-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Avoid some crashes when importing a pool with corrupt metadata #9022
Avoid some crashes when importing a pool with corrupt metadata #9022
Conversation
Interesting idea, this can be useful in some of these edge cases.
I'm also concerned about what happens if someone does this in non-readonly while rolling back. I'm fairly sure this could lead to permanent pool damage, so it will need to be appropriately tested and if very destructive, will need to be documented with warnings. |
Thanks for the feedback, @richardelling. I just pushed a new commit that fixes the code-style issues, and adds the new option to the zpool man page and usage text.
zdb currently uses
Same here. I don't know enough about the ZFS internals to speak to that or to design a test plan. I just know that, on the one pool I've tested it on in readwrite mode, I've been able to successfully import/export many times, copy some files off of it, and completed 1.5 scrubs so far. |
This seems like a very low-level and potentially dangerous concept to be putting on the sysadmin. I'd prefer to find a solution that requires less admin intervention, or perhaps to make this a tunable rather than a first class option. |
perhaps make it a tunable that applies only when readonly import attempted? |
If the main use case is for readonly import, could we allow an unlimited number of errors by default for readonly import? |
Sounds good to me, since AFAIK there isn't yet a good way to recover a pool from a situation like this. I just pushed a new commit that changes the policy default when performing a readonly import. |
@smokris there appears to have general agreement on the updated approach. There's just some review feedback which needed to be addressed. How would you like to proceed with this? |
@behlendorf, thanks for the feedback, and my apologies for the delay. I just pushed a revised commit that rebases against latest master and incorporates your changes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for refreshing this. The updated version makes good sense to me. Let's just run it by a few more reviewers.
One issue I see with this is that this instead of automatically rewinding to a safe TXG (one of the 3 latest txgs) that doesn't have metadata errors, it will proceed with the txg that has errors. We could also end up having a critical section of metadata being corrupted, although given that the pool is read-only it should generally not go into a The example that is presented in this bug seems to be specific to a particular on-disk corruption recovery scenario. We already have |
@smokris Could you update the first comment of the PR to reflect the design changes made? i.e. there's no new |
@smokris Yeah, I understand. My main worry is the situation I've outlined:
This could cause a non-corrupted pool to actually report errors when imported in read-only mode if there were issues with the very last txg. I don't know how much this happens in practice, but I feel like I did see it happen before. Looking at
|
Ah, I see — it's a question of which is less of two evils: rewinding TXGs (potentially losing the latest changes), or ignoring metadata errors (potentially making the pool unusable). Since the latter is dangeous, I think it might be better to keep the current default behavior (rewinding TXGs), and just use So the primary change in this pull request (ignore metadata errors in readonly mode in |
Codecov Report
@@ Coverage Diff @@
## master #9022 +/- ##
========================================
- Coverage 80% 80% -<1%
========================================
Files 385 385
Lines 121470 121475 +5
========================================
- Hits 96756 96617 -139
- Misses 24714 24858 +144
Continue to review full report at Codecov.
|
- Skip invalid DVAs when importing pools in readonly mode (in addition to when the config is untrusted). - Upon encountering a DVA with a null VDEV, fail gracefully instead of panicking with a NULL pointer dereference. Signed-off-by: Steve Mokris <[email protected]>
- Skip invalid DVAs when importing pools in readonly mode (in addition to when the config is untrusted). - Upon encountering a DVA with a null VDEV, fail gracefully instead of panicking with a NULL pointer dereference. Reviewed-by: Pavel Zakharov <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Steve Mokris <[email protected]> Closes openzfs#9022
- Skip invalid DVAs when importing pools in readonly mode (in addition to when the config is untrusted). - Upon encountering a DVA with a null VDEV, fail gracefully instead of panicking with a NULL pointer dereference. Reviewed-by: Pavel Zakharov <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Steve Mokris <[email protected]> Closes openzfs#9022
- Skip invalid DVAs when importing pools in readonly mode (in addition to when the config is untrusted). - Upon encountering a DVA with a null VDEV, fail gracefully instead of panicking with a NULL pointer dereference. Reviewed-by: Pavel Zakharov <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Steve Mokris <[email protected]> Closes openzfs#9022
- Skip invalid DVAs when importing pools in readonly mode (in addition to when the config is untrusted). - Upon encountering a DVA with a null VDEV, fail gracefully instead of panicking with a NULL pointer dereference. Reviewed-by: Pavel Zakharov <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Steve Mokris <[email protected]> Closes #9022
Motivation and Context
How Has This Been Tested?
Start with a pool with corrupt metadata (in my case, a spacemap was corrupt).
Before: kernel panic due to NULL pointer dereference.
After: no panic, and now I'm able to access (at least some of) the data on this pool.
Types of changes
Checklist:
-X
)Signed-off-by
.