7584 Improve 'zpool labelclear' command #424
Conversation
usr/src/lib/libnvpair/mapfile-vers
Outdated
| @@ -198,6 +198,7 @@ SYMBOL_VERSION SUNW_1.1 { | |||
| nvlist_alloc; | |||
| nvlist_dup; | |||
| nvlist_free; | |||
| nvlist_invalidate; | |||
There was a problem hiding this comment.
You can't add the symbols to already existing public version, either move it to SUNWprivate_1.1, or provide new public version.
| free(label); | ||
| return (-1); | ||
| for (l = start; l < end; l++) { | ||
| if ((check == B_TRUE) || (cherry == B_TRUE)) { |
There was a problem hiding this comment.
treat these as booleans that they are, i.e., if (check || cherry).
usr/src/cmd/zpool/zpool_main.c
Outdated
| n = VDEV_LABELS / 2; | ||
| break; | ||
| case 'i': | ||
| index = strtoll(optarg, &end, 10); |
There was a problem hiding this comment.
how about using our new friend, strtonum(), here? :-)
usr/src/man/man1m/zpool.1m
Outdated
| @@ -105,6 +105,9 @@ | |||
| .Op Ar interval Op Ar count | |||
| .Nm | |||
| .Cm labelclear | |||
| .Op Fl b | Fl e | Fl i Ar index | |||
There was a problem hiding this comment.
can we please make it (here, usage, description) zfs labelclear [-cfm] [-b|-e|-i index] device?
usr/src/common/nvpair/nvpair.c
Outdated
| @@ -2355,6 +2355,18 @@ nvlist_common(nvlist_t *nvl, char *buf, size_t *buflen, int encoding, | |||
| } | |||
|
|
|||
| int | |||
| nvlist_invalidate(char *buf) | |||
There was a problem hiding this comment.
Shouldn't this function be taking the size of the buffer in question that we're modifying? I realize that we're only modifying the first byte at this time which in theory should always be valid for a char *, but seems like if this ever changes, that'll be helpful as the function is making an implicit assumption about the size.
|
Thanks for your feedback! I've just committed changes. Can you check them out ? |
usr/src/cmd/zpool/Makefile
Outdated
| INCS += -I../../common/zfs -I$(STATCOMMONDIR) | ||
|
|
||
| C99MODE= -xc99=%all |
There was a problem hiding this comment.
Please use the $(C99_ENABLE) macro instead for both.
|
Hi, Thanks for your feedback. C99LMODE seems to be derived from C99MODE (see Makefile.master) so setting C99MODE only should be enough ? I've modified the Makefile accordingly. Regards, Ganael. |
|
This adds quite a lot of flexibility to an already obscure subcommand, making it even harder to know how to use correctly. Is there any reason you wouldn't always want the |
|
Hi Matthew, Thanks for your feedback. My original idea was to extend the command while keeping its default behaviour. The reason is simple : that command is quite new in OpenZFS world but has already existed on FreeBSD for about 6 years now, see : https://svnweb.freebsd.org/base?view=revision&revision=224171 People are already used to it and changing its default behaviour will probably break things (scripts, brains, ...). That's just my 2 cents by I would personally prefer keeping it that way to avoid -more- confusion :) |
|
@martymac What could break if we change the default behavior? It seems like it would still have the same semantic of leaving the disk without any valid labels. |
|
What I mean is that people are probably used to the fact that this command blindly zeroes 512KiB at the beginning and the end of the disk and may (ab)use that property in a way or another (e.g. in an install script to wipe other kinds of metadata - shame on me, I remember having done that myself). Also, if you make -cm the default (and only) available methods, there will be no easy way of "full cleaning" labels. Yes, this can always be replaced by a dd pass but the end of the disk is trickier to reach than a simple labelclear. We could revert options meaning : i.e. make -cm the default and provide 2 options, one for 'not checking before erasing' and another for the 'full mode', but that will leave the same complexity while changing users habits. |
|
@ahrens Hi Matthew, what do you think about my previous comments ? Can we leave the default options as they are ? |
|
I'm not convinced that people are "used to the fact that this command blindly zeroes 512KiB at the beginning and the end of the disk". I think that this command is seldom-used, and when it's used it's for the documented purpose: "Removes ZFS label information." That said, I'm open to evidence to the contrary. I agree that with my suggestion, "there will be no easy way of "full cleaning" labels", but I don't know of the use case for that. I don't consider "abusing ... to wipe other kinds of metadata" a legitimate use case. |
(one can still override checks using option '-f')
(option '-m' becomes option '-w' to zero labels entirely as was done before)
(an exported pool already needs option -f to clear labels: we cannot use a single -f to handle invalid labels as well)
|
@ahrens Hi Matthew, Well, I have modified the patch to try to keep simplicity as well as flexibility :
I think it is better that way : the base command remains simple but one can always bypass checks and wipe labels if necessary. What do you think ? Best regards, Ganael. |
|
@ahrens Any thoughts on that new patch ? |
|
Sorry for the latency, I was on vacation last week. That design sounds OK to me. I (or someone else familiar with this code) still need to review the code. @yuripv do you want to take another look? |
usr/src/cmd/zpool/zpool_main.c
Outdated
| @@ -47,6 +48,7 @@ | |||
| #include <zone.h> | |||
| #include <zfs_prop.h> | |||
| #include <sys/fs/zfs.h> | |||
| #include <sys/vdev_impl.h> | |||
There was a problem hiding this comment.
