink=false; hasAcl=false; isEncrypted=true; isErasureCoded=false}
  isEmptyDirectory=FALSE eTag=d41d8cd98f00b204e9800998ecf8427e versionId=null
2019-07-31 21:48:37,182 [main] INFO  commands.PrintStatus ( - get path status: duration 0:02:221

Command gcscreds

Help debug gcs credential bindings as set in

it does ths with some better diagnostics of parsing problems.

warning: at -verbose, this prints your private key

hadoop jar cloudstore-1.0.jar gcscreds gs://bucket/

key uses \n for separator -gs connector must convert to line endings
2022-01-19 17:55:51,016 [main] INFO  gs.PemReader ( - title match  at line 1
2022-01-19 17:55:51,020 [main] INFO  gs.PemReader ( - scanning for end 
Parsed private key -entry length 28 lines

Command list

Do a recursive listing of a path. Uses listFiles(path, recursive), so for any object store which can do this as a deep paginated scan, is much, much faster.

Usage: list
  -D <key=value>    Define a property
  -tokenfile <file> Hadoop token file to load
  -limit <limit>    limit of files to list
  -verbose          print verbose output
  -xmlfile <file>   XML config file to load

Example: list some of the AWS public landsat store.

> bin/hadoop jar cloudstore-1.0.jar list -limit 10 s3a://landsat-pds/

Listing up to 10 files under s3a://landsat-pds/
2019-04-05 21:32:14,523 [main] INFO  tools.ListFiles (<init>(53)) - Starting: Directory list
2019-04-05 21:32:14,524 [main] INFO  tools.ListFiles (<init>(53)) - Starting: First listing
2019-04-05 21:32:15,754 [main] INFO  tools.ListFiles ( - First listing: duration 0:01:230
[1] s3a://landsat-pds/L8/001/002/LC80010022016230LGN00/LC80010022016230LGN00_B1.TIF 63,786,465 stevel stevel [encrypted]
[2] s3a://landsat-pds/L8/001/002/LC80010022016230LGN00/LC80010022016230LGN00_B1.TIF.ovr 8,475,353 stevel stevel [encrypted]
[3] s3a://landsat-pds/L8/001/002/LC80010022016230LGN00/LC80010022016230LGN00_B10.TIF 35,027,713 stevel stevel [encrypted]
[4] s3a://landsat-pds/L8/001/002/LC80010022016230LGN00/LC80010022016230LGN00_B10.TIF.ovr 6,029,012 stevel stevel [encrypted]
[5] s3a://landsat-pds/L8/001/002/LC80010022016230LGN00/LC80010022016230LGN00_B10_wrk.IMD 10,213 stevel stevel [encrypted]
[6] s3a://landsat-pds/L8/001/002/LC80010022016230LGN00/LC80010022016230LGN00_B11.TIF 34,131,348 stevel stevel [encrypted]
[7] s3a://landsat-pds/L8/001/002/LC80010022016230LGN00/LC80010022016230LGN00_B11.TIF.ovr 5,891,395 stevel stevel [encrypted]
[8] s3a://landsat-pds/L8/001/002/LC80010022016230LGN00/LC80010022016230LGN00_B11_wrk.IMD 10,213 stevel stevel [encrypted]
[9] s3a://landsat-pds/L8/001/002/LC80010022016230LGN00/LC80010022016230LGN00_B1_wrk.IMD 10,213 stevel stevel [encrypted]
[10] s3a://landsat-pds/L8/001/002/LC80010022016230LGN00/LC80010022016230LGN00_B2.TIF 64,369,211 stevel stevel [encrypted]
2019-04-05 21:32:15,757 [main] INFO  tools.ListFiles ( - Directory list: duration 0:01:235

Found 10 files, 124 milliseconds per file
Data size 217,741,136 bytes, 21,774,113 bytes per file

Command localhost

Print out localhost information from java APIs and then the hadoop network APIs.

Command locatefiles

Use the mapreduce LocatedFileStatusFetcher to scan for all non-hidden files under a path.

See locatefiles

Command mkcsv

Creates a large CSV file designed to trigger/validate the ABFS prefetching bug which came in HADOOP-17156/

See mkcsv

Command pathcapability

Probes a filesystem for offering a specific named capability on the given path.

Requires a version of Hadoop with the PathCapabilities interface, which includes Hadoop 3.3 onwards.

bin/hadoop jar cloudstore-1.0.jar pathcapability
Usage: pathcapability [options] <capability> <path>
    -D <key=value> Define a property
    -tokenfile <file> Hadoop token file to load
    -verbose print verbose output
    -xmlfile <file> XML config file to load
hadoop jar cloudstore-1.0.jar pathcapability s3a://landsat-pds/

Using filesystem s3a://landsat-pds
Path s3a://landsat-pds/ has capability

The exit code of the command is 0 if the capability is present, -1 if absent, and 55 if the hadoop version does not support the API. Approximate HTTP equivalent: 505: Version Not Supported.

As it is in Hadoop 3.3, all APIs new to that release (including openFile()) can absolutely be probed for. Otherwise, the 55 response may mean "an API is implemented, just not the probe".

Command safeprefetch

Probes an abfs store for being vulnerable to prefetch data corruption, providing the configuration information to disable it if so.

See safeprefetch

Command tarhardened

Verify the hadoop release has had its untar command hardened and will not evaluate commands passed in as filenames.

See tarhardened

Command tlsinfo

Print out tls information, and X509 certificates.

Usage: tlsinfo [-verbose] [-debug] [<match>]
> hadoop jar cloudstore-1.0 tlsinfo amazon

TLS System Properties

[001]  java.version = "17.0.8"
[002]  java.library.path = "/Users/stevel/Library/Java/Extensions:/Library/Java/Extensions:/Network/Library/Java/Extensions:/System/Library/Java/Extensions:/usr/lib/java:."
[003]  https.protocols = (unset)
[004] = (unset)
[005] = (unset)
[006] = (unset)
[007] = (unset)
[008]  jdk.certpath.disabledAlgorithms = (unset)
[009]  jdk.tls.client.cipherSuites = (unset)
[010]  jdk.tls.client.protocols = (unset)
[011]  jdk.tls.disabledAlgorithms = (unset)
[012]  jdk.tls.legacyAlgorithms = (unset)
[013] = (unset)

HTTPS supported protocols



Certificates from the default certificate manager

[001] CN=Amazon Root CA 4, O=Amazon, C=US: 
[002] CN=Amazon Root CA 3, O=Amazon, C=US: 
[003] CN=Amazon Root CA 1, O=Amazon, C=US: 
[004] CN=Amazon Root CA 2, O=Amazon, C=US: 

V1 SDK commands

See Cloudstore support for AWS V1 SDK.

V2 SDK commands

See Cloudstore support for AWS V2 SDK.

Development and Future Work

Roadmap: Whatever we need to debug things.

This file can be grabbed via curl statements and executed to help automate testing of cluster deployments.

To help with doing this with the latest releases, it may be enhanced regularly, with new releases.

There is no real release plan other than this.

Possible future work

Contributions through PRs welcome.

Bug reports: please include environment and ideally patches.

There is no formal support for this. Sorry.
