sgdisk: Run partx after partition changes

[pothos]

• disks: Refuse to modify disks/partitions in use

  When a partition or the whole disk is in use, sgdisk should not execute
  the destructive operation.
  Add a check that errors out when a disk in use or a partition in use is
  to be destroyed.

• sgdisk: Run partx after partition changes

  The sgdisk tool does not update the kernel partition table with BLKPG in
  contrast to other similar tools but only uses BLKRRPART which fails as
  soon as one partition of the disk is mounted.
  Update the kernel partition table with partx when we know that a
  partition of the disk is in use.

[jlebon]

Thanks, this makes sense to me and may actually fix #1729. Some comments but the idea overall LGTM.

[jlebon]

I'd prefer we use blockdev --rereadpt which is part of util-linux and more likely to be already available (e.g. FCOS doesn't ship partprobe).

[pothos]

I tried this and it doesn't achieve the same thing because it can fail with BLKRRPART: Device or resource busy while partprobe succeeds in forcing a kernel partition re-read. If you know that you don't have this problem you could use the introduced command parameter to run blockdev instead, does this work for you?

[pothos]

I guess this requires a wrapper to pass the --rereadpt argument. Your initrd could ship something like that as blockdev-rereadpt and then you configure it as partprobeCmd:

#!/bin/sh
exec blockdev --rereadpt "$@"

[jlebon]

I tried this and it doesn't achieve the same thing because it can fail with BLKRRPART: Device or resource busy while partprobe succeeds in forcing a kernel partition re-read.

Not sure why it's hitting EBUSY. The common case would be if one of the filesystems on that disk is mounted, but since we were just able to modify the partition table, that shouldn't be the case. Possibly we're racing with udev?

And actually on that topic, would it work here to play the same trick as #1319 and emit a tagged event against the disk?

[pothos]

Right, one of the filesystems is mounted and this happens when adding a new partition to the boot disk.

[pothos]

Ok, so what works is partx -u - /dev/vda and this should have the same effect as partprobe which also adds the individual partitions to the kernel. Since partx should be available everywhere where util-linux is, should I change the PR to use partx?

[pothos]

It seems that sgdisk doesn't do that itself while sfdisk does - is there a big reason to use sgdisk?
Anyway, since it doesn't hurt to call partx I would suggest to use it here and can update the PR.

[jlebon]

It seems that sgdisk doesn't do that itself while sfdisk does - is there a big reason to use sgdisk?

I'm not sure. It seems like sfdisk didn't support GPT in the past so that may be related, but I didn't check the timelines. Regardless, changing it at this point is not worth the risk. The implementation is quite tied to sgdisk intricacies.

Anyway, since it doesn't hurt to call partx I would suggest to use it here and can update the PR.

Before we do that, did you try out this suggestion:

And actually on that topic, would it work here to play the same trick as #1319 and emit a tagged event against the disk?

?

That'd be my preferred solution if it works.

I know you're aware, but for posterity: the difference with partx (and partprobe) vs blockdev --rereadpt is that they manually parse the table and tell the kernel about it instead of letting the kernel do it (BLKPG vs BLKRRPART). While there shouldn't be a perceptible difference, I'd rather we keep relying on the kernel and not make the first boot special. (And of course, it avoids another dependency.)

[pothos]

And actually on that topic, would it work here to play the same trick as #1319 and emit a tagged event against the disk?

This here is not a race, it's really because the BLKRRPART ioctl on the block fails when one partition is mounted (E.g., the ESP or root partition). In this case, to my understanding, the partitioning program should add the partition objects one by one with BLKPG (I would argue that normally this is even the preferred way because it avoids the full re-read and async waiting logic needed when wanting to access the created partition).

I haven't tried if supplying sfdisk as sgdisk command would work but anyway, I think we need to work around the deficiencies of sgdisk and run partx/partprobe from Ignition.

[pothos]

udevadm trigger --settle does not result in the new partition showing up, maybe that wasn't clear from my previous comments
(After a reboot, the new partition shows up without problems of course)

[jlebon]

OK, I think I understand better now.

sgdisk does call BLKRRPART at the end of its operation, but will still exit 0 if it gets EBUSY (and print out its "Warning: The kernel is still using the old partition table." message). So the partition table never gets reloaded. And this happens in your environment because something is keeping one or more filesystems busy on the target disk we're editing.

