use xfs_repair to check and repair xfs filesystem in method formatAndMount #126
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Welcome @27149chen! |
k8s-ci-robot
added
the
size/L
|
/assign @jsafrane |
|
@jsafrane , do you have time to have a look of this PR? Thank you very much. |
mount/mount_linux.go
Outdated
| checkArgs := []string{"-n", source} | ||
|
|
||
| // check-only using "xfs_repair -n", if the exit status is not 0, perform a "xfs_repair" | ||
| out, err := mounter.Exec.Command("xfs_repair", checkArgs...).CombinedOutput() |
There was a problem hiding this comment.
xfs_repair -n on an empty device tries to find superblock on the whole device, taking really long time.
$ xfs_repair -n /dev/loop0
Phase 1 - find and verify superblock...
bad primary superblock - bad magic number !!!
attempting to find secondary superblock...
..........................................................................................................................................................................................................................................................................................................................................................................................................................................................
There was a problem hiding this comment.
In this case, running blkid first to check the format and fsck / xfs_repair only when the right filesystem is detected would be better.
See kubernetes/kubernetes#77982 for such attempt.
There was a problem hiding this comment.
@jsafrane , thank you for pointing out it. But if I add a GetDiskFormat here, I think the whole mount flow will be changed, like the order in kubernetes/kubernetes#77982.
So what is your suggestion here? merge 77982 into my change as one pr, or let 77982 merge first, then I continue my work?
There was a problem hiding this comment.
I would suggest to contact original author if he's still interested in the PR and re-post it in this repo. With a concrete use case where we really need to call blkid before mount it should be easy to merge.
There was a problem hiding this comment.
ok, thanks. I asked him in that pr.
There was a problem hiding this comment.
fixed, run fsck/xfs_repair only when the device is formatted.
|
@jsafrane , I merged the latest master changes and update the code, please have a look again, thank you very much. |
mount/mount_linux.go
Outdated
| return nil | ||
| } else { | ||
| return fmt.Errorf(string(output)) | ||
| } |
There was a problem hiding this comment.
I wonder if this could result in breaking existing stuff. I am unsure about searching for "done" string at the end of the message and using combined output from xfs_repair. We have been burnt by such checks in past and command output itself may change across versions.
I think may be we should allow different CSI driver authors to opt-in for doing filesystem repair before mounting. We did not call xfs_repair before and now we do and we are performing checks based on output of command(which can spew random stuff and provides no guarantees about API) - could this cause breaking behaviour?
There was a problem hiding this comment.
@gnufied , thank you for pointing it out. I checked several versions of xfs_repair, the output format is stable, so I think it is safe to search for "done" here. And I think it won't break existing stuff. Regarding "We have been burnt by such checks in past", do you remember the code and how did you fix it? can you show me so I can learn something.
I don't think we should let the CSI plugins to do the fs check. Because it is a common task, each type of filesystem has a specific check/repair method. Another reason is that xfs_repair must be run in a formatted disk, if we let the CSI plugins to run it, they must run blkid first, which is redundant.
Yes, for a xfs filesystem, We did not call xfs_repair before and now we do. But it won't break anything:
- If
xfs_repairis called before, the fs is repaired before entermount,soxfs_repair -nwill return ok and nothing will be repaireed again. - If
xfs_repairis not called before, we will try to repair it before mount, it will make themountmethod more robust.
What do you think?
There was a problem hiding this comment.
It is okay to rely on following outputs of a program called via exec:
- exit code
- if program supports some kind of json or other machine readable output.
It is not okay to rely on human readable text printed on terminal for consumption by another program. Because in that case - called program(xfs_repair in this case) makes no guarantees about an stable format.
There was a problem hiding this comment.
@gnufied , after checking the source code git://git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git, I find that xfs_repair do return a non-zero status if it is failed to repair the filesystem. It works for all 4.x versions.
The code is in repair/xfs_repair.c.
In fact, the problem is the man page, it is wrong until v4.10.0 (Unfortunately, the documentation I found from google and my centos7 happens to be old), you can see the changelog of v4.10.0: https://abi-laboratory.pro/?view=changelog&l=xfsprogs&v=5.0.0 which fixed the description.
