From: Brian Foster <bfoster@redhat.com>
To: "Darrick J. Wong" <darrick.wong@oracle.com>
Cc: Dave Chinner <david@fromorbit.com>, Jan Tulak <jtulak@redhat.com>,
linux-xfs@vger.kernel.org, sandeen@sandeen.net
Subject: Re: [PATCH 2/2] mdrestore: warn about corruption if log is dirty
Date: Wed, 12 Apr 2017 07:06:33 -0400 [thread overview]
Message-ID: <20170412110633.GC6834@bfoster.bfoster> (raw)
In-Reply-To: <20170411234326.GA5109@birch.djwong.org>
On Tue, Apr 11, 2017 at 04:43:26PM -0700, Darrick J. Wong wrote:
> On Wed, Apr 12, 2017 at 08:34:05AM +1000, Dave Chinner wrote:
> > On Tue, Apr 11, 2017 at 04:12:37PM +0200, Jan Tulak wrote:
> > > A dirty log in an obfuscated dump means that a corruption can happen
> > > when replaying the log (which contains unobfuscated data). Warn the user
> > > about this possibility.
> >
> > > The xlog workaround is copy&paste solution from repair/phase2.c and
> > > other tools, because the function is not implemented in libxlog.
> > >
> > > Signed-off-by: Jan Tulak <jtulak@redhat.com>
> >
> > I think this is overkill. mdrestore is not the place
> > to be interpreting the state of the dumped image - it is a basic
> > "restore the image" program, not a "check the validity of the image"
> > program.
> >
> > Secondly, if people are having problems with running log recovery on
> > a restored obfuscated image and getting corruption and not knowing
> > why or what to do, then that is a /documentation and training/
> > problem, not a code problem.
> >
> > i.e. the problem is that people who aren't developers are trying to
> > use tools that were written for developers to do forensic analysis
> > of failures. Don't dumb down the tool for clueless users - point the
> > users at the documentation that the tool requires to use correctly...
>
> Looking at the patch, that's a lot of code to add to mdrestore that has
> nothing to do with metadump restoration. For that matter, who's to say
> that the metadump'd image is even an XFS filesystem, and not just some
> garbage with the just the right superblock values to pass the
> perform_restore() checks? (Ok, ok, that was a little over the top.)
>
Agreed wrt to the mdrestore bits...
> The key change we're trying to make is to prevent people incorrectly
> replaying an XFS with a dirty log when the fs image has been restored
> from an obfuscated metadump.
>
> So in my mind this brings up two questions: First, how do we prevent
> log replay in such situations? Second, how do we teach people not to
> attempt log replay? As you point out, it's better that we educate
> people as what problems each tool tries to solve and where the sharp
> edges might be on the debugging tools, but the answer to the first
> question ensures that us fallible developers can't do something stupid
> even though we theoretically know better.
>
> Frankly, if the goal is to nudge n00b members of support teams away from
> a behavior that won't help them towards starting their failure analysis,
> then then I think we ought to patch the log recovery code to detect an
> obfuscated fs image, complain to dmesg about someone making an illogical
> move, and then refuse to mount the log.
>
I don't think this is really appropriate. Some users may very well have
no other option but to create a dirty log + obfuscated metadump for
whatever security/privacy reasons they have. The purpose of warning in
that case is to notify the user to either verify the resulting image
shows whatever problems are exhibited by the original fs and no others,
or to notify the developer that other corruption might exist and to
ignore it as a side effect of the metadump process itself (provided it
doesn't interfere with rca of the original problem). Refusing to run log
recovery in such cases just gets in the way.
I'm not tied to having an mdrestore warning at all, but I'd much prefer
to see it there rather than include obfuscation logic in the kernel just
to facilitate a userspace tool to continue on silently corrupting
filesystem images.
Brian
> I'd rather push back on the incorrect behavior at the time it is done,
> instead of training people to ignore a priori warning messages.
>
> --D
>
> > Cheers,
> >
> > Dave.
> > --
> > Dave Chinner
> > david@fromorbit.com
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-04-12 11:06 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-11 14:12 [PATCH 0/2] xfsprogs: metadump/mdrestore warns about dirty journal Jan Tulak
2017-04-11 14:12 ` [PATCH 1/2] metadump: warn about corruption if log is dirty Jan Tulak
2017-04-11 18:30 ` Brian Foster
2017-04-11 18:34 ` Eric Sandeen
2017-04-11 18:43 ` Brian Foster
2017-04-11 19:01 ` Eric Sandeen
2017-04-11 23:44 ` Darrick J. Wong
2017-04-12 11:03 ` Brian Foster
2017-04-12 11:24 ` Jan Tulak
2017-04-11 14:12 ` [PATCH 2/2] mdrestore: " Jan Tulak
2017-04-11 18:33 ` Brian Foster
2017-04-11 18:39 ` Eric Sandeen
2017-04-11 18:49 ` Brian Foster
2017-04-11 18:59 ` Eric Sandeen
2017-04-11 22:34 ` Dave Chinner
2017-04-11 23:43 ` Darrick J. Wong
2017-04-12 1:48 ` Eric Sandeen
2017-04-12 11:26 ` Brian Foster
2017-04-12 11:06 ` Brian Foster [this message]
2017-04-12 17:45 ` Darrick J. Wong
2017-04-13 8:12 ` Jan Tulak
2017-04-12 11:04 ` Brian Foster
2017-04-13 2:51 ` Dave Chinner
2017-04-13 13:10 ` Brian Foster
2017-04-14 0:29 ` Dave Chinner
2017-04-14 2:54 ` Brian Foster
2017-05-25 17:29 ` [PATCH 0/2] xfsprogs: metadump/mdrestore warns about dirty journal Eric Sandeen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170412110633.GC6834@bfoster.bfoster \
--to=bfoster@redhat.com \
--cc=darrick.wong@oracle.com \
--cc=david@fromorbit.com \
--cc=jtulak@redhat.com \
--cc=linux-xfs@vger.kernel.org \
--cc=sandeen@sandeen.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.