Now, is that by design (e.g. you're knowingly mounting filesystems before the disks stage runs), or a bug (e.g. something is racing, maybe udev, and probing filesystems between the time sgdisk edits the table and the time it emits BLKRRPART)?

[pothos]

Now, is that by design (e.g. you're knowingly mounting filesystems before the disks stage runs), or a bug (e.g. something is racing, maybe udev, and probing filesystems between the time sgdisk edits the table and the time it emits BLKRRPART)?

Correct, it's by design because users want to add a new partition on the boot disk where in our case /usr is already mounted in the initrd, and maybe more (OEM or ESP, I would have to check).

[jlebon]

Correct, it's by design because users want to add a new partition on the boot disk where in our case /usr is already mounted in the initrd, and maybe more (OEM or ESP, I would have to check).

Gotcha. And did your initrd change recently to do this mounting earlier than it used to? I'm trying to understand how this ever worked before. I don't think there's a udev rule that will call out to partx/partprobe.

Thinking on this, it's not clear to me whether we should even try to support this (partitioning a busy disk). It makes Ignition less deterministic since depending on the config, it may or may not be able to update the kernel. Though if we can ensure that we correctly error out in the latter case, that'd be OK I guess... I'll try to gather thoughts from a few others.

[pothos]

Our initrd uses the /usr partition already at that point. Yes, this was a recent change. By chance, repartitioning the root partition worked because the start point stayed the same even though the "old" partition was still used by the kernel. Adding a new one didn't work anymore which we only found out later.
To me this is really a limitation in sgdisk and with sfdisk this wouldn't occur. I've updated the patch to use partx from util-linux which FCOS probably already has in the initrd (Flatcar did).

[jlebon]

I'm OK with this I think if we can confirm that Ignition will correctly error out if we try to nuke/modify partitions that are currently busy (i.e. with mounted filesystems).

In other words, the invariant here is that the loaded partition table must always match the on-disk state at the end of the operation. And fail if that invariant cannot hold.

[pothos]

I'm OK with this I think if we can confirm that Ignition will correctly error out if we try to nuke/modify partitions that are currently busy (i.e. with mounted filesystems).

This is orthogonal: currently sgdisk will not error out if you remove or resize a partition in use. Detecting this is also not easy because it's not only mounted filesystems but also about device mapper usage.
This can be used to check for unused disks/partitions:

lsblk -lnpb -o NAME | while IFS= read -r line; do
drive=$(echo "$line" | awk '{print $1}')
mountpoints=$(lsblk -ln -o MOUNTPOINT "$drive")
device_mapper_usages=$(lsblk -ln -o PATH "$drive" |  grep -v "^$drive")
if [[ -z "$mountpoints" ]] && [[ -z "${device_mapper_usages}" ]]; then
  echo "$drive"
fi
done

In other words, the invariant here is that the loaded partition table must always match the on-disk state at the end of the operation. And fail if that invariant cannot hold.

Yes, that's the aim of this PR, as this wasn't upheld before.

[pothos]

This is orthogonal: currently sgdisk will not error out if you remove or resize a partition in use. Detecting this is also not easy because it's not only mounted filesystems but also about device mapper usage.

I created a new issue for this: #1745

[jlebon]

Let me reword my comment a different way: I think the fact that partitioning a busy disk "additively" worked was a happy accident and not a design choice. No downstream distro until now needed it. This PR is making it a design choice, and I'm OK with that, but then we should try to implement it properly.

I had hoped that partx -u would error out if a busy partition was deleted, but testing it, that's not the case. An strace shows it getting EBUSY for BLKPG_DEL_PARTITION but the command itself doesn't error out.

Re. #1745, I think a simpler way to check for whether the partition is busy is to check if the holders/ directory in sysfs for that device is empty. We do something similar in coreos-installer: https://github.com/coreos/coreos-installer/blob/686e0320f04a5a3e18ab0bb6278a34137eb22f96/src/blockdev.rs#L132

As a bonus, checking this upfront means that we can call partx only when strictly necessary and otherwise rely on BLKRRPART from sgdisk.

