jiafu1115 commented on PR #20811: URL: https://github.com/apache/kafka/pull/20811#issuecomment-3485323683
> If min-isr is set to 2, then when two nodes goes down in the cluster, all the upload/delete operations won't make progress for those unavailable metadata partitions. It is good to leave it to 1 by default, the user can change the settings dynamically based on the replication-factor of the topic using `kafka-configs.sh` script. @kamalcph Thanks for you comments. I think it is one broker broken vs two brokers broken. I list some extra points for why we need to consider to change it: **Metadata loss is more critical than unavailable ** With min.isr=1, Leader crash = permanent metadata loss → remote data becomes unreachable. Silent data loss is worse than temporary write blocking. **Edge case vs. common risk** Single node failure (common): min.isr=2 still works Two nodes down (rare): Write blocked Correct trade-off: Block writes in extreme cases rather than risk data loss. **Industry standard or best pratice** Kafka's own metadata topics use min.isr=2: __transaction_state → min.isr=2 **Secure by default** Most users won't tune internal configs. Defaults must be safe. Users needing higher availability can explicitly lower it. Thanks for your discussion! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