It's possible that this is causing the compilation (lint) error (see http://jenkins.open-zfs.org/blue/organizations/jenkins/openzfs%2Fopenzfs/detail/PR-424/4/pipeline). Is this needed just for VDEV_LABELS? Maybe we should move that to a different header file (e.g. zfs.h)
There was a problem hiding this comment.
Yes, this is needed just for VDEV_LABELS. You mean moving VDEV_LABELS definition to sys/fs/zfs.h ? I don't know what that would imply for other parts of the code :/ Help would be welcome here :)
usr/src/cmd/zpool/zpool_main.c
Outdated
| * | ||
| * -f Force clearing the label for the vdevs which are | ||
| * members of the exported or foreign pools. Also consider | ||
| * seemingly invalid labels as valid ones. |
There was a problem hiding this comment.
should this now say, "if specified twice, clear even seemingly invalid labels"?
usr/src/cmd/zpool/zpool_main.c
Outdated
| break; | ||
| case 'i': | ||
| index = strtonum(optarg, 0, VDEV_LABELS - 1, &errstr); | ||
| if(errstr) { |
There was a problem hiding this comment.
cstyle: add space after if, and add explicit != NULL:
if (strerr != NULL) {
usr/src/cmd/zpool/zpool_main.c
Outdated
| case 'f': | ||
| if(force) |
There was a problem hiding this comment.
add space after if, and add braces for multi-line body (even if only one statement)
usr/src/man/man1m/zpool.1m
Outdated
| .Bl -tag -width Ds | ||
| .It Fl f | ||
| Treat exported or foreign devices as inactive. | ||
| Force mode: treat exported or foreign devices as inactive. | ||
| Specify twice to treat invalid labels as valid ones. |
There was a problem hiding this comment.
How about, Specify twice to clear even seemingly-invalid labels.
|
Hi Matthew, I've pushed fixes following your recommendations, thanks :) Only remains warnings about abd stuff. Any hint ? |
Yes. |
- this removes compilation warnings about static unused abd_* functions related to inclusion of sys/vdev_impl.h. - while here, also remove definition of -unused- VDEV_BEST_LABEL.
|
@ahrens My last commit should fix compilation warnings. |
|
@martymac I'll take a look at your latest changes. |
|
@ahrens Have you had time to take a deeper look at latest changes ? |
…l-labelclear-improvements
|
Hi and happy new year :) I've updated the patch with latest changes from master. If there are no more comments, can it be merged upstream ? |
| @@ -709,8 +751,12 @@ zpool_do_labelclear(int argc, char **argv) | |||
| } | |||
|
|
|||
| if (zpool_read_label(fd, &config) != 0) { | |||
| (void) fprintf(stderr, | |||
| gettext("failed to read label from %s\n"), vdev); | |||
| if (force) | |||
There was a problem hiding this comment.
Shouldn't this check force_invalid since it's possible for zpool_read_label to return -1 for reasons other than the inability to read the label. If just force is used then we could wipe out the label of a legit pool.
There was a problem hiding this comment.
Hi @grwilson ,
The original version of FreeBSD's labelclear command allowed to forcibly wipe a label in any case (except when a pool is in use), see :
https://svnweb.freebsd.org/base?view=revision&revision=224171
but that "feature" disappeared when the labelclear command was imported from upstream :
https://svnweb.freebsd.org/base?view=revision&revision=297760
So this is just a fix to re-add that possibility : if we really want to force a wipe out, I think the command should not prevent us from doing so ; and that becomes even more useful when working with individual labels, as that patch now allows.
| if (wipe) { | ||
| (void) memset(&label, 0, sizeof (vdev_label_t)); | ||
| } else { | ||
| if (nvlist_invalidate(buf, buflen) != 0) |
There was a problem hiding this comment.
If the goal is to prevent zpool import from showing the pool, then we should set the TXG value to 0 which is how ZFS clears a label while still leaving some information around for debugging.
There was a problem hiding this comment.
The main goal of the patch is to allow wiping a single label with minimal changes.