Also, it looks like partx is failing in CI on the RAID1 test and some others:

[ 23.100241] ignition[958]: Ignition failed: create partitions failed: re-reading partitions failed: exit status 1: Cmd: "partx" "-u" "-" "/run/ignition/dev_aliases/dev/vda" Stdout: "" Stderr: "partx: /run/ignition/dev_aliases/dev/vda: failed to read partition table\n"

[pothos]

When testing I found out that partx -u is not a replacement for partprobe because it does not add new partitions or remove deleted ones. I need separate invocations with partx -d and partx -a with the exact partition numbers to work on and when at it it might make sense to also use the exact partitions for partx -u but that's a minor optimization.

[pothos]

The Go 1.21 linter suddenly can't find certain fields anymore, not sure where this comes from. Looks unrelated.

[pothos]

I'm still testing this, and will say when it's ready for review

[pothos]

I'm still testing this, and will say when it's ready for review

It's ready for review. I've tested it with Flatcar's kola suite and also manually: adding a partition on the boot device, updating a partition (resize), and deleting, and also that modifications of partitions in-use is producing an error and won't be touching the data.

[prestist]

I'm still testing this, and will say when it's ready for review

It's ready for review. I've tested it with Flatcar's kola suite and also manually: adding a partition on the boot device, updating a partition (resize), and deleting, and also that modifications of partitions in-use is producing an error and won't be touching the data.

Thank you so much for going through the testing. I will try and take a look today.

When you can, please make sure to re-base, as some of our CI has been updated , and will prevent a merge without it.

Thank you again for your patience and diligence.

[pothos]

Thanks for the note, I've rebased it.

[prestist]

Generally LGTM, I have a few asks and nits if you would not mind taking a look.

Nothing is blocking minus release notes.

[jlebon]

I've added a review request from myself as well. I should be able to review it soon too.

[jlebon]

Some minor details, but this looks sane overall. Thanks!

[jlebon]

A bit heavy to parse /proc/mounts on every block device. Ideally, we'd do this once. In practice, I don't think it matters too much.

[pothos]

Yes, there shouldn't be millions of mount points in the initrd - if that ever is the case it can be cached.

[prestist]

@pothos wanted to see if you had the chance to see @jlebon's change requests?

[pothos]

I'll try to have a look next week (edit: in the next months…).

[pothos]

The patches work well in Flatcar PR where a backported them to replace the first patch posted here.

Tested three cases, the overwriting of USR-A was detected and an error thrown, the other two changes passed without problem because the USR-B is unused and can be overwritten and the new partition is also ok to add (confirmed with lsblk that the kernel has the updated values thanks to partx).

variant: flatcar
version: 1.0.0
storage:
  disks:
  - device: /dev/vda
    partitions:
    - label: USR-A
      number: 3
      size_mib: 1
      resize: true

variant: flatcar
version: 1.0.0
storage:
  disks:
  - device: /dev/vda
    partitions:
    - label: USR-B
      number: 4
      size_mib: 1
      resize: true

variant: flatcar
version: 1.0.0
storage:
  disks:
  - device: /dev/vda
    partitions:
    - label: VAR
      number: 10
      size_mib: 1
  filesystems:
  - device: /dev/disk/by-partlabel/VAR
    format: vfat
    path: /var
    label: VAR
    with_mount_unit: true

[prestist]

@pothos Thank you so much for testing the cases and addressing @jlebon 's comments. I am going to take a pass at this today and see if I notice anything.

[prestist]

This looks good to me, thank you again for being so diligent. @jlebon wdyt?

[jlebon]

A few comments, but looks great overall!

[jlebon]

There is no error path in this function so we could also simplify this to just return a string.

[jlebon]

Minor: likely functionally equivalent, but it'd be clearer/more self-explanatory if instead we did strings.HasPrefix(mountSource, "/").

[jlebon]

Minor: maybe "failed to open /proc/mounts"?

[jlebon]

Hmm, is that the canonical way to get disk partitions? I wonder how libblkid does it. Which actually, we do link to it in Ignition.

So another way to get this info is to use e.g. getPartitionMap() in this file which calls out to libblkid. But I think that function assumes that the passed device is a disk so it wouldn't work when recursing into the partition in blockDevInUse(). But we could also restructure blockDevInUse() so that the held and mounted checks are their own functions and then not recurse (which anyway feels a bit like a weird thing to do to avoid even looking for partitions on partitions).

Not a blocker.

[jlebon]

At the very least here, we could pass a bool to make it not even check for partitions when recursing here.

[prestist]

@pothos have you had a chance to see @jlebon's comments?