From: Jan Tulak <jtulak@redhat.com>
To: "Darrick J. Wong" <darrick.wong@oracle.com>
Cc: Brian Foster <bfoster@redhat.com>,
	Dave Chinner <david@fromorbit.com>,
	linux-xfs@vger.kernel.org, Eric Sandeen <sandeen@sandeen.net>
Subject: Re: [PATCH 2/2] mdrestore: warn about corruption if log is dirty
Date: Thu, 13 Apr 2017 10:12:18 +0200
Message-ID: <CACj3i70U1_Z+mkwc9EkQ+ThWqWrZmtQCqnnULpnVAbNJcZM2XA@mail.gmail.com>
In-Reply-To: <20170412174515.GO8502@birch.djwong.org>

On Wed, Apr 12, 2017 at 7:45 PM, Darrick J. Wong
<darrick.wong@oracle.com> wrote:
> On Wed, Apr 12, 2017 at 07:06:33AM -0400, Brian Foster wrote:
>> On Tue, Apr 11, 2017 at 04:43:26PM -0700, Darrick J. Wong wrote:
>> > On Wed, Apr 12, 2017 at 08:34:05AM +1000, Dave Chinner wrote:
>> > > On Tue, Apr 11, 2017 at 04:12:37PM +0200, Jan Tulak wrote:
>> > > > A dirty log in an obfuscated dump means that a corruption can happen
>> > > > when replaying the log (which contains unobfuscated data). Warn the user
>> > > > about this possibility.
>> > >
>> > > > The xlog workaround is a copy&paste solution from repair/phase2.c and
>> > > > other tools, because the function is not implemented in libxlog.
>> > > >
>> > > > Signed-off-by: Jan Tulak <jtulak@redhat.com>
>> > >
>> > > I think this is overkill. mdrestore is not the place
>> > > to be interpreting the state of the dumped image - it is a basic
>> > > "restore the image" program, not a "check the validity of the image"
>> > > program.
>> > >
>> > > Secondly, if people are having problems with running log recovery on
>> > > a restored obfuscated image and getting corruption and not knowing
>> > > why or what to do, then that is a /documentation and training/
>> > > problem, not a code problem.
>> > >
>> > > i.e. the problem is that people who aren't developers are trying to
>> > > use tools that were written for developers to do forensic analysis
>> > > of failures. Don't dumb down the tool for clueless users - point the
>> > > users at the documentation that the tool requires to use correctly...
>> >
>> > Looking at the patch, that's a lot of code to add to mdrestore that has
>> > nothing to do with metadump restoration.  For that matter, who's to say
>> > that the metadump'd image is even an XFS filesystem, and not just some
>> > garbage with just the right superblock values to pass the
>> > perform_restore() checks?  (Ok, ok, that was a little over the top.)
>> >
>>
>> Agreed wrt to the mdrestore bits...
>>
>> > The key change we're trying to make is to prevent people incorrectly
>> > replaying an XFS with a dirty log when the fs image has been restored
>> > from an obfuscated metadump.
>> >
>> > So in my mind this brings up two questions:  First, how do we prevent
>> > log replay in such situations?  Second, how do we teach people not to
>> > attempt log replay?  As you point out, it's better that we educate
>> > people as to what problems each tool tries to solve and where the sharp
>> > edges might be on the debugging tools, but the answer to the first
>> > question ensures that us fallible developers can't do something stupid
>> > even though we theoretically know better.
>> >
>> > Frankly, if the goal is to nudge n00b members of support teams away from
>> > a behavior that won't help them towards starting their failure analysis,
>> > then I think we ought to patch the log recovery code to detect an
>> > obfuscated fs image, complain to dmesg about someone making an illogical
>> > move, and then refuse to mount the log.
>> >
>>
>> I don't think this is really appropriate. Some users may very well have
>> no other option but to create a dirty log + obfuscated metadump for
>> whatever security/privacy reasons they have. The purpose of warning in
>> that case is to notify the user to either verify the resulting image
>> shows whatever problems are exhibited by the original fs and no others,
>> or to notify the developer that other corruption might exist and to
>> ignore it as a side effect of the metadump process itself (provided it
>> doesn't interfere with rca of the original problem). Refusing to run log
>> recovery in such cases just gets in the way.
>>
>> I'm not tied to having an mdrestore warning at all, but I'd much prefer
>> to see it there rather than include obfuscation logic in the kernel just
>> to facilitate a userspace tool to continue on silently corrupting
>> filesystem images.
>
> <nod> I've changed my mind overnight.  Now I agree that we could put a
> message in at metadump time, because it's not too late to ask the user
> to try to send us a metadump w/ clean log.  Eric also convinced me that
> it's not so trivial to detect an obfuscated image, so that simply won't
> work without a bunch of hackery.
>

Ok, I will send again only the dump patch with modified message (+ man
page update), without this mdrestore patch. That way it should pass
and meanwhile, we can continue here about what to do (if anything)
with mdrestore.

Jan

-- 
Jan Tulak
jtulak@redhat.com / jan@tulak.me