Acting on nvs encoding type (introducing a new type "invalid") allows touching a single byte, which is great because it minimizes the risks of damaging another FS that would have been created over the label. Acting on txg would touch 8 bytes and greatly improve the chances to break something. Also, as a side effect, acting on nvs encoding type keeps last txg value available for debugging.
|
One of the guiding principles for zfs is simple administration and it seems like we're exposing way too many knobs to the administrator. These knobs expose the internals of the product. For example, if I want to clear the labels, why wouldn't I just run This is less of a concern but one that I want to make sure we can discuss -- I still struggle with invalidating the nvlist encoding vs setting txg = 0. Yes, it's 1 byte vs 8 bytes so we have a smaller chance of impacting any software that is using that disk but the chance is not 0% in either case. I would argue that setting the value of txg=0 at least provides some diagnostics with existing tools and possibly some recovery opportunities that are not available with the nvlist invalidate case. For example, if invalidating the nvlist impacts the software running on that disk, how would you ever know that the disk was once used by zfs and has been invalidated? You would end up with corruption with no way of diagnosing what caused it. We could enhance the tools to look for the invalid encoding making this less of an issue. I recognize this is not a new problem since the current implementation "wipes" the labels. This is why I wonder if we ever need to "wipe" the labels or do we just want zfs to forget about this device? Do we know of cases where we have needed to "wipe" the label? |
|
I'll chime in here. There have been a number of cases in the past where I have wanted the moral equivalent to dd if=/dev/zero of=/dev/da0 bs=1M Typically, and this may be FreeBSD specific, it's a case of ZFS thinks the device is unused, then geom attaches to the device, then ZFS magically sees that oh yes, there is a label there. An example might be where you GPT partition and put a UFS filesystem on a disk that used to have ZFS on it. From a ZFS user perspective: I'd like it if there was a ZF safe and friendly "forget about this device" as well as a "nuke it from orbit" option that was faster than dd. (Yes, you can avoid running dd on the whole disk if you calculate the number of sectors on the disk and use the appropriate seek argument, but sometimes that takes enough time to figure out that I just let the dd run and go do something else for a while) |
|
Hi @grwilson, As a recall, the original problem that led to the patch is described here : https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204622
Yes, but I don't think exposing the internals of the product is a problem here because it does not make the command more complex : for the average user, its default action is still the same (invalidating all four labels). We just provide an administrator the possibility to go beyond and avoid the hassle of using dd plus a seek argument (this is a kind of simplification, but for the administrator) as @jpaetzel explains.
I do not always want to let ZFS choose the labels for me because I may want to minimally invalidate them at the beginning of a device (to avoid issues described at the link above) and totally wipe (zeroe) them at the end (e.g. to produce a clean disk image). The current implementation simply does not provide enough flexibility for that.
As @jpaetzel wrote, I think we want to be able to do both. The default behaviour is to minimally invalidate labels, but an option is provided to wipe them entirely if one needs it. Regarding the idea of invalidating a label using its encoding style, you're right, touching 1 byte can break another FS too, but it's always better than modifying 8 bytes (and even better than what is done currently : zeroing 4 * 256 KiB). Also, as you noticed, debugging tools could be expanded to handle that kind of invalid encoding. Best regards, Ganael. |
|
Hi @grwilson, |
|
@martymac @ahrens @grwilson @yuripv this is an issue we've definitely seen on the Linux side as well and would like to see resolved. I've read though the comments above it sounds like there's still some needed discussion over exactly which command lines options to support. However, there is general agreement that In order to help move this issue forward I've opened PR openzfs/zfs#8500 against ZFS on Linux which solely addresses that concern. No new options are added and only valid labels are zeroed. Additional improvements are left as future work. This change is in need of reviewers if you have the time. Thanks! |
That patch follows : openzfs#8500 and is a port to ZoL of: openzfs/openzfs#424 It adds the following: - ability to clear a specific label (options -b, -e and -i) - label invalidation using a single-byte modification (wipe with option -w) - option -ff to force invalidation even for invalid labels
That patch follows: openzfs#8500 and is a port to ZoL of: openzfs/openzfs#424 It adds the following: - ability to clear a specific label (options -b, -e and -i) - label invalidation using a single-byte modification (wipe with option -w) - option -ff to force invalidation even for invalid labels OpenZFS-issue: https://www.illumos.org/issues/7584
|
Hi @behlendorf, Sorry for lagging. If you are still interested in other parts of my patch, here is a port to ZoL : There are probably still things to discuss about, probably :
but that PR can serve as a basis. Note : I could not review your code in time but it introduces a small mistake : pwrite64() should also skip (2 * VDEV_PAD_SIZE) when reading from label, but as you write zeroes, that does not matter in your patch. That needed to be fixed in my patch to get the single-byte invalidation work. Best regards, |
|
This repo will be archived in the coming week, and therefore this PR is being closed. Alternate processes for contributing ZFS changes (including those in open PR's) include following the illumos procedures, or opening a PR against ZFSonLinux. The reasoning behind this are outlined in an email to the developer@open-zfs.org mailing list, which is reproduced below:
|
Hi,
This patch improves the 'zpool labelclear' command.
See :
https://www.illumos.org/issues/7584
for a detailed description and test cases.
Best regards,
Ganael.