So we don't need to analysis the human readable output here, just check the return status
There was a problem hiding this comment.
attached the diff here to make it more clear. @gnufied @jsafrane
$ git diff v4.9.0 v4.10.0 man/man8/xfs_repair.8
diff --git a/man/man8/xfs_repair.8 b/man/man8/xfs_repair.8
index 1b4d9e3..85e4dc9 100644
--- a/man/man8/xfs_repair.8
+++ b/man/man8/xfs_repair.8
@@ -65,7 +65,9 @@ Forces
.B xfs_repair
to zero the log even if it is dirty (contains metadata changes).
When using this option the filesystem will likely appear to be corrupt,
-and can cause the loss of user files and/or data.
+and can cause the loss of user files and/or data. See the
+.B "DIRTY LOGS"
+section for more information.
.TP
.BI \-l " logdev"
Specifies the device special file where the filesystem's external
@@ -505,11 +507,38 @@ This message refers to a large directory.
If the directory were small, the message would read "junking entry ...".
.SH EXIT STATUS
.B xfs_repair \-n
-(no modify node)
+(no modify mode)
will return a status of 1 if filesystem corruption was detected and
0 if no filesystem corruption was detected.
.B xfs_repair
-run without the \-n option will always return a status code of 0.
+run without the \-n option will always return a status code of 0 if
+it completes without problems. If a runtime error is encountered
+during operation, it will return a status of 1. In this case,
+.B xfs_repair
+should be restarted. If
+.B xfs_repair is unable
+to proceed due to a dirty log, it will return a status of 2. See below.
+.SH DIRTY LOGS
+Due to the design of the XFS log, a dirty log can only be replayed
+by the kernel, on a machine having the same CPU architecture as the
+machine which was writing to the log.
+.B xfs_repair
+cannot replay a dirty log and will exit with a status code of 2
+when it detects a dirty log.
+.PP
+In this situation, the log can be replayed by mounting and immediately
+unmounting the filesystem on the same class of machine that crashed.
+Please make sure that the machine's hardware is reliable before
+replaying to avoid compounding the problems.
+.PP
+If mounting fails, the log can be erased by running
+.B xfs_repair
+with the -L option.
+All metadata updates in progress at the time of the crash will be lost,
+which may cause significant filesystem damage.
+This should
+.B only
+be used as a last resort.
.SH BUGS
The filesystem to be checked and repaired must have been
unmounted cleanly using normal system administration procedures
|
/assign saad-ali |
|
@jsafrane , please take another look at the pr, thanks. |
|
lgtm-ish, can you please rebase? |
k8s-ci-robot
added
needs-rebase
Signed-off-by: Lou <[email protected]>
27149chen
force-pushed
the
add_xfs_repair
branch
from
623e4e0 to
aa83e53
Compare
k8s-ci-robot
removed
the
needs-rebase
|
@jsafrane , finished the squash and rebase, please approve. |
| } | ||
|
|
||
| if err != nil { | ||
| return err |
There was a problem hiding this comment.
Rebase is not that simple in this case: you should return NewMountError(mountErrorValue, err.Error()), to propagate potential FilesystemMismatch.
There was a problem hiding this comment.
Actually, you should return FilesystemMismatch, if the FS type is wrong, or HasFilesystemErrors if the FS type is OK, but the filesystem has errors.
There was a problem hiding this comment.
- HasFilesystemErrors is retruned in checkAndRepairXfsFilesystem/checkAndRepairFilesystem, so it is ok to return err here directly.
- I don't think we should return a FilesystemMismatch here, because the only error which will happen here is a failed_to_repair_filesystem_error, and the fs passed in is the existing fs, not the defined one, so I think there is no filesystem mismatch which can cause this error.
- I forgot to return a HasFilesystemErrors in checkAndRepairXfsFilesystem, which is fixed now. @jsafrane PTAL.
There was a problem hiding this comment.
ack, I missed checkAndRepairXfsFilesystem/checkAndRepairFilesystem
Signed-off-by: Lou <[email protected]>
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: 27149chen, jsafrane The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR tries to fix the issue mentioned in #125, changes are as following:
Which are not included in this PR:
References: