From: "Austin S. Hemmelgarn" <ahferroin7@gmail.com>
To: Andrei Borzenkov <arvidjaar@gmail.com>,
	Christoph Anton Mitterer <calestyo@scientia.net>,
	Qu Wenruo <quwenruo@cn.fujitsu.com>,
	linux-btrfs@vger.kernel.org
Subject: Re: Exactly what is wrong with RAID5/6
Date: Wed, 21 Jun 2017 13:30:21 -0400	[thread overview]
Message-ID: <76da9e45-a833-2552-f546-d71d9c2b371b@gmail.com> (raw)
In-Reply-To: <69992a11-bf68-9c0b-8b23-fef48ba80907@gmail.com>

On 2017-06-21 13:20, Andrei Borzenkov wrote:
> 21.06.2017 16:41, Austin S. Hemmelgarn writes:
>> On 2017-06-21 08:43, Christoph Anton Mitterer wrote:
>>> On Wed, 2017-06-21 at 16:45 +0800, Qu Wenruo wrote:
>>>> Btrfs is always using device ID to build up its device mapping.
>>>> And for any multi-device implementation (LVM, mdadm) it's never a good
>>>> idea to use device path.
>>>
>>> Isn't it rather the other way round? Using the ID is bad? Don't you
>>> remember our discussion about using leaked UUIDs (or accidental
>>> collisions) for all kinds of attacks?
>> Both are bad for different reasons.  For the particular case of sanely
>> handling transient storage failures (device disappears then reappears),
>> you can't do it with a path in /dev (which is what most people mean when
>> they say device path), and depending on how the hardware failed and the
>> specifics of the firmware, you may not be able to do it with a
>> hardware-level device path, but you can do it with a device ID assuming
>> you sanely verify the ID.  Right now, BTRFS is not sanely checking the
>> ID (it only verifies the UUIDs in the FS itself, it should also be
>> checking hardware-level identifiers like WWN).
> 
> Which is not enough too; if device dropped off array and reappeared
> later we need to be able to declare it stale, even if it has exactly the
> same UUID and WWN and whatever hardware identifier is used. So we need
> some generation number to be able to do it. Incidentally MD does have
> them and compares generation numbers to decide whether device can be
> assimilated.
> 
I was not disputing that aspect, just the method verifying the device 
that reappeared is the same one that disappeared.  Outside of the 
requirement to properly re-sync (we would also need to do some kind of 
sanity check on the generation number too, otherwise we end up with the 
possibility of a partial write there nuking the whole FS when the device 
reconnects), verifying some level of hardware identification covers the 
security and data safety issues that Christoph is referring to 
sufficiently for the common cases (with the biggest being USB attached 
devices with BTRFS volumes on them).
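The re-admission policy the thread converges on (FS-level UUIDs, then a hardware identifier such as a WWN, then a generation comparison) as an added example in C; this is illustration code, not btrfs's own device-mapping code, and the record layout, the `check_readmit` function, the "ahead" outcome for a device whose generation is newer than the array's, and all sample values are constructed assumptions for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of what a multi-device FS knows about a member, plus what
 * a reappearing device's superblock claims; not btrfs's on-disk structures. */
struct dev_record {
    const char *fs_uuid;   /* filesystem UUID from the superblock */
    const char *dev_uuid;  /* per-device UUID from the superblock */
    const char *wwn;       /* hardware identifier reported by the device */
    uint64_t generation;   /* last transaction generation committed on it */
};
enum readmit { READMIT_OK, READMIT_ID_MISMATCH, READMIT_STALE, READMIT_AHEAD };

/* Decide whether a device that reappears may rejoin the array. 'slot' is the
 * array's current view of that member, 'dev' is what the reappeared device says. */
enum readmit check_readmit(const struct dev_record *slot,
                           const struct dev_record *dev)
{
    /* 1. FS-level identifiers: the check the thread says btrfs already does. */
    if (strcmp(slot->fs_uuid, dev->fs_uuid) || strcmp(slot->dev_uuid, dev->dev_uuid))
        return READMIT_ID_MISMATCH;
    /* 2. Hardware identifier: a copied or leaked UUID on other hardware fails here. */
    if (strcmp(slot->wwn, dev->wwn))
        return READMIT_ID_MISMATCH;
    /* 3. Generation: older means it missed writes and must be resynced; newer means
     * it claims transactions the array never completed (e.g. a partial write). */
    if (dev->generation < slot->generation)
        return READMIT_STALE;
    if (dev->generation > slot->generation)
        return READMIT_AHEAD;
    return READMIT_OK;
}

/* Constructed sample data: the array's record for member 2 and four candidates. */
static const struct dev_record slot2     = {"fs-uuid-A", "dev-uuid-2", "wwn-0002", 120};
static const struct dev_record same_dev  = {"fs-uuid-A", "dev-uuid-2", "wwn-0002", 120};
static const struct dev_record stale_dev = {"fs-uuid-A", "dev-uuid-2", "wwn-0002", 117};
static const struct dev_record cloned    = {"fs-uuid-A", "dev-uuid-2", "wwn-9999", 120};
static const struct dev_record torn_dev  = {"fs-uuid-A", "dev-uuid-2", "wwn-0002", 121};

int main(void)
{
    static const char *names[] = {"ok", "id-mismatch", "stale", "ahead"};
    printf("same:   %s\n", names[check_readmit(&slot2, &same_dev)]);
    printf("stale:  %s\n", names[check_readmit(&slot2, &stale_dev)]);
    printf("cloned: %s\n", names[check_readmit(&slot2, &cloned)]);
    printf("torn:   %s\n", names[check_readmit(&slot2, &torn_dev)]);
    return 0;
}
```

Only the `same_dev` candidate is admitted as-is; a stale device would need a resync, and the cloned and torn cases are refused before any data is served from them.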
